[Swan-dev] wicked waste of CPU
Paul Wouters
paul at nohats.ca
Fri Mar 21 06:22:47 EET 2014
On Thu, 20 Mar 2014, D. Hugh Redelmeier wrote:
> These commands serve no useful purpose and waste a fair bit of time.
> reply_buffer is 64k long. One of these is executed for every output
> packet.
>
> reply_buffer contains NO secrets: it only ever contains what will go
> out on the wire.
>
> These should go.
These were added after a FIPS review. I am not saying you are wrong. But
I am not ready to remove them yet either. There could be a bug that for
instance would send some uninitialised space from one endpoint to
another. I know normally this cannot happen. But these calls are extra
security measures against such a bug.
We could make the 64k smaller. I don't think things ever get even
remotely near to that maximum.
Paul
> programs/pluto/ikev2_parent.c:858: zero(reply_buffer);
> programs/pluto/ikev2_parent.c:1500: zero(reply_buffer);
> programs/pluto/ikev2_parent.c:1975: zero(reply_buffer);
> programs/pluto/ikev2_parent.c:2912: zero(reply_buffer);
> programs/pluto/ikev2_parent.c:3455: zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:479: zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:812: zero(reply_buffer);
> programs/pluto/ikev1_aggr.c:1225: zero(reply_buffer);
> programs/pluto/ikev1_main.c:165: zero(reply_buffer);
> programs/pluto/ikev1_main.c:792: zero(reply_buffer);
> programs/pluto/ikev1_main.c:1053: zero(reply_buffer);
> programs/pluto/ikev1_main.c:2350: zero(reply_buffer);
> programs/pluto/ikev1_main.c:2520: zero(reply_buffer);
> programs/pluto/ikev1_main.c:2743: zero(reply_buffer);
> programs/pluto/ipsec_doi.c:111: zero(reply_buffer);
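The trade-off argued in this thread, as an added C sketch that is not libreswan code and not from either poster: a reused output buffer, a constructed bug that sends a short packet with a too-long length, and the exposure and cost under no clearing, a full 64k clear, and a clear of only the dirtied bytes. The names `reply_buf`, `high_water`, `cleared`, `clear_full`, `clear_used`, `build_packet` and `run_scenario` are hypothetical, and the payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF_SIZE (64 * 1024)   /* the 64k quoted in the thread */
/* Hypothetical stand-in for one output buffer reused for every packet. */
static uint8_t reply_buf[REPLY_BUF_SIZE];
static size_t high_water;            /* most bytes written since the last clear */
static size_t cleared;               /* bytes touched by the last clear */

/* Policy A: wipe the whole buffer before each packet. */
static void clear_full(void) {
    memset(reply_buf, 0, sizeof reply_buf);
    cleared = sizeof reply_buf; high_water = 0;
}
/* Policy B: wipe only the bytes earlier packets dirtied. */
static void clear_used(void) {
    memset(reply_buf, 0, high_water);
    cleared = high_water; high_water = 0;
}

static void build_packet(const char *payload, size_t len) {
    memcpy(reply_buf, payload, len);
    if (len > high_water) high_water = len;
}

/* A long packet, then a short one whose send length is wrong (too long).
 * Returns how many stale non-zero bytes that bug would put on the wire. */
static size_t run_scenario(void (*clear_between)(void)) {
    static const char long_pkt[] = "CONSTRUCTED-LONG-PAYLOAD-0123456789-ABCDEFGHIJ";
    static const char short_pkt[] = "SHORT";
    size_t real_len = sizeof short_pkt - 1, buggy_len = sizeof long_pkt - 1, n = 0;
    memset(reply_buf, 0, sizeof reply_buf);
    high_water = cleared = 0;
    build_packet(long_pkt, sizeof long_pkt - 1);
    if (clear_between != NULL) clear_between();
    build_packet(short_pkt, real_len);
    for (size_t i = real_len; i < buggy_len; i++)
        if (reply_buf[i] != 0) n++;
    return n;
}

int main(void) {
    size_t none = run_scenario(NULL);
    size_t full = run_scenario(clear_full), full_cost = cleared;
    size_t used = run_scenario(clear_used), used_cost = cleared;
    printf("stale: none=%zu full=%zu used=%zu; cleared: full=%zu used=%zu\n", none, full, used, full_cost, used_cost);
    return 0;
}
```

The partial clear gives the same protection here only because every write goes through `build_packet`; a write that bypasses the high-water tracking would leave bytes that only the full clear removes.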