aws · torben-hansen · Nov 25, 2024 · Nov 26, 2024 · Nov 26, 2024 · Nov 26, 2024
@@ -84,6 +84,9 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: '>=1.18'
+      - name: Runner information
+        run: |
+          sysctl -a | grep machdep.cpu
       - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           ./tests/ci/run_posix_tests.sh
@@ -103,7 +106,10 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: '>=1.18'
-      - name: Build ${{ env.PACKAGE_NAME }} with FIPS mode
+      - name: Runner information
+        run: |
+          sysctl -a | grep machdep.cpu
+      - name: Build ${{ env.PACKAGE_NAME }}
         run: |
           ./tests/ci/run_fips_tests.sh
 

@@ -61,7 +61,7 @@ TEST(CPUJitterEntropyTest, Basic) {
   EXPECT_EQ(jent_read_entropy_safe(&jitter_ec.instance,
                                    (char*) data1, data_len), data_len);
 
-  // Verify that the Jitter library version is v3.4.0.
-  unsigned int jitter_version = 3040000;
+  // Verify that the Jitter library version is v3.6.0.
+  unsigned int jitter_version = 3060000;
   EXPECT_EQ(jitter_version, jent_version());
 }
@@ -0,0 +1,125 @@
+3.6.0
+ * Remove bi-modal behavior of conditioning function
+ * Make jent_read_entropy_safe safer by retrying the health test
+ * Move the version information to make them available at compile time
+
+3.5.0
+ * add distinction between intermittent and permanent health failure
+
+ * add compile time option to allow configuring a mask to reduce the size of
+   the time stamp used for the APT
+
+3.4.1
+ * add FIPS 140 hints to man page
+ * simplify the test tool to search for optimal configurations
+ * fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
+ * enhancement: add ARM64 assembler code to read high-res timer
+
+3.4.0
+ * enhancement: add API call jent_set_fips_failure_callback as requested by Daniel Ojalvo
+ * fix: Change the SHA-3 integration: The entropy pool is now a SHA-3 state.
+It is filled with the time delta containing entropy and auxiliary data that does not contain entropy using a SHA update operation. The auxiliary data is calculated by a SHA-3 hashing of some varying state data. The time delta that contains entropy is measured about the SHA-3 hasing of the auxiliary data. This satisfies FIPS 140-3 IG D.K resolutions 4, 6, and 8.
+ * enhancement: add CMake support by Andrew Hopkins
+
+3.3.1
+ * fix: bug fix in initialization logic by Vladis Dronov <vdronov@redhat.com>
+ * fix: use __asm__ instead of asm to suit the C11 standard
+
+3.3.0
+ * add jent_get_cachesize if _SC_LEVEL1_DCACHE_SIZE is not defined
+ * limit the memory buffer size allocated and allow caller to provide
+   the means to provide a limit, too
+ * fix: update man page
+ * update README explaining how to handle entropy shortfall to make it consistent with the current code base
+
+3.2.0
+ * fix: add API call jent_read_entropy_safe to header file
+ * enhancement: add jent_entropy_init_ex API call
+ * enhancement: call jent_entropy_init_ex automatically when jent_entropy_collector_alloc_internal detects that no self test has yet been performed
+ * test: provide jitterentropy-rng test tool allowing all options exported by the library to be invoked
+ * fix: re-add check of time_backwards in power-on test
+ * fix: silence static code analysis tool
+ * test: add test for GCD
+ * enhancement: add GCD selftest
+ * fix: simplify memory management for SHA-3
+ * enhancement: add random memory access (JENT_RANDOM_MEMACCESS)
+
+3.1.0
+ * Add link call to pthreads library as suggested by Mikhail Novosyolov
+ * Add ENTROPY_SAFETY_FACTOR to apply consideration of asymptotically reaching
+   full entropy following SP800-90C suggested by Joshua Hill
+ * Add test for finiding more entropy by changing the memory buffer size
+   used for the memory access loop
+ * Increase the memory buffer size to 512 kBytes per default based on
+   measurements on systems with low entropy.
+ * Add jent_ncpu() detecting the number of existing CPUs. Only when more than
+   one CPU is in the system, the internal timer thread is started.
+ * add GCD testing and analysis suggested by Joshua Hill
+ * add fixes to APT suggested by Joshua Hill
+ * add lag predictor health test suggested by Joshua Hill
+ * add jent_read_entropy_safe API call
+ * break up jitterentropy-base.c into various smaller code files
+
+3.0.2
+ * Small fixes suggested by Joshua Hill
+ * Update the invocation of SHA-3 invocation: each loop iteration defined by the loop shuffle is a self-contained SHA-3 operation. Therefore, the conditioning information is always *one* SHA-3 operation with different time duration.
+ * add JENT_CONF_DISABLE_LOOP_SHUFFLE config option allowing disabling of the shuffle operation
+ * Use -O0
+
+3.0.1
+ * on older GCC versions use -fstack-protector as suggested by Warszawski,
+   Diego
+ * prevent creating the internal timer thread if a high-res hardware timer is
+   found as reported by Lonnie Abelbeck
+
+3.0.0
+ * use RDTSC on x86 directly instead of clock_gettime
+ * use SHA-3 instead of LFSR
+ * add internal high-resolution timer support
+
+2.2.0
+ * SP800-90B compliance: Add RCT runtime health test
+ * SP800-90B compliance: Add Chi-Squared runtime health test as a replacement
+   for the adaptive proportion test
+ * SP800-90B compliance: Increase initial entropy test to 1024 rounds
+ * SP800-90B compliance: Invoke runtime health tests during initialization
+ * remove FIPS 140-2 continuous self test (RCT covers the requirement as per
+   FIPS 140-2 IG 9.8)
+ * SP800-90B compliance: Do not mix stuck time deltas into entropy pool
+
+2.1.2:
+ * Add static library compilation thanks to Neil Horman
+ * Initialize variable ec to satisfy valgrind as suggested by Steve Grubb
+ * Add cross-compilation support suggested by Lonnie Abelbeck
+
+2.1.1:
+ * Fix implementation of mathematical properties.
+
+2.1.0:
+ * Convert all __[u|s][32|64] into [uint|int][32|64]_t
+ * Remove all code protected by #if defined(__KERNEL__) && !defined(MODULE)
+ * Add JENT_PRIVATE_COMPILE: Enable flag during compile when
+   compiling a private copy of the Jitter RNG
+ * Remove unused statistical test code
+ * Add FIPS 140-2 continuous self test code
+ * threshold for init-time stuck test configurable with JENT_STUCK_INIT_THRES
+   during compile time
+
+2.0.1:
+ * Invcation of stuck test during initalization
+
+2.0.0:
+ * Replace the XOR folding of a time delta with an LFSR -- the use of an
+   LFSR is mathematically more sound for the argument to maintain entropy
+
+1.2.0:
+ * Use constant time operation of jent_stir_pool to prevent leaking
+   timing information about RNG.
+ * Make it compile on 32 bit archtectures
+
+1.1.0:
+ * start new numbering schema
+ * update processing of bit that is deemed holding no entropy by heuristic:
+   XOR it into pool without LSFR and bit rotation (reported and suggested
+   by Kevin Fowler <kevpfowler@gmail.com>)
+
@@ -7,14 +7,15 @@
 # the same as the source code.
 
 set(JITTER_SOURCES
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-base.c
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-gcd.c
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-health.c
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-noise.c
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-sha3.c
-        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/jitterentropy-timer.c)
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-base.c
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-gcd.c
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-health.c
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-noise.c
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-sha3.c
+        ${PROJECT_SOURCE_DIR}/third_party/jitterentropy/src/jitterentropy-timer.c)
 
 include_directories(${PROJECT_SOURCE_DIR}/include)
+include_directories(${PROJECT_SOURCE_DIR}/third_party/jitterentropy)
 
 if(WIN32)
     if(MSVC)
@@ -32,6 +33,10 @@ else()
         # https://gcc.gnu.org/wiki/NewWconversion.
         set(JITTER_COMPILE_FLAGS "${JITTER_COMPILE_FLAGS} -Wconversion")
     endif()
+
+    if(BORINGSSL_PREFIX)
+        set(JITTER_COMPILE_FLAGS "${JITTER_COMPILE_FLAGS} --include=${PROJECT_BINARY_DIR}/symbol_prefix_include/openssl/boringssl_prefix_symbols.h")
+    endif()
 endif()
 
 set_source_files_properties(${JITTER_SOURCES} PROPERTIES COMPILE_FLAGS "${JITTER_COMPILE_FLAGS}")

@@ -1,4 +1,4 @@
-Copyright (C) 2017 - 2022, Stephan Mueller <smueller@chronox.de>
+Copyright (C) 2017 - 2024, Stephan Mueller <smueller@chronox.de>
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions

@@ -0,0 +1,113 @@
+# Compile Noise Source as user space application
+
+CC ?= gcc
+#Hardening
+ENABLE_STACK_PROTECTOR ?= 1
+CFLAGS ?= -fwrapv --param ssp-buffer-size=4 -fvisibility=hidden -fPIE -Wcast-align -Wmissing-field-initializers -Wshadow -Wswitch-enum
+CFLAGS +=-Wextra -Wall -pedantic -fPIC -O0 -fwrapv -Wconversion
+LDFLAGS +=-Wl,-z,relro,-z,now -lpthread
+
+# Enable internal timer support
+CFLAGS += -DJENT_CONF_ENABLE_INTERNAL_TIMER
+
+GCCVERSIONFORMAT := $(shell echo `$(CC) -dumpversion | sed 's/\./\n/g' | wc -l`)
+ifeq "$(GCCVERSIONFORMAT)" "3"
+  GCC_GTEQ_490 := $(shell expr `$(CC) -dumpversion | sed -e 's/\.\([0-9][0-9]\)/\1/g' -e 's/\.\([0-9]\)/0\1/g' -e 's/^[0-9]\{3,4\}$$/&00/'` \>= 40900)
+else
+  GCC_GTEQ_490 := $(shell expr `$(CC) -dumpfullversion | sed -e 's/\.\([0-9][0-9]\)/\1/g' -e 's/\.\([0-9]\)/0\1/g' -e 's/^[0-9]\{3,4\}$$/&00/'` \>= 40900)
+endif
+
+ifeq "$(ENABLE_STACK_PROTECTOR)" "1"
+  ifeq "$(GCC_GTEQ_490)" "1"
+    CFLAGS += -fstack-protector-strong
+  else
+    CFLAGS += -fstack-protector-all
+  endif
+endif
+
+# Change as necessary
+PREFIX := /usr/local
+# library target directory (either lib or lib64)
+LIBDIR := lib
+
+# include target directory
+INCDIR := include
+SRCDIR := src
+
+INSTALL_STRIP ?= install -s
+
+NAME := jitterentropy
+LIBMAJOR=$(shell cat jitterentropy.h | egrep "define\s+JENT_MAJVERSION" | awk '{print $$3}')
+LIBMINOR=$(shell cat jitterentropy.h | egrep "define\s+JENT_MINVERSION" | awk '{print $$3}')
+LIBPATCH=$(shell cat jitterentropy.h | egrep "define\s+JENT_PATCHLEVEL" | awk '{print $$3}')
+LIBVERSION := $(LIBMAJOR).$(LIBMINOR).$(LIBPATCH)
+
+VPATH := $(SRCDIR)
+C_SRCS := $(notdir $(sort $(wildcard $(SRCDIR)/*.c)))
+C_OBJS := ${C_SRCS:.c=.o}
+OBJS := $(C_OBJS)
+
+analyze_srcs = $(filter %.c, $(sort $(C_SRCS)))
+analyze_plists = $(analyze_srcs:%.c=%.plist)
+
+INCLUDE_DIRS := . $(SRCDIR)
+LIBRARY_DIRS :=
+LIBRARIES := rt
+
+CFLAGS += $(foreach includedir,$(INCLUDE_DIRS),-I$(includedir))
+LDFLAGS += $(foreach librarydir,$(LIBRARY_DIRS),-L$(librarydir))
+LDFLAGS += $(foreach library,$(LIBRARIES),-l$(library))
+
+.PHONY: all scan install clean distclean check $(NAME) $(NAME)-static
+
+all: $(NAME) $(NAME)-static
+
+lib$(NAME).a: $(OBJS)
+	$(AR) rcs lib$(NAME).a $(OBJS)
+
+lib$(NAME).so.$(LIBVERSION): $(OBJS)
+	$(CC) -shared -Wl,-soname,lib$(NAME).so.$(LIBMAJOR) -o lib$(NAME).so.$(LIBVERSION) $(OBJS) $(LDFLAGS)
+
+$(NAME)-static: lib$(NAME).a
+$(NAME): lib$(NAME).so.$(LIBVERSION)
+
+$(analyze_plists): %.plist: %.c
+	@echo "  CCSA  " $@
+	clang --analyze $(CFLAGS) $< -o $@
+
+scan: $(analyze_plists)
+
+cppcheck:
+	cppcheck --force -q --enable=performance --enable=warning --enable=portability $(shell find * -name \*.h -o -name \*.c)
+
+install: install-man install-shared install-includes
+
+install-man:
+	install -d -m 0755 $(DESTDIR)$(PREFIX)/share/man/man3
+	install -m 644 doc/$(NAME).3 $(DESTDIR)$(PREFIX)/share/man/man3/
+	gzip -n -f -9 $(DESTDIR)$(PREFIX)/share/man/man3/$(NAME).3
+
+install-shared:
+	install -d -m 0755 $(DESTDIR)$(PREFIX)/$(LIBDIR)
+	$(INSTALL_STRIP) -m 0755 lib$(NAME).so.$(LIBVERSION) $(DESTDIR)$(PREFIX)/$(LIBDIR)/
+	$(RM) $(DESTDIR)$(PREFIX)/$(LIBDIR)/lib$(NAME).so.$(LIBMAJOR)
+	ln -sf lib$(NAME).so.$(LIBVERSION) $(DESTDIR)$(PREFIX)/$(LIBDIR)/lib$(NAME).so.$(LIBMAJOR)
+	ln -sf lib$(NAME).so.$(LIBMAJOR) $(DESTDIR)$(PREFIX)/$(LIBDIR)/lib$(NAME).so
+
+install-includes:
+	install -d -m 0755 $(DESTDIR)$(PREFIX)/$(INCDIR)
+	install -m 0644 jitterentropy.h $(DESTDIR)$(PREFIX)/$(INCDIR)/
+	install -m 0644 jitterentropy-base-user.h $(DESTDIR)$(PREFIX)/$(INCDIR)/
+
+install-static:
+	install -d -m 0755 $(DESTDIR)$(PREFIX)/$(LIBDIR)
+	install -m 0755 lib$(NAME).a $(DESTDIR)$(PREFIX)/$(LIBDIR)/
+
+clean:
+	@- $(RM) $(NAME)
+	@- $(RM) $(OBJS)
+	@- $(RM) lib$(NAME).so*
+	@- $(RM) lib$(NAME).a
+	@- $(RM) $(analyze_plists)
+
+distclean: clean
@@ -1,16 +1,3 @@
-NOTE
-=======================================
-
-The source code in this directory is taken from CPU Jitter RNG library
-version v3.4.0, available at:
-https://github.com/smuellerDD/jitterentropy-library.
-
-The following changes were made to the original source code to integrate
-the library with AWS-LC:
-* `asm volatile` was changed to `__asm__volatile`
-
-The original README.md file starts below.
-
 Hardware RNG based on CPU timing jitter
 =======================================
 
@@ -23,7 +10,7 @@ The implementation of the Jitter RNG is independent of any operating system.
 As such, it could even run on baremetal without any operating system.
 
 The design of the RNG is given in the documentation found in at
-http://www.chronox.de/jent.html . This documentation also covers the full
+http://www.chronox.de/jent . This documentation also covers the full
 assessment of the SP800-90B compliance as well as all required test code.
 
 API

@@ -0,0 +1,34 @@
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := jitterentropy
+LOCAL_CFLAGS    := -O0 -DCRYPTO_CPU_JITTERENTROPY_STAT
+LOCAL_SRC_FILES := jitterentropy-base.c jitterentropy-stat.c jitterentropy-foldtime.c
+
+# compile into a shared library that can be pulled into an APK
+LOCAL_STATIC_LIBRARIES := android_native_app_glue
+include $(BUILD_SHARED_LIBRARY)
+$(call import-module,android/native_app_glue)
+
+# compilation of a standalone-binary that must be manually moved to
+# Android /data partition for execution.
+#include $(BUILD_EXECUTABLE)
+
+# compilation of the CPU Jitter RNG app
+#LOCAL_SRC_FILES := jitterentropy-base.c jitterentropy-main-user.c
+
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+      package="de.chronox.jitterentropy"
+      android:versionCode="1"
+      android:versionName="1.0">
+    <application android:label="jitterentropy" android:hasCode="false">
+        <activity android:name="android.app.NativeActivity"
+                  android:label="jitterentropy"
+                  android:configChanges="orientation|keyboardHidden">
+         <meta-data android:name="android.app.lib_name"
+                    android:value="jitterentropy" />
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+    <uses-sdk android:minSdkVersion="9" />
+</manifest>