JITTER: excercise all tests in CI with JITTER seed source under certain build configuration

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)

.github/workflows/run-checker-daily.yml

@@ -191,7 +191,7 @@ jobs:
       if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
 
-  jitter_provider:
+  jitter:
     runs-on: ubuntu-latest
     steps:
     - name: checkout openssl
@@ -207,7 +207,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ && perl configdata.pm --dump
+      run: ./config --with-rand-seed=none enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC='"JITTER"' && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -216,8 +216,6 @@ jobs:
         ./util/opensslwrap.sh version -c
     - name: make test
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-    - name: test jitter entropy
-      run: ./util/wrap.pl -jitter ./apps/openssl rand -hex 8
 
   enable_brotli_dynamic:
     runs-on: ubuntu-latest

Configure

@@ -1326,6 +1326,11 @@ All operations depending on the random generator such as creating keys
 will not work unless the random generator is seeded manually by the
 application.
 
+Alternative to manually seeding is to compile with JITTER RNG enabled,
+it will be used instead of rand-seed=none. Or specify alternative
+seed= provider in openssl.cnf (for example from a 3rd party entropy
+provider).
+
 Please read the 'Note on random number generation' section in the
 INSTALL.md instructions and the RAND_DRBG(7) manual page for more
 details.

INSTALL.md

@@ -521,32 +521,22 @@ at the end of this document.
 
 [rng]: #notes-on-random-number-generation
 
-# jitter
+### jitter
 
 When configured with `enable-jitter`, a "JITTER" RNG is compiled that
-can provided alternative software seed source. It can be configured by
+can provide an alternative software seed source. It can be configured
-loadin setting `seed` setting in `openssl.cnf`. An example
+by setting `seed` option in `openssl.cnf`. A minimal `openssl.cnf` is
-`openssl.cnf` is shown below:
+shown below:
 
     openssl_conf = openssl_init
 
-    # Comment out the next line to ignore configuration errors
-    config_diagnostics = 1
-
     [openssl_init]
-    providers = provider_sect
     random = random
 
-    [provider_sect]
-    default = default_sect
-
-    [default_sect]
-    activate = 1
-
     [random]
     seed=JITTER
 
-It uses statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
+It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
 
 Additional configuration flags available:
 
@@ -560,7 +550,6 @@ it is outside the system include path.
 This is the directory containing the static libjitterentropy.a
 library, if it is outside the system library path.
 
-
 Setting the FIPS HMAC key
 -------------------------
 

crypto/info.c

@@ -189,9 +189,11 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings)
         add_seeds_string("os-specific");
 #endif
 #ifndef OPENSSL_NO_JITTER
-        char jent_version_string[32];
+	{
-        sprintf(jent_version_string, "JITTER (%d)", jent_version());
+            char jent_version_string[32];
-        add_seeds_string(jent_version_string);
+            sprintf(jent_version_string, "JITTER (%d)", jent_version());
+            add_seeds_string(jent_version_string);
+	}
 #endif
         seed_sources = seeds;
     }

crypto/rand/rand_lib.c

@@ -20,6 +20,10 @@
 #include "rand_local.h"
 #include "crypto/context.h"
 
+#ifndef OPENSSL_DEFAULT_SEED_SRC
+# define OPENSSL_DEFAULT_SEED_SRC "SEED-SRC"
+#endif
+
 #ifndef FIPS_MODULE
 # include <stdio.h>
 # include <time.h>
@@ -593,7 +597,7 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx)
                 propq = props;
             }
         }
-        name = "SEED-SRC";
+        name = OPENSSL_DEFAULT_SEED_SRC;
     }
 
     rand = EVP_RAND_fetch(libctx, name, propq);

doc/build.info

@@ -4739,14 +4739,14 @@ DEPEND[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod
 GENERATE[html/man7/EVP_RAND-HMAC-DRBG.html]=man7/EVP_RAND-HMAC-DRBG.pod
 DEPEND[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
 GENERATE[man/man7/EVP_RAND-HMAC-DRBG.7]=man7/EVP_RAND-HMAC-DRBG.pod
-DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
-DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
-GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
 DEPEND[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
 GENERATE[html/man7/EVP_RAND-JITTER.html]=man7/EVP_RAND-JITTER.pod
 DEPEND[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
 GENERATE[man/man7/EVP_RAND-JITTER.7]=man7/EVP_RAND-JITTER.pod
+DEPEND[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[html/man7/EVP_RAND-SEED-SRC.html]=man7/EVP_RAND-SEED-SRC.pod
+DEPEND[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
+GENERATE[man/man7/EVP_RAND-SEED-SRC.7]=man7/EVP_RAND-SEED-SRC.pod
 DEPEND[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
 GENERATE[html/man7/EVP_RAND-TEST-RAND.html]=man7/EVP_RAND-TEST-RAND.pod
 DEPEND[man/man7/EVP_RAND-TEST-RAND.7]=man7/EVP_RAND-TEST-RAND.pod
@@ -5112,8 +5112,8 @@ html/man7/EVP_PKEY-X25519.html \
 html/man7/EVP_RAND-CTR-DRBG.html \
 html/man7/EVP_RAND-HASH-DRBG.html \
 html/man7/EVP_RAND-HMAC-DRBG.html \
-html/man7/EVP_RAND-SEED-SRC.html \
 html/man7/EVP_RAND-JITTER.html \
+html/man7/EVP_RAND-SEED-SRC.html \
 html/man7/EVP_RAND-TEST-RAND.html \
 html/man7/EVP_RAND.html \
 html/man7/EVP_SIGNATURE-DSA.html \
@@ -5258,8 +5258,8 @@ man/man7/EVP_PKEY-X25519.7 \
 man/man7/EVP_RAND-CTR-DRBG.7 \
 man/man7/EVP_RAND-HASH-DRBG.7 \
 man/man7/EVP_RAND-HMAC-DRBG.7 \
-man/man7/EVP_RAND-SEED-SRC.7 \
 man/man7/EVP_RAND-JITTER.7 \
+man/man7/EVP_RAND-SEED-SRC.7 \
 man/man7/EVP_RAND-TEST-RAND.7 \
 man/man7/EVP_RAND.7 \
 man/man7/EVP_SIGNATURE-DSA.7 \

doc/man3/RAND_set_DRBG_type.pod

@@ -41,7 +41,15 @@ is made too late.
 
 The default DRBG is "CTR-DRBG" using the "AES-256-CTR" cipher.
 
-The default seed source is "SEED-SRC".
+The default seed source can be configured when OpenSSL is compiled by
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
+"SEED-SRC" is used.
+
+=head1 EXAMPLES
+
+ unsigned char bytes[100];
+ RAND_set_seed_source_type(NULL, "JITTER", NULL);
+ RAND_bytes(bytes, 100);
 
 =head1 SEE ALSO
 

doc/man7/EVP_RAND-JITTER.pod

@@ -9,8 +9,12 @@ EVP_RAND-JITTER - The randomness seed source EVP_RAND implementation
 Support for deterministic random number generator seeding through the
 B<EVP_RAND> API.
 
-The seed source comes from statically linked jitterentropy-library,
+This software seed source produces randomness based on tiny CPU
-which produces randomness based on tiny CPU "jitter" fluctuations.
+"jitter" fluctuations.
+
+It is available when OpenSSL is compiled with B<enable-jitter>
+option. When available it is listed in B<openssl list
+-random-generators> and B<openssl info -seeds>.
 
 =head2 Identity
 

doc/man7/EVP_RAND.pod

@@ -224,11 +224,17 @@ but also for every generate request.
 =head2 Configuring the Random Seed Source
 
 In most cases OpenSSL will automatically choose a suitable seed source
-for automatically seeding and reseeding its <primary> DRBG. In some cases
+for automatically seeding and reseeding its <primary> DRBG. The
-however, it will be necessary to explicitly specify a seed source during
+default seed source can be configured when OpenSSL is compiled by
-configuration, using the --with-rand-seed option. For more information,
+setting B<-DOPENSSL_DEFAULT_SEED_SRC='\"SEED-SRC\"'>. If not set then
-see the INSTALL instructions. There are also operating systems where no
+"SEED-SRC" is used. One can specify third-party provider seed-source,
-seed source is available and automatic reseeding is disabled by default.
+or B<-DOPENSSL_DEFAULT_SEED_SRC='\"JITTER\"'> if available.
+
+In some cases however, it will be necessary to explicitly specify a
+seed source used by "SEED-SRC" during configuration, using the
+--with-rand-seed option. For more information, see the INSTALL
+instructions. There are also operating systems where no seed source is
+available and automatic reseeding is disabled by default.
 
 The following two sections describe the reseeding process of the primary
 DRBG, depending on whether automatic reseeding is available or not.

providers/implementations/rands/seed_src_jitter.c

@@ -90,7 +90,7 @@ static size_t get_jitter_random_value(unsigned char *buf, size_t len)
         /*
          * Do not use _safe API variant with built-in retries, until
          * failure because it reseeds the entropy source which is not
-         * certifyable
+         * certifiable
          */
         result = jent_read_entropy(jitter_ec, (char *) buf, len);