fips-jitter: set provider into error state upon CRNG permanent failures

With fips-jitter build time option, jitter can be inside FIPS
boundary.

Calls to jent_read_entropy() can return permanent failures for
Repetitive Count Test (RTC), Adaptive Proportion Test (APT), LAG
prediction test.

Ensure the module enters error state upon permanent jitter failures.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25957)
This commit is contained in:
Dimitri John Ledkov 2024-11-15 05:32:33 +00:00 committed by Tomas Mraz
parent 98be2e8fb6
commit b9886a6f34

View File

@ -17,8 +17,10 @@
#include <openssl/err.h>
#include <openssl/randerr.h>
#include <openssl/proverr.h>
#include <openssl/self_test.h>
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "crypto/rand.h"
#include "crypto/rand_pool.h"
@ -98,10 +100,12 @@ static size_t get_jitter_random_value(PROV_JITTER *s,
/*
* Permanent Failure
* https://github.com/smuellerDD/jitterentropy-library/issues/118
* https://github.com/smuellerDD/jitterentropy-library/blob/master/doc/jitterentropy.3#L234
*/
if (result < -5)
if (result < -5) {
ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
break;
}
/* Success */
if (result >= 0 && (size_t)result == len)