authorMartin Willi <martin@revosec.ch>2010-12-08 12:41:51 +0000
committerMartin Willi <martin@revosec.ch>2010-12-20 09:45:39 +0100
commit55df72e6d5bf3ff497352cd2d7ff9aade5b8a51f (patch)
tree0d81624edcc20a9614f4b17f44a8376375f39ae3 /src
parent37788b1d06035e0e2e9c4cb262639fa2837c58d8 (diff)
downloadstrongswan-55df72e6d5bf3ff497352cd2d7ff9aade5b8a51f.tar.bz2
strongswan-55df72e6d5bf3ff497352cd2d7ff9aade5b8a51f.tar.xz
Do not use TFC padding if peer does not support ESPv3
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/child_sa.c7
-rw-r--r--src/libcharon/sa/child_sa.h3
-rw-r--r--src/libcharon/sa/tasks/child_create.c32
3 files changed, 31 insertions, 11 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 4110815bc..495929965 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -559,7 +559,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
METHOD(child_sa_t, install, status_t,
private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
- u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+ u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
linked_list_t *other_ts)
{
u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
@@ -592,7 +592,10 @@ METHOD(child_sa_t, install, status_t,
this->other_spi = spi;
this->other_cpi = cpi;
- tfc = this->config->get_tfc(this->config);
+ if (tfcv3)
+ {
+ tfc = this->config->get_tfc(this->config);
+ }
}
DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
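Review bot: The new guard means `tfc` is left untouched on the outbound path whenever `tfcv3` is FALSE, so correctness now depends on `tfc` being declared with an initializer (`= 0`) — that declaration is outside this hunk and not visible here. If it is a bare `u_int32_t tfc;`, whatever consumes `tfc` further down would read an indeterminate value exactly when the peer sent ESP_TFC_PADDING_NOT_SUPPORTED; worth confirming. A short why-comment at the guard would also help the next reader: `/* RFC 5840: only request TFC padding if the peer announced ESPv3 support */`. The body of install() continues past the end of the hunk.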
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 95bc297b0..f17ef01ac 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -313,12 +313,13 @@ struct child_sa_t {
* @param spi SPI to use, allocated for inbound
* @param cpi CPI to use, allocated for outbound
* @param inbound TRUE to install an inbound SA, FALSE for outbound
+ * @param tfcv3 TRUE if peer supports ESPv3 TFC
* @param my_ts negotiated local traffic selector list
* @param other_ts negotiated remote traffic selector list
* @return SUCCESS or FAILED
*/
status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
- u_int32_t spi, u_int16_t cpi, bool inbound,
+ u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
linked_list_t *my_ts, linked_list_t *other_ts);
/**
* Install the policies using some traffic selectors.
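Review bot: The new `@param tfcv3` line documents the flag but not its effect, which callers need to know when passing TRUE for the inbound SA as child_create.c now does. Suggest `@param tfcv3 TRUE if peer supports ESPv3 TFC; when FALSE the configured TFC padding is not applied to the outbound SA`, which matches the guard added in child_sa.c where the config's tfc value is only read under that flag.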
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 57beedba9..9a50dff04 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -117,6 +117,11 @@ struct private_child_create_t {
ipsec_mode_t mode;
/**
+ * peer accepts TFC padding for this SA
+ */
+ bool tfcv3;
+
+ /**
* IPComp transform to use
*/
ipcomp_transform_t ipcomp;
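Review bot: The field comment `peer accepts TFC padding for this SA` overstates what the code knows: the flag starts TRUE and is only cleared when an ESP_TFC_PADDING_NOT_SUPPORTED notify arrives, so absence of that notify is taken as acceptance. Suggest `TRUE unless the peer sent ESP_TFC_PADDING_NOT_SUPPORTED (RFC 5840); defaults to TRUE`, so a reader does not assume a positive capability exchange took place.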
@@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this,
{
if (this->initiator)
{
- status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
- this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
- status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
- this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+ status_i = this->child_sa->install(this->child_sa,
+ encr_r, integ_r, this->my_spi, this->my_cpi,
+ TRUE, this->tfcv3, my_ts, other_ts);
+ status_o = this->child_sa->install(this->child_sa,
+ encr_i, integ_i, this->other_spi, this->other_cpi,
+ FALSE, this->tfcv3, my_ts, other_ts);
}
else
{
- status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
- this->my_spi, this->my_cpi, TRUE, my_ts, other_ts);
- status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
- this->other_spi, this->other_cpi, FALSE, my_ts, other_ts);
+ status_i = this->child_sa->install(this->child_sa,
+ encr_i, integ_i, this->my_spi, this->my_cpi,
+ TRUE, this->tfcv3, my_ts, other_ts);
+ status_o = this->child_sa->install(this->child_sa,
+ encr_r, integ_r, this->other_spi, this->other_cpi,
+ FALSE, this->tfcv3, my_ts, other_ts);
}
}
chunk_clear(&integ_i);
@@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
ipcomp_transform_names, ipcomp);
break;
}
+ break;
}
+ case ESP_TFC_PADDING_NOT_SUPPORTED:
+ DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+ notify_type_names, notify->get_notify_type(notify));
+ this->tfcv3 = FALSE;
+ break;
default:
break;
}
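Review bot: The lone `break;` added before the closing brace is load-bearing and deserves a comment: the IPCOMP_SUPPORTED arm above appears to have fallen through into `default` before, which was harmless, but with the new arm inserted in between it would now fall into ESP_TFC_PADDING_NOT_SUPPORTED and clear `tfcv3` on every IPComp notify. The enclosing case block and switch start outside the hunk, so this is inferred from the visible braces. A comment such as `/* do not fall through into ESP_TFC_PADDING_NOT_SUPPORTED */` on that line would keep a future reordering of cases from silently reintroducing the fallthrough.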
@@ -1310,6 +1325,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
this->keymat = ike_sa->get_keymat(ike_sa);
this->child_sa = NULL;
this->mode = MODE_TUNNEL;
+ this->tfcv3 = TRUE;
this->ipcomp = IPCOMP_NONE;
this->ipcomp_received = IPCOMP_NONE;
this->my_spi = 0;
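Review bot: Defaulting `tfcv3` to TRUE in the constructor is the right RFC 5840 assumption, but the same task object may be reinitialised elsewhere — if child_create has a migrate() or similar reset path that restores `mode`, `ipcomp` and the SPIs for a retry (not part of this diff), `tfcv3` should be reset to TRUE there as well, otherwise a FALSE learned from an earlier exchange silently carries over. A stale FALSE only disables padding, so the failure mode is loss of traffic-flow confidentiality rather than interoperability, which is easy to miss in testing. Proposed line for that path: `this->tfcv3 = TRUE;`.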