From d08bd9e3d6cda6e7043e58be7a647c0fdd1887ec Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 16 Mar 2023 15:57:53 +0100
Subject: [PATCH] ha: Enable optimized rekeying for CHILD_SAs with synced KE method

This avoids having to explicitly sync if optimized rekeying can be used for a CHILD_SA i.e. whether it was created with IKE_AUTH or with a separate CREATE_CHILD_SA exchange (from scratch or rekeyed). If a key exchange method was synced, we definitely know the latter is the case.
---
 src/libcharon/plugins/ha/ha_dispatcher.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 0f497f8427..ed61110923 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -767,6 +767,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 if (dh_grp)
 {
 proposal->add_algorithm(proposal, KEY_EXCHANGE_METHOD, dh_grp, 0);
+ /* enable this only for SAs that we definitely know were rekeyed or
+ * created with a CREATE_CHILD_SA exchange */
+ child_sa->set_optimized_rekey(child_sa, TRUE);
 }
 proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
 if (secret.len)
-- 
2.47.2
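Review bot: The added comment above `child_sa->set_optimized_rekey(child_sa, TRUE);` states the policy but not the inference that justifies it, so a reader of the code alone cannot tell why `dh_grp` being set is sufficient evidence; the reasoning only lives in the commit message. I would make the comment self-contained, e.g. `/* a synced KE method can only originate from a CREATE_CHILD_SA exchange (initial creation or rekeying), so the SA qualifies for optimized rekeying without syncing a separate flag */`. It is also worth noting in that comment that the decision rests entirely on the synced `dh_grp` value, since the HA dispatcher has no other way to distinguish IKE_AUTH-created SAs here; if a future sync path ever carried a KE method for an IKE_AUTH-created SA, this assumption would silently break. process_child_add starts and ends outside the hunk.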