ike: Restart inactivity counter after doing a CHILD_SA rekey

When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.

This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.

1 files changed, 3 insertions, 2 deletions

diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 9ab69b417..197733979 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -73,12 +73,13 @@ METHOD(job_t, execute, job_requeue_t,
 		{
 			if (child_sa->get_reqid(child_sa) == this->reqid)
 			{
-				time_t in, out, diff;
+				time_t in, out, install, diff;
 
 				child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
 				child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
+				install = child_sa->get_installtime(child_sa);
 
-				diff = time_monotonic(NULL) - max(in, out);
+				diff = time_monotonic(NULL) - max(max(in, out), install);
 
 				if (diff >= this->timeout)
 				{