[openssl/openssl] b28b31: jitter: add a new provider containing a jitter ent...

Dimitri John Ledkov noreply at github.com
Wed Jul 31 04:46:57 UTC 2024


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: b28b3128048a83ba036c9d8a789badac9b1a2804
      https://github.com/openssl/openssl/commit/b28b3128048a83ba036c9d8a789badac9b1a2804
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M .github/workflows/run-checker-daily.yml
    M CHANGES.md
    M Configurations/00-base-templates.conf
    M Configure
    M INSTALL.md
    M crypto/info.c
    M providers/baseprov.c
    M providers/defltprov.c
    M providers/implementations/include/prov/implementations.h
    M providers/implementations/include/prov/names.h
    M providers/implementations/include/prov/seeding.h
    M providers/implementations/rands/build.info
    A providers/implementations/rands/seed_src_jitter.c
    A test/default-and-jitter.cnf
    M util/wrap.pl.in

  Log Message:
  -----------
  jitter: add a new provider containing a jitter entropy source alone

This entropy source can be used instead of SEED-SRC. Sample
openssl.cnf configuration is provided. It is built as a separate
provider, because it is likely to require less frequent updates than
fips provider. The same build likely can span multiple generations of
FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances
to primary, prior to consuming the seed. Thus currently a unique ESV
needs to be obtained, and reuse of jitterentropy.a certificate is not
possible as is. Separately a patch will be sent to allow for
unchaining public/private RAND instances for the purpose of reusing
ESV.

Also I do wonder if it makes sense to create a fips variant of stock
SEED-SRC entropy source, which in addition to using getrandom() also
verifies that the kernel is operating in FIPS mode and thus is likely
a validated entropy source. As in on Linux, check that
/proc/sys/crypto/fips_enabled is set to 1, and similar checks on
Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


  Commit: 8f3ebb7d601e9066b6ac1059fe28d57cb5fd24a7
      https://github.com/openssl/openssl/commit/8f3ebb7d601e9066b6ac1059fe28d57cb5fd24a7
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M doc/build.info
    A doc/man7/EVP_RAND-JITTER.pod
    M doc/man7/OSSL_PROVIDER-base.pod
    M doc/man7/OSSL_PROVIDER-default.pod

  Log Message:
  -----------
  JITTER: add documentation

Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


  Commit: 1e7ff7be23c6fc8a88a698a57107a0e0c6db2435
      https://github.com/openssl/openssl/commit/1e7ff7be23c6fc8a88a698a57107a0e0c6db2435
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M .github/workflows/run-checker-daily.yml
    M Configure
    M INSTALL.md
    M crypto/info.c
    M crypto/rand/rand_lib.c
    M doc/build.info
    M doc/man3/RAND_set_DRBG_type.pod
    M doc/man7/EVP_RAND-JITTER.pod
    M doc/man7/EVP_RAND.pod
    M providers/implementations/rands/seed_src_jitter.c

  Log Message:
  -----------
  JITTER: exercise all tests in CI with JITTER seed source under certain build configuration

Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


  Commit: f8c510cd20a43f7ac7705aca40fd38aacd5febeb
      https://github.com/openssl/openssl/commit/f8c510cd20a43f7ac7705aca40fd38aacd5febeb
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M Configure
    M crypto/info.c
    M doc/man7/EVP_RAND.pod
    M providers/implementations/include/prov/seeding.h
    M providers/implementations/rands/seed_src_jitter.c

  Log Message:
  -----------
  JITTER: implement error handling from jitter library

Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


  Commit: f41b5ffe33bed336827096788b593e87927ae906
      https://github.com/openssl/openssl/commit/f41b5ffe33bed336827096788b593e87927ae906
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M providers/implementations/rands/seed_src_jitter.c

  Log Message:
  -----------
  jitter: retry intermittent failures

Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)


Compare: https://github.com/openssl/openssl/compare/4f5febe2c684...f41b5ffe33be
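
The log message of commit b28b31 above floats the idea of a seed source that uses getrandom() only after checking that /proc/sys/crypto/fips_enabled is set to 1 on Linux. The following C sketch of that gate is an added example, not code from OpenSSL or from the commit author; the function names `fips_flag_from_file` and `fips_gated_seed` are hypothetical, and the flag path is a parameter so the check can be exercised against a constructed file.

```c
/* Added illustration, not OpenSSL code; function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

/* Returns 1 only if the file holds exactly "1" (optionally followed by a
 * newline), 0 for any other content, -1 if the file cannot be opened. */
int fips_flag_from_file(const char *path)
{
    char buf[8] = {0};
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    return (n == 1 && buf[0] == '1') ? 1 : 0;
}

/* Fills out[0..len) from getrandom() only when the flag reads 1.
 * Returns 0 on success, -1 if the flag check or the read fails. */
int fips_gated_seed(const char *flag_path, unsigned char *out, size_t len)
{
    size_t got = 0;

    if (fips_flag_from_file(flag_path) != 1)
        return -1;              /* fail closed: missing or 0 means no seed */
    while (got < len) {
        ssize_t r = getrandom(out + got, len - got, 0);
        if (r < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (r < 0)
            return -1;
        got += (size_t)r;       /* short reads are accumulated */
    }
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    int ok = fips_gated_seed(FIPS_FLAG_PATH, seed, sizeof(seed)) == 0;

    puts(ok ? "seed obtained" : "refused or failed: no seed returned");
    return ok ? 0 : 1;
}
```

The flag only shows that the kernel is operating in FIPS mode; as the log message puts it, that makes a validated entropy source likely rather than certain.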
