This avoids having to explicitly sync whether optimized rekeying can be
used for a CHILD_SA, i.e. whether it was created with IKE_AUTH or with a
separate CREATE_CHILD_SA exchange (from scratch or rekeyed). If a key
exchange method was synced, we definitely know the latter is the case.
if (dh_grp)
{
proposal->add_algorithm(proposal, KEY_EXCHANGE_METHOD, dh_grp, 0);
+ /* enable this only for SAs that we definitely know were rekeyed or
+ * created with a CREATE_CHILD_SA exchange */
+ child_sa->set_optimized_rekey(child_sa, TRUE);
}
proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
if (secret.len)
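Review bot: The new comment inside `if (dh_grp)` says when optimized rekeying is enabled but not which case it leaves out: a CHILD_SA created or rekeyed with CREATE_CHILD_SA but without a key exchange method has no `dh_grp` synced, so here it looks the same as one created with IKE_AUTH. Presumably such an SA falls back to a regular rekey after failover, which is the safe direction, but that is worth stating so nobody later enables the flag unconditionally. I would extend the comment with something like `/* SAs synced without a key exchange method stay disabled, as we can't tell them apart from SAs created with IKE_AUTH */`. The enclosing function starts and ends outside the hunk, so whether peer support for optimized rekeying is checked elsewhere is not visible here.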