mirror of
https://github.com/openssl/openssl.git
synced 2025-02-17 14:32:04 +08:00
6f20c6804e
For FIPS 140-3 the continuous tests specified in SP 800-90B need to be
included on the output of any entropy source.
They are implemented here as a replacement for the primary DRBG in the FIPS
provider. This results in a setup that looks like this:
+-------------+
| |
| Seed Source |
| |
+------+------+
|
|
v
+-------------+
| |
| CRNG Test |
| |
++----------+-+
| |
| |
v v
+--------------+ +--------------+
| | | |
| Public DRBG | | Private DRBG |
| | | |
+--------------+ +--------------+
An additional benefit, that of avoiding DRBG chains, is also gained.
The current standards do not permit the output of one DRBG to be used
as the input for a second (i.e. a chain).
This also leaves open the future possibility of incorporating a seed
source inside the FIPS boundary.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25415)
|
||
|---|---|---|
| .. | ||
| __DECC_INCLUDE_EPILOGUE.H | ||
| __DECC_INCLUDE_PROLOGUE.H | ||
| blake2.h | ||
| ciphercommon_aead.h | ||
| ciphercommon_ccm.h | ||
| ciphercommon_gcm.h | ||
| ciphercommon.h | ||
| digestcommon.h | ||
| ecx.h | ||
| hmac_drbg.h | ||
| implementations.h | ||
| kdfexchange.h | ||
| macsignature.h | ||
| md5_sha1.h | ||
| names.h | ||
| seeding.h | ||