rand_lib: do not chain drbgs with FIPS+JITTER

Seed public & private DRBG directly from jitter, without use of
primary DRBG under FIPS. This allows to reuse pre-existing ESV
certificate of statically built libjitterentropy.a.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

crypto/rand/rand_lib.c

@@ -783,8 +783,18 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx)
         if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
             return NULL;
+#if defined(OPENSSL_RAND_SEED_JITTER) && defined(FIPS_MODULE)
+	/*
+	 * Explicitely use SEED_JITTER without chaining to allow reuse
+	 * of pre-certified static jitterentropy.a without need for a
+	 * separate ESV certificate.
+	 */
+        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
+                             SECONDARY_RESEED_TIME_INTERVAL, 0);
+#else
         rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
                              SECONDARY_RESEED_TIME_INTERVAL, 0);
+#endif
         CRYPTO_THREAD_set_local(&dgbl->public, rand);
     }
     return rand;
@@ -816,8 +826,18 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx)
         if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
             return NULL;
+#if defined(OPENSSL_RAND_SEED_JITTER) && defined(FIPS_MODULE)
+	/*
+	 * Explicitely use SEED_JITTER without chaining to allow reuse
+	 * of pre-certified static jitterentropy.a without need for a
+	 * separate ESV certificate.
+	 */
+        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
+                             SECONDARY_RESEED_TIME_INTERVAL, 0);
+#else
         rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
                              SECONDARY_RESEED_TIME_INTERVAL, 0);
+#endif
         CRYPTO_THREAD_set_local(&dgbl->private, rand);
     }
     return rand;