Use passive entropy collection everywhere.

Change-Id: I40513b3947fa571d2d0b918641b9917451ced3e1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47284
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

crypto/fipsmodule/rand/internal.h

@@ -45,12 +45,10 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 // for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
 // entropy came directly from the CPU and zero if it came from the OS. It
 // actively obtains entropy from the CPU/OS and so should not be called from
-// within the FIPS module if |BORINGSSL_FIPS_PASSIVE_ENTROPY| is defined.
+// within the FIPS module.
 void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
                              int *out_used_cpu);
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
 // |from_cpu| parameter is true iff the entropy was obtained directly from the
 // CPU.
@@ -61,7 +59,6 @@ void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len,
 // when the module has stopped because it has run out of entropy.
 void RAND_need_entropy(size_t bytes_needed);
 
-#endif  // BORINGSSL_FIPS_PASSIVE_ENTROPY
 #endif  // BORINGSSL_FIPS
 
 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating

crypto/fipsmodule/rand/rand.c

@@ -178,8 +178,6 @@ void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
 #endif
 }
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // In passive entropy mode, entropy is supplied from outside of the module via
 // |RAND_load_entropy| and is stored in global instance of the following
 // structure.
@@ -242,17 +240,6 @@ static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
   CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get());
 }
 
-#else
-
-// In the active case, |get_seed_entropy| simply calls |CRYPTO_get_seed_entropy|
-// in order to obtain entropy from the CPU or OS.
-static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
-                            int *out_used_cpu) {
-  CRYPTO_get_seed_entropy(out_entropy, out_entropy_len, out_used_cpu);
-}
-
-#endif  // !BORINGSSL_FIPS_PASSIVE_ENTROPY
-
 // rand_get_seed fills |seed| with entropy and sets |*out_used_cpu| to one if
 // that entropy came directly from the CPU and zero otherwise.
 static void rand_get_seed(struct rand_thread_state *state,

crypto/rand_extra/passive.c

@@ -15,7 +15,7 @@
 #include <openssl/base.h>
 #include "../fipsmodule/rand/internal.h"
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
+#if defined(BORINGSSL_FIPS)
 
 // RAND_need_entropy is called by the FIPS module when it has blocked because of
 // a lack of entropy. This signal is used as an indication to feed it more.
@@ -31,4 +31,4 @@ void RAND_need_entropy(size_t bytes_needed) {
   RAND_load_entropy(buf, todo, used_cpu);
 }
 
-#endif  // BORINGSSL_FIPS_PASSIVE_ENTROPY
+#endif  // FIPS

include/openssl/base.h

@@ -160,10 +160,6 @@ extern "C" {
 
 #if defined(__ANDROID_API__)
 #define OPENSSL_ANDROID
-#if defined(BORINGSSL_FIPS)
-// The FIPS module on Android passively receives entropy.
-#define BORINGSSL_FIPS_PASSIVE_ENTROPY
-#endif
 #endif
 
 #if defined(__FreeBSD__)