[strongSwan-dev] [PATCH 2/2] Fix packet drop due to race condition on responder
christophe.gouault at 6wind.com
Fri Jul 11 14:58:22 CEST 2014
2014-07-11 13:51 GMT+02:00 Martin Willi <martin at strongswan.org>:
>> However, the hash calculation is not reentrant because a single hasher
>> is used for the whole IKE SA manager. It leads to bogus calculations
>> under high load
> I agree, this bug should be addressed. Some hasher implementations, such
> as the default, actually store hash context on the stack, so this is an
> issue for IKEv1 only. Others, such as the one from the openssl plugin,
> does not and can't handle multiple simultaneous users.
>> Don't share a single hasher in the IKE SA manager, create a transient
>> one whenever a message must be hashed.
> Thanks for the patch, looks good. Not sure if it would be better
> performance-wise to use locking instead, but I'm fine with that
>> - return FALSE;
>> + goto end;
> I'm no fan of goto-programming, hence I took the liberty to adjust your
> patch slightly .
Agreed, the manner you used is more elegant.
> Queued for mainline.
More information about the Dev