Add documentation to explain DRBG changes

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26542)
Simo Sorce 2025-02-07 14:20:00 -05:00 committed by Dmitry Belyavskiy
parent d037551ee3
commit 0ba139f4b9
4 changed files with 26 additions and 0 deletions


@ -35,6 +35,14 @@ OpenSSL 3.5
*Matt Caswell*
* The default DRBG implementations have been changed to prefer to fetch
algorithm implementations from the default provider (the provider the
DRBG implementation is built in) regardless of the default properties
set in the configuration file. The code will still fallback to find
an implementation, as done previously, if needed.
*Simo Sorce*
* For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of
`SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection.
Extend the server-side key exchange group selection algorithm and related group list syntax
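Review bot: in the new CHANGES entry, "fallback" is used as a verb ("The code will still fallback to find an implementation"); the verb form is two words, so this should read "The code will still fall back to finding an implementation, as done previously, if needed." It would also help to name the affected algorithms (CTR-DRBG, HASH-DRBG and HMAC-DRBG, the three manual pages this commit updates) instead of "The default DRBG implementations", so a reader of CHANGES.md alone knows which pages describe the new fetch behaviour.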


@ -65,6 +65,12 @@ A context for CTR DRBG can be obtained by calling:
EVP_RAND *rand = EVP_RAND_fetch(NULL, "CTR-DRBG", NULL);
EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
The default CTR-DRBG implementation attempts to fetch the required internal
algorithms from the provider they are built into (eg the default provider)
regardless of the properties provided. Should the provider not implement
the required algorithms then properties will be used to find a different
implementation.
=head1 EXAMPLES
EVP_RAND *rand;
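Review bot: the new paragraph says the internal algorithms are fetched "regardless of the properties provided", while the CHANGES entry describes the same behaviour as ignoring "the default properties set in the configuration file". State which is meant, because a reader of the snippet directly above can take "properties provided" to mean the property query argument passed to EVP_RAND_fetch() (NULL in the example). Two smaller points: write "e.g." rather than "eg", and add the comma in "Should the provider not implement the required algorithms, then the properties will be used to find a different implementation."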


@ -64,6 +64,12 @@ When the FIPS provider is installed using the B<-no_drbg_truncated_digests>
option to fipsinstall, only these digests are permitted (as per
L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>):
The default HASH-DRBG implementation attempts to fetch the required internal
algorithms from the provider they are built into (eg the default provider)
regardless of the properties provided. Should the provider not implement
the required algorithms then properties will be used to find a different
implementation.
=over 4
=item SHA-1
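Review bot: the inserted HASH-DRBG paragraph lands between the sentence ending "only these digests are permitted (as per FIPS 140-3 IG D.R):" and the "=over 4" list that sentence introduces, so the colon now points at the fetch-behaviour text instead of the digest list. Move the new paragraph above "When the FIPS provider is installed using the B<-no_drbg_truncated_digests>" or after the end of the digest list, so the list directly follows its introductory sentence. The same wording fixes apply as on the CTR-DRBG page: "e.g." instead of "eg", and a comma after "Should the provider not implement the required algorithms".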


@ -65,6 +65,12 @@ These parameters work as described in L<provider-rand(7)/PARAMETERS>.
When using the FIPS provider, only these digests are permitted (as per
L<FIPS 140-3 IG D.R|https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>):
The default HMAC-DRBG implementation attempts to fetch the required internal
algorithms from the provider they are built into (eg the default provider)
regardless of the properties provided. Should the provider not implement
the required algorithms then properties will be used to find a different
implementation.
=over 4
=item SHA-1
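Review bot: as on the HASH-DRBG page, the HMAC-DRBG paragraph is inserted between "When using the FIPS provider, only these digests are permitted (as per FIPS 140-3 IG D.R):" and the "=over 4" digest list, separating the introductory sentence from the list it describes. Place the fetch-behaviour paragraph before "These parameters work as described in L<provider-rand(7)/PARAMETERS>." (or after the end of the list) so the digest list again follows its colon directly; "eg" should be "e.g." and "Should the provider not implement the required algorithms then" needs a comma before "then".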