JITTER: excercise all tests in CI with JITTER seed source under certain build configuration

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24844)
2025-03-13 19:47:47 +08:00 · 2024-07-11 12:36:31 +01:00 · 2024-07-11 12:36:31 +01:00 · 1e7ff7be23
commit 1e7ff7be23
parent 8f3ebb7d60
10 changed files with 55 additions and 39 deletions
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@ -191,7 +191,7 @@ jobs:
      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

-  jitter_provider:
+  jitter:
    runs-on: ubuntu-latest
    steps:
    - name: checkout openssl
@ -207,7 +207,7 @@ jobs:
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
-      run: ./config enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ && perl configdata.pm --dump
+      run: ./config --with-rand-seed=none enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC='"JITTER"' && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
@ -216,8 +216,6 @@ jobs:
        ./util/opensslwrap.sh version -c
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-    - name: test jitter entropy
-      run: ./util/wrap.pl -jitter ./apps/openssl rand -hex 8

  enable_brotli_dynamic:
    runs-on: ubuntu-latest
--- a/5
+++ b/5
@ -1326,6 +1326,11 @@ All operations depending on the random generator such as creating keys
 will not work unless the random generator is seeded manually by the
 application.

+Alternative to manually seeding is to compile with JITTER RNG enabled,
+it will be used instead of rand-seed=none. Or specify alternative
+seed= provider in openssl.cnf (for example from a 3rd party entropy
+provider).
+
 Please read the 'Note on random number generation' section in the
 INSTALL.md instructions and the RAND_DRBG(7) manual page for more
 details.
--- a/INSTALL.md
+++ b/INSTALL.md
@ -521,32 +521,22 @@ at the end of this document.

 [rng]: #notes-on-random-number-generation

-# jitter
+### jitter

 When configured with `enable-jitter`, a "JITTER" RNG is compiled that
-can provided alternative software seed source. It can be configured by
-loadin setting `seed` setting in `openssl.cnf`. An example
-`openssl.cnf` is shown below:
+can provide an alternative software seed source. It can be configured
+by setting `seed` option in `openssl.cnf`. A minimal `openssl.cnf` is
+shown below:

    openssl_conf = openssl_init

-    # Comment out the next line to ignore configuration errors
-    config_diagnostics = 1
-
    [openssl_init]
-    providers = provider_sect
    random = random

-    [provider_sect]
-    default = default_sect
-
-    [default_sect]
-    activate = 1
-
    [random]
    seed=JITTER

-It uses statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
+It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.

 Additional configuration flags available:

@ -560,7 +550,6 @@ it is outside the system include path.
 This is the directory containing the static libjitterentropy.a
 library, if it is outside the system library path.

-
 Setting the FIPS HMAC key
 -------------------------

--- a/crypto/info.c
+++ b/crypto/info.c
@ -189,9 +189,11 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings)
        add_seeds_string("os-specific");
 #endif
 #ifndef OPENSSL_NO_JITTER
-        char jent_version_string[32];
-        sprintf(jent_version_string, "JITTER (%d)", jent_version());
-        add_seeds_string(jent_version_string);
+	{
+            char jent_version_string[32];
+            sprintf(jent_version_string, "JITTER (%d)", jent_version());
+            add_seeds_string(jent_version_string);
+	}
 #endif
        seed_sources = seeds;
    }
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -20,6 +20,10 @@
 #include "rand_local.h"
 #include "crypto/context.h"

+#ifndef OPENSSL_DEFAULT_SEED_SRC
+# define OPENSSL_DEFAULT_SEED_SRC "SEED-SRC"
+#endif
+
 #ifndef FIPS_MODULE
 # include <stdio.h>
 # include <time.h>
@ -593,7 +597,7 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx)
                propq = props;
            }
        }
-        name = "SEED-SRC";
+        name = OPENSSL_DEFAULT_SEED_SRC;
    }

    rand = EVP_RAND_fetch(libctx, name, propq);
--- a/doc/build.info
+++ b/doc/build.info
@ -4739,14 +4739,14 @@ DEPEND[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod
 GENERATE[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod
 DEPEND[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
 GENERATE[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
-DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
 DEPEND[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
 GENERATE[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
 DEPEND[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
 GENERATE[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
+DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
 DEPEND[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
 GENERATE[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
 DEPEND[man/man7/EVP_RAND-TEST-RAND.7]=man7/EVP_RAND-TEST-RAND.pod
@ -5112,8 +5112,8 @@ html/man7/EVP_PKEY-X25519.html \
 html/man7/EVP_RAND-CTR-DRBG.html \
 html/man7/EVP_RAND-HASH-DRBG.html \
 html/man7/EVP_RAND-HMAC-DRBG.html \
-html/man7/EVP_RAND-SEED-SRC.html \
 html/man7/EVP_RAND-JITTER.html \
+html/man7/EVP_RAND-SEED-SRC.html \
 html/man7/EVP_RAND-TEST-RAND.html \
 html/man7/EVP_RAND.html \
 html/man7/EVP_SIGNATURE-DSA.html \
@ -5258,8 +5258,8 @@ man/man7/EVP_PKEY-X25519.7 \
 man/man7/EVP_RAND-CTR-DRBG.7 \
 man/man7/EVP_RAND-HASH-DRBG.7 \
 man/man7/EVP_RAND-HMAC-DRBG.7 \
-man/man7/EVP_RAND-SEED-SRC.7 \
 man/man7/EVP_RAND-JITTER.7 \
+man/man7/EVP_RAND-SEED-SRC.7 \
 man/man7/EVP_RAND-TEST-RAND.7 \
 man/man7/EVP_RAND.7 \
 man/man7/EVP_SIGNATURE-DSA.7 \
--- a/doc/man3/RAND_set_DRBG_type.pod
+++ b/doc/man3/RAND_set_DRBG_type.pod
@ -41,7 +41,15 @@ is made too late.

 The default DRBG is "CTR-DRBG" using the "AES-256-CTR" cipher.

-The default seed source is "SEED-SRC".
+The default seed source can be configured when OpenSSL is compiled by
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
+"SEED-SRC" is used.
+
+=head1 EXAMPLES
+
+ unsigned char bytes[100];
+ RAND_set_seed_source_type(NULL, "JITTER", NULL);
+ RAND_bytes(bytes, 100);

 =head1 SEE ALSO

--- a/doc/man7/EVP_RAND-JITTER.pod
+++ b/doc/man7/EVP_RAND-JITTER.pod
@ -9,8 +9,12 @@ EVP_RAND-JITTER - The randomness seed source EVP_RAND implementation
 Support for deterministic random number generator seeding through the
 B<EVP_RAND> API.

-The seed source comes from statically linked jitterentropy-library,
-which produces randomness based on tiny CPU "jitter" fluctuations.
+This software seed source produces randomness based on tiny CPU
+"jitter" fluctuations.
+
+It is available when OpenSSL is compiled with B<enable-jitter>
+option. When available it is listed in B<openssl list
+-random-generators> and B<openssl info -seeds>.

 =head2 Identity

--- a/doc/man7/EVP_RAND.pod
+++ b/doc/man7/EVP_RAND.pod
@ -224,11 +224,17 @@ but also for every generate request.
 =head2 Configuring the Random Seed Source

 In most cases OpenSSL will automatically choose a suitable seed source
-for automatically seeding and reseeding its <primary> DRBG. In some cases
-however, it will be necessary to explicitly specify a seed source during
-configuration, using the --with-rand-seed option. For more information,
-see the INSTALL instructions. There are also operating systems where no
-seed source is available and automatic reseeding is disabled by default.
+for automatically seeding and reseeding its <primary> DRBG. The
+default seed source can be configured when OpenSSL is compiled by
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
+"SEED-SRC" is used. One can specify third-party provider seed-source,
+or B<-DOPENSSL_DEFAULT_SEED_SRC='\"JITTER\"'> if available.
+
+In some cases however, it will be necessary to explicitly specify a
+seed source used by "SEED-SRC" during configuration, using the
+--with-rand-seed option. For more information, see the INSTALL
+instructions. There are also operating systems where no seed source is
+available and automatic reseeding is disabled by default.

 The following two sections describe the reseeding process of the primary
 DRBG, depending on whether automatic reseeding is available or not.
--- a/providers/implementations/rands/seed_src_jitter.c
+++ b/providers/implementations/rands/seed_src_jitter.c
@ -90,7 +90,7 @@ static size_t get_jitter_random_value(unsigned char *buf, size_t len)
        /*
         * Do not use _safe API variant with built-in retries, until
         * failure because it reseeds the entropy source which is not
-         * certifyable
+         * certifiable
         */
        result = jent_read_entropy(jitter_ec, (char *) buf, len);