[strongSwan-dev] PRF+ and wrapping

Jean-Francois HREN jean-francois.hren at stormshield.eu
Thu Oct 17 15:01:20 CEST 2019

Thank you for the reply. 

This behavior was requested of us by ANSSI (the French cybersecurity agency), so it might make some sense, but I'm no expert on the subject.
However, they also told us that wrapping should not happen, so returning FALSE is surely good enough.

Thank you, 

From: "Tobias Brunner" <tobias at strongswan.org>
To: "jean-francois hren" <jean-francois.hren at stormshield.eu>, "dev" <dev at lists.strongswan.org>
Sent: Thursday, 17 October 2019 14:09:29
Subject: Re: [strongSwan-dev] PRF+ and wrapping

Hi Jean-Francois, 

> In 'src/libstrongswan/crypto/prf_plus.c:get_bytes()' if 'this->counter' 
> wraps, the feature is disabled. 

Yes, it just switches to the non-counter mode (IKEv1 variant). 

> The RFC says "The prf+ function is not defined beyond 255 times the
> size of the prf function output." however when wrapping occurs, we can
> set 'this->counter' to 0x01 since the behavior is not defined anyway.
> What do you think?

What exactly would the benefit be of that (compared to the current 

To be honest, I'd actually prefer if get_bytes() just returned FALSE 
once it wrapped. 
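
As an added illustration (not part of this thread and not strongSwan's code): a Python sketch of prf+ as defined in RFC 7296, section 2.13, that refuses to produce output once the one-octet counter would wrap, which is the behaviour preferred in the reply above. HMAC-SHA256 as the PRF and the names `PrfPlus` and `PrfPlusExhausted` are assumptions made for the example.

```python
import hashlib
import hmac


class PrfPlusExhausted(Exception):
    """Raised when output beyond 255 PRF blocks is requested."""


class PrfPlus:
    """prf+(K, S) = T1 | T2 | ... with Tn = prf(K, T(n-1) | S | n).

    The PRF is HMAC-SHA256 here (an assumption for this example).
    """

    MAX_BLOCKS = 255  # the counter is one octet and starts at 0x01

    def __init__(self, key: bytes, seed: bytes):
        self._key = key
        self._seed = seed
        self._counter = 1
        self._prev = b""    # T(n-1); empty before T1
        self._buffer = b""  # unread bytes of the most recent block

    def _next_block(self) -> bytes:
        # Fail closed instead of wrapping: restarting at 0x01 would chain
        # from T255 into output the RFC leaves undefined, and dropping the
        # counter would silently change the construction.
        if self._counter > self.MAX_BLOCKS:
            raise PrfPlusExhausted("prf+ is not defined beyond 255 blocks")
        data = self._prev + self._seed + bytes([self._counter])
        self._prev = hmac.new(self._key, data, hashlib.sha256).digest()
        self._counter += 1
        return self._prev

    def get_bytes(self, length: int) -> bytes:
        """Return the next `length` bytes of the stream, or raise."""
        out = bytearray()
        while len(out) < length:
            if not self._buffer:
                self._buffer = self._next_block()
            take = length - len(out)
            out += self._buffer[:take]
            self._buffer = self._buffer[take:]
        return bytes(out)
```

With a 32-byte PRF output the stream ends after 255 * 32 = 8160 bytes; any further request raises and keeps raising, so a caller cannot receive keying material from an undefined state.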
