From b28b3128048a83ba036c9d8a789badac9b1a2804 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Wed, 10 Jul 2024 15:39:01 +0100 Subject: jitter: add a new provider containing a jitter entropy source alone This entropy source can be used instead of SEED-SRC. Sample openssl.cnf configuration is provided. It is built as a separate provider, because it is likely to require less frequent updates than fips provider. The same build likely can span multiple generations of FIPS 140 standard revisions. Note that rand-instances currently chain from public/private instances to primary, prior to consuming the seed. Thus currently a unique ESV needs to be obtained, and resue of jitterentropy.a certificate is not possible as is. Separately a patch will be sent to allow for unchaining public/private RAND instances for the purpose of reusing ESV. Also I do wonder if it makes sense to create a fips variant of stock SEED-SRC entropy source, which in addition to using getrandom() also verifies that the kernel is operating in FIPS mode and thus is likely a validated entropy source. As in on Linux, check that /proc/sys/crypto/fips_enabled is set to 1, and similar checks on Windows / MacOS and so on. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/24844) --- CHANGES.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGES.md') diff --git a/CHANGES.md b/CHANGES.md index 594efc44de..13c28816ac 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -167,6 +167,11 @@ OpenSSL 3.3 ### Changes between 3.2 and 3.3.0 [9 Apr 2024] + * Add a new random seed source RNG `JITTER` using a statically linked + jitterentropy library. + + *Dimitri John Ledkov* + * The `-verify` option to the `openssl crl` and `openssl req` will make the program exit with 1 on failure. -- cgit v1.2.3