[strongSwan-dev] Blocking operations during authorization processing

Vit Herman vit at herman.pro
Tue Aug 18 15:19:25 CEST 2015


recently, we've seen an issue in our deployment of strongSwan, where 
charon was seemingly silently dropping incoming initiator requests. 
After some investigation, we've found out that this was caused by the 
fact that we were performing some fairly expensive (time-wise) 
operations in our custom child-updown handler.

We can process the child-updown events asynchronously, however, we were 
planning on using a similar kind of handler for authorization purposes 
too. Since the authorization call has to be synchronous, we need to 
process it in a way that wouldn't block accepting requests from other 

I've looked at the implementation of the event bus in 
src/libcharon/bus/bus.c and if I'm reading it correctly, it gets locked 
for processing of each event. So implementing our authorization code as 
a listener for authorize or ike-updown events (in the fashion that 
xauth-pam or ext-auth plugins do) is not an option?

So the question is: is there a better place to put this kind of call?

Thanks for any hints.

Best regards,
Vit Herman

More information about the Dev mailing list