From 31a322e7256867f5f12e4b25014188878a5867b5 Mon Sep 17 00:00:00 2001 From: torben-hansen <50673096+torben-hansen@users.noreply.github.com> Date: Mon, 16 Oct 2023 09:53:36 -0700 Subject: [PATCH] Completely remove Jitter CPU from library artifact if not enabled (#1249) Previously, we disabled jitter cpu by default; instead enabling the passive strategy by default. This is a build-time configuration. That is, if jitter cpu is not explicitly enabled, jitter cpu is not used as the source in FIPS mode and is redundant. Remove it completely now. --- CMakeLists.txt | 3 +-- crypto/CMakeLists.txt | 11 +++-------- crypto/fipsmodule/bcm.c | 2 ++ crypto/fipsmodule/rand/cpu_jitter_test.cc | 2 +- tool/speed.cc | 10 ++++++++-- 5 files changed, 15 insertions(+), 13 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 1a559ef303..81ab5c55c3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -33,6 +33,7 @@ if(FIPS) if(ENABLE_FIPS_ENTROPY_CPU_JITTER) add_definitions(-DFIPS_ENTROPY_SOURCE_JITTER_CPU) + add_subdirectory(third_party/jitterentropy) message(STATUS "FIPS entropy source method configured: CPU Jitter") else() add_definitions(-DFIPS_ENTROPY_SOURCE_PASSIVE) @@ -647,8 +648,6 @@ if(FIPS) message(FATAL_ERROR "Windows Debug build is not supported with FIPS, use Release or RelWithDebInfo") endif() - add_subdirectory(third_party/jitterentropy) - add_definitions(-DBORINGSSL_FIPS) if(FIPS_BREAK_TEST) add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1") diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index d7d8780420..1cfd7fee50 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt 
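Review bot: Both `add_subdirectory(third_party/jitterentropy)` and `add_definitions(-DFIPS_ENTROPY_SOURCE_JITTER_CPU)` are now reached only inside the `if(FIPS)` block named in the hunk trailer, so a configure that passes `-DENABLE_FIPS_ENTROPY_CPU_JITTER=ON` without `FIPS` silently ignores the option and builds no jitter code, with nothing in the configure log saying so. Unless that case is reported elsewhere (not visible here), make it loud next to the option: `if(ENABLE_FIPS_ENTROPY_CPU_JITTER AND NOT FIPS)` / `message(WARNING "ENABLE_FIPS_ENTROPY_CPU_JITTER has no effect without FIPS=1")` / `endif()`. The jitter branch prints its status line, so a matching `message(STATUS "FIPS entropy source method configured: Passive")` in the `else()` branch, if it is not already there below the hunk, keeps the chosen FIPS entropy source visible in every configure log. The enclosing `if(FIPS)` block starts and ends outside the hunk.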
@@ -532,7 +532,9 @@ target_include_directories(crypto_objects BEFORE PRIVATE ${PROJECT_BINARY_DIR}/s target_include_directories(crypto_objects PRIVATE ${PROJECT_SOURCE_DIR}/include) function(build_libcrypto name module_source) - if(FIPS) + if(FIPS AND ENABLE_FIPS_ENTROPY_CPU_JITTER) + # If the jitter cpu entropy source is enabled add an object dependency to + # the libcrypto target. add_library(${name} $ ${CRYPTO_FIPS_OBJECTS} ${module_source} $) else() add_library(${name} $ ${CRYPTO_FIPS_OBJECTS} ${module_source}) @@ -679,13 +681,6 @@ if(BUILD_TESTING) fipsmodule/rand/urandom_test.cc ) - # When using CPU Jitter as the entropy source (only in FIPS build) - # urandom_test should not be performed so we pass the compilation flag - # and handle it in urandom_test.cc - if(JITTER_ENTROPY) - target_compile_options(${RANDOM_TEST_EXEC} PUBLIC -DJITTER_ENTROPY) - endif() - add_dependencies(${RANDOM_TEST_EXEC} boringssl_prefix_symbols) target_link_libraries(${RANDOM_TEST_EXEC} test_support_lib boringssl_gtest crypto) target_include_directories(${RANDOM_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include) diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index 85199ee00b..d2b291ead7 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c @@ -235,10 +235,12 @@ static void BORINGSSL_bcm_power_on_self_test(void) { OPENSSL_cpuid_setup(); #endif +#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) if (jent_entropy_init()) { fprintf(stderr, "CPU Jitter entropy RNG initialization failed.\n"); goto err; } +#endif #if !defined(OPENSSL_ASAN) // Integrity tests cannot run under ASAN because it involves reading the full diff --git a/crypto/fipsmodule/rand/cpu_jitter_test.cc b/crypto/fipsmodule/rand/cpu_jitter_test.cc index ff9fa67447..1ac0f9eb4f 100644 --- a/crypto/fipsmodule/rand/cpu_jitter_test.cc +++ b/crypto/fipsmodule/rand/cpu_jitter_test.cc 
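Review bot: Removing the `-DJITTER_ENTROPY` pass-through for `${RANDOM_TEST_EXEC}` leaves whatever `#if defined(JITTER_ENTROPY)` handling urandom_test.cc carries (the removed comment says it handles the flag, and urandom_test.cc is not in this commit's diffstat) permanently false, so the intent "urandom_test should not be performed when CPU jitter is the entropy source" is either dead already or silently dropped here. Because `add_definitions(-DFIPS_ENTROPY_SOURCE_JITTER_CPU)` in the top-level CMakeLists.txt is directory-scoped and inherited by crypto/, the test can switch its guard to `#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)` with no CMake change; if the skip is no longer wanted, delete that handling from urandom_test.cc in the same change so the two files do not disagree. I cannot tell from the hunk whether the `JITTER_ENTROPY` variable was ever set by the build, so confirm which of the two outcomes is intended before merging.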
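Review bot: With `jent_entropy_init()` now compiled only under `FIPS_ENTROPY_SOURCE_JITTER_CPU`, a `BORINGSSL_FIPS` build of bcm.c that defines neither that macro nor `FIPS_ENTROPY_SOURCE_PASSIVE` (for example a non-CMake build that does not pick up the new top-level logic) compiles cleanly with no entropy-source startup check at all; a preprocessor guard makes that misconfiguration a build error instead: before the new `#endif`, add `#elif !defined(FIPS_ENTROPY_SOURCE_PASSIVE)` / `#error "FIPS build needs FIPS_ENTROPY_SOURCE_JITTER_CPU or FIPS_ENTROPY_SOURCE_PASSIVE"`. The failure message also discards the value returned by `jent_entropy_init()`; if the library reports which startup health test failed through that value (its header is not visible here), `int ret = jent_entropy_init(); if (ret) { fprintf(stderr, "CPU Jitter entropy RNG initialization failed: %d\n", ret); goto err; }` makes a field POST failure diagnosable. Whether the jitterentropy `#include` in bcm.c is guarded the same way is outside the hunk; if it is not, passive builds now rely on that header being reachable without the jitter subdirectory's include path. `BORINGSSL_bcm_power_on_self_test` starts and ends outside the hunk.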
@@ -1,7 +1,7 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 OR ISC -#if defined(BORINGSSL_FIPS) +#if defined(BORINGSSL_FIPS) && defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) #include diff --git a/tool/speed.cc b/tool/speed.cc index 0f4fd01a59..7e4f4cd6ac 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -2252,6 +2252,7 @@ static bool SpeedSelfTest(const std::string &selected) { return true; } +#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) static bool SpeedJitter(size_t chunk_size) { struct rand_data *jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS); @@ -2288,6 +2289,7 @@ static bool SpeedJitter(std::string selected) { return true; } #endif +#endif static bool SpeedDHcheck(size_t prime_bit_length) { @@ -2682,10 +2684,14 @@ bool Speed(const std::vector &args) { } #if defined(AWSLC_FIPS) - if (!SpeedSelfTest(selected) || - !SpeedJitter(selected)) { + if (!SpeedSelfTest(selected)) { + return false; + } +#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU) + if (!SpeedJitter(selected)) { return false; } +#endif #endif }
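Review bot: After this hunk the pre-existing `#endif` at old line 2290 closes the new `#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)` rather than the outer conditional it closed before, and the added `#endif` now closes that outer block, which opens above the first speed.cc hunk (presumably `#if defined(AWSLC_FIPS)`, given the call site in `Speed`, but I cannot see it). The nesting is correct for the preprocessor, yet a reader of either `#endif` has no way to tell which block it ends, and the same bare pair appears in the `Speed` hunk below. Annotate all of them: `#endif  // defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)` on the inner one and `#endif  // defined(AWSLC_FIPS)` on the outer one, adjusted to whatever the outer `#if` actually tests. The two `SpeedJitter` overloads these guards wrap are defined between the hunks, so their bodies are outside the view.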