authoraapostoliuk <a.apostoliuk@vyos.io>2023-01-17 14:10:34 +0200
committeraapostoliuk <a.apostoliuk@vyos.io>2023-01-17 14:20:32 +0200
commitf80ff8fb6777cc887d7c1a1b99fc38c4e9b35a2e (patch)
tree6297606543bc01f41b740ab6d08eca32480e1f13 /packages/strongswan
parenta7ab213d74e4f12b47e259a8d71723dafee135b6 (diff)
strongSwan: T4551: Added soft lifetime calculation
Depending on the configured hard lifetime, the default soft lifetime might not make sense and could even cause rekeying to get disabled. To avoid that, derive the soft lifetime from the hard lifetime so that the hard lifetime is 10% higher than the soft lifetime. https://github.com/strongswan/strongswan/commit/a2b1e06f07569e8d3f08a37b68a206164b67fbe3
Diffstat (limited to 'packages/strongswan')
-rw-r--r--packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch97
1 files changed, 97 insertions, 0 deletions
diff --git a/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch b/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch
new file mode 100644
index 0000000..dc21a96
--- /dev/null
+++ b/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch
@@ -0,0 +1,97 @@
+From a2b1e06f07569e8d3f08a37b68a206164b67fbe3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 6 Dec 2022 17:33:20 +0100
+Subject: [PATCH] vici: Base default soft lifetime on hard lifetime if
+ configured
+
+Depending on the configured hard lifetime the default soft lifetime
+might not make sense and could even cause rekeying to get disabled.
+To avoid that, derive the soft lifetime from the hard lifetime so it's
+10% higher than the soft lifetime.
+
+References strongswan/strongswan#1414
+---
+ src/libcharon/plugins/vici/vici_config.c | 46 ++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 0c061d4b2d7..a59d799caf6 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -1981,18 +1981,52 @@ CALLBACK(auth_sn, bool,
+ */
+ static void check_lifetimes(lifetime_cfg_t *lft)
+ {
++ /* if no soft lifetime specified, set a default or base it on the hard lifetime */
++ if (lft->time.rekey == LFT_UNDEFINED)
++ {
++ if (lft->time.life != LFT_UNDEFINED)
++ {
++ lft->time.rekey = lft->time.life / 1.1;
++ }
++ else
++ {
++ lft->time.rekey = LFT_DEFAULT_CHILD_REKEY_TIME;
++ }
++ }
++ if (lft->bytes.rekey == LFT_UNDEFINED)
++ {
++ if (lft->bytes.life != LFT_UNDEFINED)
++ {
++ lft->bytes.rekey = lft->bytes.life / 1.1;
++ }
++ else
++ {
++ lft->bytes.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES;
++ }
++ }
++ if (lft->packets.rekey == LFT_UNDEFINED)
++ {
++ if (lft->packets.life != LFT_UNDEFINED)
++ {
++ lft->packets.rekey = lft->packets.life / 1.1;
++ }
++ else
++ {
++ lft->packets.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS;
++ }
++ }
+ /* if no hard lifetime specified, add one at soft lifetime + 10% */
+ if (lft->time.life == LFT_UNDEFINED)
+ {
+- lft->time.life = lft->time.rekey * 110 / 100;
++ lft->time.life = lft->time.rekey * 1.1;
+ }
+ if (lft->bytes.life == LFT_UNDEFINED)
+ {
+- lft->bytes.life = lft->bytes.rekey * 110 / 100;
++ lft->bytes.life = lft->bytes.rekey * 1.1;
+ }
+ if (lft->packets.life == LFT_UNDEFINED)
+ {
+- lft->packets.life = lft->packets.rekey * 110 / 100;
++ lft->packets.life = lft->packets.rekey * 1.1;
+ }
+ /* if no rand time defined, use difference of hard and soft */
+ if (lft->time.jitter == LFT_UNDEFINED)
+@@ -2026,17 +2060,17 @@ CALLBACK(children_sn, bool,
+ .mode = MODE_TUNNEL,
+ .lifetime = {
+ .time = {
+- .rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
++ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .bytes = {
+- .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
++ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .packets = {
+- .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
++ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
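Review bot: The new derivation `lft->time.rekey = lft->time.life / 1.1;` (and its bytes/packets counterparts in the first inner hunk) truncates toward zero, so a hard lifetime of 1 produces a soft lifetime of 0, and because 1.1 is not exactly representable a value like 11 / 1.1 lands just below 10 and truncates to 9 — if a zero soft lifetime still means "never rekey", as the commit message implies, the smallest configurations end up in exactly the disabled-rekeying state this change is meant to avoid. Assuming the lifetime fields are unsigned 64-bit integers as in strongSwan's lifetime_cfg_t, the double round-trip also loses precision above 2^53, and a `rekey * 1.1` result above UINT64_MAX converted back to the field is undefined behaviour where the old `* 110 / 100` merely wrapped. Pure integer arithmetic avoids all of this without overflow: `lft->time.rekey = lft->time.life - lft->time.life / 11;` for the soft value and `lft->time.life = lft->time.rekey + lft->time.rekey / 10;` for the hard one, applied likewise to bytes and packets. Since this file vendors upstream commit a2b1e06f, the correction belongs upstream as well as in this patch. check_lifetimes continues past the end of the first inner hunk, and children_sn's definition starts and ends outside the second.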