Do not use TFC padding if peer does not support ESPv3
authorMartin Willi <martin@revosec.ch>
Wed, 8 Dec 2010 12:41:51 +0000 (12:41 +0000)
committerMartin Willi <martin@revosec.ch>
Mon, 20 Dec 2010 08:45:39 +0000 (09:45 +0100)
src/libcharon/sa/child_sa.c
src/libcharon/sa/child_sa.h
src/libcharon/sa/tasks/child_create.c

index 4110815..4959299 100644 (file)
@@ -559,7 +559,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 
 METHOD(child_sa_t, install, status_t,
           private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
-          u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+          u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
           linked_list_t *other_ts)
 {
        u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
@@ -592,7 +592,10 @@ METHOD(child_sa_t, install, status_t,
                this->other_spi = spi;
                this->other_cpi = cpi;
 
-               tfc = this->config->get_tfc(this->config);
+               if (tfcv3)
+               {
+                       tfc = this->config->get_tfc(this->config);
+               }
        }
 
        DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
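Review bot: With the new `if (tfcv3)` guard, `tfc` is assigned on the outbound path only when the peer supports ESPv3 TFC, so whatever is later done with `tfc` now depends on it having an initializer at its declaration, which lies outside this hunk. If it is declared without one, the tfcv3 == FALSE case passes an indeterminate value down to the kernel interface; initialize it at the declaration, e.g. `tfc = 0;` alongside the other locals, so "no TFC padding" is an explicit zero. The body of install() starts in the previous hunk and continues after this one.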
index 95bc297..f17ef01 100644 (file)
@@ -313,12 +313,13 @@ struct child_sa_t {
         * @param spi           SPI to use, allocated for inbound
         * @param cpi           CPI to use, allocated for outbound
         * @param inbound       TRUE to install an inbound SA, FALSE for outbound
+        * @param tfcv3         TRUE if peer supports ESPv3 TFC
         * @param my_ts         negotiated local traffic selector list
         * @param other_ts      negotiated remote traffic selector list
         * @return                      SUCCESS or FAILED
         */
        status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-                                               u_int32_t spi, u_int16_t cpi, bool inbound,
+                                               u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
                                                linked_list_t *my_ts, linked_list_t *other_ts);
        /**
         * Install the policies using some traffic selectors.
index 57beedb..9a50dff 100644 (file)
@@ -117,6 +117,11 @@ struct private_child_create_t {
        ipsec_mode_t mode;
 
        /**
+        * peer accepts TFC padding for this SA
+        */
+       bool tfcv3;
+
+       /**
         * IPComp transform to use
         */
        ipcomp_transform_t ipcomp;
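Review bot: The comment on the new `tfcv3` field does not say how the flag gets its value, which matters because it is opt-out rather than opt-in: the constructor hunk sets it to TRUE and only an ESP_TFC_PADDING_NOT_SUPPORTED notify clears it. A reader of the struct should see that, e.g. `/** peer accepts ESPv3 TFC padding for this SA; TRUE by default, cleared by an ESP_TFC_PADDING_NOT_SUPPORTED notify */`.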
@@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this,
        {
                if (this->initiator)
                {
-                       status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
-                                       this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-                       status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
-                                       this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+                       status_i = this->child_sa->install(this->child_sa,
+                                                       encr_r, integ_r, this->my_spi, this->my_cpi,
+                                                       TRUE, this->tfcv3, my_ts, other_ts);
+                       status_o = this->child_sa->install(this->child_sa,
+                                                       encr_i, integ_i, this->other_spi, this->other_cpi,
+                                                       FALSE, this->tfcv3, my_ts, other_ts);
                }
                else
                {
-                       status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
-                                       this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
-                       status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
-                                       this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+                       status_i = this->child_sa->install(this->child_sa,
+                                                       encr_i, integ_i, this->my_spi, this->my_cpi,
+                                                       TRUE, this->tfcv3, my_ts, other_ts);
+                       status_o = this->child_sa->install(this->child_sa,
+                                                       encr_r, integ_r, this->other_spi, this->other_cpi,
+                                                       FALSE, this->tfcv3, my_ts, other_ts);
                }
        }
        chunk_clear(&integ_i);
@@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
                                                 ipcomp_transform_names, ipcomp);
                                        break;
                        }
+                       break;
                }
+               case ESP_TFC_PADDING_NOT_SUPPORTED:
+                       DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+                                notify_type_names, notify->get_notify_type(notify));
+                       this->tfcv3 = FALSE;
+                       break;
                default:
                        break;
        }
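Review bot: The new case logs the notify type via `notify->get_notify_type(notify)` although the `case ESP_TFC_PADDING_NOT_SUPPORTED:` label already fixes that value; passing the constant directly, `notify_type_names, ESP_TFC_PADDING_NOT_SUPPORTED);`, is simpler and makes the log line self-evidently match the branch. The `break;` added to the preceding block only replaces a fall-through into `default: break;`, so it is behaviorally neutral but worth keeping now that a real case follows. The surrounding switch in handle_notify begins before this hunk.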
@@ -1310,6 +1325,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
        this->keymat = ike_sa->get_keymat(ike_sa);
        this->child_sa = NULL;
        this->mode = MODE_TUNNEL;
+       this->tfcv3 = TRUE;
        this->ipcomp = IPCOMP_NONE;
        this->ipcomp_received = IPCOMP_NONE;
        this->my_spi = 0;