authorChris Buechler <cmb@pfsense.org>2016-02-11 02:38:23 -0600
committerChris Buechler <cmb@pfsense.org>2016-02-11 02:38:23 -0600
commit54c3605675c3581303ed52e61f0e6c956aad3a06 (patch)
treec9c998a72fecc7e713876ae5a0588ac0786e51c1 /src
parentd1981cc67f5c2c76f1812bb3009d944a597bb2db (diff)
downloadpfsense-54c3605675c3581303ed52e61f0e6c956aad3a06.zip
pfsense-54c3605675c3581303ed52e61f0e6c956aad3a06.tar.gz
Add support for IPsec TFC. Ticket #4688
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/vpn.inc9
-rw-r--r--src/usr/local/www/vpn_ipsec_phase1.php50
2 files changed, 58 insertions, 1 deletions
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 8c9e4b5..c2de452 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -1165,6 +1165,14 @@ EOD;
$mobike = 'mobike = no';
}
+ if (isset($ph1ent['tfc_enable'])) {
+ if (isset($ph1ent['tfc_bytes']) && is_numericint($ph1ent['tfc_bytes'])) {
+ $tfc = "tfc = {$ph1ent['tfc_bytes']}";
+ } else {
+ $tfc = "tfc = %mtu";
+ }
+ }
+
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
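Review bot: `$tfc` is only assigned inside the `tfc_enable` branch, so when TFC is off the later `{$tfc}` interpolation in the ipsec.conf heredoc reads an undefined variable (a PHP notice and an empty line), unless it is initialised earlier in this function, which is outside the hunk. Initialise it before the branch with `$tfc = '';`. The `is_numericint()` guard is the right thing here because `tfc_bytes` originates from the web form and is written verbatim into the generated config; if `is_numericint()` accepts a leading minus (I cannot confirm from this page), a negative value would still reach strongSwan as `tfc = -1`, so a `>= 0` check here or in the form validator would close that. The enclosing function starts before and ends after this hunk.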
@@ -1338,6 +1346,7 @@ EOD;
{$reauth}
{$forceencaps}
{$mobike}
+ {$tfc}
{$rekey}
installpolicy = yes
{$tunneltype}
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 52b3c81..ef754f4 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -160,6 +160,14 @@ if (isset($p1index) && $a_phase1[$p1index]) {
$pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
$pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
}
+
+ if (isset($a_phase1[$p1index]['tfc_enable'])) {
+ $pconfig['tfc_enable'] = true;
+ }
+
+ if (isset($a_phase1[$p1index]['tfc_bytes'])) {
+ $pconfig['tfc_bytes'] = $a_phase1[$p1index]['tfc_bytes'];
+ }
} else {
/* defaults */
$pconfig['interface'] = "wan";
@@ -404,8 +412,12 @@ if ($_POST) {
}
}
+ if ($pconfig['tfc_bytes'] && !is_numericint($pconfig['tfc_bytes'])) {
+ $input_errors[] = gettext("A numeric value must be specified for TFC bytes.");
+ }
+
if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2" && $pconfig['iketype'] != "auto") {
- $input_errors[] = gettext("Valid arguments for IKE type is v1, v2 or auto");
+ $input_errors[] = gettext("Valid arguments for IKE type are v1, v2 or auto");
}
if (!empty($_POST['ealgo']) && isset($config['system']['crypto_hardware'])) {
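Review bot: The new `tfc_bytes` check only runs when the value is truthy, so `0` and a blank field bypass it, and `is_numericint()` may accept a negative number (not verifiable here), which would then be emitted into ipsec.conf. A stricter form is `if (strlen($pconfig['tfc_bytes']) && (!is_numericint($pconfig['tfc_bytes']) || $pconfig['tfc_bytes'] < 0)) {` with the message `gettext("A non-negative integer must be specified for TFC bytes.")`. The option is also accepted server-side regardless of IKE type even though the JavaScript later in this file hides it outside the IKEv2 branch; hidden form fields are still submitted, so consider rejecting `tfc_enable` when `iketype` is `ikev1` if TFC is meant to be IKEv2-only. The enclosing POST handler starts before and ends after this hunk.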
@@ -502,6 +514,14 @@ if ($_POST) {
$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
}
+ if (isset($pconfig['tfc_enable'])) {
+ $ph1ent['tfc_enable'] = true;
+ }
+
+ if (isset($pconfig['tfc_bytes'])) {
+ $ph1ent['tfc_bytes'] = $pconfig['tfc_bytes'];
+ }
+
/* generate unique phase1 ikeid */
if ($ph1ent['ikeid'] == 0) {
$ph1ent['ikeid'] = ipsec_ikeid_next();
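Review bot: `tfc_bytes` is written to the phase1 entry whenever the form field is present, so an empty string is persisted to config.xml even when TFC is disabled; `isset('')` is true. The DPD fields in the context above appear to be stored only inside their enable branch, so the same shape would be `if (isset($pconfig['tfc_enable']) && strlen($pconfig['tfc_bytes'])) {` around the `tfc_bytes` assignment. That also keeps a stale byte count from lingering in the config after TFC is switched off. The enclosing POST handler starts before and ends after this hunk.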
@@ -865,6 +885,20 @@ $section->addInput(new Form_Select(
))->setHelp('Set this option to control the use of MOBIKE');
$section->addInput(new Form_Checkbox(
+ 'tfc_enable',
+ 'Traffic Flow Confidentiality',
+ 'Enable TFC',
+ $pconfig['tfc_enable']
+))->setHelp('Enable Traffic Flow Confidentiality');
+
+$section->addInput(new Form_Input(
+ 'tfc_bytes',
+ 'TFC Bytes',
+ 'Bytes TFC',
+ $pconfig['tfc_bytes']
+))->setHelp('Enter the number of bytes to pad ESP data to, or leave blank to fill to MTU size');
+
+$section->addInput(new Form_Checkbox(
'dpd_enable',
'Dead Peer Detection',
'Enable DPD',
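Review bot: The help text `Enable Traffic Flow Confidentiality` only restates the checkbox label and tells the administrator nothing about what the option does or when it applies. Something like `->setHelp('Pad ESP packets to hide the true size of the encrypted payload; offered for IKEv2 only')` would be more useful, with the IKE-type caveat kept only if it matches the show/hide logic elsewhere in this file. If `Form_Input` supports a type argument, restricting `tfc_bytes` to numeric input would also give the browser-side hint that the server check expects. The `Form_Checkbox` call that starts at the end of this hunk continues past it.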
@@ -940,11 +974,14 @@ events.push(function() {
hideInput('mode', true);
hideInput('mobike', false);
hideInput('nat_traversal', true);
+ hideCheckbox('tfc_enable', false);
hideCheckbox('reauth_enable', false);
} else {
hideInput('mode', false);
hideInput('mobike', true);
hideInput('nat_traversal', false);
+ hideCheckbox('tfc_enable', true);
+ hideInput('tfc_bytes', true);
hideCheckbox('reauth_enable', true);
}
}
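Review bot: In the IKEv2 branch `tfc_enable` is unhidden but `tfc_bytes` is not, while the else branch hides both; switching the IKE type from IKEv1 to IKEv2 therefore leaves the bytes field hidden even when the checkbox is already ticked, until the checkbox is clicked again. Adding `tfcchkbox_change();` right after `hideCheckbox('tfc_enable', false);` re-derives the field's visibility from the checkbox state. Function declarations are hoisted, so the definition appearing later in the same `events.push` closure is fine provided both live in that scope, which I cannot fully see from here. The enclosing function starts before this hunk.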
@@ -1056,6 +1093,12 @@ events.push(function() {
}
}
+ function tfcchkbox_change() {
+ hide = !$('#tfc_enable').prop('checked');
+
+ hideInput('tfc_bytes', hide);
+ }
+
// ---------- Monitor elements for change and call the appropriate display functions ----------
// Enable DPD
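Review bot: `hide` in `tfcchkbox_change()` is assigned without `var`, so it becomes an implicit global (and a ReferenceError under strict mode). Declare it locally: `var hide = !$('#tfc_enable').prop('checked');`. This hunk sits inside the `events.push` closure, which starts and ends outside it.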
@@ -1063,6 +1106,11 @@ events.push(function() {
dpdchkbox_change();
});
+ // TFC
+ $('#tfc_enable').click(function () {
+ tfcchkbox_change();
+ });
+
// Peer identifier
$('#peerid_type').click(function () {
peeridsel_change();
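Review bot: The new handler only reacts to clicks, and no initial `tfcchkbox_change();` call appears in this hunk, so on page load the `tfc_bytes` field would be shown regardless of the saved checkbox state unless the page's startup code elsewhere calls it, as it presumably does for `dpdchkbox_change()`. If there is such a startup block, add `tfcchkbox_change();` next to the DPD call; if not, call it once right after binding the click handler. This hunk is inside the `events.push` closure, which ends outside it.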