mirror of
https://github.com/openssl/openssl.git
synced 2025-03-01 19:28:10 +08:00
b28b312804
This entropy source can be used instead of SEED-SRC. Sample openssl.cnf configuration is provided. It is built as a separate provider, because it is likely to require less frequent updates than fips provider. The same build likely can span multiple generations of FIPS 140 standard revisions. Note that rand-instances currently chain from public/private instances to primary, prior to consuming the seed. Thus currently a unique ESV needs to be obtained, and resue of jitterentropy.a certificate is not possible as is. Separately a patch will be sent to allow for unchaining public/private RAND instances for the purpose of reusing ESV. Also I do wonder if it makes sense to create a fips variant of stock SEED-SRC entropy source, which in addition to using getrandom() also verifies that the kernel is operating in FIPS mode and thus is likely a validated entropy source. As in on Linux, check that /proc/sys/crypto/fips_enabled is set to 1, and similar checks on Windows / MacOS and so on. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24844) |
||
|---|---|---|
| .. | ||
| perl | ||
| platform_symbols | ||
| add-depends.pl | ||
| build.info | ||
| c-compress-test.pl | ||
| cavs-to-evptest.pl | ||
| check-format-commit.sh | ||
| check-format-test-negatives.c | ||
| check-format-test-positives.c | ||
| check-format.pl | ||
| check-malloc-errs | ||
| checkplatformsyms.pl | ||
| ck_errf.pl | ||
| copy.pl | ||
| ctags.sh | ||
| dofile.pl | ||
| echo.pl | ||
| engines.num | ||
| err-to-raise | ||
| find-doc-nits | ||
| find-unused-errs | ||
| fips-checksums.sh | ||
| fix-deprecation | ||
| fix-includes | ||
| fix-includes.sed | ||
| help.pl | ||
| indent.pro | ||
| lang-compress.pl | ||
| libcrypto.num | ||
| libssl.num | ||
| markdownlint.rb | ||
| merge-err-lines | ||
| missingcrypto111.txt | ||
| missingcrypto-internal.txt | ||
| missingcrypto.txt | ||
| missingmacro111.txt | ||
| missingmacro.txt | ||
| missingssl111.txt | ||
| missingssl-internal.txt | ||
| missingssl.txt | ||
| mk-fipsmodule-cnf.pl | ||
| mkbuildinf.pl | ||
| mkdef.pl | ||
| mkdir-p.pl | ||
| mkerr.pl | ||
| mkinstallvars.pl | ||
| mknum.pl | ||
| mkpod2html.pl | ||
| mkrc.pl | ||
| mktar.sh | ||
| opensslwrap.sh | ||
| other-internal.syms | ||
| other.syms | ||
| providers.num | ||
| quicserver.c | ||
| shlib_wrap.sh.in | ||
| su-filter.pl | ||
| update_abi_check.sh | ||
| withlibctx.pl | ||
| wrap.pl.in | ||
| write-man-symlinks | ||