[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Thu Jan 15 17:59:04 EET 2015


New commits:
commit 0284478af9d18580f342bd10a18f1260aa34a4d1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:22:28 2015 -0500

    updated changes

commit b891e396468b1c5657ba35c58b40b4a96651c408
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:21:38 2015 -0500

    documentation: regenerated man pages

commit 450b647d647d84c961b83fa6f5735e0039380a9b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:10:39 2015 -0500

    documentation: updated xml man pages for the new seed option

commit 6cce0301a12390a7211df35d98114cbe8f956918
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 14 23:01:39 2015 -0500

    * pluto/rsasigkey: Allow specifying seedbits for NSS RNG
    
    * Added --seedbits <numbits> option to pluto and rsasigkey
    * Added seedbits= to ipsec.conf "config setup" section
    
    There is a BSI requirement that we seed at least 440bits of random
    from /dev/random into the NSS via PK11_RandomUpdate() before we
    are allowed to pull random from PK11_GenerateRandom() despite the
    fact that NSS already deals on it own with initialising its PRNG.
    
    Since this can seriously stall startup on low-entropy machines,
    we do not inflict this upon everyone.
    
    rsasigkey already fed 480 bits into NSS, so I turned this into
    an option with 480 as default. pluto's default is to not do this.
    
    A big warning was added to the code using /dev/random in plutomain.c
    to ensure people don't change this in the future and to ensure the
    function to read from /dev/random is never exported to other parts of
    the code.



More information about the Swan-commit mailing list