2
0
mirror of https://github.com/openssl/openssl.git synced 2025-02-17 14:32:04 +08:00

Add configuration option to allow the FIPS provider to use the jitter source internally

Enabling this breaks FIPS compliance unless an entropy assessment and a revalidation
are undertaken.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25498)
This commit is contained in:
Pauli 2024-09-20 08:58:12 +10:00
parent 01ec59defd
commit 61f032cc7b
2 changed files with 35 additions and 2 deletions

View File

@ -472,6 +472,7 @@ my @disablables = (
"fips", "fips",
"fips-securitychecks", "fips-securitychecks",
"fips-post", "fips-post",
"fips-jitter",
"fuzz-afl", "fuzz-afl",
"fuzz-libfuzzer", "fuzz-libfuzzer",
"gost", "gost",
@ -573,6 +574,7 @@ my %deprecated_disablables = (
our %disabled = ( # "what" => "comment" our %disabled = ( # "what" => "comment"
"fips" => "default", "fips" => "default",
"fips-jitter" => "default",
"asan" => "default", "asan" => "default",
"brotli" => "default", "brotli" => "default",
"brotli-dynamic" => "default", "brotli-dynamic" => "default",
@ -689,7 +691,8 @@ my @disable_cascades = (
"cmp" => [ "crmf" ], "cmp" => [ "crmf" ],
"fips" => [ "fips-securitychecks", "fips-post", "acvp-tests" ], "fips" => [ "fips-securitychecks", "fips-post", "acvp-tests",
"fips-jitter" ],
"threads" => [ "thread-pool" ], "threads" => [ "thread-pool" ],
"thread-pool" => [ "default-thread-pool" ], "thread-pool" => [ "default-thread-pool" ],
@ -957,6 +960,11 @@ while (@argvcopy)
{ {
delete $disabled{"zstd"}; delete $disabled{"zstd"};
} }
elsif ($1 eq "fips-jitter")
{
delete $disabled{"fips"};
delete $disabled{"jitter"};
}
my $algo = $1; my $algo = $1;
delete $disabled{$algo}; delete $disabled{$algo};

View File

@ -536,7 +536,7 @@ shown below:
[random] [random]
seed=JITTER seed=JITTER
It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source. It uses a statically linked [jitterentropy-library] as the seed source.
Additional configuration flags available: Additional configuration flags available:
@ -841,6 +841,19 @@ Don't perform FIPS module Power On Self Tests.
This option MUST be used for debugging only as it makes the FIPS provider This option MUST be used for debugging only as it makes the FIPS provider
non-compliant. It is useful when setting breakpoints in FIPS algorithms. non-compliant. It is useful when setting breakpoints in FIPS algorithms.
### enable-fips-jitter
Use the CPU Jitter library as a FIPS validated entropy source.
This option will only produce a compliant FIPS provider if you have:
1. independently performed the required [SP 800-90B] entropy assessments;
2. meet the minimum required entropy as specified by [jitterentropy-library];
3. obtain an [ESV] certificate for the [jitterentropy-library] and
4. have had the resulting FIPS provider certified by the [CMVP].
Failure to do all of these will produce a non-compliant FIPS provider.
### enable-fuzz-libfuzzer, enable-fuzz-afl ### enable-fuzz-libfuzzer, enable-fuzz-afl
Build with support for fuzzing using either libfuzzer or AFL. Build with support for fuzzing using either libfuzzer or AFL.
@ -2006,3 +2019,15 @@ is used, as it is the version of the GNU assembler that will be checked.
[10-main.conf]: [10-main.conf]:
Configurations/10-main.conf Configurations/10-main.conf
[CMVP]:
<https://csrc.nist.gov/projects/cryptographic-module-validation-program>
[ESV]:
<https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
[SP 800-90B]:
<https://csrc.nist.gov/pubs/sp/800/90/b/final>
[jitterentropy-library]:
<https://github.com/smuellerDD/jitterentropy-library>