grpc 1.24.0 → 1.25.0

data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c

@@ -54,10 +54,11 @@
 #include "internal.h"
 
 
-OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_ofb);
+OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0,
+                      "block cannot be divided into size_t");
 
 void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
-                           const void *key, uint8_t ivec[16], unsigned *num,
+                           const AES_KEY *key, uint8_t ivec[16], unsigned *num,
                            block128_f block) {
   assert(in && out && key && ivec && num);
 

data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c

@@ -64,8 +64,8 @@ int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
   return 1;
 }
 
-OPENSSL_COMPILE_ASSERT(CTR_DRBG_ENTROPY_LEN % AES_BLOCK_SIZE == 0,
-                       not_a_multiple_of_block_size);
+OPENSSL_STATIC_ASSERT(CTR_DRBG_ENTROPY_LEN % AES_BLOCK_SIZE == 0,
+                      "not a multiple of AES block size");
 
 // ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a
 // big-endian number.

data/third_party/boringssl/crypto/fipsmodule/rand/internal.h

@@ -16,6 +16,7 @@
 #define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
 
 #include <openssl/aes.h>
+#include <openssl/cpu.h>
 
 #include "../../internal.h"
 #include "../modes/internal.h"
@@ -25,6 +26,11 @@ extern "C" {
 #endif
 
 
+#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY)
+#define OPENSSL_URANDOM
+#endif
+
 // RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
 // from |user_additional_data| in.
 void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
@@ -34,6 +40,19 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 // system.
 void CRYPTO_sysrand(uint8_t *buf, size_t len);
 
+#if defined(OPENSSL_URANDOM) || defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
+// operating system. It may draw from the |GRND_RANDOM| pool on Android,
+// depending on the vendor's configuration.
+void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);
+
+// CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
+// operating system, if the entropy pool is initialized. If it is uninitialized,
+// it will not block and will instead fill |buf| with all zeros or early
+// /dev/urandom output.
+void CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
+#endif
+
 // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
 // been enabled via |RAND_enable_fork_unsafe_buffering|.
 int rand_fork_unsafe_buffering_enabled(void);
@@ -85,6 +104,22 @@ OPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out,
 OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);
 
 
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+OPENSSL_INLINE int have_rdrand(void) {
+  return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
+}
+
+// CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
+// |out|. It returns one on success or zero on hardware failure.
+int CRYPTO_rdrand(uint8_t out[8]);
+
+// CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
+// the hardware RNG. The |len| argument must be a multiple of eight. It returns
+// one on success and zero on hardware failure.
+int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
+#endif  // OPENSSL_X86_64 && !OPENSSL_NO_ASM
+
+
 #if defined(__cplusplus)
 }  // extern C
 #endif

data/third_party/boringssl/crypto/fipsmodule/rand/rand.c

@@ -32,9 +32,9 @@
 
 
 // It's assumed that the operating system always has an unfailing source of
-// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
-// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
-// don't try to handle it.)
+// entropy which is accessed via |CRYPTO_sysrand[_for_seed]|. (If the operating
+// system entropy source fails, it's up to |CRYPTO_sysrand| to abort the
+// process—we don't try to handle it.)
 //
 // In addition, the hardware may provide a low-latency RNG. Intel's rdrand
 // instruction is the canonical example of this. When a hardware RNG is
@@ -61,11 +61,11 @@ struct rand_thread_state {
   // (re)seeded. This is bound by |kReseedInterval|.
   unsigned calls;
   // last_block_valid is non-zero iff |last_block| contains data from
-  // |CRYPTO_sysrand|.
+  // |CRYPTO_sysrand_for_seed|.
   int last_block_valid;
 
 #if defined(BORINGSSL_FIPS)
-  // last_block contains the previous block from |CRYPTO_sysrand|.
+  // last_block contains the previous block from |CRYPTO_sysrand_for_seed|.
   uint8_t last_block[CRNGT_BLOCK_SIZE];
   // next and prev form a NULL-terminated, double-linked list of all states in
   // a process.
@@ -125,15 +125,6 @@ static void rand_thread_state_free(void *state_in) {
 
 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
     !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-
-// These functions are defined in asm/rdrand-x86_64.pl
-extern int CRYPTO_rdrand(uint8_t out[8]);
-extern int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
-
-static int have_rdrand(void) {
-  return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
-}
-
 static int hwrand(uint8_t *buf, const size_t len) {
   if (!have_rdrand()) {
     return 0;
@@ -178,7 +169,7 @@ static void rand_get_seed(struct rand_thread_state *state,
                           uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
   if (!state->last_block_valid) {
     if (!hwrand(state->last_block, sizeof(state->last_block))) {
-      CRYPTO_sysrand(state->last_block, sizeof(state->last_block));
+      CRYPTO_sysrand_for_seed(state->last_block, sizeof(state->last_block));
     }
     state->last_block_valid = 1;
   }
@@ -188,15 +179,16 @@ static void rand_get_seed(struct rand_thread_state *state,
 #define FIPS_OVERREAD 10
   uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
 
-  if (!hwrand(entropy, sizeof(entropy))) {
-    CRYPTO_sysrand(entropy, sizeof(entropy));
+  int used_hwrand = hwrand(entropy, sizeof(entropy));
+  if (!used_hwrand) {
+    CRYPTO_sysrand_for_seed(entropy, sizeof(entropy));
   }
 
   // See FIPS 140-2, section 4.9.2. This is the “continuous random number
   // generator test” which causes the program to randomly abort. Hopefully the
   // rate of failure is small enough not to be a problem in practice.
   if (CRYPTO_memcmp(state->last_block, entropy, CRNGT_BLOCK_SIZE) == 0) {
-    printf("CRNGT failed.\n");
+    fprintf(stderr, "CRNGT failed.\n");
     BORINGSSL_FIPS_abort();
   }
 
@@ -204,7 +196,7 @@ static void rand_get_seed(struct rand_thread_state *state,
        i += CRNGT_BLOCK_SIZE) {
     if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i,
                       CRNGT_BLOCK_SIZE) == 0) {
-      printf("CRNGT failed.\n");
+      fprintf(stderr, "CRNGT failed.\n");
       BORINGSSL_FIPS_abort();
     }
   }
@@ -219,6 +211,17 @@ static void rand_get_seed(struct rand_thread_state *state,
       seed[j] ^= entropy[CTR_DRBG_ENTROPY_LEN * i + j];
     }
   }
+
+#if defined(OPENSSL_URANDOM)
+  // If we used RDRAND, also opportunistically read from the system. This avoids
+  // solely relying on the hardware once the entropy pool has been initialized.
+  if (used_hwrand) {
+    CRYPTO_sysrand_if_available(entropy, CTR_DRBG_ENTROPY_LEN);
+    for (size_t i = 0; i < CTR_DRBG_ENTROPY_LEN; i++) {
+      seed[i] ^= entropy[i];
+    }
+  }
+#endif
 }
 
 #else
@@ -334,6 +337,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 
     out += todo;
     out_len -= todo;
+    // Though we only check before entering the loop, this cannot add enough to
+    // overflow a |size_t|.
     state->calls++;
     first_call = 0;
   }

data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c

@@ -18,8 +18,9 @@
 
 #include <openssl/rand.h>
 
-#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \
-    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY)
+#include "internal.h"
+
+#if defined(OPENSSL_URANDOM)
 
 #include <assert.h>
 #include <errno.h>
@@ -34,12 +35,36 @@
 #include <sys/ioctl.h>
 #endif
 #include <sys/syscall.h>
+
+#if defined(OPENSSL_ANDROID)
+#include <sys/system_properties.h>
+#endif
+
+#if !defined(OPENSSL_ANDROID)
+#define OPENSSL_HAS_GETAUXVAL
+#endif
+// glibc prior to 2.16 does not have getauxval and sys/auxv.h. Android has some
+// host builds (i.e. not building for Android itself, so |OPENSSL_ANDROID| is
+// unset) which are still using a 2.15 sysroot.
+//
+// TODO(davidben): Remove this once Android updates their sysroot.
+#if defined(__GLIBC_PREREQ)
+#if !__GLIBC_PREREQ(2, 16)
+#undef OPENSSL_HAS_GETAUXVAL
+#endif
+#endif
+#if defined(OPENSSL_HAS_GETAUXVAL)
+#include <sys/auxv.h>
+#endif
+#endif  // OPENSSL_LINUX
+
+#if defined(OPENSSL_MACOS)
+#include <sys/random.h>
 #endif
 
 #include <openssl/thread.h>
 #include <openssl/mem.h>
 
-#include "internal.h"
 #include "../delocate.h"
 #include "../../internal.h"
 
@@ -73,16 +98,40 @@
 
 #endif  // __NR_getrandom
 
+#if defined(OPENSSL_MSAN)
+void __msan_unpoison(void *, size_t);
+#endif
+
+static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
+  ssize_t ret;
+  do {
+    ret = syscall(__NR_getrandom, buf, buf_len, flags);
+  } while (ret == -1 && errno == EINTR);
+
+#if defined(OPENSSL_MSAN)
+  if (ret > 0) {
+    // MSAN doesn't recognise |syscall| and thus doesn't notice that we have
+    // initialised the output buffer.
+    __msan_unpoison(buf, ret);
+  }
+#endif  // OPENSSL_MSAN
+
+  return ret;
+}
+
 #endif  // EXPECTED_NR_getrandom
 
 #if !defined(GRND_NONBLOCK)
 #define GRND_NONBLOCK 1
 #endif
+#if !defined(GRND_RANDOM)
+#define GRND_RANDOM 2
+#endif
 
 #endif  // OPENSSL_LINUX
 
 // rand_lock is used to protect the |*_requested| variables.
-DEFINE_STATIC_MUTEX(rand_lock);
+DEFINE_STATIC_MUTEX(rand_lock)
 
 // The following constants are magic values of |urandom_fd|.
 static const int kUnset = 0;
@@ -90,24 +139,44 @@ static const int kHaveGetrandom = -3;
 
 // urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
 // |rand_lock|.
-DEFINE_BSS_GET(int, urandom_fd_requested);
+DEFINE_BSS_GET(int, urandom_fd_requested)
 
 // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
-DEFINE_BSS_GET(int, urandom_fd);
+DEFINE_BSS_GET(int, urandom_fd)
 
-DEFINE_STATIC_ONCE(rand_once);
+#if defined(USE_NR_getrandom)
 
-#if defined(USE_NR_getrandom) || defined(BORINGSSL_FIPS)
-// message writes |msg| to stderr. We use this because referencing |stderr|
-// with |fprintf| generates relocations, which is a problem inside the FIPS
-// module.
-static void message(const char *msg) {
-  ssize_t r;
-  do {
-    r = write(2, msg, strlen(msg));
-  } while (r == -1 && errno == EINTR);
-}
+// getrandom_ready is one if |getrandom| had been initialized by the time
+// |init_once| was called and zero otherwise.
+DEFINE_BSS_GET(int, getrandom_ready)
+
+// extra_getrandom_flags_for_seed contains a value that is ORed into the flags
+// for getrandom() when reading entropy for a seed.
+DEFINE_BSS_GET(int, extra_getrandom_flags_for_seed)
+
+// On Android, check a system property to decide whether to set
+// |extra_getrandom_flags_for_seed| otherwise they will default to zero.  If
+// ro.oem_boringcrypto_hwrand is true then |extra_getrandom_flags_for_seed| will
+// be set to GRND_RANDOM, causing all random data to be drawn from the same
+// source as /dev/random.
+static void maybe_set_extra_getrandom_flags(void) {
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+  char value[PROP_VALUE_MAX + 1];
+  int length = __system_property_get("ro.boringcrypto.hwrand", value);
+  if (length < 0 || length > PROP_VALUE_MAX) {
+    return;
+  }
+
+  value[length] = 0;
+  if (strcasecmp(value, "true") == 0) {
+    *extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM;
+  }
 #endif
+}
+
+#endif  // USE_NR_getrandom
+
+DEFINE_STATIC_ONCE(rand_once)
 
 // init_once initializes the state of this module to values previously
 // requested. This is the only function that modifies |urandom_fd| and
@@ -119,31 +188,47 @@ static void init_once(void) {
   CRYPTO_STATIC_MUTEX_unlock_read(rand_lock_bss_get());
 
 #if defined(USE_NR_getrandom)
+  int have_getrandom;
   uint8_t dummy;
-  long getrandom_ret =
-      syscall(__NR_getrandom, &dummy, sizeof(dummy), GRND_NONBLOCK);
-
+  ssize_t getrandom_ret =
+      boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
   if (getrandom_ret == 1) {
-    *urandom_fd_bss_get() = kHaveGetrandom;
-    return;
+    *getrandom_ready_bss_get() = 1;
+    have_getrandom = 1;
   } else if (getrandom_ret == -1 && errno == EAGAIN) {
-    message(
-        "getrandom indicates that the entropy pool has not been initialized. "
-        "Rather than continue with poor entropy, this process will block until "
-        "entropy is available.\n");
-
-    do {
-      getrandom_ret =
-          syscall(__NR_getrandom, &dummy, sizeof(dummy), 0 /* no flags */);
-    } while (getrandom_ret == -1 && errno == EINTR);
+    // We have getrandom, but the entropy pool has not been initialized yet.
+    have_getrandom = 1;
+  } else if (getrandom_ret == -1 && errno == ENOSYS) {
+    // Fallthrough to using /dev/urandom, below.
+    have_getrandom = 0;
+  } else {
+    // Other errors are fatal.
+    perror("getrandom");
+    abort();
+  }
 
-    if (getrandom_ret == 1) {
-      *urandom_fd_bss_get() = kHaveGetrandom;
-      return;
-    }
+  if (have_getrandom) {
+    *urandom_fd_bss_get() = kHaveGetrandom;
+    maybe_set_extra_getrandom_flags();
+    return;
   }
 #endif  // USE_NR_getrandom
 
+#if defined(OPENSSL_MACOS)
+  // getentropy is available in macOS 10.12 and up. iOS 10 and up may also
+  // support it, but the header is missing. See https://crbug.com/boringssl/287.
+  if (__builtin_available(macos 10.12, *)) {
+    *urandom_fd_bss_get() = kHaveGetrandom;
+    return;
+  }
+#endif
+
+  // Android FIPS builds must support getrandom.
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+  perror("getrandom not found");
+  abort();
+#endif
+
   if (fd == kUnset) {
     do {
       fd = open("/dev/urandom", O_RDONLY);
@@ -151,6 +236,7 @@ static void init_once(void) {
   }
 
   if (fd < 0) {
+    perror("failed to open /dev/urandom");
     abort();
   }
 
@@ -163,8 +249,73 @@ static void init_once(void) {
     close(kUnset);
 
     if (fd <= 0) {
+      perror("failed to dup /dev/urandom fd");
+      abort();
+    }
+  }
+
+  int flags = fcntl(fd, F_GETFD);
+  if (flags == -1) {
+    // Native Client doesn't implement |fcntl|.
+    if (errno != ENOSYS) {
+      perror("failed to get flags from urandom fd");
+      abort();
+    }
+  } else {
+    flags |= FD_CLOEXEC;
+    if (fcntl(fd, F_SETFD, flags) == -1) {
+      perror("failed to set FD_CLOEXEC on urandom fd");
+      abort();
+    }
+  }
+  *urandom_fd_bss_get() = fd;
+}
+
+DEFINE_STATIC_ONCE(wait_for_entropy_once)
+
+static void wait_for_entropy(void) {
+  int fd = *urandom_fd_bss_get();
+  if (fd == kHaveGetrandom) {
+    // |getrandom| and |getentropy| support blocking in |fill_with_entropy|
+    // directly. For |getrandom|, we first probe with a non-blocking call to aid
+    // debugging.
+#if defined(USE_NR_getrandom)
+    if (*getrandom_ready_bss_get()) {
+      // The entropy pool was already initialized in |init_once|.
+      return;
+    }
+
+    uint8_t dummy;
+    ssize_t getrandom_ret =
+        boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
+    if (getrandom_ret == -1 && errno == EAGAIN) {
+      // Attempt to get the path of the current process to aid in debugging when
+      // something blocks.
+      const char *current_process = "<unknown>";
+#if defined(OPENSSL_HAS_GETAUXVAL)
+      const unsigned long getauxval_ret = getauxval(AT_EXECFN);
+      if (getauxval_ret != 0) {
+        current_process = (const char *)getauxval_ret;
+      }
+#endif
+
+      fprintf(
+          stderr,
+          "%s: getrandom indicates that the entropy pool has not been "
+          "initialized. Rather than continue with poor entropy, this process "
+          "will block until entropy is available.\n",
+          current_process);
+
+      getrandom_ret =
+          boringssl_getrandom(&dummy, sizeof(dummy), 0 /* no flags */);
+    }
+
+    if (getrandom_ret != 1) {
+      perror("getrandom");
       abort();
     }
+#endif  // USE_NR_getrandom
+    return;
   }
 
 #if defined(BORINGSSL_FIPS)
@@ -175,9 +326,9 @@ static void init_once(void) {
   for (;;) {
     int entropy_bits;
     if (ioctl(fd, RNDGETENTCNT, &entropy_bits)) {
-      message(
-          "RNDGETENTCNT on /dev/urandom failed. We cannot continue in this "
-          "case when in FIPS mode.\n");
+      fprintf(stderr,
+              "RNDGETENTCNT on /dev/urandom failed. We cannot continue in this "
+              "case when in FIPS mode.\n");
       abort();
     }
 
@@ -188,26 +339,13 @@ static void init_once(void) {
 
     usleep(250000);
   }
-#endif
-
-  int flags = fcntl(fd, F_GETFD);
-  if (flags == -1) {
-    // Native Client doesn't implement |fcntl|.
-    if (errno != ENOSYS) {
-      abort();
-    }
-  } else {
-    flags |= FD_CLOEXEC;
-    if (fcntl(fd, F_SETFD, flags) == -1) {
-      abort();
-    }
-  }
-  *urandom_fd_bss_get() = fd;
+#endif  // BORINGSSL_FIPS
 }
 
 void RAND_set_urandom_fd(int fd) {
   fd = dup(fd);
   if (fd < 0) {
+    perror("failed to dup supplied urandom fd");
     abort();
   }
 
@@ -220,6 +358,7 @@ void RAND_set_urandom_fd(int fd) {
     close(kUnset);
 
     if (fd <= 0) {
+      perror("failed to dup supplied urandom fd");
       abort();
     }
   }
@@ -232,35 +371,61 @@ void RAND_set_urandom_fd(int fd) {
   if (*urandom_fd_bss_get() == kHaveGetrandom) {
     close(fd);
   } else if (*urandom_fd_bss_get() != fd) {
-    abort();  // Already initialized.
+    fprintf(stderr, "RAND_set_urandom_fd called after initialisation.\n");
+    abort();
   }
 }
 
-#if defined(USE_NR_getrandom) && defined(OPENSSL_MSAN)
-void __msan_unpoison(void *, size_t);
+// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
+// on success and zero on error. If |block| is one, this function will block
+// until the entropy pool is initialized. Otherwise, this function may fail,
+// setting |errno| to |EAGAIN| if the entropy pool has not yet been initialized.
+// If |seed| is one, this function will OR in the value of
+// |*extra_getrandom_flags_for_seed()| when using |getrandom|.
+static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
+  if (len == 0) {
+    return 1;
+  }
+
+#if defined(USE_NR_getrandom)
+  int getrandom_flags = 0;
+  if (!block) {
+    getrandom_flags |= GRND_NONBLOCK;
+  }
+  if (seed) {
+    getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get();
+  }
 #endif
 
-// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
-// on success and zero on error.
-static char fill_with_entropy(uint8_t *out, size_t len) {
+  CRYPTO_once(rand_once_bss_get(), init_once);
+  if (block) {
+    CRYPTO_once(wait_for_entropy_once_bss_get(), wait_for_entropy);
+  }
+
+  // Clear |errno| so it has defined value if |read| or |getrandom|
+  // "successfully" returns zero.
+  errno = 0;
   while (len > 0) {
     ssize_t r;
 
     if (*urandom_fd_bss_get() == kHaveGetrandom) {
 #if defined(USE_NR_getrandom)
-      do {
-        r = syscall(__NR_getrandom, out, len, 0 /* no flags */);
-      } while (r == -1 && errno == EINTR);
-
-#if defined(OPENSSL_MSAN)
-      if (r > 0) {
-        // MSAN doesn't recognise |syscall| and thus doesn't notice that we
-        // have initialised the output buffer.
-        __msan_unpoison(out, r);
+      r = boringssl_getrandom(out, len, getrandom_flags);
+#elif defined(OPENSSL_MACOS)
+      if (__builtin_available(macos 10.12, *)) {
+        // |getentropy| can only request 256 bytes at a time.
+        size_t todo = len <= 256 ? len : 256;
+        if (getentropy(out, todo) != 0) {
+          r = -1;
+        } else {
+          r = (ssize_t)todo;
+        }
+      } else {
+        fprintf(stderr, "urandom fd corrupt.\n");
+        abort();
       }
-#endif  // OPENSSL_MSAN
-
 #else  // USE_NR_getrandom
+      fprintf(stderr, "urandom fd corrupt.\n");
       abort();
 #endif
     } else {
@@ -281,13 +446,16 @@ static char fill_with_entropy(uint8_t *out, size_t len) {
 
 // CRYPTO_sysrand puts |requested| random bytes into |out|.
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
-  if (requested == 0) {
-    return;
+  if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/0)) {
+    perror("entropy fill failed");
+    abort();
   }
+}
 
-  CRYPTO_once(rand_once_bss_get(), init_once);
-
-  if (!fill_with_entropy(out, requested)) {
+#if defined(BORINGSSL_FIPS)
+void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
+  if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) {
+    perror("entropy fill failed");
     abort();
   }
 
@@ -298,5 +466,16 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
 #endif
 }
 
-#endif /* !OPENSSL_WINDOWS && !defined(OPENSSL_FUCHSIA) && \
-          !BORINGSSL_UNSAFE_DETERMINISTIC_MODE && !OPENSSL_TRUSTY */
+void CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {
+  // Return all zeros if |fill_with_entropy| fails.
+  OPENSSL_memset(out, 0, requested);
+
+  if (!fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0) &&
+      errno != EAGAIN) {
+    perror("opportunistic entropy fill failed");
+    abort();
+  }
+}
+#endif  // BORINGSSL_FIPS
+
+#endif  // OPENSSL_URANDOM