Skip to content

fix: include TargetConditionals.h in target.h for iOS cross-compilation #3111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
lukejmann wants to merge 1 commit into from
Closed

fix: include TargetConditionals.h in target.h for iOS cross-compilation #3111

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions crypto/rand_extra/urandom.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -352,8 +352,10 @@ static void ensure_getrandom_is_initialized(void) {

static void ensure_dev_urandom_is_initialized(void) {

// On platforms where urandom doesn't block at startup, we ensure that the
// kernel has sufficient entropy before continuing.
#if defined(OPENSSL_LINUX)
// On Linux, where urandom doesn't block at startup, we ensure that the
// kernel has sufficient entropy before continuing. RNDGETENTCNT and ioctl
// are Linux-specific (from <linux/random.h> and <sys/ioctl.h>).
Comment on lines +355 to +358
Copy link
Copy Markdown
Contributor

@justsmth justsmth Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @lukejmann -- Thanks for the PR, and the detailed write up! We also have an issue related to this in the aws-lc-rs repo: aws/aws-lc-rs#1068. I wrote up my initial analysis here.

The change here to "urandom.c" is concerning. This is guarding the loop with OPENSSL_LINUX while still leaving random_flavor_state = STATE_READY below unconditional. The problem is that if this code were ever compiled/used on a non-Linux platform, it would silently skip entropy initialization entirely.

We believe the correct fix is likely in crypto/rand_extra/internal.h: adding an OPENSSL_APPLE catch-all so Apple platforms never fall through to OPENSSL_RAND_URANDOM in the first place.

We're working on this now — thanks again for bringing it to our attention!

Copy link
Copy Markdown
Author

@lukejmann lukejmann Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!!

for (;;) {
int entropy_bits = 0;
if (ioctl(urandom_fd, RNDGETENTCNT, &entropy_bits)) {
Expand All @@ -377,6 +379,7 @@ static void ensure_dev_urandom_is_initialized(void) {
nanosleep(&sleep_time, &sleep_time);
}

#endif // OPENSSL_LINUX
random_flavor_state = STATE_READY;
}

Expand Down
8 changes: 8 additions & 0 deletions include/openssl/target.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,14 @@
#endif

#if defined(__APPLE__)
// TargetConditionals.h defines TARGET_OS_OSX, TARGET_OS_IPHONE, etc.
// base.h includes it for C/C++, but target.h must be self-contained
// because it can be included before base.h. In assembly contexts the
// header is unavailable, but the TARGET_OS_* checks below will simply
// evaluate to false, which is fine -- assembly never inspects them.
#if !defined(__ASSEMBLER__)
#include <TargetConditionals.h>
#endif
#define OPENSSL_APPLE
// Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX|
// targets macOS specifically.
Expand Down