During shutdown, waiting for callbacks might never complete, as queued
callbacks might not get executed under certain conditions. Not the clean fix,
but works good enough for now.
Seen on Windows in vici tests.
While we don't add FDs with an active callback to the watched FDSET, we still
can get notifications for callbacks active due the asynchronous processing
of the same.
To avoid queue multiple callbacks, we check for queued callbacks before
activating new ones.
Using the same mechanism as the METHOD macro, the CALLBACK macro defines
a hybrid function signature. It strictly uses a weak void* for the first
function parameter, in contrast to the dynamic METHOD object "this" type.
This solves a problem with GNAT when compiling charon-tkm as __atomic*
built-ins are only provided in GCC 4.7 and newer.
Currently GNAT 4.6 and GCC 4.7.2 is shipped with Debian wheezy (stable),
as used in the testing environment. So while the configure script correctly
detected the __atomic* built-ins, and defined HAVE_GCC_ATOMIC_OPERATIONS,
this define turned out to be incorrect when charon-tkm was later built
with GNAT.
aikgen outputs a binary AIK private key blob and the AIK public key.
Optionally the Identity Request encrypted with the public key of
the Privacy CA can be output.
tests.load and tests.plugindir to allow the specification of the plugins
to be loaded and the directory to load them from.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can
be asked to load a configuration file, thus enabling the tester to make use of
the usual configuration settings.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this
newer command to set the address and netmask. A destination address
is now also required.
Fixes#566.
Adds support for GCC's __atomic* built-ins and improves the performance
of logging (for ignored log levels) and half-open IKE_SA checking under
high loads.
Also fixes two potential race conditions in the load-tester plugin.
For some rwlock_t implementations acquiring the read lock could be quite
expensive even if there are no writers (e.g. because the implementation
requires acquiring a mutex to check for writers) particularly if the
lock is highly contended, like it is for the vlog() method.
Due to an unprotected incrementation, two load-tester initiators occasionally
use the same SPI under high load, and hence generate 2 IPsec SAs with the same
identifier. The responder IPsec stack will refuse to configure the second SA.
Use an atomic incrementation to avoid this race condition.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Due to an unprotected incrementation, two load-tester initiators occasionally
use the same identifier under high load. The responder typically drops one of
the connections.
Use an atomic incrementation to avoid this race condition.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
This patch is based on one by Christoph Gouault.
Currently, to count the total number of half_open IKE_SAs,
get_half_open_count sums up the count of each segment in the SA hash
table (acquiring a lock for each segment). This procedure does not scale
well when the number of segments increases, as the method is called for
each new negotiation.
Instead, lets maintain a global atomic counter.
This optimization allows the use of big values for charon.ikesa_table_size
and charon.ikesa_table_segments.
These are available since GCC 4.7 and will eventually replace the __sync
operations. They support the memory model defined by C++11. For instance,
by using __ATOMIC_RELAXED for some operations on the reference counters we
can avoid memory barriers, which are required by __sync operations (whose
memory model essentially is __ATOMIC_SEQ_CST).
On many architectures it is safe to read the value directly (those
using cache coherency protocols, and with atomic loads for 32-bit
values) but it is not if that's not the case or if we ever decide to
make refcount_t 64-bit (load not atomic on x86).
So make sure the operation is actually atomic and that users do not
have to care about the size of refcount_t.
- get_cpi function was implemented to retrieve a CPI from the kernel.
- add_sa/update_sa/del_sa were updated to accommodate for IPComp SA.
- Updated add_policy_internal to update the SPD to support IPComp.