grpc 1.10.0.pre1 → 1.10.0.pre2

data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c

@@ -0,0 +1,95 @@
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
+#include <openssl/type_check.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include "internal.h"
+
+
+OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_ofb);
+
+void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
+                           const void *key, uint8_t ivec[16], unsigned *num,
+                           block128_f block) {
+  assert(in && out && key && ivec && num);
+
+  unsigned n = *num;
+
+  while (n && len) {
+    *(out++) = *(in++) ^ ivec[n];
+    --len;
+    n = (n + 1) % 16;
+  }
+
+  while (len >= 16) {
+    (*block)(ivec, ivec, key);
+    for (; n < 16; n += sizeof(size_t)) {
+      size_t a, b;
+      OPENSSL_memcpy(&a, in + n, sizeof(size_t));
+      OPENSSL_memcpy(&b, ivec + n, sizeof(size_t));
+
+      const size_t c = a ^ b;
+      OPENSSL_memcpy(out + n, &c, sizeof(size_t));
+    }
+    len -= 16;
+    out += 16;
+    in += 16;
+    n = 0;
+  }
+  if (len) {
+    (*block)(ivec, ivec, key);
+    while (len--) {
+      out[n] = in[n] ^ ivec[n];
+      ++n;
+    }
+  }
+  *num = n;
+}

data/third_party/boringssl/crypto/fipsmodule/modes/polyval.c

@@ -0,0 +1,91 @@
+/* Copyright (c) 2016, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include "internal.h"
+#include "../../internal.h"
+
+
+// byte_reverse reverses the order of the bytes in |b->c|.
+static void byte_reverse(polyval_block *b) {
+  const uint64_t t = CRYPTO_bswap8(b->u[0]);
+  b->u[0] = CRYPTO_bswap8(b->u[1]);
+  b->u[1] = t;
+}
+
+// reverse_and_mulX_ghash interprets the bytes |b->c| as a reversed element of
+// the GHASH field, multiplies that by 'x' and serialises the result back into
+// |b|, but with GHASH's backwards bit ordering.
+static void reverse_and_mulX_ghash(polyval_block *b) {
+  uint64_t hi = b->u[0];
+  uint64_t lo = b->u[1];
+  const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);
+  hi >>= 1;
+  hi |= lo << 63;
+  lo >>= 1;
+  lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56;
+
+  b->u[0] = CRYPTO_bswap8(lo);
+  b->u[1] = CRYPTO_bswap8(hi);
+}
+
+// POLYVAL(H, X_1, ..., X_n) =
+// ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
+// ByteReverse(X_n))).
+//
+// See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-A.
+
+void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
+  polyval_block H;
+  OPENSSL_memcpy(H.c, key, 16);
+  reverse_and_mulX_ghash(&H);
+
+  int is_avx;
+  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, &is_avx,
+                    H.c);
+  OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
+}
+
+void CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,
+                                  size_t in_len) {
+  assert((in_len & 15) == 0);
+  polyval_block reversed[32];
+
+  while (in_len > 0) {
+    size_t todo = in_len;
+    if (todo > sizeof(reversed)) {
+      todo = sizeof(reversed);
+    }
+    OPENSSL_memcpy(reversed, in, todo);
+    in += todo;
+    in_len -= todo;
+
+    size_t blocks = todo / sizeof(polyval_block);
+    for (size_t i = 0; i < blocks; i++) {
+      byte_reverse(&reversed[i]);
+    }
+
+    ctx->ghash(ctx->S.u, ctx->Htable, (const uint8_t *) reversed, todo);
+  }
+}
+
+void CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]) {
+  polyval_block S = ctx->S;
+  byte_reverse(&S);
+  OPENSSL_memcpy(out, &S.c, sizeof(polyval_block));
+}

data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c

@@ -0,0 +1,200 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <openssl/type_check.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../cipher/internal.h"
+
+
+// Section references in this file refer to SP 800-90Ar1:
+// http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
+
+// See table 3.
+static const uint64_t kMaxReseedCount = UINT64_C(1) << 48;
+
+int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
+                  const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
+                  const uint8_t *personalization, size_t personalization_len) {
+  // Section 10.2.1.3.1
+  if (personalization_len > CTR_DRBG_ENTROPY_LEN) {
+    return 0;
+  }
+
+  uint8_t seed_material[CTR_DRBG_ENTROPY_LEN];
+  OPENSSL_memcpy(seed_material, entropy, CTR_DRBG_ENTROPY_LEN);
+
+  for (size_t i = 0; i < personalization_len; i++) {
+    seed_material[i] ^= personalization[i];
+  }
+
+  // Section 10.2.1.2
+
+  // kInitMask is the result of encrypting blocks with big-endian value 1, 2
+  // and 3 with the all-zero AES-256 key.
+  static const uint8_t kInitMask[CTR_DRBG_ENTROPY_LEN] = {
+      0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9, 0xa9, 0x63, 0xb4, 0xf1,
+      0xc4, 0xcb, 0x73, 0x8b, 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+      0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18, 0x72, 0x60, 0x03, 0xca,
+      0x37, 0xa6, 0x2a, 0x74, 0xd1, 0xa2, 0xf5, 0x8e, 0x75, 0x06, 0x35, 0x8e,
+  };
+
+  for (size_t i = 0; i < sizeof(kInitMask); i++) {
+    seed_material[i] ^= kInitMask[i];
+  }
+
+  drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, seed_material, 32);
+  OPENSSL_memcpy(drbg->counter.bytes, seed_material + 32, 16);
+  drbg->reseed_counter = 1;
+
+  return 1;
+}
+
+OPENSSL_COMPILE_ASSERT(CTR_DRBG_ENTROPY_LEN % AES_BLOCK_SIZE == 0,
+                       not_a_multiple_of_block_size);
+
+// ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a
+// big-endian number.
+static void ctr32_add(CTR_DRBG_STATE *drbg, uint32_t n) {
+  drbg->counter.words[3] =
+      CRYPTO_bswap4(CRYPTO_bswap4(drbg->counter.words[3]) + n);
+}
+
+static int CTR_DRBG_update(CTR_DRBG_STATE *drbg, const uint8_t *data,
+                           size_t data_len) {
+  // Section 10.2.1.2. A value of |data_len| which less than
+  // |CTR_DRBG_ENTROPY_LEN| is permitted and acts the same as right-padding
+  // with zeros. This can save a copy.
+  if (data_len > CTR_DRBG_ENTROPY_LEN) {
+    return 0;
+  }
+
+  uint8_t temp[CTR_DRBG_ENTROPY_LEN];
+  for (size_t i = 0; i < CTR_DRBG_ENTROPY_LEN; i += AES_BLOCK_SIZE) {
+    ctr32_add(drbg, 1);
+    drbg->block(drbg->counter.bytes, temp + i, &drbg->ks);
+  }
+
+  for (size_t i = 0; i < data_len; i++) {
+    temp[i] ^= data[i];
+  }
+
+  drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, temp, 32);
+  OPENSSL_memcpy(drbg->counter.bytes, temp + 32, 16);
+
+  return 1;
+}
+
+int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,
+                    const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
+                    const uint8_t *additional_data,
+                    size_t additional_data_len) {
+  // Section 10.2.1.4
+  uint8_t entropy_copy[CTR_DRBG_ENTROPY_LEN];
+
+  if (additional_data_len > 0) {
+    if (additional_data_len > CTR_DRBG_ENTROPY_LEN) {
+      return 0;
+    }
+
+    OPENSSL_memcpy(entropy_copy, entropy, CTR_DRBG_ENTROPY_LEN);
+    for (size_t i = 0; i < additional_data_len; i++) {
+      entropy_copy[i] ^= additional_data[i];
+    }
+
+    entropy = entropy_copy;
+  }
+
+  if (!CTR_DRBG_update(drbg, entropy, CTR_DRBG_ENTROPY_LEN)) {
+    return 0;
+  }
+
+  drbg->reseed_counter = 1;
+
+  return 1;
+}
+
+int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len,
+                      const uint8_t *additional_data,
+                      size_t additional_data_len) {
+  // See 9.3.1
+  if (out_len > CTR_DRBG_MAX_GENERATE_LENGTH) {
+    return 0;
+  }
+
+  // See 10.2.1.5.1
+  if (drbg->reseed_counter > kMaxReseedCount) {
+    return 0;
+  }
+
+  if (additional_data_len != 0 &&
+      !CTR_DRBG_update(drbg, additional_data, additional_data_len)) {
+    return 0;
+  }
+
+  // kChunkSize is used to interact better with the cache. Since the AES-CTR
+  // code assumes that it's encrypting rather than just writing keystream, the
+  // buffer has to be zeroed first. Without chunking, large reads would zero
+  // the whole buffer, flushing the L1 cache, and then do another pass (missing
+  // the cache every time) to “encrypt” it. The code can avoid this by
+  // chunking.
+  static const size_t kChunkSize = 8 * 1024;
+
+  while (out_len >= AES_BLOCK_SIZE) {
+    size_t todo = kChunkSize;
+    if (todo > out_len) {
+      todo = out_len;
+    }
+
+    todo &= ~(AES_BLOCK_SIZE-1);
+    const size_t num_blocks = todo / AES_BLOCK_SIZE;
+
+    if (drbg->ctr) {
+      OPENSSL_memset(out, 0, todo);
+      ctr32_add(drbg, 1);
+      drbg->ctr(out, out, num_blocks, &drbg->ks, drbg->counter.bytes);
+      ctr32_add(drbg, num_blocks - 1);
+    } else {
+      for (size_t i = 0; i < todo; i += AES_BLOCK_SIZE) {
+        ctr32_add(drbg, 1);
+        drbg->block(drbg->counter.bytes, out + i, &drbg->ks);
+      }
+    }
+
+    out += todo;
+    out_len -= todo;
+  }
+
+  if (out_len > 0) {
+    uint8_t block[AES_BLOCK_SIZE];
+    ctr32_add(drbg, 1);
+    drbg->block(drbg->counter.bytes, block, &drbg->ks);
+
+    OPENSSL_memcpy(out, block, out_len);
+  }
+
+  if (!CTR_DRBG_update(drbg, additional_data, additional_data_len)) {
+    return 0;
+  }
+
+  drbg->reseed_counter++;
+  return 1;
+}
+
+void CTR_DRBG_clear(CTR_DRBG_STATE *drbg) {
+  OPENSSL_cleanse(drbg, sizeof(CTR_DRBG_STATE));
+}

data/third_party/boringssl/crypto/fipsmodule/rand/rand.c

@@ -0,0 +1,358 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <assert.h>
+#include <limits.h>
+#include <string.h>
+
+#if defined(BORINGSSL_FIPS)
+#include <unistd.h>
+#endif
+
+#include <openssl/chacha.h>
+#include <openssl/cpu.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../../internal.h"
+#include "../delocate.h"
+
+
+// It's assumed that the operating system always has an unfailing source of
+// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
+// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
+// don't try to handle it.)
+//
+// In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+// instruction is the canonical example of this. When a hardware RNG is
+// available we don't need to worry about an RNG failure arising from fork()ing
+// the process or moving a VM, so we can keep thread-local RNG state and use it
+// as an additional-data input to CTR-DRBG.
+//
+// (We assume that the OS entropy is safe from fork()ing and VM duplication.
+// This might be a bit of a leap of faith, esp on Windows, but there's nothing
+// that we can do about it.)
+
+// kReseedInterval is the number of generate calls made to CTR-DRBG before
+// reseeding.
+static const unsigned kReseedInterval = 4096;
+
+// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
+// continuous random number generator test in FIPS 140-2, section 4.9.2.
+#define CRNGT_BLOCK_SIZE 16
+
+// rand_thread_state contains the per-thread state for the RNG.
+struct rand_thread_state {
+  CTR_DRBG_STATE drbg;
+  // calls is the number of generate calls made on |drbg| since it was last
+  // (re)seeded. This is bound by |kReseedInterval|.
+  unsigned calls;
+  // last_block_valid is non-zero iff |last_block| contains data from
+  // |CRYPTO_sysrand|.
+  int last_block_valid;
+
+#if defined(BORINGSSL_FIPS)
+  // last_block contains the previous block from |CRYPTO_sysrand|.
+  uint8_t last_block[CRNGT_BLOCK_SIZE];
+  // next and prev form a NULL-terminated, double-linked list of all states in
+  // a process.
+  struct rand_thread_state *next, *prev;
+#endif
+};
+
+#if defined(BORINGSSL_FIPS)
+// thread_states_list is the head of a linked-list of all |rand_thread_state|
+// objects in the process, one per thread. This is needed because FIPS requires
+// that they be zeroed on process exit, but thread-local destructors aren't
+// called when the whole process is exiting.
+DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list);
+DEFINE_STATIC_MUTEX(thread_states_list_lock);
+
+static void rand_thread_state_clear_all(void) __attribute__((destructor));
+static void rand_thread_state_clear_all(void) {
+  CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+  for (struct rand_thread_state *cur = *thread_states_list_bss_get();
+       cur != NULL; cur = cur->next) {
+    CTR_DRBG_clear(&cur->drbg);
+  }
+  // |thread_states_list_lock is deliberately left locked so that any threads
+  // that are still running will hang if they try to call |RAND_bytes|.
+}
+#endif
+
+// rand_thread_state_free frees a |rand_thread_state|. This is called when a
+// thread exits.
+static void rand_thread_state_free(void *state_in) {
+  struct rand_thread_state *state = state_in;
+
+  if (state_in == NULL) {
+    return;
+  }
+
+#if defined(BORINGSSL_FIPS)
+  CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+
+  if (state->prev != NULL) {
+    state->prev->next = state->next;
+  } else {
+    *thread_states_list_bss_get() = state->next;
+  }
+
+  if (state->next != NULL) {
+    state->next->prev = state->prev;
+  }
+
+  CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get());
+
+  CTR_DRBG_clear(&state->drbg);
+#endif
+
+  OPENSSL_free(state);
+}
+
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+
+// These functions are defined in asm/rdrand-x86_64.pl
+extern int CRYPTO_rdrand(uint8_t out[8]);
+extern int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
+
+static int have_rdrand(void) {
+  return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
+}
+
+static int hwrand(uint8_t *buf, const size_t len) {
+  if (!have_rdrand()) {
+    return 0;
+  }
+
+  const size_t len_multiple8 = len & ~7;
+  if (!CRYPTO_rdrand_multiple8_buf(buf, len_multiple8)) {
+    return 0;
+  }
+  const size_t remainder = len - len_multiple8;
+
+  if (remainder != 0) {
+    assert(remainder < 8);
+
+    uint8_t rand_buf[8];
+    if (!CRYPTO_rdrand(rand_buf)) {
+      return 0;
+    }
+    OPENSSL_memcpy(buf + len_multiple8, rand_buf, remainder);
+  }
+
+#if defined(BORINGSSL_FIPS_BREAK_CRNG)
+  // This breaks the "continuous random number generator test" defined in FIPS
+  // 140-2, section 4.9.2, and implemented in rand_get_seed().
+  OPENSSL_memset(buf, 0, len);
+#endif
+
+  return 1;
+}
+
+#else
+
+static int hwrand(uint8_t *buf, size_t len) {
+  return 0;
+}
+
+#endif
+
+#if defined(BORINGSSL_FIPS)
+
+static void rand_get_seed(struct rand_thread_state *state,
+                          uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
+  if (!state->last_block_valid) {
+    if (!hwrand(state->last_block, sizeof(state->last_block))) {
+      CRYPTO_sysrand(state->last_block, sizeof(state->last_block));
+    }
+    state->last_block_valid = 1;
+  }
+
+  // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
+  // whiten.
+#define FIPS_OVERREAD 10
+  uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
+
+  if (!hwrand(entropy, sizeof(entropy))) {
+    CRYPTO_sysrand(entropy, sizeof(entropy));
+  }
+
+  // See FIPS 140-2, section 4.9.2. This is the “continuous random number
+  // generator test” which causes the program to randomly abort. Hopefully the
+  // rate of failure is small enough not to be a problem in practice.
+  if (CRYPTO_memcmp(state->last_block, entropy, CRNGT_BLOCK_SIZE) == 0) {
+    printf("CRNGT failed.\n");
+    BORINGSSL_FIPS_abort();
+  }
+
+  for (size_t i = CRNGT_BLOCK_SIZE; i < sizeof(entropy);
+       i += CRNGT_BLOCK_SIZE) {
+    if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i,
+                      CRNGT_BLOCK_SIZE) == 0) {
+      printf("CRNGT failed.\n");
+      BORINGSSL_FIPS_abort();
+    }
+  }
+  OPENSSL_memcpy(state->last_block,
+                 entropy + sizeof(entropy) - CRNGT_BLOCK_SIZE,
+                 CRNGT_BLOCK_SIZE);
+
+  OPENSSL_memcpy(seed, entropy, CTR_DRBG_ENTROPY_LEN);
+
+  for (size_t i = 1; i < FIPS_OVERREAD; i++) {
+    for (size_t j = 0; j < CTR_DRBG_ENTROPY_LEN; j++) {
+      seed[j] ^= entropy[CTR_DRBG_ENTROPY_LEN * i + j];
+    }
+  }
+}
+
+#else
+
+static void rand_get_seed(struct rand_thread_state *state,
+                          uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
+  // If not in FIPS mode, we don't overread from the system entropy source and
+  // we don't depend only on the hardware RDRAND.
+  CRYPTO_sysrand(seed, CTR_DRBG_ENTROPY_LEN);
+}
+
+#endif
+
+void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
+                                     const uint8_t user_additional_data[32]) {
+  if (out_len == 0) {
+    return;
+  }
+
+  // Additional data is mixed into every CTR-DRBG call to protect, as best we
+  // can, against forks & VM clones. We do not over-read this information and
+  // don't reseed with it so, from the point of view of FIPS, this doesn't
+  // provide “prediction resistance”. But, in practice, it does.
+  uint8_t additional_data[32];
+  if (!hwrand(additional_data, sizeof(additional_data))) {
+    // Without a hardware RNG to save us from address-space duplication, the OS
+    // entropy is used. This can be expensive (one read per |RAND_bytes| call)
+    // and so can be disabled by applications that we have ensured don't fork
+    // and aren't at risk of VM cloning.
+    if (!rand_fork_unsafe_buffering_enabled()) {
+      CRYPTO_sysrand(additional_data, sizeof(additional_data));
+    } else {
+      OPENSSL_memset(additional_data, 0, sizeof(additional_data));
+    }
+  }
+
+  for (size_t i = 0; i < sizeof(additional_data); i++) {
+    additional_data[i] ^= user_additional_data[i];
+  }
+
+  struct rand_thread_state stack_state;
+  struct rand_thread_state *state =
+      CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);
+
+  if (state == NULL) {
+    state = OPENSSL_malloc(sizeof(struct rand_thread_state));
+    if (state == NULL ||
+        !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
+                                 rand_thread_state_free)) {
+      // If the system is out of memory, use an ephemeral state on the
+      // stack.
+      state = &stack_state;
+    }
+
+    state->last_block_valid = 0;
+    uint8_t seed[CTR_DRBG_ENTROPY_LEN];
+    rand_get_seed(state, seed);
+    if (!CTR_DRBG_init(&state->drbg, seed, NULL, 0)) {
+      abort();
+    }
+    state->calls = 0;
+
+#if defined(BORINGSSL_FIPS)
+    if (state != &stack_state) {
+      CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+      struct rand_thread_state **states_list = thread_states_list_bss_get();
+      state->next = *states_list;
+      if (state->next != NULL) {
+        state->next->prev = state;
+      }
+      state->prev = NULL;
+      *states_list = state;
+      CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get());
+    }
+#endif
+  }
+
+  if (state->calls >= kReseedInterval) {
+    uint8_t seed[CTR_DRBG_ENTROPY_LEN];
+    rand_get_seed(state, seed);
+#if defined(BORINGSSL_FIPS)
+    // Take a read lock around accesses to |state->drbg|. This is needed to
+    // avoid returning bad entropy if we race with
+    // |rand_thread_state_clear_all|.
+    //
+    // This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
+    // bug on ppc64le. glibc may implement pthread locks by wrapping user code
+    // in a hardware transaction, but, on some older versions of glibc and the
+    // kernel, syscalls made with |syscall| did not abort the transaction.
+    CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
+#endif
+    if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) {
+      abort();
+    }
+    state->calls = 0;
+  } else {
+#if defined(BORINGSSL_FIPS)
+    CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
+#endif
+  }
+
+  int first_call = 1;
+  while (out_len > 0) {
+    size_t todo = out_len;
+    if (todo > CTR_DRBG_MAX_GENERATE_LENGTH) {
+      todo = CTR_DRBG_MAX_GENERATE_LENGTH;
+    }
+
+    if (!CTR_DRBG_generate(&state->drbg, out, todo, additional_data,
+                           first_call ? sizeof(additional_data) : 0)) {
+      abort();
+    }
+
+    out += todo;
+    out_len -= todo;
+    state->calls++;
+    first_call = 0;
+  }
+
+  if (state == &stack_state) {
+    CTR_DRBG_clear(&state->drbg);
+  }
+
+#if defined(BORINGSSL_FIPS)
+  CRYPTO_STATIC_MUTEX_unlock_read(thread_states_list_lock_bss_get());
+#endif
+}
+
+int RAND_bytes(uint8_t *out, size_t out_len) {
+  static const uint8_t kZeroAdditionalData[32] = {0};
+  RAND_bytes_with_additional_data(out, out_len, kZeroAdditionalData);
+  return 1;
+}
+
+int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
+  return RAND_bytes(buf, len);
+}