[strongSwan-dev] [PATCH 2/2] Fix packet drop due to race condition on responder

Martin Willi martin at strongswan.org
Fri Jul 11 13:51:20 CEST 2014


> However, the hash calculation is not reentrant because a single hasher
> is used for the whole IKE SA manager. It leads to bogus calculations
> under high load

I agree, this bug should be addressed. Some hasher implementations, such
as the default, actually store hash context on the stack, so this is an
issue for IKEv1 only. Others, such as the one from the openssl plugin,
do not and can't handle multiple simultaneous users.

> Don't share a single hasher in the IKE SA manager, create a transient
> one whenever a message must be hashed.

Thanks for the patch, looks good. Not sure if it would be better
performance-wise to use locking instead, but I'm fine with that.

> -			return FALSE;
> +			goto end;
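
Review bot: where return FALSE becomes goto end, the failure result is no longer stated at this exit, so whatever is returned at the end label must already be FALSE on this path. Initialising the result variable to FALSE at its declaration and setting it to TRUE only on the success path makes that explicit. If the end label is where the transient hasher is released, every other exit taken after the hasher is created needs to pass through it as well.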

I'm no fan of goto-programming, hence I took the liberty to adjust your
patch slightly [1]. Queued for mainline.
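
The reentrancy problem discussed in this thread, replayed deterministically as an added example (not strongSwan code and not part of the original message). toy_hasher_t and its FNV-1a stand-in are hypothetical names, used only to show what an interleaved shared hash context produces compared with a transient hasher per message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stateful hasher (FNV-1a stand-in, not a strongSwan type):
 * state accumulates across calls until finalized, like a hash context
 * kept inside a shared object rather than on the caller's stack. */
typedef struct { uint32_t state; } toy_hasher_t;

static void toy_init(toy_hasher_t *h) { h->state = 2166136261u; }

static void toy_update(toy_hasher_t *h, const char *data, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		h->state = (h->state ^ (uint8_t)data[i]) * 16777619u;
	}
}

/* Returns the digest and resets the context for the next user. */
static uint32_t toy_final(toy_hasher_t *h)
{
	uint32_t out = h->state;
	toy_init(h);
	return out;
}

/* Transient pattern: one hasher per message, nothing shared. */
uint32_t hash_transient(const char *msg)
{
	toy_hasher_t h;
	toy_init(&h);
	toy_update(&h, msg, strlen(msg));
	return toy_final(&h);
}

/* Replays the interleaving two threads can produce on one shared hasher:
 * A feeds its first half, B hashes its whole message, then A feeds its
 * second half. Returns A's digest; *b_out receives B's. Both are bogus. */
uint32_t hash_shared_interleaved(const char *a, const char *b, uint32_t *b_out)
{
	toy_hasher_t shared;
	size_t half = strlen(a) / 2;
	toy_init(&shared);
	toy_update(&shared, a, half);                    /* thread A, part 1 */
	toy_update(&shared, b, strlen(b));               /* thread B cuts in */
	*b_out = toy_final(&shared);                     /* B's digest includes A's bytes */
	toy_update(&shared, a + half, strlen(a) - half); /* thread A, part 2 */
	return toy_final(&shared);                       /* A's digest covers its tail only */
}
```

With constructed inputs such as "init-message-A" and "init-message-B", neither digest from the shared context matches the one a transient hasher computes for the same message, which is the bogus calculation described in the quoted report.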


