Use passive entropy collection everywhere.
Change-Id: I40513b3947fa571d2d0b918641b9917451ced3e1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47284
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/fipsmodule/rand/internal.h b/crypto/fipsmodule/rand/internal.h
index 598a17b..ac97b7c 100644
--- a/crypto/fipsmodule/rand/internal.h
+++ b/crypto/fipsmodule/rand/internal.h
@@ -45,12 +45,10 @@
// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
// entropy came directly from the CPU and zero if it came from the OS. It
// actively obtains entropy from the CPU/OS and so should not be called from
-// within the FIPS module if |BORINGSSL_FIPS_PASSIVE_ENTROPY| is defined.
+// within the FIPS module.
void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
int *out_used_cpu);
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
// RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
// |from_cpu| parameter is true iff the entropy was obtained directly from the
// CPU.
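Review bot: The rewritten comment on `CRYPTO_get_seed_entropy` says it must not be called from within the FIPS module but no longer says who is meant to call it, which matters now that this is the only way entropy reaches the DRBG. I would extend the sentence to `// within the FIPS module; it is intended for the code outside the module that answers |RAND_need_entropy| by calling |RAND_load_entropy|.` The only such caller visible in this change is `RAND_need_entropy` in rand_extra/passive.c, whose body is partly outside the hunk, so the wording should be confirmed against it.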
@@ -61,7 +59,6 @@
// when the module has stopped because it has run out of entropy.
void RAND_need_entropy(size_t bytes_needed);
-#endif // BORINGSSL_FIPS_PASSIVE_ENTROPY
#endif // BORINGSSL_FIPS
// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
diff --git a/crypto/fipsmodule/rand/rand.c b/crypto/fipsmodule/rand/rand.c
index 824efc8..089b814 100644
--- a/crypto/fipsmodule/rand/rand.c
+++ b/crypto/fipsmodule/rand/rand.c
@@ -178,8 +178,6 @@
#endif
}
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
// In passive entropy mode, entropy is supplied from outside of the module via
// |RAND_load_entropy| and is stored in global instance of the following
// structure.
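Review bot: The retained comment still opens with "In passive entropy mode", but after this change there is no other mode in the file, so the phrase suggests a build-time choice that no longer exists. I would reword it to `// Entropy is supplied from outside of the module via |RAND_load_entropy| and is stored in a global instance of the following structure.` The definition the comment introduces continues below the hunk.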
@@ -242,17 +240,6 @@
CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get());
}
-#else
-
-// In the active case, |get_seed_entropy| simply calls |CRYPTO_get_seed_entropy|
-// in order to obtain entropy from the CPU or OS.
-static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
- int *out_used_cpu) {
- CRYPTO_get_seed_entropy(out_entropy, out_entropy_len, out_used_cpu);
-}
-
-#endif // !BORINGSSL_FIPS_PASSIVE_ENTROPY
-
// rand_get_seed fills |seed| with entropy and sets |*out_used_cpu| to one if
// that entropy came directly from the CPU and zero otherwise.
static void rand_get_seed(struct rand_thread_state *state,
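Review bot: Removing the active fallback means every seed now depends on out-of-module code implementing `RAND_need_entropy`, and that implementation is only compiled under `BORINGSSL_FIPS` in rand_extra/passive.c while the declarations in internal.h are likewise FIPS-only. If the passive buffer code and `rand_get_seed` in this file are not themselves inside a `#if defined(BORINGSSL_FIPS)` region, a non-FIPS build would reference an undeclared `RAND_need_entropy`; the enclosing guard is not visible here, so this should be confirmed. A one-line comment on `rand_get_seed` stating that it blocks on entropy supplied through `RAND_load_entropy` would also make the new contract explicit. `rand_get_seed` begins at the last line of the hunk and its body is outside it.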
diff --git a/crypto/rand_extra/passive.c b/crypto/rand_extra/passive.c
index a8c2487..a2b388f 100644
--- a/crypto/rand_extra/passive.c
+++ b/crypto/rand_extra/passive.c
@@ -15,7 +15,7 @@
#include <openssl/base.h>
#include "../fipsmodule/rand/internal.h"
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
+#if defined(BORINGSSL_FIPS)
// RAND_need_entropy is called by the FIPS module when it has blocked because of
// a lack of entropy. This signal is used as an indication to feed it more.
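Review bot: The comment describes when `RAND_need_entropy` is called but not that the module appears to trust the `from_cpu` value this out-of-module function reports, which the header defines as true iff the bytes came directly from the CPU. I would add `// The |from_cpu| value passed to |RAND_load_entropy| must faithfully reflect |CRYPTO_get_seed_entropy|'s |out_used_cpu|; the module does not verify it.` The call that obtains the entropy and `used_cpu` lies between the two hunks and is not visible here, so the wording assumes it is `CRYPTO_get_seed_entropy`.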
@@ -31,4 +31,4 @@
RAND_load_entropy(buf, todo, used_cpu);
}
-#endif // BORINGSSL_FIPS_PASSIVE_ENTROPY
+#endif // FIPS
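Review bot: The closing comment `#endif  // FIPS` does not name the macro it closes, unlike the matching `#if defined(BORINGSSL_FIPS)` at the top of the file and the `#endif  // BORINGSSL_FIPS` convention in fipsmodule/rand/internal.h. I would write `#endif  // BORINGSSL_FIPS` so a reader can match the guard without scrolling. The function this endif follows starts before the hunk.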
diff --git a/include/openssl/base.h b/include/openssl/base.h
index e5fe146..598f4dd 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -160,10 +160,6 @@
#if defined(__ANDROID_API__)
#define OPENSSL_ANDROID
-#if defined(BORINGSSL_FIPS)
-// The FIPS module on Android passively receives entropy.
-#define BORINGSSL_FIPS_PASSIVE_ENTROPY
-#endif
#endif
#if defined(__FreeBSD__)