jitter: add a new provider containing a jitter entropy source alone

This entropy source can be used instead of SEED-SRC. Sample openssl.cnf configuration is provided. It is built as a separate provider, because it is likely to require less frequent updates than fips provider. The same build likely can span multiple generations of FIPS 140 standard revisions. Note that rand-instances currently chain from public/private instances to primary, prior to consuming the seed. Thus currently a unique ESV needs to be obtained, and resue of jitterentropy.a certificate is not possible as is. Separately a patch will be sent to allow for unchaining public/private RAND instances for the purpose of reusing ESV. Also I do wonder if it makes sense to create a fips variant of stock SEED-SRC entropy source, which in addition to using getrandom() also verifies that the kernel is operating in FIPS mode and thus is likely a validated entropy source. As in on Linux, check that /proc/sys/crypto/fips_enabled is set to 1, and similar checks on Windows / MacOS and so on. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24844)
2024-07-10 15:39:01 +01:00 · 2024-07-10 15:39:01 +01:00 · b28b312804
commit b28b312804
parent 4f5febe2c6
15 changed files with 458 additions and 1 deletions
--- a/10
+++ b/10
@ -476,6 +476,7 @@ my @disablables = (
    "gost",
    "http",
    "idea",
+    "jitter",
    "ktls",
    "legacy",
    "loadereng",
@ -586,6 +587,7 @@ our %disabled = ( # "what"         => "comment"
                  "fuzz-afl"            => "default",
                  "fuzz-libfuzzer"      => "default",
                  "pie"                 => "default",
+                  "jitter"              => "default",
                  "ktls"                => "default",
                  "md2"                 => "default",
                  "msan"                => "default",
@ -1019,6 +1021,14 @@ while (@argvcopy)
                        {
                        $config{openssldir}=$1;
                        }
+                elsif (/^--with-jitter-include=(.*)$/)
+                        {
+                        $withargs{jitter_include}=$1;
+                        }
+                elsif (/^--with-jitter-lib=(.*)$/)
+                        {
+                        $withargs{jitter_lib}=$1;
+                        }
                elsif (/^--with-zlib-lib=(.*)$/)
                        {
                        $withargs{zlib_lib}=$1;