path: root/util/wrap.pl.in
author    Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>  2024-07-10 16:39:01 +0200
committer Pauli <ppzgs1@gmail.com>  2024-07-31 06:44:51 +0200
commit    b28b3128048a83ba036c9d8a789badac9b1a2804 (patch)
tree      f484e9e8ea3d7d1b5c67f3838831f7aca15abfde /util/wrap.pl.in
parent    Add FIPS indicator to CMAC. (diff)
jitter: add a new provider containing a jitter entropy source alone
This entropy source can be used instead of SEED-SRC. Sample openssl.cnf configuration is provided.

It is built as a separate provider, because it is likely to require less frequent updates than the fips provider. The same build likely can span multiple generations of FIPS 140 standard revisions.

Note that rand-instances currently chain from public/private instances to primary, prior to consuming the seed. Thus currently a unique ESV needs to be obtained, and reuse of the jitterentropy.a certificate is not possible as is. Separately a patch will be sent to allow for unchaining public/private RAND instances for the purpose of reusing the ESV.

Also I do wonder if it makes sense to create a fips variant of the stock SEED-SRC entropy source, which in addition to using getrandom() also verifies that the kernel is operating in FIPS mode and thus is likely a validated entropy source. As in on Linux, check that /proc/sys/crypto/fips_enabled is set to 1, and similar checks on Windows / MacOS and so on.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24844)
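The commit message above floats a kernel FIPS-mode probe (read /proc/sys/crypto/fips_enabled, require "1") as a gate for a FIPS-flavoured SEED-SRC. The following is an added illustration of that check as a standalone shell script; it is not OpenSSL project code and nothing in this commit implements it. The optional PATH argument is a hypothetical hook, present only so the check can be exercised against constructed files on hosts that are not Linux or not booted in FIPS mode; the exit-code convention and the status strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL commit: the kernel FIPS-mode probe
# suggested in the commit message. On Linux the kernel exposes
# /proc/sys/crypto/fips_enabled; a value of "1" means the kernel booted in
# FIPS mode. The PATH argument is a hypothetical test hook (assumption), so
# the logic can be run against constructed files offline.

# kernel_fips_enabled [PATH]
#   exit 0 : flag present and set to 1 (kernel in FIPS mode)
#   exit 1 : flag present but not 1 (FIPS mode off)
#   exit 2 : flag absent or unreadable (non-Linux, or kernel without it)
kernel_fips_enabled() {
    _flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$_flag" ] || return 2
    # take the first line only and strip the trailing newline/whitespace
    _val=$(head -n 1 "$_flag" 2>/dev/null | tr -d '[:space:]')
    [ "$_val" = "1" ]
}

# fips_seed_src_status [PATH]
#   Prints a one-word verdict a FIPS-variant seed source could act on:
#     kernel-fips-mode      getrandom() may be treated as coming from a
#                           kernel running in FIPS mode (the message's premise)
#     kernel-not-fips-mode  kernel up, but FIPS mode is off
#     no-fips-flag          cannot tell (flag missing); a strict seed source
#                           should treat this the same as "not FIPS mode"
fips_seed_src_status() {
    kernel_fips_enabled "$1"
    case $? in
        0) echo "kernel-fips-mode" ;;
        1) echo "kernel-not-fips-mode" ;;
        *) echo "no-fips-flag" ;;
    esac
}

# Stand-alone use: report the live kernel state (no argument = real /proc path).
if [ "${1:-}" = "--probe" ]; then
    fips_seed_src_status
fi
```

A strict implementation of the idea in the commit message would refuse to seed on anything other than `kernel-fips-mode`; the "no-fips-flag" case matters because the file is absent on non-Linux hosts and on kernels built without the flag, and silently treating that as a pass would defeat the purpose of the check.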
Diffstat (limited to 'util/wrap.pl.in')
-rw-r--r--  util/wrap.pl.in  12 ++++++++++++
1 file changed, 12 insertions, 0 deletions
diff --git a/util/wrap.pl.in b/util/wrap.pl.in
index 7d11cb7c27..9b2b684c57 100644
--- a/util/wrap.pl.in
+++ b/util/wrap.pl.in
@@ -36,6 +36,18 @@ if ($ARGV[0] eq '-fips') {
$std_openssl_conf_include = catdir($there, 'providers');
}
+if ($ARGV[0] eq '-jitter') {
+ $std_openssl_conf = {-
+ use Cwd qw(abs_path);
+
+ "'" . abs_path(catfile($config{sourcedir}, 'test/default-and-jitter.cnf')) . "'";
+ -};
+ shift;
+
+ $std_openssl_conf_include = catdir($there, 'providers');
+}
+
+
local $ENV{OPENSSL_CONF_INCLUDE} = $std_openssl_conf_include
if defined $std_openssl_conf_include
&&($ENV{OPENSSL_CONF_INCLUDE} // '') eq ''
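Review bot: the new `-jitter` block (`+if ($ARGV[0] eq '-jitter') {` through the closing `+}`) is a line-for-line copy of the `-fips` branch it follows, differing only in the option string and the config file name `test/default-and-jitter.cnf`; a small hash mapping option to config file, with the `{- ... -}` path resolution done once, would keep the two in step and avoid a third copy when the next provider config arrives. Two smaller points on the same hunk: the two added blank lines before `local $ENV{OPENSSL_CONF_INCLUDE}` should be one, and there is no comment saying what `-jitter` selects, so a one-line note that it loads `test/default-and-jitter.cnf` (the config the commit message calls the sample configuration) would help anyone reading `util/wrap.pl -jitter ...` in a test recipe.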