[strongSwan] PSK_with_ideal_keys, charon_crashes_with_8m_keylife_?

Martin Willi martin at strongswan.org
Wed Mar 23 09:13:45 CET 2011



> How difficult would it be to feed in the "ideal" key material to the DH
> exchange? It would be great if, instead of calculating (DH) the next
> cryptokey for, let's say, each new CHILD_SA, this mechanism selects the
> next key in a serial manner from a given file/db (of the ideal keys)

The default libgmp based DH implementation reads random bytes from a
registered rng_t backend of quality RNG_STRONG [1]. You could replace
that code directly to read from a file.
Alternatively, you could register your own rng_t [1] that does this for
you. As the RNG_STRONG quality is used at some other places, you could
introduce your own quality class and change the DH implementation to use
it.
There are by the way two other DH implementations: The gcrypt crypto
backend uses rng_t, too, but the openssl plugin relies on OpenSSL to
generate the keys.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c#l225
[2] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/crypto/rngs/rng.h#l49
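
Added example, not part of the original message and not strongSwan code: a stand-alone C model of the file-backed byte source discussed above, which hands out pre-provisioned key bytes serially and fails closed when the file runs out instead of wrapping around. The names `keyfile_rng_t`, `keyfile_rng_open`, `keyfile_rng_get_bytes` and `constructed_keyfile` are hypothetical; the code does not implement strongSwan's `rng_t` interface or its registration, and the key file is constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical file-backed byte source; NOT strongSwan's rng_t. */
typedef struct { FILE *f; size_t remaining; } keyfile_rng_t;

/* Attach to an open key file and record how many bytes it holds. */
bool keyfile_rng_open(keyfile_rng_t *r, FILE *f)
{
    long end;
    if (!f || fseek(f, 0, SEEK_END) != 0 || (end = ftell(f)) < 0 ||
        fseek(f, 0, SEEK_SET) != 0)
        return false;
    r->f = f;
    r->remaining = (size_t)end;
    return true;
}

/* Hand out the next len bytes once; on shortage zero buf and fail, never wrap. */
bool keyfile_rng_get_bytes(keyfile_rng_t *r, size_t len, uint8_t *buf)
{
    if (len <= r->remaining && fread(buf, 1, len, r->f) == len) {
        r->remaining -= len;
        return true;
    }
    memset(buf, 0, len);
    return false;
}

/* Constructed sample input: a temporary file holding bytes 0x00..n-1. */
FILE *constructed_keyfile(size_t n)
{
    FILE *f = tmpfile();
    for (size_t i = 0; f && i < n; i++)
        fputc((int)(i & 0xff), f);
    return f;
}

int main(void)
{
    keyfile_rng_t r;
    uint8_t k[4];
    if (!keyfile_rng_open(&r, constructed_keyfile(8)))
        return 1;
    while (keyfile_rng_get_bytes(&r, sizeof(k), k))
        printf("%02x%02x%02x%02x, %zu left\n", k[0], k[1], k[2], k[3], r.remaining);
    return 0;
}
```

A caller has to treat a `false` return as fatal for the key exchange. A deployed version would also need to persist the read offset across daemon restarts so that no key bytes are handed out twice.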





