grpc 1.28.0 → 1.30.0

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c

@@ -60,9 +60,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_RAW_POINT *r,
       OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
       for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
         BN_ULONG mask = constant_time_eq_w(j, window);
-        ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
-        ec_felem_select(group, &tmp.Y, mask, &precomp[j].Y, &tmp.Y);
-        ec_felem_select(group, &tmp.Z, mask, &precomp[j].Z, &tmp.Z);
+        ec_point_select(group, &tmp, mask, &precomp[j], &tmp);
       }
 
       if (r_is_at_infinity) {
@@ -82,3 +80,191 @@ void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_RAW_POINT *r,
                           const EC_SCALAR *scalar) {
   ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
 }
+
+static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
+                                      size_t num, const EC_RAW_POINT *p) {
+  assert(num > 1);
+  ec_GFp_simple_point_set_to_infinity(group, &out[0]);
+  ec_GFp_simple_point_copy(&out[1], p);
+  for (size_t j = 2; j < num; j++) {
+    if (j & 1) {
+      ec_GFp_mont_add(group, &out[j], &out[1], &out[j - 1]);
+    } else {
+      ec_GFp_mont_dbl(group, &out[j], &out[j / 2]);
+    }
+  }
+}
+
+static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
+                                         EC_RAW_POINT *out,
+                                         const EC_RAW_POINT precomp[17],
+                                         const EC_SCALAR *scalar, unsigned i) {
+  const size_t width = group->order.width;
+  uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
+  window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;
+  window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;
+  window |= bn_is_bit_set_words(scalar->words, width, i + 1) << 2;
+  window |= bn_is_bit_set_words(scalar->words, width, i) << 1;
+  if (i > 0) {
+    window |= bn_is_bit_set_words(scalar->words, width, i - 1);
+  }
+  uint8_t sign, digit;
+  ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window);
+
+  // Select the entry in constant-time.
+  OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
+  for (size_t j = 0; j < 17; j++) {
+    BN_ULONG mask = constant_time_eq_w(j, digit);
+    ec_point_select(group, out, mask, &precomp[j], out);
+  }
+
+  // Negate if necessary.
+  EC_FELEM neg_Y;
+  ec_felem_neg(group, &neg_Y, &out->Y);
+  BN_ULONG sign_mask = sign;
+  sign_mask = 0u - sign_mask;
+  ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y);
+}
+
+void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+                           const EC_RAW_POINT *p0, const EC_SCALAR *scalar0,
+                           const EC_RAW_POINT *p1, const EC_SCALAR *scalar1,
+                           const EC_RAW_POINT *p2, const EC_SCALAR *scalar2) {
+  EC_RAW_POINT precomp[3][17];
+  ec_GFp_mont_batch_precomp(group, precomp[0], 17, p0);
+  ec_GFp_mont_batch_precomp(group, precomp[1], 17, p1);
+  if (p2 != NULL) {
+    ec_GFp_mont_batch_precomp(group, precomp[2], 17, p2);
+  }
+
+  // Divide bits in |scalar| into windows.
+  unsigned bits = BN_num_bits(&group->order);
+  int r_is_at_infinity = 1;
+  for (unsigned i = bits; i <= bits; i--) {
+    if (!r_is_at_infinity) {
+      ec_GFp_mont_dbl(group, r, r);
+    }
+    if (i % 5 == 0) {
+      EC_RAW_POINT tmp;
+      ec_GFp_mont_batch_get_window(group, &tmp, precomp[0], scalar0, i);
+      if (r_is_at_infinity) {
+        ec_GFp_simple_point_copy(r, &tmp);
+        r_is_at_infinity = 0;
+      } else {
+        ec_GFp_mont_add(group, r, r, &tmp);
+      }
+
+      ec_GFp_mont_batch_get_window(group, &tmp, precomp[1], scalar1, i);
+      ec_GFp_mont_add(group, r, r, &tmp);
+
+      if (p2 != NULL) {
+        ec_GFp_mont_batch_get_window(group, &tmp, precomp[2], scalar2, i);
+        ec_GFp_mont_add(group, r, r, &tmp);
+      }
+    }
+  }
+  if (r_is_at_infinity) {
+    ec_GFp_simple_point_set_to_infinity(group, r);
+  }
+}
+
+static unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) {
+  return (BN_num_bits(&group->field) + EC_MONT_PRECOMP_COMB_SIZE - 1) /
+         EC_MONT_PRECOMP_COMB_SIZE;
+}
+
+int ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,
+                             const EC_RAW_POINT *p) {
+  // comb[i - 1] stores the ith element of the comb. That is, if i is
+  // b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is
+  // b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride
+  // here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th
+  // comb entry is always infinity.
+  EC_RAW_POINT comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];
+  unsigned stride = ec_GFp_mont_comb_stride(group);
+
+  // We compute the comb sequentially by the highest set bit. Initially, all
+  // entries up to 2^0 are filled.
+  comb[(1 << 0) - 1] = *p;
+  for (unsigned i = 1; i < EC_MONT_PRECOMP_COMB_SIZE; i++) {
+    // Compute entry 2^i by doubling the entry for 2^(i-1) |stride| times.
+    unsigned bit = 1 << i;
+    ec_GFp_mont_dbl(group, &comb[bit - 1], &comb[bit / 2 - 1]);
+    for (unsigned j = 1; j < stride; j++) {
+      ec_GFp_mont_dbl(group, &comb[bit - 1], &comb[bit - 1]);
+    }
+    // Compute entries from 2^i + 1 to 2^i + (2^i - 1) by adding entry 2^i to
+    // a previous entry.
+    for (unsigned j = 1; j < bit; j++) {
+      ec_GFp_mont_add(group, &comb[bit + j - 1], &comb[bit - 1], &comb[j - 1]);
+    }
+  }
+
+  // Store the comb in affine coordinates to shrink the table. (This reduces
+  // cache pressure and makes the constant-time selects faster.)
+  OPENSSL_STATIC_ASSERT(
+      OPENSSL_ARRAY_SIZE(comb) == OPENSSL_ARRAY_SIZE(out->comb),
+      "comb sizes did not match");
+  return ec_jacobian_to_affine_batch(group, out->comb, comb,
+                                     OPENSSL_ARRAY_SIZE(comb));
+}
+
+static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
+                                        EC_RAW_POINT *out,
+                                        const EC_PRECOMP *precomp,
+                                        const EC_SCALAR *scalar, unsigned i) {
+  const size_t width = group->order.width;
+  unsigned stride = ec_GFp_mont_comb_stride(group);
+  // Select the bits corresponding to the comb shifted up by |i|.
+  unsigned window = 0;
+  for (unsigned j = 0; j < EC_MONT_PRECOMP_COMB_SIZE; j++) {
+    window |= bn_is_bit_set_words(scalar->words, width, j * stride + i)
+              << j;
+  }
+
+  // Select precomp->comb[window - 1]. If |window| is zero, |match| will always
+  // be zero, which will leave |out| at infinity.
+  OPENSSL_memset(out, 0, sizeof(EC_RAW_POINT));
+  for (unsigned j = 0; j < OPENSSL_ARRAY_SIZE(precomp->comb); j++) {
+    BN_ULONG match = constant_time_eq_w(window, j + 1);
+    ec_felem_select(group, &out->X, match, &precomp->comb[j].X, &out->X);
+    ec_felem_select(group, &out->Y, match, &precomp->comb[j].Y, &out->Y);
+  }
+  BN_ULONG is_infinity = constant_time_is_zero_w(window);
+  ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one);
+}
+
+void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_RAW_POINT *r,
+                             const EC_PRECOMP *p0, const EC_SCALAR *scalar0,
+                             const EC_PRECOMP *p1, const EC_SCALAR *scalar1,
+                             const EC_PRECOMP *p2, const EC_SCALAR *scalar2) {
+  unsigned stride = ec_GFp_mont_comb_stride(group);
+  int r_is_at_infinity = 1;
+  for (unsigned i = stride - 1; i < stride; i--) {
+    if (!r_is_at_infinity) {
+      ec_GFp_mont_dbl(group, r, r);
+    }
+
+    EC_RAW_POINT tmp;
+    ec_GFp_mont_get_comb_window(group, &tmp, p0, scalar0, i);
+    if (r_is_at_infinity) {
+      ec_GFp_simple_point_copy(r, &tmp);
+      r_is_at_infinity = 0;
+    } else {
+      ec_GFp_mont_add(group, r, r, &tmp);
+    }
+
+    if (p1 != NULL) {
+      ec_GFp_mont_get_comb_window(group, &tmp, p1, scalar1, i);
+      ec_GFp_mont_add(group, r, r, &tmp);
+    }
+
+    if (p2 != NULL) {
+      ec_GFp_mont_get_comb_window(group, &tmp, p2, scalar2, i);
+      ec_GFp_mont_add(group, r, r, &tmp);
+    }
+  }
+  if (r_is_at_infinity) {
+    ec_GFp_simple_point_set_to_infinity(group, r);
+  }
+}

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c

@@ -72,6 +72,7 @@
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
 #include <openssl/thread.h>
 
 #include "internal.h"
@@ -174,24 +175,57 @@ static void lookup_precomp(const EC_GROUP *group, EC_RAW_POINT *out,
 // EC_WNAF_TABLE_SIZE is the table size to use for |ec_GFp_mont_mul_public|.
 #define EC_WNAF_TABLE_SIZE (1 << (EC_WNAF_WINDOW_BITS - 1))
 
-void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
-                            const EC_SCALAR *g_scalar, const EC_RAW_POINT *p,
-                            const EC_SCALAR *p_scalar) {
+// EC_WNAF_STACK is the number of points worth of data to stack-allocate and
+// avoid a malloc.
+#define EC_WNAF_STACK 3
+
+int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_RAW_POINT *r,
+                                 const EC_SCALAR *g_scalar,
+                                 const EC_RAW_POINT *points,
+                                 const EC_SCALAR *scalars, size_t num) {
   size_t bits = BN_num_bits(&group->order);
   size_t wNAF_len = bits + 1;
 
+  int ret = 0;
+  int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];
+  int8_t (*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;
+  int8_t (*wNAF)[EC_MAX_BYTES * 8 + 1];
+  EC_RAW_POINT precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];
+  EC_RAW_POINT (*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;
+  EC_RAW_POINT (*precomp)[EC_WNAF_TABLE_SIZE];
+  if (num <= EC_WNAF_STACK) {
+    wNAF = wNAF_stack;
+    precomp = precomp_stack;
+  } else {
+    if (num >= ((size_t)-1) / sizeof(wNAF_alloc[0]) ||
+        num >= ((size_t)-1) / sizeof(precomp_alloc[0])) {
+      OPENSSL_PUT_ERROR(EC, ERR_R_OVERFLOW);
+      goto err;
+    }
+    wNAF_alloc = OPENSSL_malloc(num * sizeof(wNAF_alloc[0]));
+    precomp_alloc = OPENSSL_malloc(num * sizeof(precomp_alloc[0]));
+    if (wNAF_alloc == NULL || precomp_alloc == NULL) {
+      OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
+      goto err;
+    }
+    wNAF = wNAF_alloc;
+    precomp = precomp_alloc;
+  }
+
   int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
   EC_RAW_POINT g_precomp[EC_WNAF_TABLE_SIZE];
   assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
   const EC_RAW_POINT *g = &group->generator->raw;
-  ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
-  compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
+  if (g_scalar != NULL) {
+    ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
+    compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
+  }
 
-  int8_t p_wNAF[EC_MAX_BYTES * 8 + 1];
-  EC_RAW_POINT p_precomp[EC_WNAF_TABLE_SIZE];
-  assert(wNAF_len <= OPENSSL_ARRAY_SIZE(p_wNAF));
-  ec_compute_wNAF(group, p_wNAF, p_scalar, bits, EC_WNAF_WINDOW_BITS);
-  compute_precomp(group, p_precomp, p, EC_WNAF_TABLE_SIZE);
+  for (size_t i = 0; i < num; i++) {
+    assert(wNAF_len <= OPENSSL_ARRAY_SIZE(wNAF[i]));
+    ec_compute_wNAF(group, wNAF[i], &scalars[i], bits, EC_WNAF_WINDOW_BITS);
+    compute_precomp(group, precomp[i], &points[i], EC_WNAF_TABLE_SIZE);
+  }
 
   EC_RAW_POINT tmp;
   int r_is_at_infinity = 1;
@@ -200,7 +234,7 @@ void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
       ec_GFp_mont_dbl(group, r, r);
     }
 
-    if (g_wNAF[k] != 0) {
+    if (g_scalar != NULL && g_wNAF[k] != 0) {
       lookup_precomp(group, &tmp, g_precomp, g_wNAF[k]);
       if (r_is_at_infinity) {
         ec_GFp_simple_point_copy(r, &tmp);
@@ -210,13 +244,15 @@ void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
       }
     }
 
-    if (p_wNAF[k] != 0) {
-      lookup_precomp(group, &tmp, p_precomp, p_wNAF[k]);
-      if (r_is_at_infinity) {
-        ec_GFp_simple_point_copy(r, &tmp);
-        r_is_at_infinity = 0;
-      } else {
-        ec_GFp_mont_add(group, r, r, &tmp);
+    for (size_t i = 0; i < num; i++) {
+      if (wNAF[i][k] != 0) {
+        lookup_precomp(group, &tmp, precomp[i], wNAF[i][k]);
+        if (r_is_at_infinity) {
+          ec_GFp_simple_point_copy(r, &tmp);
+          r_is_at_infinity = 0;
+        } else {
+          ec_GFp_mont_add(group, r, r, &tmp);
+        }
       }
     }
   }
@@ -224,4 +260,11 @@ void ec_GFp_mont_mul_public(const EC_GROUP *group, EC_RAW_POINT *r,
   if (r_is_at_infinity) {
     ec_GFp_simple_point_set_to_infinity(group, r);
   }
+
+  ret = 1;
+
+err:
+  OPENSSL_free(wNAF_alloc);
+  OPENSSL_free(precomp_alloc);
+  return ret;
 }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c

@@ -94,8 +94,8 @@ int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,
   uint8_t buf[EC_MAX_BYTES];
   size_t buflen;
   if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||
-      !ec_point_get_affine_coordinate_bytes(group, buf, NULL, &buflen,
-                                            sizeof(buf), &shared_point)) {
+      !ec_get_x_coordinate_as_bytes(group, buf, &buflen, sizeof(buf),
+                                    &shared_point)) {
     OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c

@@ -122,6 +122,14 @@ void ECDSA_SIG_free(ECDSA_SIG *sig) {
   OPENSSL_free(sig);
 }
 
+const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) {
+  return sig->r;
+}
+
+const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) {
+  return sig->s;
+}
+
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
                     const BIGNUM **out_s) {
   if (out_r != NULL) {
@@ -161,8 +169,11 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
     return 0;
   }
 
-  // s_inv_mont = s^-1 in the Montgomery domain. This is
-  ec_scalar_inv_montgomery_vartime(group, &s_inv_mont, &s);
+  // s_inv_mont = s^-1 in the Montgomery domain.
+  if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {
+    OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
 
   // u1 = m * s^-1 mod order
   // u2 = r * s^-1 mod order
@@ -208,6 +219,10 @@ static int ecdsa_sign_setup(const EC_KEY *eckey, EC_SCALAR *out_kinv_mont,
       if (!ec_bignum_to_scalar(group, &k, eckey->fixed_k)) {
         goto err;
       }
+      if (ec_scalar_is_zero(group, &k)) {
+        OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
+        goto err;
+      }
     } else {
       // Pass a SHA512 hash of the private key and digest as additional data
       // into the RBG. This is a hardening measure against entropy failure.
@@ -225,10 +240,10 @@ static int ecdsa_sign_setup(const EC_KEY *eckey, EC_SCALAR *out_kinv_mont,
     }
 
     // Compute k^-1 in the Montgomery domain. This is |ec_scalar_to_montgomery|
-    // followed by |ec_scalar_inv_montgomery|, but |ec_scalar_inv_montgomery|
+    // followed by |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery|
     // followed by |ec_scalar_from_montgomery| is equivalent and slightly more
-    // efficient.
-    ec_scalar_inv_montgomery(group, out_kinv_mont, &k);
+    // efficient. Note k is non-zero, so the inverse must exist.
+    ec_scalar_inv0_montgomery(group, out_kinv_mont, &k);
     ec_scalar_from_montgomery(group, out_kinv_mont, out_kinv_mont);
 
     // Compute r, the x-coordinate of generator * k.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c

@@ -0,0 +1,137 @@
+/* Copyright (c) 2020, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE  // needed for madvise() and MAP_ANONYMOUS on Linux.
+#endif
+
+#include <openssl/base.h>
+
+#include "fork_detect.h"
+
+#if defined(OPENSSL_LINUX)
+#include <sys/mman.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <openssl/type_check.h>
+
+#include "../delocate.h"
+#include "../../internal.h"
+
+
+#if defined(MADV_WIPEONFORK)
+OPENSSL_STATIC_ASSERT(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18");
+#else
+#define MADV_WIPEONFORK 18
+#endif
+
+DEFINE_STATIC_ONCE(g_fork_detect_once);
+DEFINE_STATIC_MUTEX(g_fork_detect_lock);
+DEFINE_BSS_GET(volatile char *, g_fork_detect_addr);
+DEFINE_BSS_GET(uint64_t, g_fork_generation);
+DEFINE_BSS_GET(int, g_ignore_madv_wipeonfork);
+
+static void init_fork_detect(void) {
+  if (*g_ignore_madv_wipeonfork_bss_get()) {
+    return;
+  }
+
+  long page_size = sysconf(_SC_PAGESIZE);
+  if (page_size <= 0) {
+    return;
+  }
+
+  void *addr = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
+                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  if (addr == MAP_FAILED) {
+    return;
+  }
+
+  // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c)
+  // ignore |madvise| calls and just return zero (i.e. success). But we need to
+  // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid
+  // call to check that the implementation of |madvise| is actually rejecting
+  // unknown |advice| values.
+  if (madvise(addr, (size_t)page_size, -1) == 0 ||
+      madvise(addr, (size_t)page_size, MADV_WIPEONFORK) != 0) {
+    munmap(addr, (size_t)page_size);
+    return;
+  }
+
+  *((volatile char *) addr) = 1;
+  *g_fork_detect_addr_bss_get() = addr;
+  *g_fork_generation_bss_get() = 1;
+}
+
+uint64_t CRYPTO_get_fork_generation(void) {
+  // In a single-threaded process, there are obviously no races because there's
+  // only a single mutator in the address space.
+  //
+  // In a multi-threaded environment, |CRYPTO_once| ensures that the flag byte
+  // is initialised atomically, even if multiple threads enter this function
+  // concurrently.
+  //
+  // In the limit, the kernel may clear WIPEONFORK pages while a multi-threaded
+  // process is running. (For example, because a VM was cloned.) Therefore a
+  // lock is used below to synchronise the potentially multiple threads that may
+  // concurrently observe the cleared flag.
+
+  CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect);
+  // This pointer is |volatile| because the value pointed to may be changed by
+  // external forces (i.e. the kernel wiping the page) thus the compiler must
+  // not assume that it has exclusive access to it.
+  volatile char *const flag_ptr = *g_fork_detect_addr_bss_get();
+  if (flag_ptr == NULL) {
+    // Our kernel is too old to support |MADV_WIPEONFORK|.
+    return 0;
+  }
+
+  struct CRYPTO_STATIC_MUTEX *const lock = g_fork_detect_lock_bss_get();
+  uint64_t *const generation_ptr = g_fork_generation_bss_get();
+
+  CRYPTO_STATIC_MUTEX_lock_read(lock);
+  uint64_t current_generation = *generation_ptr;
+  if (*flag_ptr) {
+    CRYPTO_STATIC_MUTEX_unlock_read(lock);
+    return current_generation;
+  }
+
+  CRYPTO_STATIC_MUTEX_unlock_read(lock);
+  CRYPTO_STATIC_MUTEX_lock_write(lock);
+  current_generation = *generation_ptr;
+  if (*flag_ptr == 0) {
+    // A fork has occurred.
+    *flag_ptr = 1;
+
+    current_generation++;
+    if (current_generation == 0) {
+      current_generation = 1;
+    }
+    *generation_ptr = current_generation;
+  }
+  CRYPTO_STATIC_MUTEX_unlock_write(lock);
+
+  return current_generation;
+}
+
+void CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing(void) {
+  *g_ignore_madv_wipeonfork_bss_get() = 1;
+}
+
+#else   // !OPENSSL_LINUX
+
+uint64_t CRYPTO_get_fork_generation(void) { return 0; }
+
+#endif  // OPENSSL_LINUX