[strongSwan-dev] [PATCH 2/2] Fix packet drop due to race condition on responder

Christophe Gouault christophe.gouault at 6wind.com
Fri Jul 11 14:58:22 CEST 2014

Hi Martin,

2014-07-11 13:51 GMT+02:00 Martin Willi <martin at strongswan.org>:
> Christophe,
>> However, the hash calculation is not reentrant because a single hasher
>> is used for the whole IKE SA manager. It leads to bogus calculations
>> under high load
> I agree, this bug should be addressed. Some hasher implementations, such
> as the default, actually store hash context on the stack, so this is an
> issue for IKEv1 only. Others, such as the one from the openssl plugin,
> does not and can't handle multiple simultaneous users.
>> Don't share a single hasher in the IKE SA manager, create a transient
>> one whenever a message must be hashed.
> Thanks for the patch, looks good. Not sure if it would be better
> performance-wise to use locking instead, but I'm fine with that
> approach.
>> -                     return FALSE;
>> +                     goto end;
> I'm no fan of goto-programming, hence I took the liberty to adjust your
> patch slightly [1].

Agreed, the manner you used is more elegant.

> Queued for mainline.

Great, thanks.

> Regards
> Martin
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=595389f9

More information about the Dev mailing list