From: Pauli Date: Thu, 19 Sep 2024 23:00:02 +0000 (+1000) Subject: add news and changes entries for the internal jitter source in FIPS X-Git-Tag: openssl-3.5.0-alpha1~1026 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed524da19a0b20d606c559d30580b99e56d66f6f;p=thirdparty%2Fopenssl.git add news and changes entries for the internal jitter source in FIPS Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/25498) --- diff --git a/CHANGES.md b/CHANGES.md index cc6baa6934c..b240095c2c3 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,7 +30,13 @@ OpenSSL 3.4 ### Changes between 3.4 and 3.5 [xx XXX xxxx] - * none yet + * Optionally allow the FIPS provider to use the `JITTER` entropy source. + Note that using this option will require the resulting FIPS provider + to undergo entropy source validation [ESV] by the [CMVP], without this + the FIPS provider will not be FIPS compliant. Enable this using the + configuration option `enable-fips-jitter`. + + *Paul Dale* OpenSSL 3.4 ----------- @@ -21062,3 +21068,5 @@ ndif [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655 +[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program +[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations diff --git a/NEWS.md b/NEWS.md index a8cf33aec50..5b3a004c792 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -37,7 +37,13 @@ changes: This release adds the following new features: - * none yet + * Allow the FIPS provider to optionally use the `JITTER` seed source. + Because this seed source is not part of the OpenSSL FIPS validations, + it should only be enabled after the [jitterentropy-library] has been + assessed for entropy quality. Moreover, the FIPS provider including + this entropy source will need to obtain an [ESV] from the [CMVP] before + FIPS compliance can be claimed. Enable this using the configuration + option `enable-fips-jitter`. OpenSSL 3.4 ----------- @@ -2007,3 +2013,6 @@ OpenSSL 0.9.x [CHANGES.md]: ./CHANGES.md [README-QUIC.md]: ./README-QUIC.md [issue tracker]: https://github.com/openssl/openssl/issues +[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program +[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations +[jitterentropy-library]: https://github.com/smuellerDD/jitterentropy-library
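Review bot: The CHANGES.md entry has a comma splice in "entropy source validation [ESV] by the [CMVP], without this the FIPS provider will not be FIPS compliant"; suggest splitting it into two sentences, e.g. "... validation [ESV] by the [CMVP]. Without this, the FIPS provider will not be FIPS compliant." It would also help to state plainly that a build configured with `enable-fips-jitter` falls outside the existing OpenSSL FIPS validation, as the NEWS.md entry already does with "this seed source is not part of the OpenSSL FIPS validations".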
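Review bot: In the CHANGES.md link-definition hunk the two new csrc.nist.gov URLs use different path casing (`/projects/cryptographic-module-validation-program` for [CMVP] versus `/Projects/cryptographic-module-validation-program/entropy-validations` for [ESV]); pick one casing for both definitions so the references stay consistent, and apply the same choice to the matching definitions added to NEWS.md.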
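Review bot: The NEWS.md entry introduces the feature as the `JITTER` seed source, while the CHANGES.md entry calls it the `JITTER` entropy source and the same NEWS.md paragraph later refers to "this entropy source"; settle on one term across both files. The NEWS.md text also carries the stronger caveat (that the [jitterentropy-library] should be assessed for entropy quality before the option is enabled) which the CHANGES.md entry lacks, even though CHANGES.md is where the detailed description lives; consider carrying that sentence into the CHANGES.md entry as well.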