> How difficult would be to feed in the "ideal" key material to the DH > exchange? It would be great if instead of calculating (DH) the next > cryptokey for let say each new CHILD_SA, this mechanism selects the > next key in a serial manner from a given file/db (of the ideal keys)
The default libgmp based DH implementation reads random bytes from a registered rng_t backend of quality RNG_STRONG [1]. You could replace that code directly to read from a file. Alternatively, you could register your own rng_t [1] that does this for you. As the RNG_STRONG quality is used at some other places, you could introduce your own quality class and change the DH implementation to use it. There are by the way two other DH implementations: The gcrypt crypto backend uses rng_t, too, but the openssl plugin relies on OpenSSL to generate the keys. Regards Martin [1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c#l225 [2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/crypto/rngs/rng.h#l49 _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
