child-sa: Add flag to indicate if optimized rekeying can be used
authorTobias Brunner <tobias@strongswan.org>
Thu, 16 Mar 2023 14:51:34 +0000 (15:51 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 22 Mar 2023 10:37:52 +0000 (11:37 +0100)
The optimized rekeying cannot be used for the CHILD_SA that's negotiated
with IKE_AUTH.  Because the key exchange methods are stripped from the
proposals exchanged there, we don't know what key exchange method (if
any) would get selected if the SA was rekeyed regularly or created with
a separate CREATE_CHILD_SA exchange.

src/libcharon/sa/child_sa.c
src/libcharon/sa/child_sa.h

index f70eb014e78aa12b7c49a606925bc3831c38857d..aaaf73b2494e18dbf2a30e98ce4c6b99f230aec5 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2019 Tobias Brunner
+ * Copyright (C) 2006-2023 Tobias Brunner
  * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -221,6 +221,11 @@ struct private_child_sa_t {
         */
        bool encap;
 
+       /**
+        * Whether optimized rekeying is supported for this CHILD_SA
+        */
+       bool optimized_rekey;
+
        /**
         * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
         */
@@ -454,6 +459,18 @@ METHOD(child_sa_t, set_ipcomp, void,
        this->ipcomp = ipcomp;
 }
 
+METHOD(child_sa_t, get_optimized_rekey, bool,
+       private_child_sa_t *this)
+{
+       return this->optimized_rekey;
+}
+
+METHOD(child_sa_t, set_optimized_rekey, void,
+       private_child_sa_t *this, bool enabled)
+{
+       this->optimized_rekey = enabled;
+}
+
 METHOD(child_sa_t, set_close_action, void,
           private_child_sa_t *this, action_t action)
 {
@@ -2041,6 +2058,8 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
                        .has_encap = _has_encap,
                        .get_ipcomp = _get_ipcomp,
                        .set_ipcomp = _set_ipcomp,
+                       .get_optimized_rekey = _get_optimized_rekey,
+                       .set_optimized_rekey = _set_optimized_rekey,
                        .get_close_action = _get_close_action,
                        .set_close_action = _set_close_action,
                        .get_dpd_action = _get_dpd_action,
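Review bot: The `optimized_rekey` field added to private_child_sa_t in the struct hunk of this file has no explicit initializer in the visible part of child_sa_create, so its safe default of FALSE (no optimized rekeying for the SA negotiated in IKE_AUTH) presumably rests on INIT() zero-initializing the object; the allocation is outside these hunks. Because set_optimized_rekey is a plain setter with no check, the field comment is the only place in this file where a reader learns the constraint, so I would extend it to `Whether optimized rekeying (CREATE_CHILD_SA without SA/TS payloads) can be used for this CHILD_SA; defaults to FALSE and must stay FALSE for the SA created during IKE_AUTH`. The vtable entries `.get_optimized_rekey`/`.set_optimized_rekey` themselves look correct.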
index fc35d33eff2db8fb6c2f4ffde10579361db7533a..fbee67024c316c2ec1f38c7c7e128820314d3d20 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2019 Tobias Brunner
+ * Copyright (C) 2006-2023 Tobias Brunner
  * Copyright (C) 2006-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  *
@@ -278,6 +278,30 @@ struct child_sa_t {
         */
        void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
 
+       /**
+        * Whether this CHILD_SA can be rekeyed with an optimized exchange (omitting
+        * SA and TS payloads).
+        *
+        * The primary SA for which this is not possible is the initial SA that's
+        * created during IKE_AUTH as we don't know what key exchange method (if
+        * any) would get negotiated during rekeying.
+        *
+        * @return                      TRUE if optimized rekeying is possible
+        */
+       bool (*get_optimized_rekey)(child_sa_t *this);
+
+       /**
+        * Set whether this CHILD_SA can be rekeyed with an optimized
+        * CREATE_CHILD_SA exchange that omits SA and TS payloads.
+        *
+        * @note This must not be enabled for the initial SA that's negotiated
+        * during IKE_AUTH as we don't know what key exchange method (if any) should
+        * be used (they are stripped in the proposals exchanged during IKE_AUTH).
+        *
+        * @param enabled       TRUE to enable optimized rekeying
+        */
+       void (*set_optimized_rekey)(child_sa_t *this, bool enabled);
+
        /**
         * Get the action to enforce if the remote peer closes the CHILD_SA.
         *
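Review bot: The get_optimized_rekey comment describes the mechanism as "an optimized exchange (omitting SA and TS payloads)" while the set_optimized_rekey comment right below names it "an optimized CREATE_CHILD_SA exchange that omits SA and TS payloads"; naming the exchange in both keeps the two entries consistent, e.g. `Whether this CHILD_SA can be rekeyed with an optimized CREATE_CHILD_SA exchange that omits SA and TS payloads.`. The `@note` on the setter states a constraint that the setter itself cannot verify, so it would help callers to say so: `@note ... The setter does not check this; the code that creates the SA is responsible for enabling it only for CHILD_SAs negotiated in CREATE_CHILD_SA.` A short pointer from the getter's `@return` to that note would let readers of either entry find the rule.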