
Commit 6d57af3

committed
On MacOS, use arc4random if CommonCrypto not available
1 parent bcce787 commit 6d57af3

1 file changed

+16
-6
lines changed

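--- a/crypto/fipsmodule/rand/urandom.c
+++ b/crypto/fipsmodule/rand/urandom.c
@@ -66,7 +66,12 @@
 #endif // OPENSSL_LINUX
 
 #if defined(OPENSSL_APPLE)
+#if __has_include(<CommonCrypto/CommonRandom.h>)
+#define AWS_LC_HAVE_COMMON_CRYPTO
 #include <CommonCrypto/CommonRandom.h>
+#else
+#define AWS_LC_USE_ARC4RANDOM
+#endif
 #endif
 
 #if defined(OPENSSL_FREEBSD)
@@ -80,6 +85,10 @@
 #endif
 
 #if defined(OPENSSL_OPENBSD)
+#define AWS_LC_USE_ARC4RANDOM
+#endif
+
+#if defined(AWS_LC_USE_ARC4RANDOM)
 #include <stdlib.h>
 #endif
 
@@ -250,16 +259,16 @@ static void init_once(void) {
 }
 #endif // USE_NR_getrandom
 
-#if defined(OPENSSL_APPLE)
+#if defined(AWS_LC_HAVE_COMMON_CRYPTO)
 // To get system randomness on MacOS and iOS we use |CCRandomGenerateBytes|
 // function provided by Apple rather than /dev/urandom or |getentropy|
 // function which is available on MacOS but not on iOS.
 return;
 #endif
 
-#if defined(OPENSSL_OPENBSD)
+#if defined(AWS_LC_USE_ARC4RANDOM)
 // To get system randomness on OpenBSD we use |arc4random_buf| function
-// which is recommended to use for C APIs rather then /dev/urandom.
+// which is recommended to use for C APIs rather than /dev/urandom.
 // See https://man.openbsd.org/arc4random.3
 return;
 #endif
@@ -350,7 +359,8 @@ static void wait_for_entropy(void) {
 }
 
 #if defined(BORINGSSL_FIPS) && !defined(URANDOM_BLOCKS_FOR_ENTROPY) && \
-!(defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD)) // On MacOS, iOS, and OpenBSD we don't use /dev/urandom.
+!(defined(AWS_LC_HAVE_COMMON_CRYPTO) || defined(AWS_LC_USE_ARC4RANDOM))
+// On MacOS, iOS, and OpenBSD we don't use /dev/urandom.
 
 // In FIPS mode on platforms where urandom doesn't block at startup, we ensure
 // that the kernel has sufficient entropy before continuing. This is
@@ -388,7 +398,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
 return 1;
 }
 
-#if defined(OPENSSL_APPLE)
+#if defined(AWS_LC_HAVE_COMMON_CRYPTO)
 // To get system randomness on MacOS and iOS we use |CCRandomGenerateBytes|
 // rather than |getentropy| and /dev/urandom.
 if (CCRandomGenerateBytes(out, len) == kCCSuccess) {
@@ -399,7 +409,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
 }
 #endif
 
-#if defined(OPENSSL_OPENBSD)
+#if defined(AWS_LC_USE_ARC4RANDOM)
 // Return value is void, no error to check
 arc4random_buf(out, len);
 return 1;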
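Review bot: The `#else` branch added under `OPENSSL_APPLE` in the first hunk silently switches the system entropy source to `arc4random_buf` whenever `<CommonCrypto/CommonRandom.h>` is absent at build time, and nothing records that choice or restricts it for `BORINGSSL_FIPS` builds. On macOS releases before 10.12 the arc4random family was still RC4-based, and an SDK old enough to lack the header is presumably the case this targets, so I would document the fallback next to the `#define` and consider rejecting it in FIPS builds, e.g. `#if defined(BORINGSSL_FIPS)` / `#error "FIPS build on Apple requires CommonCrypto"` / `#endif` inside the `#else`. `__has_include` is also used without a `defined(__has_include)` guard, which would fail to preprocess on a compiler that lacks it. The comments kept in the `AWS_LC_USE_ARC4RANDOM` branches still describe only OpenBSD although they now cover Apple too, for example `// To get system randomness on OpenBSD we use |arc4random_buf| function` could read `// On OpenBSD, and on Apple platforms without CommonCrypto, we use |arc4random_buf|`. `init_once` and `fill_with_entropy` both continue outside the hunks shown.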
