wip: ike-auth: Negotiate support for optimized rekeying
authorTobias Brunner <tobias@strongswan.org>
Thu, 16 Mar 2023 16:27:22 +0000 (17:27 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 22 Mar 2023 10:37:52 +0000 (11:37 +0100)
wip: draft/RFC ref, this technically breaks interop until we add support
in the tasks; however, we require this so we can add test cases for
optimized rekeying with those commits

conf/options/charon.opt
src/libcharon/sa/ikev2/tasks/ike_auth.c

index d3ddf061502b8626da361479c0fa40027c08bb53..a9ce531616007c6afc21586475a5754d6a6cf2ad 100644 (file)
@@ -302,6 +302,9 @@ charon.nbns1
 charon.nbns2
        WINS servers assigned to peer via configuration payload (CP).
 
+charon.optimized_rekeying = yes
+       Enable optimized rekeying that omits SA and TS payloads (RFC ...).
+
 charon.port = 500
        UDP port used locally. If set to 0 a random port will be allocated.
 
index 0118f80294905719f6be8c7a74c9e44d5419c9f9..6f1895a4dd8ffac5fa834794f5dc15f8ec39d461 100644 (file)
@@ -158,7 +158,7 @@ struct private_ike_auth_t {
 };
 
 /**
- * check if multiple authentication extension is enabled, configuration-wise
+ * check if multiple authentication extension is disabled in the config
  */
 static bool multiple_auth_enabled()
 {
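Review bot: The rewritten comment on multiple_auth_enabled() now says the function checks whether the extension is disabled, but the function name and the TRUE default passed to get_bool() in the next hunk say it reports whether it is enabled; the new optimized_rekey_enabled() comment in the following hunk has the same inverted wording. Suggest `* check if multiple authentication extension is enabled in the config` here and `* check if optimized rekeying is enabled in the config` there. The body of multiple_auth_enabled() continues outside this hunk.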
@@ -166,6 +166,15 @@ static bool multiple_auth_enabled()
                                                                   "%s.multiple_authentication", TRUE, lib->ns);
 }
 
+/**
+ * check if optimized rekeying is disabled in the config
+ */
+static bool optimized_rekey_enabled()
+{
+       return lib->settings->get_bool(lib->settings,
+                                                                  "%s.optimized_rekeying", TRUE, lib->ns);
+}
+
 /**
  * collect the needed information in the IKE_SA_INIT exchange from our message
  */
@@ -685,6 +694,11 @@ METHOD(task_t, build_i, status_t,
                        message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
                                                                chunk_empty);
                }
+               if (optimized_rekey_enabled())
+               {       /* indicate support for optmized rekeying */
+                       message->add_notify(message, FALSE, OPTIMIZED_REKEY_SUPPORTED,
+                                                               chunk_empty);
+               }
                /* indicate support for EAP-only authentication */
                message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
                                                        chunk_empty);
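Review bot: The comment on the new block misspells the feature, `/* indicate support for optmized rekeying */`; it should read `/* indicate support for optimized rekeying */`, matching the wording used in the build_r hunk. The enclosing conditional this block sits in, and build_i itself, start and end outside the hunk.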
@@ -879,6 +893,11 @@ METHOD(task_t, process_r, status_t,
                {
                        this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
                }
+               if (message->get_notify(message, OPTIMIZED_REKEY_SUPPORTED) &&
+                       optimized_rekey_enabled())
+               {
+                       this->ike_sa->enable_extension(this->ike_sa, EXT_OPTIMIZED_REKEY);
+               }
                if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
                {
                        this->ike_sa->enable_extension(this->ike_sa,
@@ -1257,6 +1276,12 @@ METHOD(task_t, build_r, status_t,
                                                        "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
                                                        lib->ns));
        }
+       else if (this->ike_sa->supports_extension(this->ike_sa, EXT_OPTIMIZED_REKEY))
+       {
+               /* indicate support for optimized rekeying in last IKE_AUTH message */
+               message->add_notify(message, FALSE, OPTIMIZED_REKEY_SUPPORTED,
+                                                       chunk_empty);
+       }
 
        this->ike_sa->set_condition(this->ike_sa, COND_AUTHENTICATED, TRUE);
        return SUCCESS;
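Review bot: The new `else if` branch hangs off an `if` whose condition lies outside the hunk, so the comment alone does not tell a reader of build_r why the notify is sent only on this path; since EXT_OPTIMIZED_REKEY is set in process_r only when the peer announced it and the local option is enabled, suggest making that explicit: `/* confirm support for optimized rekeying in the last IKE_AUTH message; the extension is only set if the peer announced it and it is enabled locally */`. Judging by the half_open_timeout reset in the preceding branch, that branch presumably covers the case where another IKE_AUTH round follows. build_r starts outside the hunk.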
@@ -1413,6 +1438,13 @@ METHOD(task_t, process_i, status_t,
                                        this->ike_sa->enable_extension(this->ike_sa,
                                                                                                   EXT_IKE_MESSAGE_ID_SYNC);
                                        break;
+                               case OPTIMIZED_REKEY_SUPPORTED:
+                                       if (optimized_rekey_enabled())
+                                       {
+                                               this->ike_sa->enable_extension(this->ike_sa,
+                                                                                                          EXT_OPTIMIZED_REKEY);
+                                       }
+                                       break;
                                case PPK_IDENTITY:
                                        ppk_id_received = TRUE;
                                        break;
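Review bot: The optimized_rekey_enabled() check in the new OPTIMIZED_REKEY_SUPPORTED case looks redundant at first glance but is not: build_i only announces the notify when the option is enabled, so this guard is what keeps a peer's unsolicited notify from enabling the extension when it is disabled locally, and it deserves a comment so nobody removes it: `/* only honor the peer's notify if the option is enabled locally */`. The switch and process_i start and end outside the hunk.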