sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-12-05 00:01:49 -05:00
Code Issues Projects Releases Wiki Activity

ha: Double receive buffer size for HA messages and make it configurable

Browse Source 
With IKEv1 we transmit both public DH factors (used to derive the initial
IV) besides the shared secret.  So these messages could get significantly
larger than 1024 bytes, depending on the DH group (modp2048 just about
fits into it).  The new default of 2048 bytes should be fine up to modp4096
and for larger groups the buffer size may be increased (an error is
logged should this happen).
This commit is contained in:
Tobias Brunner 2018-02-14 14:51:24 +01:00
parent 26e033cfe3
commit ce048c30ff
2 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
conf/plugins/ha.opt
View File

@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0
Interval in seconds to automatically balance handled segments between nodes. Interval in seconds to automatically balance handled segments between nodes.
Set to 0 to disable. Set to 0 to disable.
charon.plugin.ha.buflen = 2048
Buffer size for received HA messages.
Buffer size for received HA messages. For IKEv1 the public DH factors are
also transmitted so depending on the DH group the HA messages can get quite
big (the default should be fine up to _modp4096_).
charon.plugins.ha.fifo_interface = yes charon.plugins.ha.fifo_interface = yes
charon.plugins.ha.heartbeat_delay = 1000 charon.plugins.ha.heartbeat_delay = 1000

27
src/libcharon/plugins/ha/ha_socket.c
View File

@ -1,6 +1,7 @@
/* /*
* Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil * HSR Hochschule fuer Technik Rapperswil
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the * under the terms of the GNU General Public License as published by the
@ -52,6 +53,11 @@ struct private_ha_socket_t {
* remote host to receive/send to * remote host to receive/send to
*/ */
host_t *remote; host_t *remote;
/**
* Receive buffer size
*/
u_int buflen;
}; };
/** /**
@ -120,13 +126,26 @@ METHOD(ha_socket_t, pull, ha_message_t*,
while (TRUE) while (TRUE)
{ {
ha_message_t *message; ha_message_t *message;
char buf[1024]; char buf[this->buflen];
struct iovec iov = {
.iov_base = buf,
.iov_len = this->buflen,
};
struct msghdr msg = {
.msg_iov = &iov,
.msg_iovlen = 1,
};
bool oldstate; bool oldstate;
ssize_t len; ssize_t len;
oldstate = thread_cancelability(TRUE); oldstate = thread_cancelability(TRUE);
len = recv(this->fd, buf, sizeof(buf), 0); len = recvmsg(this->fd, &msg, 0);
thread_cancelability(oldstate); thread_cancelability(oldstate);
if (msg.msg_flags & MSG_TRUNC)
{
DBG1(DBG_CFG, "HA message exceeds receive buffer");
continue;
}
if (len <= 0) if (len <= 0)
{ {
switch (errno) switch (errno)
@ -208,6 +227,8 @@ ha_socket_t *ha_socket_create(char *local, char *remote)
}, },
.local = host_create_from_dns(local, 0, HA_PORT), .local = host_create_from_dns(local, 0, HA_PORT),
.remote = host_create_from_dns(remote, 0, HA_PORT), .remote = host_create_from_dns(remote, 0, HA_PORT),
.buflen = lib->settings->get_int(lib->settings,
"%s.plugins.ha.buflen", 2048, lib->ns),
.fd = -1, .fd = -1,
); );