grpc 1.26.0 → 1.30.0

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c

@@ -0,0 +1,137 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE  // needed for madvise() and MAP_ANONYMOUS on Linux.
+#endif
+
+#include <openssl/base.h>
+
+#include "fork_detect.h"
+
+#if defined(OPENSSL_LINUX)
+#include <sys/mman.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <openssl/type_check.h>
+
+#include "../delocate.h"
+#include "../../internal.h"
+
+
+#if defined(MADV_WIPEONFORK)
+OPENSSL_STATIC_ASSERT(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18");
+#else
+#define MADV_WIPEONFORK 18
+#endif
+
+DEFINE_STATIC_ONCE(g_fork_detect_once);
+DEFINE_STATIC_MUTEX(g_fork_detect_lock);
+DEFINE_BSS_GET(volatile char *, g_fork_detect_addr);
+DEFINE_BSS_GET(uint64_t, g_fork_generation);
+DEFINE_BSS_GET(int, g_ignore_madv_wipeonfork);
+
+static void init_fork_detect(void) {
+  if (*g_ignore_madv_wipeonfork_bss_get()) {
+    return;
+  }
+
+  long page_size = sysconf(_SC_PAGESIZE);
+  if (page_size <= 0) {
+    return;
+  }
+
+  void *addr = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
+                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  if (addr == MAP_FAILED) {
+    return;
+  }
+
+  // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c)
+  // ignore |madvise| calls and just return zero (i.e. success). But we need to
+  // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid
+  // call to check that the implementation of |madvise| is actually rejecting
+  // unknown |advice| values.
+  if (madvise(addr, (size_t)page_size, -1) == 0 ||
+      madvise(addr, (size_t)page_size, MADV_WIPEONFORK) != 0) {
+    munmap(addr, (size_t)page_size);
+    return;
+  }
+
+  *((volatile char *) addr) = 1;
+  *g_fork_detect_addr_bss_get() = addr;
+  *g_fork_generation_bss_get() = 1;
+}
+
+uint64_t CRYPTO_get_fork_generation(void) {
+  // In a single-threaded process, there are obviously no races because there's
+  // only a single mutator in the address space.
+  //
+  // In a multi-threaded environment, |CRYPTO_once| ensures that the flag byte
+  // is initialised atomically, even if multiple threads enter this function
+  // concurrently.
+  //
+  // In the limit, the kernel may clear WIPEONFORK pages while a multi-threaded
+  // process is running. (For example, because a VM was cloned.) Therefore a
+  // lock is used below to synchronise the potentially multiple threads that may
+  // concurrently observe the cleared flag.
+
+  CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect);
+  // This pointer is |volatile| because the value pointed to may be changed by
+  // external forces (i.e. the kernel wiping the page) thus the compiler must
+  // not assume that it has exclusive access to it.
+  volatile char *const flag_ptr = *g_fork_detect_addr_bss_get();
+  if (flag_ptr == NULL) {
+    // Our kernel is too old to support |MADV_WIPEONFORK|.
+    return 0;
+  }
+
+  struct CRYPTO_STATIC_MUTEX *const lock = g_fork_detect_lock_bss_get();
+  uint64_t *const generation_ptr = g_fork_generation_bss_get();
+
+  CRYPTO_STATIC_MUTEX_lock_read(lock);
+  uint64_t current_generation = *generation_ptr;
+  if (*flag_ptr) {
+    CRYPTO_STATIC_MUTEX_unlock_read(lock);
+    return current_generation;
+  }
+
+  CRYPTO_STATIC_MUTEX_unlock_read(lock);
+  CRYPTO_STATIC_MUTEX_lock_write(lock);
+  current_generation = *generation_ptr;
+  if (*flag_ptr == 0) {
+    // A fork has occurred.
+    *flag_ptr = 1;
+
+    current_generation++;
+    if (current_generation == 0) {
+      current_generation = 1;
+    }
+    *generation_ptr = current_generation;
+  }
+  CRYPTO_STATIC_MUTEX_unlock_write(lock);
+
+  return current_generation;
+}
+
+void CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing(void) {
+  *g_ignore_madv_wipeonfork_bss_get() = 1;
+}
+
+#else   // !OPENSSL_LINUX
+
+uint64_t CRYPTO_get_fork_generation(void) { return 0; }
+
+#endif  // OPENSSL_LINUX

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h

@@ -0,0 +1,49 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_FORK_DETECT_H
+#define OPENSSL_HEADER_CRYPTO_FORK_DETECT_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// crypto_get_fork_generation returns the fork generation number for the current
+// process, or zero if not supported on the platform. The fork generation number
+// is a non-zero, strictly-monotonic counter with the property that, if queried
+// in an address space and then again in a subsequently forked copy, the forked
+// address space will observe a greater value.
+//
+// This function may be used to clear cached values across a fork. When
+// initializing a cache, record the fork generation. Before using the cache,
+// check if the fork generation has changed. If so, drop the cache and update
+// the save fork generation. Note this logic transparently handles platforms
+// which always return zero.
+//
+// This is not reliably supported on all platforms which implement |fork|, so it
+// should only be used as a hardening measure.
+OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void);
+
+// CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing is an internal detail
+// used for testing purposes.
+OPENSSL_EXPORT void CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing(void);
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_FORK_DETECT_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h

@@ -0,0 +1,64 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H
+#define OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H
+
+#include <openssl/base.h>
+
+
+#if defined(OPENSSL_LINUX)
+
+#include <sys/syscall.h>
+
+#if defined(OPENSSL_X86_64)
+#define EXPECTED_NR_getrandom 318
+#elif defined(OPENSSL_X86)
+#define EXPECTED_NR_getrandom 355
+#elif defined(OPENSSL_AARCH64)
+#define EXPECTED_NR_getrandom 278
+#elif defined(OPENSSL_ARM)
+#define EXPECTED_NR_getrandom 384
+#elif defined(OPENSSL_PPC64LE)
+#define EXPECTED_NR_getrandom 359
+#endif
+
+#if defined(EXPECTED_NR_getrandom)
+#define USE_NR_getrandom
+
+#if defined(__NR_getrandom)
+
+#if __NR_getrandom != EXPECTED_NR_getrandom
+#error "system call number for getrandom is not the expected value"
+#endif
+
+#else  // __NR_getrandom
+
+#define __NR_getrandom EXPECTED_NR_getrandom
+
+#endif  // __NR_getrandom
+
+#endif  // EXPECTED_NR_getrandom
+
+#if !defined(GRND_NONBLOCK)
+#define GRND_NONBLOCK 1
+#endif
+#if !defined(GRND_RANDOM)
+#define GRND_RANDOM 2
+#endif
+
+#endif  // OPENSSL_LINUX
+
+
+#endif  // OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h

@@ -0,0 +1,163 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+
+#include <openssl/aes.h>
+#include <openssl/cpu.h>
+
+#include "../../internal.h"
+#include "../modes/internal.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY)
+#define OPENSSL_URANDOM
+#endif
+
+// RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
+// from |user_additional_data| in.
+void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
+                                     const uint8_t user_additional_data[32]);
+
+// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
+// system.
+void CRYPTO_sysrand(uint8_t *buf, size_t len);
+
+#if defined(OPENSSL_URANDOM)
+// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy
+// from the operating system.
+void CRYPTO_init_sysrand(void);
+
+// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the
+// operating system. It may draw from the |GRND_RANDOM| pool on Android,
+// depending on the vendor's configuration.
+void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);
+
+// CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the
+// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy
+// pool is initialized or if getrandom() is not available and not in FIPS mode.
+// Otherwise it will not block and will instead fill |buf| with all zeros and
+// return 0.
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);
+#else
+OPENSSL_INLINE void CRYPTO_init_sysrand(void) {}
+
+OPENSSL_INLINE void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+}
+
+OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
+#endif
+
+// rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
+// been enabled via |RAND_enable_fork_unsafe_buffering|.
+int rand_fork_unsafe_buffering_enabled(void);
+
+// CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP
+// 800-90Ar1.
+typedef struct {
+  AES_KEY ks;
+  block128_f block;
+  ctr128_f ctr;
+  union {
+    uint8_t bytes[16];
+    uint32_t words[4];
+  } counter;
+  uint64_t reseed_counter;
+} CTR_DRBG_STATE;
+
+// See SP 800-90Ar1, table 3.
+#define CTR_DRBG_ENTROPY_LEN 48
+#define CTR_DRBG_MAX_GENERATE_LENGTH 65536
+
+// CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of
+// entropy in |entropy| and, optionally, a personalization string up to
+// |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero
+// on error.
+OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
+                                 const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
+                                 const uint8_t *personalization,
+                                 size_t personalization_len);
+
+// CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy
+// in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of
+// additional data. It returns one on success or zero on error.
+OPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,
+                                   const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
+                                   const uint8_t *additional_data,
+                                   size_t additional_data_len);
+
+// CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional
+// data (if any) and then writes |out_len| random bytes to |out|, where
+// |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or
+// zero on error.
+OPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out,
+                                     size_t out_len,
+                                     const uint8_t *additional_data,
+                                     size_t additional_data_len);
+
+// CTR_DRBG_clear zeroises the state of |drbg|.
+OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);
+
+
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+
+OPENSSL_INLINE int have_rdrand(void) {
+  return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
+}
+
+// have_fast_rdrand returns true if RDRAND is supported and it's reasonably
+// fast. Concretely the latter is defined by whether the chip is Intel (fast) or
+// not (assumed slow).
+OPENSSL_INLINE int have_fast_rdrand(void) {
+  const uint32_t *const ia32cap = OPENSSL_ia32cap_get();
+  return (ia32cap[1] & (1u << 30)) && (ia32cap[0] & (1u << 30));
+}
+
+// CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to
+// |out|. It returns one on success or zero on hardware failure.
+int CRYPTO_rdrand(uint8_t out[8]);
+
+// CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from
+// the hardware RNG. The |len| argument must be a multiple of eight. It returns
+// one on success and zero on hardware failure.
+int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
+
+#else  // OPENSSL_X86_64 && !OPENSSL_NO_ASM
+
+OPENSSL_INLINE int have_rdrand(void) {
+  return 0;
+}
+
+OPENSSL_INLINE int have_fast_rdrand(void) {
+  return 0;
+}
+
+#endif  // OPENSSL_X86_64 && !OPENSSL_NO_ASM
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c

@@ -0,0 +1,378 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <assert.h>
+#include <limits.h>
+#include <string.h>
+
+#if defined(BORINGSSL_FIPS)
+#include <unistd.h>
+#endif
+
+#include <openssl/chacha.h>
+#include <openssl/cpu.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "fork_detect.h"
+#include "../../internal.h"
+#include "../delocate.h"
+
+
+// It's assumed that the operating system always has an unfailing source of
+// entropy which is accessed via |CRYPTO_sysrand[_for_seed]|. (If the operating
+// system entropy source fails, it's up to |CRYPTO_sysrand| to abort the
+// process—we don't try to handle it.)
+//
+// In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+// instruction is the canonical example of this. When a hardware RNG is
+// available we don't need to worry about an RNG failure arising from fork()ing
+// the process or moving a VM, so we can keep thread-local RNG state and use it
+// as an additional-data input to CTR-DRBG.
+//
+// (We assume that the OS entropy is safe from fork()ing and VM duplication.
+// This might be a bit of a leap of faith, esp on Windows, but there's nothing
+// that we can do about it.)
+
+// kReseedInterval is the number of generate calls made to CTR-DRBG before
+// reseeding.
+static const unsigned kReseedInterval = 4096;
+
+// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
+// continuous random number generator test in FIPS 140-2, section 4.9.2.
+#define CRNGT_BLOCK_SIZE 16
+
+// rand_thread_state contains the per-thread state for the RNG.
+struct rand_thread_state {
+  CTR_DRBG_STATE drbg;
+  uint64_t fork_generation;
+  // calls is the number of generate calls made on |drbg| since it was last
+  // (re)seeded. This is bound by |kReseedInterval|.
+  unsigned calls;
+  // last_block_valid is non-zero iff |last_block| contains data from
+  // |CRYPTO_sysrand_for_seed|.
+  int last_block_valid;
+
+#if defined(BORINGSSL_FIPS)
+  // last_block contains the previous block from |CRYPTO_sysrand_for_seed|.
+  uint8_t last_block[CRNGT_BLOCK_SIZE];
+  // next and prev form a NULL-terminated, double-linked list of all states in
+  // a process.
+  struct rand_thread_state *next, *prev;
+#endif
+};
+
+#if defined(BORINGSSL_FIPS)
+// thread_states_list is the head of a linked-list of all |rand_thread_state|
+// objects in the process, one per thread. This is needed because FIPS requires
+// that they be zeroed on process exit, but thread-local destructors aren't
+// called when the whole process is exiting.
+DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list);
+DEFINE_STATIC_MUTEX(thread_states_list_lock);
+
+static void rand_thread_state_clear_all(void) __attribute__((destructor));
+static void rand_thread_state_clear_all(void) {
+  CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+  for (struct rand_thread_state *cur = *thread_states_list_bss_get();
+       cur != NULL; cur = cur->next) {
+    CTR_DRBG_clear(&cur->drbg);
+  }
+  // |thread_states_list_lock is deliberately left locked so that any threads
+  // that are still running will hang if they try to call |RAND_bytes|.
+}
+#endif
+
+// rand_thread_state_free frees a |rand_thread_state|. This is called when a
+// thread exits.
+static void rand_thread_state_free(void *state_in) {
+  struct rand_thread_state *state = state_in;
+
+  if (state_in == NULL) {
+    return;
+  }
+
+#if defined(BORINGSSL_FIPS)
+  CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+
+  if (state->prev != NULL) {
+    state->prev->next = state->next;
+  } else {
+    *thread_states_list_bss_get() = state->next;
+  }
+
+  if (state->next != NULL) {
+    state->next->prev = state->prev;
+  }
+
+  CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get());
+
+  CTR_DRBG_clear(&state->drbg);
+#endif
+
+  OPENSSL_free(state);
+}
+
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+// rdrand should only be called if either |have_rdrand| or |have_fast_rdrand|
+// returned true.
+static int rdrand(uint8_t *buf, const size_t len) {
+  const size_t len_multiple8 = len & ~7;
+  if (!CRYPTO_rdrand_multiple8_buf(buf, len_multiple8)) {
+    return 0;
+  }
+  const size_t remainder = len - len_multiple8;
+
+  if (remainder != 0) {
+    assert(remainder < 8);
+
+    uint8_t rand_buf[8];
+    if (!CRYPTO_rdrand(rand_buf)) {
+      return 0;
+    }
+    OPENSSL_memcpy(buf + len_multiple8, rand_buf, remainder);
+  }
+
+#if defined(BORINGSSL_FIPS_BREAK_CRNG)
+  // This breaks the "continuous random number generator test" defined in FIPS
+  // 140-2, section 4.9.2, and implemented in rand_get_seed().
+  OPENSSL_memset(buf, 0, len);
+#endif
+
+  return 1;
+}
+
+#else
+
+static int rdrand(uint8_t *buf, size_t len) {
+  return 0;
+}
+
+#endif
+
+#if defined(BORINGSSL_FIPS)
+
+static void rand_get_seed(struct rand_thread_state *state,
+                          uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
+  if (!state->last_block_valid) {
+    if (!have_rdrand() ||
+        !rdrand(state->last_block, sizeof(state->last_block))) {
+      CRYPTO_sysrand_for_seed(state->last_block, sizeof(state->last_block));
+    }
+    state->last_block_valid = 1;
+  }
+
+  // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
+  // whiten.
+#define FIPS_OVERREAD 10
+  uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
+
+  int used_rdrand = have_rdrand() && rdrand(entropy, sizeof(entropy));
+  if (!used_rdrand) {
+    CRYPTO_sysrand_for_seed(entropy, sizeof(entropy));
+  }
+
+  // See FIPS 140-2, section 4.9.2. This is the “continuous random number
+  // generator test” which causes the program to randomly abort. Hopefully the
+  // rate of failure is small enough not to be a problem in practice.
+  if (CRYPTO_memcmp(state->last_block, entropy, CRNGT_BLOCK_SIZE) == 0) {
+    fprintf(stderr, "CRNGT failed.\n");
+    BORINGSSL_FIPS_abort();
+  }
+
+  for (size_t i = CRNGT_BLOCK_SIZE; i < sizeof(entropy);
+       i += CRNGT_BLOCK_SIZE) {
+    if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i,
+                      CRNGT_BLOCK_SIZE) == 0) {
+      fprintf(stderr, "CRNGT failed.\n");
+      BORINGSSL_FIPS_abort();
+    }
+  }
+  OPENSSL_memcpy(state->last_block,
+                 entropy + sizeof(entropy) - CRNGT_BLOCK_SIZE,
+                 CRNGT_BLOCK_SIZE);
+
+  OPENSSL_memcpy(seed, entropy, CTR_DRBG_ENTROPY_LEN);
+
+  for (size_t i = 1; i < FIPS_OVERREAD; i++) {
+    for (size_t j = 0; j < CTR_DRBG_ENTROPY_LEN; j++) {
+      seed[j] ^= entropy[CTR_DRBG_ENTROPY_LEN * i + j];
+    }
+  }
+
+#if defined(OPENSSL_URANDOM)
+  // If we used RDRAND, also opportunistically read from the system. This avoids
+  // solely relying on the hardware once the entropy pool has been initialized.
+  if (used_rdrand) {
+    CRYPTO_sysrand_if_available(entropy, CTR_DRBG_ENTROPY_LEN);
+    for (size_t i = 0; i < CTR_DRBG_ENTROPY_LEN; i++) {
+      seed[i] ^= entropy[i];
+    }
+  }
+#endif
+}
+
+#else
+
+static void rand_get_seed(struct rand_thread_state *state,
+                          uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
+  // If not in FIPS mode, we don't overread from the system entropy source and
+  // we don't depend only on the hardware RDRAND.
+  CRYPTO_sysrand(seed, CTR_DRBG_ENTROPY_LEN);
+}
+
+#endif
+
+void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
+                                     const uint8_t user_additional_data[32]) {
+  if (out_len == 0) {
+    return;
+  }
+
+  const uint64_t fork_generation = CRYPTO_get_fork_generation();
+
+  // Additional data is mixed into every CTR-DRBG call to protect, as best we
+  // can, against forks & VM clones. We do not over-read this information and
+  // don't reseed with it so, from the point of view of FIPS, this doesn't
+  // provide “prediction resistance”. But, in practice, it does.
+  uint8_t additional_data[32];
+  // Intel chips have fast RDRAND instructions while, in other cases, RDRAND can
+  // be _slower_ than a system call.
+  if (!have_fast_rdrand() ||
+      !rdrand(additional_data, sizeof(additional_data))) {
+    // Without a hardware RNG to save us from address-space duplication, the OS
+    // entropy is used. This can be expensive (one read per |RAND_bytes| call)
+    // and so is disabled when we have fork detection, or if the application has
+    // promised not to fork.
+    if (fork_generation != 0 || rand_fork_unsafe_buffering_enabled()) {
+      OPENSSL_memset(additional_data, 0, sizeof(additional_data));
+    } else if (!have_rdrand()) {
+      // No alternative so block for OS entropy.
+      CRYPTO_sysrand(additional_data, sizeof(additional_data));
+    } else if (!CRYPTO_sysrand_if_available(additional_data,
+                                            sizeof(additional_data)) &&
+               !rdrand(additional_data, sizeof(additional_data))) {
+      // RDRAND failed: block for OS entropy.
+      CRYPTO_sysrand(additional_data, sizeof(additional_data));
+    }
+  }
+
+  for (size_t i = 0; i < sizeof(additional_data); i++) {
+    additional_data[i] ^= user_additional_data[i];
+  }
+
+  struct rand_thread_state stack_state;
+  struct rand_thread_state *state =
+      CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);
+
+  if (state == NULL) {
+    state = OPENSSL_malloc(sizeof(struct rand_thread_state));
+    if (state == NULL ||
+        !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
+                                 rand_thread_state_free)) {
+      // If the system is out of memory, use an ephemeral state on the
+      // stack.
+      state = &stack_state;
+    }
+
+    state->last_block_valid = 0;
+    uint8_t seed[CTR_DRBG_ENTROPY_LEN];
+    rand_get_seed(state, seed);
+    if (!CTR_DRBG_init(&state->drbg, seed, NULL, 0)) {
+      abort();
+    }
+    state->calls = 0;
+    state->fork_generation = fork_generation;
+
+#if defined(BORINGSSL_FIPS)
+    if (state != &stack_state) {
+      CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get());
+      struct rand_thread_state **states_list = thread_states_list_bss_get();
+      state->next = *states_list;
+      if (state->next != NULL) {
+        state->next->prev = state;
+      }
+      state->prev = NULL;
+      *states_list = state;
+      CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get());
+    }
+#endif
+  }
+
+  if (state->calls >= kReseedInterval ||
+      state->fork_generation != fork_generation) {
+    uint8_t seed[CTR_DRBG_ENTROPY_LEN];
+    rand_get_seed(state, seed);
+#if defined(BORINGSSL_FIPS)
+    // Take a read lock around accesses to |state->drbg|. This is needed to
+    // avoid returning bad entropy if we race with
+    // |rand_thread_state_clear_all|.
+    //
+    // This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
+    // bug on ppc64le. glibc may implement pthread locks by wrapping user code
+    // in a hardware transaction, but, on some older versions of glibc and the
+    // kernel, syscalls made with |syscall| did not abort the transaction.
+    CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
+#endif
+    if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) {
+      abort();
+    }
+    state->calls = 0;
+    state->fork_generation = fork_generation;
+  } else {
+#if defined(BORINGSSL_FIPS)
+    CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
+#endif
+  }
+
+  int first_call = 1;
+  while (out_len > 0) {
+    size_t todo = out_len;
+    if (todo > CTR_DRBG_MAX_GENERATE_LENGTH) {
+      todo = CTR_DRBG_MAX_GENERATE_LENGTH;
+    }
+
+    if (!CTR_DRBG_generate(&state->drbg, out, todo, additional_data,
+                           first_call ? sizeof(additional_data) : 0)) {
+      abort();
+    }
+
+    out += todo;
+    out_len -= todo;
+    // Though we only check before entering the loop, this cannot add enough to
+    // overflow a |size_t|.
+    state->calls++;
+    first_call = 0;
+  }
+
+  if (state == &stack_state) {
+    CTR_DRBG_clear(&state->drbg);
+  }
+
+#if defined(BORINGSSL_FIPS)
+  CRYPTO_STATIC_MUTEX_unlock_read(thread_states_list_lock_bss_get());
+#endif
+}
+
+int RAND_bytes(uint8_t *out, size_t out_len) {
+  static const uint8_t kZeroAdditionalData[32] = {0};
+  RAND_bytes_with_additional_data(out, out_len, kZeroAdditionalData);
+  return 1;
+}
+
+int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
+  return RAND_bytes(buf, len);
+}