diff options
| author | Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> | 2024-07-10 16:39:01 +0200 |
|---|---|---|
| committer | Pauli <ppzgs1@gmail.com> | 2024-07-31 06:44:51 +0200 |
| commit | b28b3128048a83ba036c9d8a789badac9b1a2804 (patch) | |
| tree | f484e9e8ea3d7d1b5c67f3838831f7aca15abfde /Configurations | |
| parent | Add FIPS indicator to CMAC. (diff) | |
| download | openssl-b28b3128048a83ba036c9d8a789badac9b1a2804.tar.xz openssl-b28b3128048a83ba036c9d8a789badac9b1a2804.zip | |
jitter: add a new provider containing a jitter entropy source alone
This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.
Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and resue of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.
Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
Diffstat (limited to 'Configurations')
| -rw-r--r-- | Configurations/00-base-templates.conf | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Configurations/00-base-templates.conf b/Configurations/00-base-templates.conf index a9ccb0ced8..d55ecea6dc 100644 --- a/Configurations/00-base-templates.conf +++ b/Configurations/00-base-templates.conf @@ -59,6 +59,8 @@ my %targets=( includes => sub { my @incs = (); + push @incs, $withargs{jitter_include} + if !$disabled{jitter} && $withargs{jitter_include}; push @incs, $withargs{brotli_include} if !$disabled{brotli} && $withargs{brotli_include}; push @incs, $withargs{zlib_include} @@ -95,6 +97,7 @@ my %targets=( lflags => sub { my @libs = (); + push(@libs, "-L".$withargs{jitter_lib}) if $withargs{jitter_lib}; push(@libs, "-L".$withargs{zlib_lib}) if $withargs{zlib_lib}; push(@libs, "-L".$withargs{brotli_lib}) if $withargs{brotli_lib}; push(@libs, "-L".$withargs{zstd_lib}) if $withargs{zstd_lib}; @@ -103,6 +106,7 @@ my %targets=( ex_libs => sub { my @libs = (); + push(@libs, "-l:libjitterentropy.a") if !defined($disabled{jitter}); push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"}); if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) { push(@libs, "-lbrotlienc"); |