authorDimitri John Ledkov <dimitri.ledkov@surgut.co.uk>2024-07-16 13:07:44 +0100
committerPauli <ppzgs1@gmail.com>2024-07-31 14:44:51 +1000
commitf41b5ffe33bed336827096788b593e87927ae906 (patch)
treeed086ce5b4ee522603f7299cc69235d586d76381 /providers/implementations
parentf8c510cd20a43f7ac7705aca40fd38aacd5febeb (diff)
jitter: retry intermittent failures
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24844)
Diffstat (limited to 'providers/implementations')
-rw-r--r--providers/implementations/rands/seed_src_jitter.c44
1 files changed, 27 insertions, 17 deletions
diff --git a/providers/implementations/rands/seed_src_jitter.c b/providers/implementations/rands/seed_src_jitter.c
index 8029a3cb8d..3dea0959d4 100644
--- a/providers/implementations/rands/seed_src_jitter.c
+++ b/providers/implementations/rands/seed_src_jitter.c
@@ -25,6 +25,8 @@
#ifndef OPENSSL_NO_JITTER
# include <jitterentropy.h>
+# define JITTER_MAX_NUM_TRIES 3
+
static OSSL_FUNC_rand_newctx_fn jitter_new;
static OSSL_FUNC_rand_freectx_fn jitter_free;
static OSSL_FUNC_rand_instantiate_fn jitter_instantiate;
@@ -81,24 +83,32 @@ static size_t get_jitter_random_value(PROV_JITTER *s,
{
struct rand_data *jitter_ec = NULL;
ssize_t result = 0;
+ size_t num_tries;
+
+ /* Retry intermittent failures, then give up */
+ for (num_tries = 0; num_tries < JITTER_MAX_NUM_TRIES; num_tries++) {
+ /* Allocate a fresh collector */
+ jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS);
+ if (jitter_ec == NULL)
+ continue;
+
+ /* Do not use _safe API as per typical security policies */
+ result = jent_read_entropy(jitter_ec, (char *) buf, len);
+ jent_entropy_collector_free(jitter_ec);
+
+ /*
+ * Permanent Failure
+ * https://github.com/smuellerDD/jitterentropy-library/issues/118
+ */
+ if (result < -5)
+ break;
+
+ /* Success */
+ if (result == len)
+ return len;
+ }
- jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS);
- if (jitter_ec == NULL)
- return 0;
-
- /*
- * Do not use _safe API variant with built-in retries, until
- * failure because it reseeds the entropy source which is not
- * certifiable
- */
- result = jent_read_entropy(jitter_ec, (char *) buf, len);
- jent_entropy_collector_free(jitter_ec);
-
- /* Success */
- if (result == len)
- return len;
-
- /* Failure */
+ /* Permanent failure or too many intermittent failures */
s->state = EVP_RAND_STATE_ERROR;
ERR_raise_data(ERR_LIB_RAND, RAND_R_ERROR_RETRIEVING_ENTROPY,
"jent_read_entropy (%d)", result);
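Review bot: When `jent_entropy_collector_alloc` returns NULL on every pass, the `continue` leaves `result` at 0 (or at the code from an earlier failed read), so the error raised after the loop reports `jent_read_entropy (0)` for what was an allocation failure. Raising a separate error for the allocation case, or recording a distinct value before `continue`, would keep the diagnostic truthful for anyone triaging an entropy-source failure. The `result < -5` cut-off is explained only by an issue link; a comment stating which return codes are treated as intermittent and which as permanent would let a reviewer check it against the jitterentropy version in use. `result` is `ssize_t` but is printed with `%d` and compared against the `size_t` `len`; `(int)result` in the `ERR_raise_data` call and `result >= 0 && (size_t)result == len` in the success test would remove both mismatches. The function body continues past the end of the hunk.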