mirror of
https://github.com/openssl/openssl.git
synced 2025-02-17 14:32:04 +08:00
Add configuration option to allow the FIPS provider to use the jitter source internally
Enabling this breaks FIPS compliance unless an entropy assessment and a revalidation are undertaken. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25498)
parent
01ec59defd
commit
61f032cc7b
10
Configure
10
Configure
@ -472,6 +472,7 @@ my @disablables = (
|
|||||||
"fips",
|
"fips",
|
||||||
"fips-securitychecks",
|
"fips-securitychecks",
|
||||||
"fips-post",
|
"fips-post",
|
||||||
|
"fips-jitter",
|
||||||
"fuzz-afl",
|
"fuzz-afl",
|
||||||
"fuzz-libfuzzer",
|
"fuzz-libfuzzer",
|
||||||
"gost",
|
"gost",
|
||||||
@ -573,6 +574,7 @@ my %deprecated_disablables = (
|
|||||||
|
|
||||||
our %disabled = ( # "what" => "comment"
|
our %disabled = ( # "what" => "comment"
|
||||||
"fips" => "default",
|
"fips" => "default",
|
||||||
|
"fips-jitter" => "default",
|
||||||
"asan" => "default",
|
"asan" => "default",
|
||||||
"brotli" => "default",
|
"brotli" => "default",
|
||||||
"brotli-dynamic" => "default",
|
"brotli-dynamic" => "default",
|
||||||
@ -689,7 +691,8 @@ my @disable_cascades = (
|
|||||||
|
|
||||||
"cmp" => [ "crmf" ],
|
"cmp" => [ "crmf" ],
|
||||||
|
|
||||||
"fips" => [ "fips-securitychecks", "fips-post", "acvp-tests" ],
|
"fips" => [ "fips-securitychecks", "fips-post", "acvp-tests",
|
||||||
|
"fips-jitter" ],
|
||||||
|
|
||||||
"threads" => [ "thread-pool" ],
|
"threads" => [ "thread-pool" ],
|
||||||
"thread-pool" => [ "default-thread-pool" ],
|
"thread-pool" => [ "default-thread-pool" ],
|
||||||
@ -957,6 +960,11 @@ while (@argvcopy)
|
|||||||
{
|
{
|
||||||
delete $disabled{"zstd"};
|
delete $disabled{"zstd"};
|
||||||
}
|
}
|
||||||
|
elsif ($1 eq "fips-jitter")
|
||||||
|
{
|
||||||
|
delete $disabled{"fips"};
|
||||||
|
delete $disabled{"jitter"};
|
||||||
|
}
|
||||||
my $algo = $1;
|
my $algo = $1;
|
||||||
delete $disabled{$algo};
|
delete $disabled{$algo};
|
||||||
|
|
||||||
|
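Review bot: In the `@disable_cascades` hunk only `"fips"` cascades to `"fips-jitter"`, yet the new `elsif ($1 eq "fips-jitter")` branch also depends on `jitter` being enabled. No visible line turns `fips-jitter` off when `jitter` is disabled, so an explicit `no-jitter` given alongside `enable-fips-jitter` appears able to leave the FIPS provider configured for an entropy source that is not built. If no such entry exists outside these hunks, add `"jitter" => [ "fips-jitter" ],` to `@disable_cascades`. The branch also silently enables two other features and changes the compliance status, which merits a comment such as `# fips-jitter implies fips and jitter; not FIPS compliant without an entropy assessment and revalidation`. The `while (@argvcopy)` loop and both lists start and end outside the hunks shown.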
27
INSTALL.md
27
INSTALL.md
@ -536,7 +536,7 @@ shown below:
|
|||||||
[random]
|
[random]
|
||||||
seed=JITTER
|
seed=JITTER
|
||||||
|
|
||||||
It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
|
It uses a statically linked [jitterentropy-library] as the seed source.
|
||||||
|
|
||||||
Additional configuration flags available:
|
Additional configuration flags available:
|
||||||
|
|
||||||
@ -841,6 +841,19 @@ Don't perform FIPS module Power On Self Tests.
|
|||||||
This option MUST be used for debugging only as it makes the FIPS provider
|
This option MUST be used for debugging only as it makes the FIPS provider
|
||||||
non-compliant. It is useful when setting breakpoints in FIPS algorithms.
|
non-compliant. It is useful when setting breakpoints in FIPS algorithms.
|
||||||
|
|
||||||
|
### enable-fips-jitter
|
||||||
|
|
||||||
|
Use the CPU Jitter library as a FIPS validated entropy source.
|
||||||
|
|
||||||
|
This option will only produce a compliant FIPS provider if you have:
|
||||||
|
|
||||||
|
1. independently performed the required [SP 800-90B] entropy assessments;
|
||||||
|
2. meet the minimum required entropy as specified by [jitterentropy-library];
|
||||||
|
3. obtain an [ESV] certificate for the [jitterentropy-library] and
|
||||||
|
4. have had the resulting FIPS provider certified by the [CMVP].
|
||||||
|
|
||||||
|
Failure to do all of these will produce a non-compliant FIPS provider.
|
||||||
|
|
||||||
### enable-fuzz-libfuzzer, enable-fuzz-afl
|
### enable-fuzz-libfuzzer, enable-fuzz-afl
|
||||||
|
|
||||||
Build with support for fuzzing using either libfuzzer or AFL.
|
Build with support for fuzzing using either libfuzzer or AFL.
|
||||||
@ -2006,3 +2019,15 @@ is used, as it is the version of the GNU assembler that will be checked.
|
|||||||
|
|
||||||
[10-main.conf]:
|
[10-main.conf]:
|
||||||
Configurations/10-main.conf
|
Configurations/10-main.conf
|
||||||
|
|
||||||
|
[CMVP]:
|
||||||
|
<https://csrc.nist.gov/projects/cryptographic-module-validation-program>
|
||||||
|
|
||||||
|
[ESV]:
|
||||||
|
<https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
|
||||||
|
|
||||||
|
[SP 800-90B]:
|
||||||
|
<https://csrc.nist.gov/pubs/sp/800/90/b/final>
|
||||||
|
|
||||||
|
[jitterentropy-library]:
|
||||||
|
<https://github.com/smuellerDD/jitterentropy-library>
|
||||||
|