sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-03 00:00:24 -04:00
Code Issues Projects Releases Wiki Activity

vici: Base default soft lifetime on hard lifetime if configured

Browse Source 
Depending on the configured hard lifetime the default soft lifetime
might not make sense and could even cause rekeying to get disabled.
To avoid that, derive the soft lifetime from the hard lifetime so it's
10% higher than the soft lifetime.

References strongswan/strongswan#1414
This commit is contained in:
Tobias Brunner 2022-12-06 17:33:20 +01:00
parent b450865615
commit a2b1e06f07
1 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/libcharon/plugins/vici/vici_config.c
View File

@ -1981,18 +1981,52 @@ CALLBACK(auth_sn, bool,
*/
static void check_lifetimes(lifetime_cfg_t *lft)
{
/* if no soft lifetime specified, set a default or base it on the hard lifetime */
if (lft->time.rekey == LFT_UNDEFINED)
{
if (lft->time.life != LFT_UNDEFINED)
{
lft->time.rekey = lft->time.life / 1.1;
}
else
{
lft->time.rekey = LFT_DEFAULT_CHILD_REKEY_TIME;
}
}
if (lft->bytes.rekey == LFT_UNDEFINED)
{
if (lft->bytes.life != LFT_UNDEFINED)
{
lft->bytes.rekey = lft->bytes.life / 1.1;
}
else
{
lft->bytes.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES;
}
}
if (lft->packets.rekey == LFT_UNDEFINED)
{
if (lft->packets.life != LFT_UNDEFINED)
{
lft->packets.rekey = lft->packets.life / 1.1;
}
else
{
lft->packets.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS;
}
}
/* if no hard lifetime specified, add one at soft lifetime + 10% */
if (lft->time.life == LFT_UNDEFINED)
{
lft->time.life = lft->time.rekey * 110 / 100;
lft->time.life = lft->time.rekey * 1.1;
}
if (lft->bytes.life == LFT_UNDEFINED)
{
lft->bytes.life = lft->bytes.rekey * 110 / 100;
lft->bytes.life = lft->bytes.rekey * 1.1;
}
if (lft->packets.life == LFT_UNDEFINED)
{
lft->packets.life = lft->packets.rekey * 110 / 100;
lft->packets.life = lft->packets.rekey * 1.1;
}
/* if no rand time defined, use difference of hard and soft */
if (lft->time.jitter == LFT_UNDEFINED)
@ -2026,17 +2060,17 @@ CALLBACK(children_sn, bool,
.mode = MODE_TUNNEL,
.lifetime = {
.time = {
.rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
.rekey = LFT_UNDEFINED,
.life = LFT_UNDEFINED,
.jitter = LFT_UNDEFINED,
},
.bytes = {
.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
.rekey = LFT_UNDEFINED,
.life = LFT_UNDEFINED,
.jitter = LFT_UNDEFINED,
},
.packets = {
.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
.rekey = LFT_UNDEFINED,
.life = LFT_UNDEFINED,
.jitter = LFT_UNDEFINED,
},