fips-jitter: Force use jitter entropy in the FIPS 3.0.9 provider callback

FIPS 3.0.9 provider does not honor runtime seed configuration, thus if one desires to use JITTER entropy source with FIPS 3.0.9 provider something like this needs to be applied to the core (libcrypto) build. Not sure if this is at all suitable for upstream. With fips-jitter (3.5+) config, also ensure that core<->provider callback for entropy uses jitter entropy source, rather than os seed (getrandom syscall). Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25930)
2024-11-09 21:32:48 +00:00 · 2024-11-09 21:32:48 +00:00 · aa5f1b4cf5
commit aa5f1b4cf5
parent 395a83a617
2 changed files with 42 additions and 0 deletions
--- a/providers/implementations/rands/seed_src_jitter.c
+++ b/providers/implementations/rands/seed_src_jitter.c
@ -295,6 +295,22 @@ static size_t jitter_get_seed(void *vseed, unsigned char **pout,
    return ret;
 }

+size_t ossl_rand_jitter_get_seed(unsigned char **pout, int entropy, size_t min_len, size_t max_len)
+{
+    size_t ret = 0;
+    OSSL_PARAM params[1] = { OSSL_PARAM_END };
+    PROV_JITTER *s = jitter_new(NULL, NULL, NULL);
+
+    if (s == NULL)
+        return ret;
+    if (!jitter_instantiate(s, 0, 0, NULL, 0, params))
+        goto end;
+    ret = jitter_get_seed(s, pout, entropy, min_len, max_len, 0, NULL, 0);
+ end:
+    jitter_free(s);
+    return ret;
+}
+
 static void jitter_clear_seed(ossl_unused void *vdrbg,
                              unsigned char *out, size_t outlen)
 {