Mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-18 17:11:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

jitter: add a new provider containing a jitter entropy source alone

Browse Source 
This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and resue of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.

Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
This commit is contained in:
Dimitri John Ledkov
2024-07-10 15:39:01 +01:00
committed by Pauli
parent 4f5febe2c6
commit b28b312804
15 changed files with 458 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Configurations/00-base-templates.conf
View File

@@ -59,6 +59,8 @@ my %targets=(
includes =>
sub {
my @incs = ();
push @incs, $withargs{jitter_include}
if !$disabled{jitter} && $withargs{jitter_include};
push @incs, $withargs{brotli_include}
if !$disabled{brotli} && $withargs{brotli_include};
push @incs, $withargs{zlib_include}
@@ -95,6 +97,7 @@ my %targets=(
lflags =>
sub {
my @libs = ();
push(@libs, "-L".$withargs{jitter_lib}) if $withargs{jitter_lib};
push(@libs, "-L".$withargs{zlib_lib}) if $withargs{zlib_lib};
push(@libs, "-L".$withargs{brotli_lib}) if $withargs{brotli_lib};
push(@libs, "-L".$withargs{zstd_lib}) if $withargs{zstd_lib};
@@ -103,6 +106,7 @@ my %targets=(
ex_libs =>
sub {
my @libs = ();
push(@libs, "-l:libjitterentropy.a") if !defined($disabled{jitter});
push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
push(@libs, "-lbrotlienc");