Google Git
Sign in
boringssl/boringssl.git/1cf78cd290542e8575c5139907d61dbad5b6f49d^!/.
commit
1cf78cd290542e8575c5139907d61dbad5b6f49d
[log]
author
Adam Langley <alangley@gmail.com>
Thu Apr 29 16:16:01 2021 -0700
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Fri Apr 30 15:43:31 2021 +0000
tree
6eb4ff81e863ebaecc3f6429e5936dffe65fcf3a
parent
a96f4dd3822efdfbd371abc4d8ad0e1b9b497866 [diff]
Use passive entropy collection everywhere.

Change-Id: I40513b3947fa571d2d0b918641b9917451ced3e1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47284
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/crypto/fipsmodule/rand/internal.h b/crypto/fipsmodule/rand/internal.h
index 598a17b..ac97b7c 100644
--- a/crypto/fipsmodule/rand/internal.h
+++ b/crypto/fipsmodule/rand/internal.h

@@ -45,12 +45,10 @@
 // for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
 // entropy came directly from the CPU and zero if it came from the OS. It
 // actively obtains entropy from the CPU/OS and so should not be called from
-// within the FIPS module if |BORINGSSL_FIPS_PASSIVE_ENTROPY| is defined.
+// within the FIPS module.
 void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
                              int *out_used_cpu);
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
 // |from_cpu| parameter is true iff the entropy was obtained directly from the
 // CPU.
@@ -61,7 +59,6 @@
 // when the module has stopped because it has run out of entropy.
 void RAND_need_entropy(size_t bytes_needed);
 
-#endif  // BORINGSSL_FIPS_PASSIVE_ENTROPY
 #endif  // BORINGSSL_FIPS
 
 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating

diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
index 824efc8..089b814 100644
--- a/crypto/fipsmodule/rand/rand.c
+++ b/crypto/fipsmodule/rand/rand.c

@@ -178,8 +178,6 @@
 #endif
 }
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // In passive entropy mode, entropy is supplied from outside of the module via
 // |RAND_load_entropy| and is stored in global instance of the following
 // structure.
@@ -242,17 +240,6 @@
   CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get());
 }
 
-#else
-
-// In the active case, |get_seed_entropy| simply calls |CRYPTO_get_seed_entropy|
-// in order to obtain entropy from the CPU or OS.
-static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
-                            int *out_used_cpu) {
-  CRYPTO_get_seed_entropy(out_entropy, out_entropy_len, out_used_cpu);
-}
-
-#endif  // !BORINGSSL_FIPS_PASSIVE_ENTROPY
-
 // rand_get_seed fills |seed| with entropy and sets |*out_used_cpu| to one if
 // that entropy came directly from the CPU and zero otherwise.
 static void rand_get_seed(struct rand_thread_state *state,

diff --git a/crypto/rand_extra/passive.c b/crypto/rand_extra/passive.c
index a8c2487..a2b388f 100644
--- a/crypto/rand_extra/passive.c
+++ b/crypto/rand_extra/passive.c

@@ -15,7 +15,7 @@
 #include <openssl/base.h>
 #include "../fipsmodule/rand/internal.h"
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
+#if defined(BORINGSSL_FIPS)
 
 // RAND_need_entropy is called by the FIPS module when it has blocked because of
 // a lack of entropy. This signal is used as an indication to feed it more.
@@ -31,4 +31,4 @@
   RAND_load_entropy(buf, todo, used_cpu);
 }
 
-#endif  // BORINGSSL_FIPS_PASSIVE_ENTROPY
+#endif  // FIPS

diff --git a/include/openssl/base.h b/include/openssl/base.h
index e5fe146..598f4dd 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h

@@ -160,10 +160,6 @@
 
 #if defined(__ANDROID_API__)
 #define OPENSSL_ANDROID
-#if defined(BORINGSSL_FIPS)
-// The FIPS module on Android passively receives entropy.
-#define BORINGSSL_FIPS_PASSIVE_ENTROPY
-#endif
 #endif
 
 #if defined(__FreeBSD__)