Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
authorMartin Willi <martin@revosec.ch>
Tue, 30 Nov 2010 18:19:56 +0000 (19:19 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 20 Dec 2010 08:45:39 +0000 (09:45 +0100)
man/ipsec.conf.5.in
src/libcharon/plugins/stroke/stroke_config.c
src/starter/args.c
src/starter/confread.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke_msg.h

index 187f369..0de9a2c 100644 (file)
@@ -953,6 +953,13 @@ synonym for
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
 .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are
index 0f55e51..4f2f58e 100644 (file)
@@ -801,7 +801,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
                                msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp,
                                msg->add_conn.inactivity, msg->add_conn.reqid,
-                               &mark_in, &mark_out, 0);
+                               &mark_in, &mark_out, msg->add_conn.tfc);
        child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
                                                                                        msg->add_conn.install_policy);
        add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
index 37d6002..c13f5a9 100644 (file)
@@ -239,6 +239,7 @@ static const token_info_t token_info[] =
        { ARG_MISC, 0, NULL  /* KW_MARK */                                             },
        { ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
        { ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
+       { ARG_MISC, 0, NULL  /* KW_TFC */                                              },
 
        /* ca section keywords */
        { ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
index 3367616..1e7daa6 100644 (file)
@@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                                cfg->err++;
                        }
                        break;
+               case KW_TFC:
+                       if (streq(kw->value, "%mtu"))
+                       {
+                               conn->tfc = -1;
+                       }
+                       else
+                       {
+                               char *endptr;
+
+                               conn->tfc = strtoul(kw->value, &endptr, 10);
+                               if (*endptr != '\0')
+                               {
+                                       plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+                                       cfg->err++;
+                               }
+                       }
+                       break;
                case KW_KEYINGTRIES:
                        if (streq(kw->value, "%forever"))
                        {
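Review bot: The `conn->tfc = strtoul(kw->value, &endptr, 10);` line accepts the result whenever the string ends where parsing stopped, so an empty value (`tfc=`) silently yields 0, a signed value such as `-5` wraps to a huge unsigned number, and input that overflows (ERANGE) or exceeds UINT32_MAX is truncated into the u_int32_t field without the error path being taken. Since this value comes straight from the administrator's ipsec.conf, I would parse into a temporary with errno cleared, and reject `endptr == kw->value`, ERANGE and anything above UINT32_MAX through the existing `plog("# bad integer value: ...")` branch before storing it. The `conn->tfc = -1` assignment stores UINT32_MAX into an unsigned field, which makes a literal 4294967295 indistinguishable from %mtu; a named constant for the sentinel would make that explicit. load_conn's body continues outside the hunk, and errno.h/stdint.h must be in scope if they are not already.
```c
		case KW_TFC:
			if (streq(kw->value, "%mtu"))
			{
				conn->tfc = -1;
			}
			else
			{
				char *endptr;
				unsigned long val;

				errno = 0;
				val = strtoul(kw->value, &endptr, 10);
				if (endptr == kw->value || *endptr != '\0' ||
					errno == ERANGE || val > UINT32_MAX)
				{
					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
					cfg->err++;
				}
				else
				{
					conn->tfc = val;
				}
			}
			break;
```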
index 982d1d2..75ef992 100644 (file)
@@ -125,6 +125,7 @@ struct starter_conn {
                u_int32_t       reqid;
                mark_t          mark_in;
                mark_t          mark_out;
+               u_int32_t       tfc;
                sa_family_t     addr_family;
                sa_family_t     tunnel_addr_family;
                bool            install_policy;
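Review bot: The new `tfc` field carries a sentinel — confread.c stores -1 for %mtu, which becomes UINT32_MAX in this u_int32_t — but nothing at the declaration says so, and the mirrored field added to `stroke_msg_t` in stroke_msg.h has the same gap. I would annotate the declaration, e.g. `u_int32_t tfc; /* ESP TFC padding in bytes; (u_int32_t)-1 means pad to the MTU (%mtu) */`, and put the same comment on the stroke_msg.h field, so a reader of either struct knows the value is not always a plain byte count. The starter_conn definition starts outside the hunk.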
index 1dae65a..038391a 100644 (file)
@@ -102,9 +102,10 @@ typedef enum {
        KW_MARK,
        KW_MARK_IN,
        KW_MARK_OUT,
+       KW_TFC,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_MARK_OUT
+#define KW_CONN_LAST    KW_TFC
 
    /* ca section keywords */
        KW_CA_NAME,
index 0670563..67ae53f 100644 (file)
@@ -93,6 +93,7 @@ reqid,             KW_REQID
 mark,              KW_MARK
 mark_in,           KW_MARK_IN
 mark_out,          KW_MARK_OUT
+tfc,               KW_TFC
 cacert,            KW_CACERT
 ldaphost,          KW_LDAPHOST
 ldapbase,          KW_LDAPBASE
index 9ba569d..a7e098d 100644 (file)
@@ -266,6 +266,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.mark_in.mask = conn->mark_in.mask;
        msg.add_conn.mark_out.value = conn->mark_out.value;
        msg.add_conn.mark_out.mask = conn->mark_out.mask;
+       msg.add_conn.tfc = conn->tfc;
 
        starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
        starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
index aeb4b68..adb9d0e 100644 (file)
@@ -247,6 +247,7 @@ struct stroke_msg_t {
                        int proxy_mode;
                        int install_policy;
                        u_int32_t reqid;
+                       u_int32_t tfc;
 
                        crl_policy_t crl_policy;
                        int unique;