fix intermittent openssl FIPS selftest failures in jitterentropy (#9890)

tobiasb-ms · web-flow · commit 297b90e3d050 · 2024-07-23T12:58:32.000-07:00
diff --git a/SPECS/openssl/openssl-1.1.1-jitterentropy-fix-intermittent-fips-selftest-failure.patch b/SPECS/openssl/openssl-1.1.1-jitterentropy-fix-intermittent-fips-selftest-failure.patch
@@ -0,0 +1,67 @@
+From d0e139f4e697265cd693769860b20d61c89bbd96 Mon Sep 17 00:00:00 2001
+From: Tobias Brick <tobiasb@microsoft.com>
+Date: Wed, 3 Jul 2024 20:24:14 +0000
+Subject: [PATCH] TOBIASB: Initialize ec.mem and set minimum OSR in
+ jent_time_entropy_init
+
+Ocassionally, the jitterentropy module was failing the FIPS self-test because it was unable to create
+sufficient entropy. This was due to two main reasons:
+A memory buffer was not being initialized in the jent_time_entropy_init function. This buffer is used 
+to add variations based on memory access to the entropy pool.
+
+The OSR value was being set to 1, rather than the standard minimum of 3. Since this affects the threshold
+for number of times the allows itself to attempt to generate entropy before failing out, this made the issue
+more likely to occur.
+
+This patch initializes that buffer and enforces the standard minmum OSR value.
+
+---
+ crypto/fips/jitterentropy-base.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/fips/jitterentropy-base.c b/crypto/fips/jitterentropy-base.c
+index 9fb5b96..a5079a0 100644
+--- a/crypto/fips/jitterentropy-base.c
++++ b/crypto/fips/jitterentropy-base.c
+@@ -1265,13 +1265,27 @@ static int jent_time_entropy_init(unsigned int enable_notime)
+ 
+ 	memset(&ec, 0, sizeof(ec));
+ 
++	/* Allocate memory for adding variations based on memory
++		* access
++		*/
++	ec.mem = 
++		(unsigned char *)jent_zalloc(JENT_MEMORY_SIZE);
++	if (ec.mem == NULL) {
++		ret = EHEALTH;
++		goto out;
++	}
++
++	ec.memblocksize = JENT_MEMORY_BLOCKSIZE;
++	ec.memblocks = JENT_MEMORY_BLOCKS;
++	ec.memaccessloops = JENT_MEMORY_ACCESSLOOPS;
++
+ 	if (enable_notime) {
+ 		ec.enable_notime = 1;
+ 		jent_notime_settick(&ec);
+ 	}
+ 
+ 	/* Required for RCT */
+-	ec.osr = 1;
++	ec.osr = JENT_MIN_OSR;
+ 	if (jent_fips_enabled())
+ 		ec.fips_enabled = 1;
+ 
+@@ -1429,6 +1443,9 @@ static int jent_time_entropy_init(unsigned int enable_notime)
+ 		ret = ESTUCK;
+ 
+ out:
++	if (ec.mem != NULL)
++		jent_zfree(ec.mem, JENT_MEMORY_SIZE);
++
+ 	if (enable_notime)
+ 		jent_notime_unsettick(&ec);
+ 
+-- 
+2.39.4
+
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        32%{?dist}
+Release:        33%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -63,6 +63,7 @@ Patch39:        openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null
 Patch40:        openssl-1.1.1-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
 Patch41:        openssl-1.1.1-pkcs1-implicit-rejection.patch
 Patch42:        openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-them.patch
+Patch43:        openssl-1.1.1-jitterentropy-fix-intermittent-fips-selftest-failure.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -178,6 +179,7 @@ cp %{SOURCE4} test/
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
 
 %build
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
@@ -367,6 +369,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue Jul 16 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-33
+- Fix intermittent FIPS selftest failures in jitterentropy module
+
 * Tue Jun 04 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-32
 - Only free the read buffers if we're not using them
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-32.cm2.aarch64.rpm
-openssl-devel-1.1.1k-32.cm2.aarch64.rpm
-openssl-libs-1.1.1k-32.cm2.aarch64.rpm
-openssl-perl-1.1.1k-32.cm2.aarch64.rpm
-openssl-static-1.1.1k-32.cm2.aarch64.rpm
+openssl-1.1.1k-33.cm2.aarch64.rpm
+openssl-devel-1.1.1k-33.cm2.aarch64.rpm
+openssl-libs-1.1.1k-33.cm2.aarch64.rpm
+openssl-perl-1.1.1k-33.cm2.aarch64.rpm
+openssl-static-1.1.1k-33.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-32.cm2.x86_64.rpm
-openssl-devel-1.1.1k-32.cm2.x86_64.rpm
-openssl-libs-1.1.1k-32.cm2.x86_64.rpm
-openssl-perl-1.1.1k-32.cm2.x86_64.rpm
-openssl-static-1.1.1k-32.cm2.x86_64.rpm
+openssl-1.1.1k-33.cm2.x86_64.rpm
+openssl-devel-1.1.1k-33.cm2.x86_64.rpm
+openssl-libs-1.1.1k-33.cm2.x86_64.rpm
+openssl-perl-1.1.1k-33.cm2.x86_64.rpm
+openssl-static-1.1.1k-33.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-32.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-32.cm2.aarch64.rpm
-openssl-devel-1.1.1k-32.cm2.aarch64.rpm
-openssl-libs-1.1.1k-32.cm2.aarch64.rpm
-openssl-perl-1.1.1k-32.cm2.aarch64.rpm
-openssl-static-1.1.1k-32.cm2.aarch64.rpm
+openssl-1.1.1k-33.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-33.cm2.aarch64.rpm
+openssl-devel-1.1.1k-33.cm2.aarch64.rpm
+openssl-libs-1.1.1k-33.cm2.aarch64.rpm
+openssl-perl-1.1.1k-33.cm2.aarch64.rpm
+openssl-static-1.1.1k-33.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-32.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-32.cm2.x86_64.rpm
-openssl-devel-1.1.1k-32.cm2.x86_64.rpm
-openssl-libs-1.1.1k-32.cm2.x86_64.rpm
-openssl-perl-1.1.1k-32.cm2.x86_64.rpm
-openssl-static-1.1.1k-32.cm2.x86_64.rpm
+openssl-1.1.1k-33.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-33.cm2.x86_64.rpm
+openssl-devel-1.1.1k-33.cm2.x86_64.rpm
+openssl-libs-1.1.1k-33.cm2.x86_64.rpm
+openssl-perl-1.1.1k-33.cm2.x86_64.rpm
+openssl-static-1.1.1k-33.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm
