[Swan-dev] wicked waste of CPU

Paul Wouters paul at nohats.ca
Fri Mar 21 06:22:47 EET 2014

On Thu, 20 Mar 2014, D. Hugh Redelmeier wrote:

> These commands server no useful purpose and waste a fair bit of time.
> reply_buffer is 64k long.  One of these is executed for every output
> packet.
> reply_buffer contains NO secrets: it only ever contains what will go
> out on the wire.
> These should go.

These were added after a FIPS review. I am not saying you are wrong. But
I am not ready to remove them yet either. There could be a bug that for
instance would send some uninitialised space from one endpoint to
another. I know normally this cannot happen. But these calls are extra
security meassures against such a bug.

We could make the 64k smaller. I don't think things ever get even
remotely near to that maximum.


> programs/pluto/ikev2_parent.c:858:	zero(reply_buffer);
> programs/pluto/ikev2_parent.c:1500:	zero(reply_buffer);
> programs/pluto/ikev2_parent.c:1975:		zero(reply_buffer);
> programs/pluto/ikev2_parent.c:2912:			zero(reply_buffer);
> programs/pluto/ikev2_parent.c:3455:		zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:479:	zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:812:	zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:1225:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:165:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:792:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:1053:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:2350:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:2520:	zero(reply_buffer);
> programs/pluto/ikev1_main.c:2743:	zero(reply_buffer);
> programs/pluto/ipsec_doi.c:111:	zero(reply_buffer);
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list