From: Pauli Date: Wed, 1 Jul 2020 01:09:38 +0000 (+1000) Subject: install: add notes about ignored seed sources in the FIPS provider. X-Git-Tag: openssl-3.0.0-alpha6~109 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=b99c463d78ecad29f89165fc64a281faafa9461c install: add notes about ignored seed sources in the FIPS provider. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12325) --- diff --git a/INSTALL.md b/INSTALL.md index 3ad854823b..01e255df7e 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -447,6 +447,7 @@ on most unix-ish operating systems. ### egd Check for an entropy generating daemon. +This source is ignored by the FIPS provider. ### rdcpu @@ -455,11 +456,13 @@ Use the `RDSEED` or `RDRAND` command if provided by the CPU. ### librandom Use librandom (not implemented yet). +This source is ignored by the FIPS provider. ### none Disable automatic seeding. This is the default on some operating systems where no suitable entropy source exists, or no support for it is implemented yet. +This option is ignored by the FIPS provider. For more information, see the section [Notes on random number generation][rng] at the end of this document. @@ -1689,7 +1692,8 @@ The seeding method can be configured using the `--with-rand-seed` option, which can be used to specify a comma separated list of seed methods. However, in most cases OpenSSL will choose a suitable default method, so it is not necessary to explicitly provide this option. Note also -that not all methods are available on all platforms. +that not all methods are available on all platforms. The FIPS provider will +silently ignore seed sources that were not validated. I) On operating systems which provide a suitable randomness source (in form of a system call or system device), OpenSSL will use the optimal
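Review bot: In the first hunk (@@ -447, the `### egd` section), the added sentence "This source is ignored by the FIPS provider." leaves the neighbouring `### rdcpu` section with no statement either way, so a reader can only guess whether `RDSEED`/`RDRAND` is accepted by the FIPS provider or merely undocumented here; either add the corresponding sentence under `### rdcpu` or say in one place which seed sources the FIPS provider does use, so that silence is not read as acceptance.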
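Review bot: In the second hunk (@@ -455), the note under `### none` says "This option is ignored by the FIPS provider." while the notes under `### egd` and `### librandom` say "This source is ignored"; the wording should be consistent, and for `none` in particular the sentence should say what the FIPS provider does instead, since "ignoring" a request to disable automatic seeding implies the provider still seeds from somewhere, e.g. "The FIPS provider ignores this setting and seeds from its validated sources regardless." (phrasing to be confirmed against the actual behaviour).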
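Review bot: In the third hunk (@@ -1689), "The FIPS provider will silently ignore seed sources that were not validated." documents a behaviour that matters operationally: an operator who passes `--with-rand-seed=egd` or `librandom` for a FIPS build gets a configuration that is accepted but has no effect, with nothing telling them so. The text should state whether `Configure` emits a warning in that case and, if it does not, say explicitly that the setting is accepted without diagnostic so the reader knows to check the effective seeding themselves; also "were not validated" reads better as "have not been validated", and a pointer to where the validated sources are listed would save the reader a search.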