if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
- jitter_provider:
+ jitter:
runs-on: ubuntu-latest
steps:
- name: checkout openssl
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- name: config
- run: ./config enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ && perl configdata.pm --dump
+ run: ./config --with-rand-seed=none enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC='"JITTER"' && perl configdata.pm --dump
- name: make
run: make -s -j4
- name: get cpu info
./util/opensslwrap.sh version -c
- name: make test
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
- - name: test jitter entropy
- run: ./util/wrap.pl -jitter ./apps/openssl rand -hex 8
enable_brotli_dynamic:
runs-on: ubuntu-latest
will not work unless the random generator is seeded manually by the
application.
+Alternative to manually seeding is to compile with JITTER RNG enabled,
+it will be used instead of rand-seed=none. Or specify alternative
+seed= provider in openssl.cnf (for example from a 3rd party entropy
+provider).
+
Please read the 'Note on random number generation' section in the
INSTALL.md instructions and the RAND_DRBG(7) manual page for more
details.
[rng]: #notes-on-random-number-generation
-# jitter
+### jitter
When configured with `enable-jitter`, a "JITTER" RNG is compiled that
-can provided alternative software seed source. It can be configured by
-loadin setting `seed` setting in `openssl.cnf`. An example
-`openssl.cnf` is shown below:
+can provide an alternative software seed source. It can be configured
+by setting `seed` option in `openssl.cnf`. A minimal `openssl.cnf` is
+shown below:
openssl_conf = openssl_init
- # Comment out the next line to ignore configuration errors
- config_diagnostics = 1
-
[openssl_init]
- providers = provider_sect
random = random
- [provider_sect]
- default = default_sect
-
- [default_sect]
- activate = 1
-
[random]
seed=JITTER
-It uses statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
+It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
Additional configuration flags available:
This is the directory containing the static libjitterentropy.a
library, if it is outside the system library path.
-
Setting the FIPS HMAC key
-------------------------
add_seeds_string("os-specific");
#endif
#ifndef OPENSSL_NO_JITTER
- char jent_version_string[32];
- sprintf(jent_version_string, "JITTER (%d)", jent_version());
- add_seeds_string(jent_version_string);
+ {
+ char jent_version_string[32];
+ sprintf(jent_version_string, "JITTER (%d)", jent_version());
+ add_seeds_string(jent_version_string);
+ }
#endif
seed_sources = seeds;
}
#include "rand_local.h"
#include "crypto/context.h"
+#ifndef OPENSSL_DEFAULT_SEED_SRC
+# define OPENSSL_DEFAULT_SEED_SRC "SEED-SRC"
+#endif
+
#ifndef FIPS_MODULE
# include <stdio.h>
# include <time.h>
propq = props;
}
}
- name = "SEED-SRC";
+ name = OPENSSL_DEFAULT_SEED_SRC;
}
rand = EVP_RAND_fetch(libctx, name, propq);
GENERATE[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod
DEPEND[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
GENERATE[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
-DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
DEPEND[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
GENERATE[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
DEPEND[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
GENERATE[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
+DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
DEPEND[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
GENERATE[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
DEPEND[man/man7/EVP_RAND-TEST-RAND.7]=man7/EVP_RAND-TEST-RAND.pod
html/man7/EVP_RAND-CTR-DRBG.html \
html/man7/EVP_RAND-HASH-DRBG.html \
html/man7/EVP_RAND-HMAC-DRBG.html \
-html/man7/EVP_RAND-SEED-SRC.html \
html/man7/EVP_RAND-JITTER.html \
+html/man7/EVP_RAND-SEED-SRC.html \
html/man7/EVP_RAND-TEST-RAND.html \
html/man7/EVP_RAND.html \
html/man7/EVP_SIGNATURE-DSA.html \
man/man7/EVP_RAND-CTR-DRBG.7 \
man/man7/EVP_RAND-HASH-DRBG.7 \
man/man7/EVP_RAND-HMAC-DRBG.7 \
-man/man7/EVP_RAND-SEED-SRC.7 \
man/man7/EVP_RAND-JITTER.7 \
+man/man7/EVP_RAND-SEED-SRC.7 \
man/man7/EVP_RAND-TEST-RAND.7 \
man/man7/EVP_RAND.7 \
man/man7/EVP_SIGNATURE-DSA.7 \
The default DRBG is "CTR-DRBG" using the "AES-256-CTR" cipher.
-The default seed source is "SEED-SRC".
+The default seed source can be configured when OpenSSL is compiled by
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
+"SEED-SRC" is used.
+
+=head1 EXAMPLES
+
+ unsigned char bytes[100];
+ RAND_set_seed_source_type(NULL, "JITTER", NULL);
+ RAND_bytes(bytes, 100);
=head1 SEE ALSO
Support for deterministic random number generator seeding through the
B<EVP_RAND> API.
-The seed source comes from statically linked jitterentropy-library,
-which produces randomness based on tiny CPU "jitter" fluctuations.
+This software seed source produces randomness based on tiny CPU
+"jitter" fluctuations.
+
+It is available when OpenSSL is compiled with B<enable-jitter>
+option. When available it is listed in B<openssl list
+-random-generators> and B<openssl info -seeds>.
=head2 Identity
=head2 Configuring the Random Seed Source
In most cases OpenSSL will automatically choose a suitable seed source
-for automatically seeding and reseeding its <primary> DRBG. In some cases
-however, it will be necessary to explicitly specify a seed source during
-configuration, using the --with-rand-seed option. For more information,
-see the INSTALL instructions. There are also operating systems where no
-seed source is available and automatic reseeding is disabled by default.
+for automatically seeding and reseeding its <primary> DRBG. The
+default seed source can be configured when OpenSSL is compiled by
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
+"SEED-SRC" is used. One can specify third-party provider seed-source,
+or B<-DOPENSSL_DEFAULT_SEED_SRC='\"JITTER\"'> if available.
+
+In some cases however, it will be necessary to explicitly specify a
+seed source used by "SEED-SRC" during configuration, using the
+--with-rand-seed option. For more information, see the INSTALL
+instructions. There are also operating systems where no seed source is
+available and automatic reseeding is disabled by default.
The following two sections describe the reseeding process of the primary
DRBG, depending on whether automatic reseeding is available or not.
/*
* Do not use _safe API variant with built-in retries, until
* failure because it reseeds the entropy source which is not
- * certifyable
+ * certifiable
*/
result = jent_read_entropy(jitter_ec, (char *) buf, len);
projects / thirdparty / openssl.git / commitdiff
