Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 187f3695742ac55bcc2514fdc010e074f94164fa..0de9a2c92639f18e38b5a6c4c0ddb51e662c6d8b 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -953,6 +953,13 @@ synonym for
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 0f55e510778045141509beeab048bc0dced51afe..4f2f58e869d4c4680f7b05e8bb176c4a85d3fa45 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -801,7 +801,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                                msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp,
                                msg->add_conn.inactivity, msg->add_conn.reqid,
-                               &mark_in, &mark_out, 0);
+                               &mark_in, &mark_out, msg->add_conn.tfc);
        child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
                                                                                        msg->add_conn.install_policy);
        add_ts(this, &msg->add_conn.me, child_cfg, TRUE);

diff --git a/src/starter/args.c b/src/starter/args.c
index 37d60028363ba6e5f1191f75c9f240d80d4419d5..c13f5a952fa56cfc0c5b7c022ee78afc4b61e65e 100644 (file)
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -239,6 +239,7 @@ static const token_info_t token_info[] =
        { ARG_MISC, 0, NULL  /* KW_MARK */                                             },
        { ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
        { ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
+       { ARG_MISC, 0, NULL  /* KW_TFC */                                              },
 
        /* ca section keywords */
        { ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },

diff --git a/src/starter/confread.c b/src/starter/confread.c
index 3367616ca7f7952134bdb1c5953089541321a52b..1e7daa6a98237ea44efaad9d22b2845d0594bce9 100644 (file)
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                                cfg->err++;
                        }
                        break;
+               case KW_TFC:
+                       if (streq(kw->value, "%mtu"))
+                       {
+                               conn->tfc = -1;
+                       }
+                       else
+                       {
+                               char *endptr;
+
+                               conn->tfc = strtoul(kw->value, &endptr, 10);
+                               if (*endptr != '\0')
+                               {
+                                       plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+                                       cfg->err++;
+                               }
+                       }
+                       break;
                case KW_KEYINGTRIES:
                        if (streq(kw->value, "%forever"))
                        {

diff --git a/src/starter/confread.h b/src/starter/confread.h
index 982d1d206f1235f98d3df61dfed7bdb0534aecdb..75ef99211989837f1ab413f7ea56f04e17652bb9 100644 (file)
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -125,6 +125,7 @@ struct starter_conn {
                u_int32_t       reqid;
                mark_t          mark_in;
                mark_t          mark_out;
+               u_int32_t       tfc;
                sa_family_t     addr_family;
                sa_family_t     tunnel_addr_family;
                bool            install_policy;

diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 1dae65a999973139881351db6dfe2d03b1818dc2..038391acad371884068827aa39b51ec05f80846c 100644 (file)
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -102,9 +102,10 @@ typedef enum {
        KW_MARK,
        KW_MARK_IN,
        KW_MARK_OUT,
+       KW_TFC,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_MARK_OUT
+#define KW_CONN_LAST    KW_TFC
 
    /* ca section keywords */
        KW_CA_NAME,

diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 06705635adcc99249d4a8ea656dcb25e1b9b9525..67ae53f01547f84bbecb84b4c718fcc3af4299df 100644 (file)
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -93,6 +93,7 @@ reqid,             KW_REQID
 mark,              KW_MARK
 mark_in,           KW_MARK_IN
 mark_out,          KW_MARK_OUT
+tfc,               KW_TFC
 cacert,            KW_CACERT
 ldaphost,          KW_LDAPHOST
 ldapbase,          KW_LDAPBASE

diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9ba569d47648bacbc229294bd8115eaf10d2259e..a7e098d91f549d68132e091cb8af135d7a208c55 100644 (file)
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -266,6 +266,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.mark_in.mask = conn->mark_in.mask;
        msg.add_conn.mark_out.value = conn->mark_out.value;
        msg.add_conn.mark_out.mask = conn->mark_out.mask;
+       msg.add_conn.tfc = conn->tfc;
 
        starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
        starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);

diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index aeb4b68359a76c9f7e65ed3e27c81fb34fafc29f..adb9d0e101b4290fcb8e83169dca28d3cce57f24 100644 (file)
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -247,6 +247,7 @@ struct stroke_msg_t {
                        int proxy_mode;
                        int install_policy;
                        u_int32_t reqid;
+                       u_int32_t tfc;
 
                        crl_policy_t crl_policy;
                        int unique;