[Swan-dev] Question on get_cookie() code

Andrew Cagney andrew.cagney at gmail.com
Thu Jan 7 15:34:24 UTC 2016


On 7 January 2016 at 10:25, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 5 Jan 2016, Paul Wouters wrote:
>
>> Subject: [Swan-dev] Question on get_cookie() code
>
>
>> I'm looking at get_cookie() which is used to generate SPIs for the IKE
>> SA. The function has basically been the same since the old freeswan
>> days:
>
>
>>                 if (initiator) {
>>                         get_rnd_bytes(cookie, length);
>>                 } else {
>
>                         [...]
>
>> My question is, why is there a different process for generating the
>> initiator and responder SPI? Both just need to be very random.
>
>
> After talking to Hugh, it became clear and I've added comments to the
> code.
>
> First, using a hash ensures we are not giving out pure random from our
> pool, just to be extra paranoid at not leaking our internal random
> state.
>
> Second, attackers cannot deplete our entropy pool.

Surely, if our FIPS-certified random pool is leaking information we've
a bigger problem.
(Any attempt to deplete the entropy pool should, as a side effect, feed it.)
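To make the two design points in the thread concrete, here is an added example (not libreswan's get_cookie(), and not code posted by either participant) contrasting the two approaches: the initiator hands out raw RNG output, while the responder derives its SPI by hashing a per-process secret together with peer-specific data, so no RNG output reaches the wire and no per-request draw from the pool is needed. The HMAC construction, the `secret`/`peer_addr`/`counter` inputs, and the zero-SPI retry are assumptions chosen for illustration, not a description of what the project actually does.

```python
# Added example: initiator vs. responder SPI (cookie) generation.
# Not libreswan's code; the derivation inputs are illustrative assumptions.
import hashlib
import hmac
import os
import struct

SPI_LEN = 8          # IKE SPIs / cookies are 8 bytes
SECRET_LEN = 32      # one-time draw from the RNG at startup (assumed design)


def initiator_spi(rng=os.urandom):
    """Initiator side, as described in the thread: raw random bytes.

    Whatever the RNG returns goes straight onto the wire, so an observer
    sees RNG output directly.
    """
    while True:
        spi = rng(SPI_LEN)
        if spi != b"\x00" * SPI_LEN:   # all-zero SPI is reserved
            return spi


def make_responder_secret(rng=os.urandom):
    """Draw the responder secret once; later SPIs do not touch the pool."""
    return rng(SECRET_LEN)


def responder_spi(secret, peer_addr, counter):
    """Responder side: hash-derived SPI (assumed construction).

    HMAC-SHA256 over peer address plus a per-peer counter, keyed by the
    secret, truncated to SPI_LEN. Two consequences, matching the thread:
      - the RNG output (the secret) is never exposed, only a hash of it;
      - a flood of IKE_SA_INIT requests costs hashes, not entropy.
    """
    for attempt in range(256):
        msg = (peer_addr.encode("ascii")
               + struct.pack(">QB", counter, attempt))
        spi = hmac.new(secret, msg, hashlib.sha256).digest()[:SPI_LEN]
        if spi != b"\x00" * SPI_LEN:   # all-zero SPI is reserved
            return spi
    raise RuntimeError("could not derive a non-zero SPI")


if __name__ == "__main__":
    secret = make_responder_secret()
    print("initiator SPI:", initiator_spi().hex())
    print("responder SPI:", responder_spi(secret, "192.0.2.1", 1).hex())
```

The responder function is deterministic for a given secret, peer and counter, which is what makes it stateless-friendly and cheap under load; the initiator function is only as unpredictable as the RNG it is handed, which is exactly the property the thread debates.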


More information about the Swan-dev mailing list