From 745fe686eca76ba00833b807efc4c81fa12ba1b9 Mon Sep 17 00:00:00 2001
From: Luke Mann <luke@mann.xyz>
Date: Thu, 19 Mar 2026 15:32:34 -0700
Subject: [PATCH] fix: include TargetConditionals.h in target.h for iOS
 cross-compilation

target.h checks TARGET_OS_IPHONE to define OPENSSL_IOS, but relies on
base.h having already included <TargetConditionals.h>. On toolchains
where TARGET_OS_IPHONE is not a compiler builtin (e.g. Xcode 16.2 /
Apple Clang 16 on macOS 14), the macro is never set, OPENSSL_IOS is
never defined, and the entropy source selection in internal.h falls
through to OPENSSL_RAND_URANDOM. This compiles urandom.c's full body
for iOS, which references the Linux-only RNDGETENTCNT ioctl and calls
ioctl() without <sys/ioctl.h>, producing hard errors:

  urandom.c:370: error: call to undeclared function 'ioctl'
  urandom.c:370: error: use of undeclared identifier 'RNDGETENTCNT'

Two changes:
1. target.h now includes <TargetConditionals.h> directly (guarded by
   !__ASSEMBLER__ since the header is also used in .S files). This
   ensures OPENSSL_IOS is always defined for iOS targets.
2. urandom.c's ensure_dev_urandom_is_initialized() guards the
   RNDGETENTCNT/ioctl block behind #if defined(OPENSSL_LINUX) as a
   defensive measure, since those symbols only come from headers that
   are themselves guarded by OPENSSL_LINUX.

Made-with: Cursor
---
 crypto/rand_extra/urandom.c | 7 +++++--
 include/openssl/target.h    | 8 ++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/crypto/rand_extra/urandom.c b/crypto/rand_extra/urandom.c
index f9e8069374b..58148a9dd66 100644
--- a/crypto/rand_extra/urandom.c
+++ b/crypto/rand_extra/urandom.c
@@ -352,8 +352,10 @@ static void ensure_getrandom_is_initialized(void) {
 
 static void ensure_dev_urandom_is_initialized(void) {
 
-  // On platforms where urandom doesn't block at startup, we ensure that the
-  // kernel has sufficient entropy before continuing.
+#if defined(OPENSSL_LINUX)
+  // On Linux, where urandom doesn't block at startup, we ensure that the
+  // kernel has sufficient entropy before continuing. RNDGETENTCNT and ioctl
+  // are Linux-specific (from <linux/random.h> and <sys/ioctl.h>).
   for (;;) {
     int entropy_bits = 0;
     if (ioctl(urandom_fd, RNDGETENTCNT, &entropy_bits)) {
@@ -376,6 +378,7 @@ static void ensure_dev_urandom_is_initialized(void) {
     struct timespec sleep_time = {.tv_sec = 0, .tv_nsec = MILLISECONDS_250 };
     nanosleep(&sleep_time, &sleep_time);
   }
+#endif  // OPENSSL_LINUX
 
   random_flavor_state = STATE_READY;
 }
diff --git a/include/openssl/target.h b/include/openssl/target.h
index d06f0fa9fc6..1da62e3fdf9 100644
--- a/include/openssl/target.h
+++ b/include/openssl/target.h
@@ -87,6 +87,14 @@
 #endif
 
 #if defined(__APPLE__)
+// TargetConditionals.h defines TARGET_OS_OSX, TARGET_OS_IPHONE, etc.
+// base.h includes it for C/C++, but target.h must be self-contained
+// because it can be included before base.h. In assembly contexts the
+// header is unavailable, but the TARGET_OS_* checks below will simply
+// evaluate to false, which is fine -- assembly never inspects them.
+#if !defined(__ASSEMBLER__)
+#include <TargetConditionals.h>
+#endif
 #define OPENSSL_APPLE
 // Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX|
 // targets macOS specifically.