From: Pauli Date: Thu, 19 Sep 2024 22:59:40 +0000 (+1000) Subject: fips: mention the internal jitter source in the FIPS README X-Git-Tag: openssl-3.5.0-alpha1~1027 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc5fb3c925258eb85c8802ea965ec4a5d389775c;p=thirdparty%2Fopenssl.git fips: mention the internal jitter source in the FIPS README Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/25498) --- diff --git a/README-FIPS.md b/README-FIPS.md index d8ca3c482d5..c15cbad67c6 100644 --- a/README-FIPS.md +++ b/README-FIPS.md @@ -167,6 +167,22 @@ manual page. [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html +Entropy Source +============== + +The FIPS provider typically relies on an external entropy source, +specified during OpenSSL build configuration (default: `os`). However, by +enabling the `enable-fips-jitter` option during configuration, an internal +jitter entropy source will be used instead. Note that this will cause +the FIPS provider to operate in a non-compliant mode unless an entropy +assessment [ESV] and validation through the [CMVP] are additionally conducted. + +Note that the `enable-fips-jitter` option is only available in OpenSSL +versions 3.5 and later. + + [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program + [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations + 3rd-Party Vendor Builds =====================================
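Review bot: The new section says the external entropy source is "specified during OpenSSL build configuration (default: `os`)" but never names the configure option that selects it, so a reader of the README cannot find the setting this paragraph is contrasting `enable-fips-jitter` against; naming it in the same sentence (e.g. "specified with the `--with-rand-seed=` configure option, default `os`") would make the two choices concrete. Two smaller points in the same hunk: the two consecutive paragraphs both open with "Note that", and the first one could simply begin "This will cause the FIPS provider to operate in a non-compliant mode..."; and the added link definitions ` [CMVP]: ...` and ` [ESV]: ...` carry a leading space, while the existing `[fips_module(7)]:` definition just above the hunk starts at column zero, so dropping the indent keeps the reference-link style consistent across the file.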