From: Tobias Brunner
Date: Thu, 16 Mar 2023 14:51:34 +0000 (+0100)
Subject: child-sa: Add flag to indicate if optimized rekeying can be used
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd5c72d1fc0517aa2ded8120855b8670cf534c98;p=thirdparty%2Fstrongswan.git

child-sa: Add flag to indicate if optimized rekeying can be used

The optimized rekeying can not be used for the CHILD_SA that's negotiated with IKE_AUTH. Because the key exchange methods are stripped from the proposals exchanged there, we don't know what key exchange method (if any) would get selected if the SA was rekeyed regularly or created with a separate CREATE_CHILD_SA exchange.
---
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index f70eb014e7..aaaf73b249 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2019 Tobias Brunner
+ * Copyright (C) 2006-2023 Tobias Brunner
  * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -221,6 +221,11 @@ struct private_child_sa_t {
 	 */
 	bool encap;
 
+	/**
+	 * Whether optimized rekeying is supported for this CHILD_SA
+	 */
+	bool optimized_rekey;
+ /** + * Specifies the IPComp transform used (IPCOMP_NONE if disabled) */
@@ -454,6 +459,18 @@ METHOD(child_sa_t, set_ipcomp, void,
 	this->ipcomp = ipcomp;
 }
 
+METHOD(child_sa_t, get_optimized_rekey, bool,
+	private_child_sa_t *this)
+{
+	return this->optimized_rekey;
+}
+
+METHOD(child_sa_t, set_optimized_rekey, void,
+	private_child_sa_t *this, bool enabled)
+{
+	this->optimized_rekey = enabled;
+}
+
 METHOD(child_sa_t, set_close_action, void,
 	private_child_sa_t *this, action_t action)
 {
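Review bot: set_optimized_rekey stores whatever value the caller passes, so the restriction the header attaches to this flag (never enabled for the CHILD_SA negotiated in IKE_AUTH) is enforced by callers alone, and the new optimized_rekey member receives no explicit initialization anywhere in this diff. If child_sa_create's INIT() zero-fills unspecified members the flag starts as FALSE, which is the safe direction, but that is not visible here and a reader of the setter cannot tell. A one-line comment above the assignment would make the contract explicit: `/* not validated here: the IKE_AUTH CHILD_SA must never be enabled, see child_sa.h */`. Both METHOD bodies are complete within the hunk.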
@@ -2041,6 +2058,8 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 			.has_encap = _has_encap,
 			.get_ipcomp = _get_ipcomp,
 			.set_ipcomp = _set_ipcomp,
+			.get_optimized_rekey = _get_optimized_rekey,
+			.set_optimized_rekey = _set_optimized_rekey,
 			.get_close_action = _get_close_action,
 			.set_close_action = _set_close_action,
 			.get_dpd_action = _get_dpd_action,
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index fc35d33eff..fbee67024c 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2019 Tobias Brunner
+ * Copyright (C) 2006-2023 Tobias Brunner
  * Copyright (C) 2006-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  *
@@ -278,6 +278,30 @@ struct child_sa_t {
 	 */
 	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
 
+	/**
+	 * Whether this CHILD_SA can be rekeyed with an optimized exchange (omitting
+	 * SA and TS payloads).
+	 *
+	 * The primary SA for which this is not possible is the initial SA that's
+	 * created during IKE_AUTH as we don't know what key exchange method (if
+	 * any) would get negotiated during rekeying.
+	 *
+	 * @return TRUE if optimized rekeying is possible
+	 */
+	bool (*get_optimized_rekey)(child_sa_t *this);
+
+	/**
+	 * Set whether this CHILD_SA can be rekeyed with an optimized
+	 * CREATE_CHILD_SA exchange that omits SA and TS payloads.
+	 *
+	 * @note This must not be enabled for the initial SA that's negotiated
+	 * during IKE_AUTH as we don't know what key exchange method (if any) should
+	 * be used (they are stripped in the proposals exchanged during IKE_AUTH).
+	 *
+	 * @param enabled TRUE to enable optimized rekeying
+	 */
+	void (*set_optimized_rekey)(child_sa_t *this, bool enabled);
+ /** + * Get the action to enforce if the remote peer closes the CHILD_SA. *
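Review bot: The getter and setter docblocks added to child_sa.h each restate the IKE_AUTH rationale in slightly different words ("would get negotiated during rekeying" versus "should be used (they are stripped in the proposals ...)"), and neither says what a freshly created CHILD_SA reports, which is what a caller deciding between the two CREATE_CHILD_SA forms needs to know. Keeping the reasoning in one place avoids the two explanations drifting apart; the getter's second paragraph could become `@note See set_optimized_rekey() for why this is never TRUE for the CHILD_SA negotiated in IKE_AUTH.` and the setter's @note keep the full explanation. The initial value should be documented on the setter once confirmed; this diff does not show where the member is initialized. The struct child_sa_t definition continues outside the hunk.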