On 7 January 2016 at 10:25, Paul Wouters <[email protected]> wrote:
> On Tue, 5 Jan 2016, Paul Wouters wrote:
>
>> Subject: [Swan-dev] Question on get_cookie() code
>>
>> I'm looking at get_cookie() which is used to generate SPIs for the IKE
>> SA. The function has basically been the same since the old freeswan
>> days:
>>
>> if (initiator) {
>>         get_rnd_bytes(cookie, length);
>> } else {
>
> [...]
>
>> My question is, why is there a different process for generating the
>> initiator and responder SPI? Both just need to be very random.
>
> After talking to Hugh, it became clear and I've added comments to the
> code.
>
> First, using a hash ensures we are not giving out pure random from our
> pool, just to be extra paranoid at not leaking our internal random
> state.
>
> Second, attackers cannot deplete our entropy pool.
Surely, if our FIPS-certified random pool is leaking information we've a
bigger problem. (Any attempt to deplete the entropy pool should, as a
side effect, feed it.)

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
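The two branches discussed in the thread, as an added illustration that is not libreswan's get_cookie() (the responder branch elided above as "[...]" is replaced here with an assumed keyed-hash construction: a once-drawn secret, HMAC-SHA256 over the peer address and a counter, truncated to 8 octets). The CountingPool wrapper is also an assumption, there only to make visible how many pool bytes each style consumes per SPI, which is the "cannot deplete our entropy pool" point in the quoted reply:

```python
"""Initiator-style vs responder-style IKE SPI generation.

Added example; not libreswan code. The responder construction is an
assumed keyed-hash design, chosen so that emitted SPIs expose only hash
output (never raw pool bytes) and so that an unsolicited peer cannot make
the responder draw from the pool again.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

SPI_LEN = 8  # IKE SPIs / ISAKMP cookies are 8 octets


class CountingPool:
    """Stand-in for the system random pool (assumption: real pools are
    opaque; this only counts how many bytes callers draw from it)."""

    def __init__(self) -> None:
        self.bytes_drawn = 0

    def draw(self, n: int) -> bytes:
        self.bytes_drawn += n
        return secrets.token_bytes(n)


def initiator_spi(pool: CountingPool) -> bytes:
    """Initiator branch: each SPI is SPI_LEN fresh bytes straight from the pool."""
    return pool.draw(SPI_LEN)


class ResponderSpiGenerator:
    """Responder branch (assumed structure): draw one secret from the pool at
    start-up, then derive every SPI as HMAC(secret, peer_addr || counter)."""

    def __init__(self, pool: CountingPool, secret: Optional[bytes] = None) -> None:
        # A caller may supply a fixed secret (used for deterministic tests).
        self._secret = pool.draw(32) if secret is None else secret
        self._counter = 0

    def spi(self, peer_addr: str) -> bytes:
        self._counter += 1
        msg = peer_addr.encode("ascii") + struct.pack(">Q", self._counter)
        # Keyed hash: output reveals nothing about the secret, and the
        # counter keeps SPIs for repeat connections from the same peer distinct.
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:SPI_LEN]


def pool_consumption(n_requests: int) -> Tuple[int, int]:
    """Pool bytes drawn when n_requests SPIs are produced each way."""
    init_pool = CountingPool()
    for _ in range(n_requests):
        initiator_spi(init_pool)

    resp_pool = CountingPool()
    gen = ResponderSpiGenerator(resp_pool)
    for i in range(n_requests):
        gen.spi(f"192.0.2.{i % 250 + 1}")  # constructed peer addresses
    return init_pool.bytes_drawn, resp_pool.bytes_drawn


if __name__ == "__main__":
    init_bytes, resp_bytes = pool_consumption(10_000)
    print(f"initiator style: {init_bytes} pool bytes for 10000 SPIs")
    print(f"responder style: {resp_bytes} pool bytes for 10000 SPIs")
```

With the same secret and the same inputs the responder generator reproduces the same SPI, which is exactly why the secret must be unpredictable and why it is refreshed periodically in a real daemon rather than kept for the process lifetime as in this illustration.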
