Do not use TFC padding if peer does not support ESPv3

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4110815bcb21bf9196df9ed43f9eb701207a1c35..495929965e240b4b09a86bada2dd5ea8e9ea0db9 100644 (file)
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -559,7 +559,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 
 METHOD(child_sa_t, install, status_t,
           private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
-          u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+          u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
           linked_list_t *other_ts)
 {
        u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
@@ -592,7 +592,10 @@ METHOD(child_sa_t, install, status_t,
                this->other_spi = spi;
                this->other_cpi = cpi;
 
-               tfc = this->config->get_tfc(this->config);
+               if (tfcv3)
+               {
+                       tfc = this->config->get_tfc(this->config);
+               }
        }
 
        DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",

diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 95bc297b0f937a06b5b6c1787e8e45aa9543464e..f17ef01ac884bc3f5e33d88ca686878f3559e291 100644 (file)
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -313,12 +313,13 @@ struct child_sa_t {
         * @param spi           SPI to use, allocated for inbound
         * @param cpi           CPI to use, allocated for outbound
         * @param inbound       TRUE to install an inbound SA, FALSE for outbound
+        * @param tfcv3         TRUE if peer supports ESPv3 TFC
         * @param my_ts         negotiated local traffic selector list
         * @param other_ts      negotiated remote traffic selector list
         * @return                      SUCCESS or FAILED
         */
        status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-                                               u_int32_t spi, u_int16_t cpi, bool inbound,
+                                               u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
                                                linked_list_t *my_ts, linked_list_t *other_ts);
        /**
         * Install the policies using some traffic selectors.

diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 57beedba9a140620953354cca00b7250b0b98389..9a50dff047df33a45d3b34e1a51f8f6d927f9e9c 100644 (file)
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -116,6 +116,11 @@ struct private_child_create_t {
         */
        ipsec_mode_t mode;
 
+       /**
+        * peer accepts TFC padding for this SA
+        */
+       bool tfcv3;
+
        /**
         * IPComp transform to use
         */
@@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this,
        {
                if (this->initiator)
                {
-                       status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-                                       this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-                       status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-                                       this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+                       status_i = this->child_sa->install(this->child_sa,
+                                                       encr_r, integ_r, this->my_spi, this->my_cpi,
+                                                       TRUE, this->tfcv3, my_ts, other_ts);
+                       status_o = this->child_sa->install(this->child_sa,
+                                                       encr_i, integ_i, this->other_spi, this->other_cpi,
+                                                       FALSE, this->tfcv3, my_ts, other_ts);
                }
                else
                {
-                       status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-                                       this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-                       status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-                                       this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+                       status_i = this->child_sa->install(this->child_sa,
+                                                       encr_i, integ_i, this->my_spi, this->my_cpi,
+                                                       TRUE, this->tfcv3, my_ts, other_ts);
+                       status_o = this->child_sa->install(this->child_sa,
+                                                       encr_r, integ_r, this->other_spi, this->other_cpi,
+                                                       FALSE, this->tfcv3, my_ts, other_ts);
                }
        }
        chunk_clear(&integ_i);
@@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
                                                 ipcomp_transform_names, ipcomp);
                                        break;
                        }
+                       break;
                }
+               case ESP_TFC_PADDING_NOT_SUPPORTED:
+                       DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+                                notify_type_names, notify->get_notify_type(notify));
+                       this->tfcv3 = FALSE;
+                       break;
                default:
                        break;
        }
@@ -1310,6 +1325,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
        this->keymat = ike_sa->get_keymat(ike_sa);
        this->child_sa = NULL;
        this->mode = MODE_TUNNEL;
+       this->tfcv3 = TRUE;
        this->ipcomp = IPCOMP_NONE;
        this->ipcomp_received = IPCOMP_NONE;
        this->my_spi = 0;