RubyGems - grpc - Versions diffs - 1.66.0 → 1.67.0.pre1 - Mend

grpc 1.66.0 → 1.67.0.pre1

Files changed (547) hide show

data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h CHANGED Viewed

@@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */
-#define NUM_NID 965
+#define NUM_NID 966
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -8783,6 +8783,7 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0},
     {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
      NID_X25519Kyber768Draft00, 0, NULL, 0},
+    {"X25519MLKEM768", "X25519MLKEM768", NID_X25519MLKEM768, 0, NULL, 0},
 };
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8981,6 +8982,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     458 /* UID */,
     948 /* X25519 */,
     964 /* X25519Kyber768Draft00 */,
+    965 /* X25519MLKEM768 */,
     961 /* X448 */,
     11 /* X500 */,
     378 /* X500algorithms */,
@@ -9852,6 +9854,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     375 /* Trust Root */,
     948 /* X25519 */,
     964 /* X25519Kyber768Draft00 */,
+    965 /* X25519MLKEM768 */,
     961 /* X448 */,
     12 /* X509 */,
     402 /* X509v3 AC Targeting */,

data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c CHANGED Viewed

@@ -312,12 +312,11 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
     const unsigned iv_len = EVP_CIPHER_iv_length(enc);
     if (pass == NULL) {
-      pass_len = 0;
       if (!callback) {
         callback = PEM_def_callback;
       }
       pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u);
-      if (pass_len <= 0) {
+      if (pass_len < 0) {
         OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
         goto err;
       }
@@ -393,7 +392,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
     callback = PEM_def_callback;
   }
   pass_len = callback(buf, PEM_BUFSIZE, 0, u);
-  if (pass_len <= 0) {
+  if (pass_len < 0) {
     OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
     return 0;
   }
@@ -779,11 +778,11 @@ err:
 int PEM_def_callback(char *buf, int size, int rwflag, void *userdata) {
   if (!buf || !userdata || size < 0) {
-    return 0;
+    return -1;
   }
   size_t len = strlen((char *)userdata);
   if (len >= (size_t)size) {
-    return 0;
+    return -1;
   }
   OPENSSL_strlcpy(buf, userdata, (size_t)size);
   return (int)len;

data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c CHANGED Viewed

@@ -113,12 +113,11 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
   }
   if (enc || (nid != -1)) {
     if (!pass) {
-      pass_len = 0;
       if (!cb) {
         cb = PEM_def_callback;
       }
       pass_len = cb(buf, PEM_BUFSIZE, 1, u);
-      if (pass_len <= 0) {
+      if (pass_len < 0) {
         OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
         PKCS8_PRIV_KEY_INFO_free(p8inf);
         return 0;
@@ -166,7 +165,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     cb = PEM_def_callback;
   }
   pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);
-  if (pass_len <= 0) {
+  if (pass_len < 0) {
     OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
     X509_SIG_free(p8);
     return NULL;

data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c CHANGED Viewed

@@ -110,7 +110,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
       cb = PEM_def_callback;
     }
     pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);
-    if (pass_len <= 0) {
+    if (pass_len < 0) {
       OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
       X509_SIG_free(p8);
       goto err;

data/third_party/boringssl-with-bazel/src/crypto/pkcs8/internal.h CHANGED Viewed

@@ -57,6 +57,7 @@
 #define OPENSSL_HEADER_PKCS8_INTERNAL_H
 #include <openssl/base.h>
+#include <openssl/stack.h>
 #if defined(__cplusplus)
 extern "C" {

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/deterministic.c CHANGED Viewed

@@ -14,7 +14,8 @@
 #include <openssl/rand.h>
-#include "../fipsmodule/rand/internal.h"
+#include "../bcm_support.h"
+#include "sysrand_internal.h"
 #if defined(OPENSSL_RAND_DETERMINISTIC)
@@ -35,6 +36,8 @@ static CRYPTO_MUTEX g_num_calls_lock = CRYPTO_MUTEX_INIT;
 void RAND_reset_for_fuzzing(void) { g_num_calls = 0; }
+void CRYPTO_init_sysrand(void) {}
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   static const uint8_t kZeroKey[32];
@@ -50,6 +53,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0);
 }
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }

data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/rand → rand_extra}/fork_detect.c RENAMED Viewed

@@ -16,8 +16,7 @@
 #define _GNU_SOURCE  // needed for madvise() and MAP_ANONYMOUS on Linux.
 #endif
-#include <openssl/base.h>
-#include "fork_detect.h"
+#include "../bcm_support.h"
 #if defined(OPENSSL_FORK_DETECTION_MADVISE)
 #include <unistd.h>
@@ -35,19 +34,18 @@ static_assert(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18");
 #include <pthread.h>
 #endif // OPENSSL_FORK_DETECTION_MADVISE
-#include "../delocate.h"
-#include "../../internal.h"
+#include "../internal.h"
 #if defined(OPENSSL_FORK_DETECTION_MADVISE)
-DEFINE_BSS_GET(int, g_force_madv_wipeonfork);
-DEFINE_BSS_GET(int, g_force_madv_wipeonfork_enabled);
-DEFINE_STATIC_ONCE(g_fork_detect_once);
-DEFINE_STATIC_MUTEX(g_fork_detect_lock);
-DEFINE_BSS_GET(CRYPTO_atomic_u32 *, g_fork_detect_addr);
-DEFINE_BSS_GET(uint64_t, g_fork_generation);
+static int g_force_madv_wipeonfork;
+static int g_force_madv_wipeonfork_enabled;
+static CRYPTO_once_t g_fork_detect_once = CRYPTO_ONCE_INIT;
+static CRYPTO_MUTEX g_fork_detect_lock = CRYPTO_MUTEX_INIT;
+static CRYPTO_atomic_u32 * g_fork_detect_addr;
+static uint64_t g_fork_generation;
 static void init_fork_detect(void) {
-  if (*g_force_madv_wipeonfork_bss_get()) {
+  if (g_force_madv_wipeonfork) {
     return;
   }
@@ -74,13 +72,13 @@ static void init_fork_detect(void) {
   }
   CRYPTO_atomic_store_u32(addr, 1);
-  *g_fork_detect_addr_bss_get() = addr;
-  *g_fork_generation_bss_get() = 1;
+  g_fork_detect_addr = addr;
+  g_fork_generation = 1;
 }
 uint64_t CRYPTO_get_fork_generation(void) {
-  CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect);
+  CRYPTO_once(&g_fork_detect_once, init_fork_detect);
   // In a single-threaded process, there are obviously no races because there's
   // only a single mutator in the address space.
@@ -93,12 +91,12 @@ uint64_t CRYPTO_get_fork_generation(void) {
   // child process is single-threaded, the child may become multi-threaded
   // before it observes this. Therefore, we must synchronize the logic below.
-  CRYPTO_atomic_u32 *const flag_ptr = *g_fork_detect_addr_bss_get();
+  CRYPTO_atomic_u32 *const flag_ptr = g_fork_detect_addr;
   if (flag_ptr == NULL) {
     // Our kernel is too old to support |MADV_WIPEONFORK| or
     // |g_force_madv_wipeonfork| is set.
-    if (*g_force_madv_wipeonfork_bss_get() &&
-        *g_force_madv_wipeonfork_enabled_bss_get()) {
+    if (g_force_madv_wipeonfork &&
+        g_force_madv_wipeonfork_enabled) {
       // A constant generation number to simulate support, even if the kernel
       // doesn't support it.
       return 42;
@@ -114,7 +112,7 @@ uint64_t CRYPTO_get_fork_generation(void) {
   // In the common case, try to observe the flag without taking a lock. This
   // avoids cacheline contention in the PRNG.
-  uint64_t *const generation_ptr = g_fork_generation_bss_get();
+  uint64_t *const generation_ptr = &g_fork_generation;
   if (CRYPTO_atomic_load_u32(flag_ptr) != 0) {
     // If we observe a non-zero flag, it is safe to read |generation_ptr|
     // without a lock. The flag and generation number are fixed for this copy of
@@ -125,7 +123,7 @@ uint64_t CRYPTO_get_fork_generation(void) {
   // The flag was zero. The generation number must be incremented, but other
   // threads may have concurrently observed the zero, so take a lock before
   // incrementing.
-  CRYPTO_MUTEX *const lock = g_fork_detect_lock_bss_get();
+  CRYPTO_MUTEX *const lock = &g_fork_detect_lock;
   CRYPTO_MUTEX_lock_write(lock);
   uint64_t current_generation = *generation_ptr;
   if (CRYPTO_atomic_load_u32(flag_ptr) == 0) {
@@ -147,35 +145,35 @@ uint64_t CRYPTO_get_fork_generation(void) {
 }
 void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) {
-  *g_force_madv_wipeonfork_bss_get() = 1;
-  *g_force_madv_wipeonfork_enabled_bss_get() = on;
+  g_force_madv_wipeonfork = 1;
+  g_force_madv_wipeonfork_enabled = on;
 }
 #elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK)
-DEFINE_STATIC_ONCE(g_pthread_fork_detection_once);
-DEFINE_BSS_GET(uint64_t, g_atfork_fork_generation);
+static CRYPTO_once_t g_pthread_fork_detection_once = CRYPTO_ONCE_INIT;
+static uint64_t g_atfork_fork_generation;
 static void we_are_forked(void) {
   // Immediately after a fork, the process must be single-threaded.
-  uint64_t value = *g_atfork_fork_generation_bss_get() + 1;
+  uint64_t value = g_atfork_fork_generation + 1;
   if (value == 0) {
     value = 1;
   }
-  *g_atfork_fork_generation_bss_get() = value;
+  g_atfork_fork_generation = value;
 }
 static void init_pthread_fork_detection(void) {
   if (pthread_atfork(NULL, NULL, we_are_forked) != 0) {
     abort();
   }
-  *g_atfork_fork_generation_bss_get() = 1;
+  g_atfork_fork_generation = 1;
 }
 uint64_t CRYPTO_get_fork_generation(void) {
-  CRYPTO_once(g_pthread_fork_detection_once_bss_get(), init_pthread_fork_detection);
+  CRYPTO_once(&g_pthread_fork_detection_once, init_pthread_fork_detection);
-  return *g_atfork_fork_generation_bss_get();
+  return g_atfork_fork_generation;
 }
 #elif defined(OPENSSL_DOES_NOT_FORK)

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/getentropy.c CHANGED Viewed

@@ -18,7 +18,8 @@
 #include <openssl/rand.h>
-#include "../fipsmodule/rand/internal.h"
+#include "../bcm_support.h"
+#include "sysrand_internal.h"
 #if defined(OPENSSL_RAND_GETENTROPY)
@@ -30,6 +31,8 @@
 #include <sys/random.h>
 #endif
+void CRYPTO_init_sysrand(void) {}
 // CRYPTO_sysrand puts |requested| random bytes into |out|.
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   while (requested > 0) {
@@ -45,6 +48,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   }
 }
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/ios.c CHANGED Viewed

@@ -14,19 +14,27 @@
 #include <openssl/rand.h>
-#include "../fipsmodule/rand/internal.h"
+#include "../bcm_support.h"
+#include "sysrand_internal.h"
 #if defined(OPENSSL_RAND_IOS)
 #include <stdlib.h>
 #include <CommonCrypto/CommonRandom.h>
+void CRYPTO_init_sysrand(void) {}
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   if (CCRandomGenerateBytes(out, requested) != kCCSuccess) {
     abort();
   }
 }
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c CHANGED Viewed

@@ -14,11 +14,27 @@
 #include <openssl/ctrdrbg.h>
-#include "../fipsmodule/rand/internal.h"
+#include "../fipsmodule/bcm_interface.h"
+#include "../bcm_support.h"
 #include "../internal.h"
 #if defined(BORINGSSL_FIPS)
+// passive_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable
+// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
+// entropy came directly from the CPU and zero if it came from the OS. It
+// actively obtains entropy from the CPU/OS
+static void passive_get_seed_entropy(uint8_t *out_entropy,
+                                     size_t out_entropy_len,
+                                     int *out_want_additional_input) {
+  *out_want_additional_input = 0;
+  if (bcm_success(BCM_rand_bytes_hwrng(out_entropy, out_entropy_len))) {
+    *out_want_additional_input = 1;
+  } else {
+    CRYPTO_sysrand_for_seed(out_entropy, out_entropy_len);
+  }
+}
 #define ENTROPY_READ_LEN \
   (/* last_block size */ 16 + CTR_DRBG_ENTROPY_LEN * BORINGSSL_FIPS_OVERREAD)
@@ -143,7 +159,7 @@ void RAND_need_entropy(size_t bytes_needed) {
   if (get_seed_from_daemon(buf, todo)) {
     want_additional_input = 1;
   } else {
-    CRYPTO_get_seed_entropy(buf, todo, &want_additional_input);
+    passive_get_seed_entropy(buf, todo, &want_additional_input);
   }
   if (boringssl_fips_break_test("CRNG")) {
@@ -152,7 +168,7 @@ void RAND_need_entropy(size_t bytes_needed) {
     OPENSSL_memset(buf, 0, todo);
   }
-  RAND_load_entropy(buf, todo, want_additional_input);
+  BCM_rand_load_entropy(buf, todo, want_additional_input);
 }
 #endif  // FIPS

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/rand_extra.c CHANGED Viewed

@@ -12,11 +12,21 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#include <limits.h>
 #include <openssl/rand.h>
-#include <limits.h>
+#include "../bcm_support.h"
+#include "../fipsmodule/bcm_interface.h"
+int RAND_bytes(uint8_t *buf, size_t len) {
+  BCM_rand_bytes(buf, len);
+  return 1;
+}
+int RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); }
 void RAND_seed(const void *buf, int num) {
   // OpenSSH calls |RAND_seed| before jailing on the assumption that any needed
   // file descriptors etc will be opened.
@@ -28,7 +38,7 @@ int RAND_load_file(const char *path, long num) {
   if (num < 0) {  // read the "whole file"
     return 1;
   } else if (num <= INT_MAX) {
-    return (int) num;
+    return (int)num;
   } else {
     return INT_MAX;
   }
@@ -38,37 +48,30 @@ const char *RAND_file_name(char *buf, size_t num) { return NULL; }
 void RAND_add(const void *buf, int num, double entropy) {}
-int RAND_egd(const char *path) {
-  return 255;
-}
+int RAND_egd(const char *path) { return 255; }
-int RAND_poll(void) {
-  return 1;
-}
+int RAND_poll(void) { return 1; }
-int RAND_status(void) {
-  return 1;
-}
+int RAND_status(void) { return 1; }
 static const struct rand_meth_st kSSLeayMethod = {
-  RAND_seed,
-  RAND_bytes,
-  RAND_cleanup,
-  RAND_add,
-  RAND_pseudo_bytes,
-  RAND_status,
+    RAND_seed, RAND_bytes,        RAND_cleanup,
+    RAND_add,  RAND_pseudo_bytes, RAND_status,
 };
-RAND_METHOD *RAND_SSLeay(void) {
-  return (RAND_METHOD*) &kSSLeayMethod;
-}
+RAND_METHOD *RAND_SSLeay(void) { return (RAND_METHOD *)&kSSLeayMethod; }
-RAND_METHOD *RAND_OpenSSL(void) {
-  return RAND_SSLeay();
-}
+RAND_METHOD *RAND_OpenSSL(void) { return RAND_SSLeay(); }
 const RAND_METHOD *RAND_get_rand_method(void) { return RAND_SSLeay(); }
 int RAND_set_rand_method(const RAND_METHOD *method) { return 1; }
 void RAND_cleanup(void) {}
+void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) {
+  if (len > 256) {
+    abort();
+  }
+  CRYPTO_sysrand_for_seed(buf, len);
+}

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/sysrand_internal.h ADDED Viewed

@@ -0,0 +1,37 @@
+/* Copyright (c) 2024, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#ifndef OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H
+#include <openssl/base.h>
+#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+#define OPENSSL_RAND_DETERMINISTIC
+#elif defined(OPENSSL_TRUSTY)
+#define OPENSSL_RAND_TRUSTY
+#elif defined(OPENSSL_WINDOWS)
+#define OPENSSL_RAND_WINDOWS
+#elif defined(OPENSSL_LINUX)
+#define OPENSSL_RAND_URANDOM
+#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)
+// Unlike macOS, iOS and similar hide away getentropy().
+#define OPENSSL_RAND_IOS
+#else
+// By default if you are integrating BoringSSL we expect you to
+// provide getentropy from the <unistd.h> header file.
+#define OPENSSL_RAND_GETENTROPY
+#endif
+#endif  // OPENSSL_HEADER_CRYPTO__SYSRAND_INTERNAL_H

data/third_party/boringssl-with-bazel/src/crypto/rand_extra/trusty.c CHANGED Viewed

@@ -14,7 +14,8 @@
 #include <openssl/rand.h>
-#include "../fipsmodule/rand/internal.h"
+#include "../bcm_support.h"
+#include "sysrand_internal.h"
 #if defined(OPENSSL_RAND_TRUSTY)
 #include <stdint.h>
@@ -25,12 +26,19 @@
 #include <lib/rng/trusty_rng.h>
+void CRYPTO_init_sysrand(void) {}
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   if (trusty_rng_hw_rand(out, requested) != NO_ERROR) {
     abort();
   }
 }
+int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {
+  CRYPTO_sysrand(buf, len);
+  return 1;
+}
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }

data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/rand → rand_extra}/urandom.c RENAMED Viewed

@@ -18,7 +18,8 @@
 #include <openssl/rand.h>
-#include "internal.h"
+#include "../bcm_support.h"
+#include "sysrand_internal.h"
 #if defined(OPENSSL_RAND_URANDOM)
@@ -62,8 +63,7 @@
 #include <openssl/mem.h>
 #include "getrandom_fillin.h"
-#include "../delocate.h"
-#include "../../internal.h"
+#include "../internal.h"
 #if defined(USE_NR_getrandom)
@@ -96,17 +96,17 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
 static const int kHaveGetrandom = -3;
 // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
-DEFINE_BSS_GET(int, urandom_fd)
+static int urandom_fd;
 #if defined(USE_NR_getrandom)
 // getrandom_ready is one if |getrandom| had been initialized by the time
 // |init_once| was called and zero otherwise.
-DEFINE_BSS_GET(int, getrandom_ready)
+static int getrandom_ready;
 // extra_getrandom_flags_for_seed contains a value that is ORed into the flags
 // for getrandom() when reading entropy for a seed.
-DEFINE_BSS_GET(int, extra_getrandom_flags_for_seed)
+static int extra_getrandom_flags_for_seed;
 // On Android, check a system property to decide whether to set
 // |extra_getrandom_flags_for_seed| otherwise they will default to zero.  If
@@ -123,14 +123,14 @@ static void maybe_set_extra_getrandom_flags(void) {
   value[length] = 0;
   if (OPENSSL_strcasecmp(value, "true") == 0) {
-    *extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM;
+    extra_getrandom_flags_for_seed = GRND_RANDOM;
   }
 #endif
 }
 #endif  // USE_NR_getrandom
-DEFINE_STATIC_ONCE(rand_once)
+static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT;
 // init_once initializes the state of this module to values previously
 // requested. This is the only function that modifies |urandom_fd|, which may be
@@ -142,7 +142,7 @@ static void init_once(void) {
   ssize_t getrandom_ret =
       boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);
   if (getrandom_ret == 1) {
-    *getrandom_ready_bss_get() = 1;
+    getrandom_ready = 1;
     have_getrandom = 1;
   } else if (getrandom_ret == -1 && errno == EAGAIN) {
     // We have getrandom, but the entropy pool has not been initialized yet.
@@ -157,7 +157,7 @@ static void init_once(void) {
   }
   if (have_getrandom) {
-    *urandom_fd_bss_get() = kHaveGetrandom;
+    urandom_fd = kHaveGetrandom;
     maybe_set_extra_getrandom_flags();
     return;
   }
@@ -185,19 +185,19 @@ static void init_once(void) {
     abort();
   }
-  *urandom_fd_bss_get() = fd;
+  urandom_fd = fd;
 }
-DEFINE_STATIC_ONCE(wait_for_entropy_once)
+static CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT;
 static void wait_for_entropy(void) {
-  int fd = *urandom_fd_bss_get();
+  int fd = urandom_fd;
   if (fd == kHaveGetrandom) {
     // |getrandom| and |getentropy| support blocking in |fill_with_entropy|
     // directly. For |getrandom|, we first probe with a non-blocking call to aid
     // debugging.
 #if defined(USE_NR_getrandom)
-    if (*getrandom_ready_bss_get()) {
+    if (getrandom_ready) {
       // The entropy pool was already initialized in |init_once|.
       return;
     }
@@ -256,13 +256,13 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
 #if defined (USE_NR_getrandom)
   if (seed) {
-    getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get();
+    getrandom_flags |= extra_getrandom_flags_for_seed;
   }
 #endif
   CRYPTO_init_sysrand();
   if (block) {
-    CRYPTO_once(wait_for_entropy_once_bss_get(), wait_for_entropy);
+    CRYPTO_once(&wait_for_entropy_once, wait_for_entropy);
   }
   // Clear |errno| so it has defined value if |read| or |getrandom|
@@ -271,7 +271,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
   while (len > 0) {
     ssize_t r;
-    if (*urandom_fd_bss_get() == kHaveGetrandom) {
+    if (urandom_fd == kHaveGetrandom) {
 #if defined(USE_NR_getrandom)
       r = boringssl_getrandom(out, len, getrandom_flags);
 #else  // USE_NR_getrandom
@@ -280,7 +280,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
 #endif
     } else {
       do {
-        r = read(*urandom_fd_bss_get(), out, len);
+        r = read(urandom_fd, out, len);
       } while (r == -1 && errno == EINTR);
     }
@@ -295,7 +295,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
 }
 void CRYPTO_init_sysrand(void) {
-  CRYPTO_once(rand_once_bss_get(), init_once);
+  CRYPTO_once(&rand_once, init_once);
 }
 // CRYPTO_sysrand puts |requested| random bytes into |out|.