diff options
| author | slontis <shane.lontis@oracle.com> | 2024-08-15 08:18:56 +0200 |
|---|---|---|
| committer | Pauli <ppzgs1@gmail.com> | 2024-08-26 00:28:44 +0200 |
| commit | 5139b51cea6791c68630fbd0cb1d263a48674a96 (patch) | |
| tree | 559d86ee46abbf82d5fdf2518816840ebd32d4c2 /CHANGES.md | |
| parent | Add FIPS indicators to X25519 and X448. (diff) | |
| download | openssl-5139b51cea6791c68630fbd0cb1d263a48674a96.tar.xz openssl-5139b51cea6791c68630fbd0cb1d263a48674a96.zip | |
Add FIPS indicator documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25195)
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/CHANGES.md b/CHANGES.md index 9db980e142..a762dcb8f6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -29,6 +29,28 @@ OpenSSL 3.4 ### Changes between 3.3 and 3.4 [xx XXX xxxx] + * Add FIPS indicators to the FIPS provider. + FIPS 140-3 requires indicators to be used if the FIPS provider allows + non-approved algorithms. An algorithm is approved if it passes all + required checks such as minimum key size. By default an error will + occur if any check fails. For backwards compatibility individual + algorithms may override the checks by using either an option in the + FIPS configuration OR in code using an algorithm context setter. + Overriding the check means that the algorithm is not FIPS compliant. + OSSL_INDICATOR_set_callback() can be called to register a callback + to log unapproved algorithms. At the end of any algorithm operation + the approved status can be queried using an algorithm context getter. + FIPS provider configuration options are set using 'openssl fipsinstall'. + + Note that new FIPS 140-3 restrictions have been enforced such as + RSA Encryption using PKCS1 padding is no longer approved. + Documentation related to the changes can be found on the [fips_module(7)] + manual page. + + [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators + + *Shane Lontis, Paul Dale and Po-Hsing Wu* + * Add debuginfo Makefile target for unix platforms to produce a separate DWARF info file from the corresponding shared libs. @@ -39,12 +61,6 @@ OpenSSL 3.4 *Michael Baentsch* - * Add FIPS provider configuration option to enforce the a minimal - MAC length check. The option '-no_short_mac' can optionally be - supplied to 'openssl fipsinstall'. - - *Paul Dale* - * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that what were formerly build time locations can now be defined at run time with registry keys. See NOTES-WINDOWS.md |