[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Thu Jan 15 17:59:04 EET 2015
New commits:

commit 0284478af9d18580f342bd10a18f1260aa34a4d1
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 14 23:22:28 2015 -0500

updated changes

commit b891e396468b1c5657ba35c58b40b4a96651c408
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 14 23:21:38 2015 -0500

documentation: regenerated man pages

commit 450b647d647d84c961b83fa6f5735e0039380a9b
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 14 23:10:39 2015 -0500

documentation: updated xml man pages for the new seed option

commit 6cce0301a12390a7211df35d98114cbe8f956918
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 14 23:01:39 2015 -0500

* pluto/rsasigkey: Allow specifying seedbits for NSS RNG

* Added --seedbits <numbits> option to pluto and rsasigkey
* Added seedbits= to ipsec.conf "config setup" section

There is a BSI requirement that we seed at least 440 bits of random
from /dev/random into the NSS via PK11_RandomUpdate() before we
are allowed to pull random from PK11_GenerateRandom() despite the
fact that NSS already deals on its own with initialising its PRNG.

Since this can seriously stall startup on low-entropy machines,
we do not inflict this upon everyone.

rsasigkey already fed 480 bits into NSS, so I turned this into
an option with 480 as default. pluto's default is to not do this.

A big warning was added to the code using /dev/random in plutomain.c
to ensure people don't change this in the future and to ensure the
function to read from /dev/random is never exported to other parts of
the code.
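
The seeding step described in the last commit message, as an added example that is not part of the original post and is not libreswan's code: it rounds a seedbits value up to whole bytes, reads exactly that many from a device while handling short and interrupted reads, and hands the buffer to a sink only when it is complete. The names seed_from_device(), seed_sink_fn and counting_sink() are hypothetical; with NSS the sink would be a thin wrapper around PK11_RandomUpdate(), called before any PK11_GenerateRandom().

```c
/* Added example, not libreswan code: seed_from_device(), seed_sink_fn and
 * counting_sink() are hypothetical names. With NSS, the sink would be a thin
 * wrapper around PK11_RandomUpdate(), which this example does not link. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_SEED_BYTES 1024
typedef int (*seed_sink_fn)(void *data, size_t len);   /* 0 means success */
static size_t sink_total;                      /* bytes the stand-in accepted */
int counting_sink(void *data, size_t len) { (void)data; sink_total += len; return 0; }

/* Read ceil(seedbits / 8) bytes from path and pass them to sink in one call.
 * Returns the number of bytes seeded, or -1 if the full amount was not read. */
long seed_from_device(const char *path, unsigned seedbits, seed_sink_fn sink)
{
    unsigned char buf[MAX_SEED_BYTES];
    size_t want = ((size_t)seedbits + 7) / 8;  /* 440 bits -> 55, 480 -> 60 */
    size_t got = 0;
    long ret = -1;
    if (want == 0 || want > sizeof(buf))
        return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < want) {                       /* /dev/random may return short reads */
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0)
            got += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue;                          /* interrupted while blocked: retry */
        else
            break;                             /* EOF or hard error */
    }
    close(fd);
    if (got == want && sink(buf, got) == 0)    /* never seed with a partial buffer */
        ret = (long)got;
    for (volatile unsigned char *p = buf; p < buf + sizeof(buf); p++)
        *p = 0;                                /* wipe the seed from the stack */
    return ret;
}

int main(void)
{
    long n = seed_from_device("/dev/random", 480, counting_sink);
    printf("seeded %ld bytes\n", n);
    return n < 0;
}
```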