From: Dimitri John Ledkov Date: Fri, 15 Nov 2024 05:32:33 +0000 (+0000) Subject: fips-jitter: set provider into error state upon CRNG permanent failures X-Git-Tag: openssl-3.5.0-alpha1~881 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9886a6f3483e0525596d3b3956416282038da82;p=thirdparty%2Fopenssl.git fips-jitter: set provider into error state upon CRNG permanent failures With fips-jitter build time option, jitter can be inside FIPS boundary. Calls to jent_read_entropy() can return permanent failures for Repetitive Count Test (RTC), Adaptive Proportion Test (APT), LAG prediction test. Ensure the module enters error state upon permanent jitter failures. Reviewed-by: Paul Dale Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/25957) --- diff --git a/providers/implementations/rands/seed_src_jitter.c b/providers/implementations/rands/seed_src_jitter.c index af8d5c4852d..1a1919d8230 100644 --- a/providers/implementations/rands/seed_src_jitter.c +++ b/providers/implementations/rands/seed_src_jitter.c @@ -17,8 +17,10 @@ #include #include #include +#include #include "prov/implementations.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "crypto/rand.h" #include "crypto/rand_pool.h" @@ -98,10 +100,12 @@ static size_t get_jitter_random_value(PROV_JITTER *s, /* * Permanent Failure - * https://github.com/smuellerDD/jitterentropy-library/issues/118 + * https://github.com/smuellerDD/jitterentropy-library/blob/master/doc/jitterentropy.3#L234 */ - if (result < -5) + if (result < -5) { + ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG); break; + } /* Success */ if (result >= 0 && (size_t)result == len)
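Review bot: In the get_jitter_random_value hunk the permanent-failure branch still keys off the bare magic number in `if (result < -5) {`, and the only explanation of that threshold is the comment URL, which this patch changes from an issue link to a line-anchored link into the man page on `master` (`.../blob/master/doc/jitterentropy.3#L234`); that anchor will silently point at the wrong line as soon as the upstream file is edited. Pin the URL to a commit hash or tag, or better, state in the comment which jent_read_entropy() return codes count as permanent (the commit message names RCT, APT and LAG prediction test failures) so a reader can check the threshold without leaving the tree. Two follow-ups: the commit message says jitter is only inside the FIPS boundary with the fips-jitter build option, yet the new `ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);` call is unconditional, so please confirm this is the intended behaviour (or a no-op) for the non-fips-jitter builds of this file; and consider also raising an error that carries the jitter return code next to the state change, so an operator can tell which health test tripped rather than only seeing the failed read after the `break`. Nit: the commit message says "Repetitive Count Test (RTC)"; the SP 800-90B health test is the Repetition Count Test (RCT).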