From: Martin Willi
Date: Tue, 30 Nov 2010 18:19:56 +0000 (+0100)
Subject: Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
X-Git-Tag: 4.5.1~366
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c302616f1bf26dc99fa8b3457ef6f2738d5cd90;p=thirdparty%2Fstrongswan.git
Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
---
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 187f369574..0de9a2c926 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -953,6 +953,13 @@ synonym for
.BR reqid " = "
sets the reqid for a given connection to a pre-configured fixed value.
.TP
+.BR tfc " = "
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values are
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 0f55e51077..4f2f58e869 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -801,7 +801,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp, msg->add_conn.inactivity, msg->add_conn.reqid,
- &mark_in, &mark_out, 0);
+ &mark_in, &mark_out, msg->add_conn.tfc);
child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
diff --git a/src/starter/args.c b/src/starter/args.c
index 37d6002836..c13f5a952f 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -239,6 +239,7 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_MARK */ },
{ ARG_MISC, 0, NULL /* KW_MARK_IN */ },
{ ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
+ { ARG_MISC, 0, NULL /* KW_TFC */ },
/* ca section keywords */
{ ARG_STR, offsetof(starter_ca_t, name), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 3367616ca7..1e7daa6a98 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
cfg->err++;
}
break;
+ case KW_TFC:
+ if (streq(kw->value, "%mtu"))
+ {
+ conn->tfc = -1;
+ }
+ else
+ {
+ char *endptr;
+ conn->tfc = strtoul(kw->value, &endptr, 10);
+ if (*endptr != '\0')
+ {
+ plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ }
+ break;
case KW_KEYINGTRIES:
if (streq(kw->value, "%forever"))
{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 982d1d206f..75ef992119 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -125,6 +125,7 @@ struct starter_conn {
u_int32_t reqid;
mark_t mark_in;
mark_t mark_out;
+ u_int32_t tfc;
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
bool install_policy;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 1dae65a999..038391acad 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -102,9 +102,10 @@ typedef enum {
KW_MARK,
KW_MARK_IN,
KW_MARK_OUT,
+ KW_TFC,
#define KW_CONN_FIRST KW_CONN_SETUP
-#define KW_CONN_LAST KW_MARK_OUT
+#define KW_CONN_LAST KW_TFC
/* ca section keywords */
KW_CA_NAME,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 06705635ad..67ae53f015 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -93,6 +93,7 @@ reqid, KW_REQID
mark, KW_MARK
mark_in, KW_MARK_IN
mark_out, KW_MARK_OUT
+tfc, KW_TFC
cacert, KW_CACERT
ldaphost, KW_LDAPHOST
ldapbase, KW_LDAPBASE
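Review bot: The new `{ ARG_MISC, 0, NULL /* KW_TFC */ },` entry is correct only because its position in token_info[] lines up with KW_TFC's position in the keyword enum (the `/* KW_... */` comments suggest the table is indexed by that enum), and the trailing comment is the only thing tying the two together; adding a keyword in one place but not the other shifts every later entry without any diagnostic. If the file is built as C99 or later, a designated initializer, `[KW_TFC] = { ARG_MISC, 0, NULL },`, lets the compiler place the entry and report duplicates instead of relying on manual ordering. The token_info[] definition starts and ends outside this hunk.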
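Review bot: The numeric branch of the new `case KW_TFC:` accepts inputs it should reject: `strtoul()` skips leading blanks and takes a sign, so `tfc=-1` passes the `*endptr != '\0'` check and stores the same all-bits-set `u_int32_t` value that `conn->tfc = -1` reserves for `%mtu`; an empty value also passes that check and silently becomes 0; and ERANGE, or any value above what `u_int32_t` holds where `unsigned long` is 64 bits, is truncated without an error. The `%mtu` marker itself is written as `-1` into an unsigned field and only works through the implicit conversion, so spelling it out and excluding it from the accepted numeric range keeps the two meanings apart. The rewritten branch below needs `<errno.h>` and `<ctype.h>` if confread.c does not already include them; load_conn() starts and ends outside this hunk.
```c
			case KW_TFC:
				if (streq(kw->value, "%mtu"))
				{
					/* reserved marker for "pad to MTU": all bits set in u_int32_t */
					conn->tfc = (u_int32_t)-1;
				}
				else
				{
					char *endptr;
					unsigned long value;

					errno = 0;
					value = strtoul(kw->value, &endptr, 10);
					/* strtoul() accepts blanks and a sign and parses "" as 0;
					 * require a digit first, no trailing garbage, no overflow, and
					 * a value that fits u_int32_t without hitting the %mtu marker */
					if (!isdigit((unsigned char)kw->value[0]) || *endptr != '\0' ||
						errno == ERANGE || value >= 0xffffffffUL)
					{
						plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
						cfg->err++;
					}
					else
					{
						conn->tfc = value;
					}
				}
				break;
```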
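Review bot: The new `u_int32_t tfc;` field carries an in-band special value — confread.c stores `-1` in it for `tfc=%mtu`, i.e. all 32 bits set — and nothing at the declaration says so; the same applies to the `u_int32_t tfc;` added to stroke_msg_t in stroke_msg.h, which carries that value across the stroke socket, and to the plain copy in starterstroke.c. A comment such as `u_int32_t tfc; /* TFC padding target in bytes; all bits set (from "%mtu") means pad to the MTU */` on both fields keeps the encoding from being lost at the starter/charon boundary. struct starter_conn starts and ends outside this hunk.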
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9ba569d476..a7e098d91f 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -266,6 +266,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.mark_in.mask = conn->mark_in.mask;
msg.add_conn.mark_out.value = conn->mark_out.value;
msg.add_conn.mark_out.mask = conn->mark_out.mask;
+ msg.add_conn.tfc = conn->tfc;
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index aeb4b68359..adb9d0e101 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -247,6 +247,7 @@ struct stroke_msg_t {
int proxy_mode;
int install_policy;
u_int32_t reqid;
+ u_int32_t tfc;
crl_policy_t crl_policy;
int unique;