+static ENGINE *funct_ref;
+static CRYPTO_RWLOCK *rand_engine_lock;
+#endif
+static CRYPTO_RWLOCK *rand_meth_lock;
+static const RAND_METHOD *default_RAND_meth;
+static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
+
+int rand_fork_count;
+
+#ifdef OPENSSL_RAND_SEED_RDTSC
+/*
+ * IMPORTANT NOTE: It is not currently possible to use this code
+ * because we are not sure about the amount of randomness it provides.
+ * Some SP900 tests have been run, but there is internal skepticism.
+ * So for now this code is not used.
+ */
+# error "RDTSC enabled? Should not be possible!"
+
+/*
+ * Acquire entropy from high-speed clock
+ *
+ * Since we get some randomness from the low-order bits of the
+ * high-speed clock, it can help.
+ *
+ * Returns the total entropy count, if it exceeds the requested
+ * entropy count. Otherwise, returns an entropy count of 0.
+ */
+size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool)
+{
+ unsigned char c;
+ int i;
+
+ if ((OPENSSL_ia32cap_P[0] & (1 << 4)) != 0) {
+ for (i = 0; i < TSC_READ_COUNT; i++) {
+ c = (unsigned char)(OPENSSL_rdtsc() & 0xFF);
+ rand_pool_add(pool, &c, 1, 4);
+ }
+ }
+ return rand_pool_entropy_available(pool);
+}
+#endif
+
+#ifdef OPENSSL_RAND_SEED_RDCPU
+size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len);
+size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len);
+
+extern unsigned int OPENSSL_ia32cap_P[];
+
+/*
+ * Acquire entropy using Intel-specific cpu instructions
+ *
+ * Uses the RDSEED instruction if available, otherwise uses
+ * RDRAND if available.
+ *
+ * For the differences between RDSEED and RDRAND, and why RDSEED
+ * is the preferred choice, see https://goo.gl/oK3KcN
+ *
+ * Returns the total entropy count, if it exceeds the requested
+ * entropy count. Otherwise, returns an entropy count of 0.
+ */
+size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
+{
+ size_t bytes_needed;
+ unsigned char *buffer;
+
+ bytes_needed = rand_pool_bytes_needed(pool, 8 /*entropy_per_byte*/);
+ if (bytes_needed > 0) {
+ buffer = rand_pool_add_begin(pool, bytes_needed);
+
+ if (buffer != NULL) {
+ /* Whichever comes first, use RDSEED, RDRAND or nothing */
+ if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) {
+ if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed)
+ == bytes_needed) {
+ rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+ }
+ } else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) {
+ if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed)
+ == bytes_needed) {
+ rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+ }
+ } else {
+ rand_pool_add_end(pool, 0, 0);
+ }
+ }
+ }
+
+ return rand_pool_entropy_available(pool);
+}
+#endif
+
+
+/*
+ * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks())
+ *
+ * If the DRBG has a parent, then the required amount of entropy input
+ * is fetched using the parent's RAND_DRBG_generate().
+ *
+ * Otherwise, the entropy is polled from the system entropy sources
+ * using rand_pool_acquire_entropy().
+ *
+ * If a random pool has been added to the DRBG using RAND_add(), then
+ * its entropy will be used up first.
+ */
+size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ size_t ret = 0;
+ size_t entropy_available = 0;
+ RAND_POOL *pool;
+
+ if (drbg->parent && drbg->strength > drbg->parent->strength) {
+ /*
+ * We currently don't support the algorithm from NIST SP 800-90C
+ * 10.1.2 to use a weaker DRBG as source
+ */
+ RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY, RAND_R_PARENT_STRENGTH_TOO_WEAK);
+ return 0;
+ }
+
+ pool = rand_pool_new(entropy, min_len, max_len);
+ if (pool == NULL)
+ return 0;
+
+ if (drbg->pool) {
+ rand_pool_add(pool,
+ rand_pool_buffer(drbg->pool),
+ rand_pool_length(drbg->pool),
+ rand_pool_entropy(drbg->pool));
+ rand_pool_free(drbg->pool);
+ drbg->pool = NULL;
+ }
+
+ if (drbg->parent) {
+ size_t bytes_needed = rand_pool_bytes_needed(pool, 8);
+ unsigned char *buffer = rand_pool_add_begin(pool, bytes_needed);
+
+ if (buffer != NULL) {
+ size_t bytes = 0;
+
+ /*
+ * Get random from parent, include our state as additional input.
+ * Our lock is already held, but we need to lock our parent before
+ * generating bits from it. (Note: taking the lock will be a no-op
+ * if locking if drbg->parent->lock == NULL.)
+ */
+ rand_drbg_lock(drbg->parent);
+ if (RAND_DRBG_generate(drbg->parent,
+ buffer, bytes_needed,
+ prediction_resistance,
+ (unsigned char *)drbg, sizeof(*drbg)) != 0)
+ bytes = bytes_needed;
+ rand_drbg_unlock(drbg->parent);
+
+ rand_pool_add_end(pool, bytes, 8 * bytes);
+ entropy_available = rand_pool_entropy_available(pool);
+ }
+
+ } else {
+ if (prediction_resistance) {
+ /*
+ * We don't have any entropy sources that comply with the NIST
+ * standard to provide prediction resistance (see NIST SP 800-90C,
+ * Section 5.4).
+ */
+ RANDerr(RAND_F_RAND_DRBG_GET_ENTROPY,
+ RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED);
+ goto err;
+ }
+
+ /* Get entropy by polling system entropy sources. */
+ entropy_available = rand_pool_acquire_entropy(pool);
+ }
+
+ if (entropy_available > 0) {
+ ret = rand_pool_length(pool);
+ *pout = rand_pool_detach(pool);
+ }
+
+ err:
+ rand_pool_free(pool);
+ return ret;
+}
+
+/*
+ * Find a suitable source of time. Start with the highest resolution source
+ * and work down to the slower ones. This is added as additional data and
+ * isn't counted as randomness, so any result is acceptable.
+ *
+ * Returns 0 when we weren't able to find any time source
+ */
+static uint64_t get_timer_bits(void)
+{
+ uint64_t res = OPENSSL_rdtsc();
+
+ if (res != 0)
+ return res;
+#if defined(_WIN32)
+ {
+ LARGE_INTEGER t;
+ FILETIME ft;
+
+ if (QueryPerformanceCounter(&t) != 0)
+ return t.QuadPart;
+ GetSystemTimeAsFileTime(&ft);
+ return TWO32TO64(ft.dwHighDateTime, ft.dwLowDateTime);
+ }
+#elif defined(__sun) || defined(__hpux)
+ return gethrtime();
+#elif defined(_AIX)
+ {
+ timebasestruct_t t;
+
+ read_wall_time(&t, TIMEBASE_SZ);
+ return TWO32TO64(t.tb_high, t.tb_low);
+ }
+#else
+
+# if defined(OSSL_POSIX_TIMER_OKAY)
+ {
+ struct timespec ts;
+ clockid_t cid;
+
+# ifdef CLOCK_BOOTTIME
+ cid = CLOCK_BOOTTIME;
+# elif defined(_POSIX_MONOTONIC_CLOCK)
+ cid = CLOCK_MONOTONIC;
+# else
+ cid = CLOCK_REALTIME;
+# endif
+
+ if (clock_gettime(cid, &ts) == 0)
+ return TWO32TO64(ts.tv_sec, ts.tv_nsec);
+ }
+# endif
+# if defined(__unix__) \
+ || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
+ {
+ struct timeval tv;
+
+ if (gettimeofday(&tv, NULL) == 0)
+ return TWO32TO64(tv.tv_sec, tv.tv_usec);
+ }
+# endif
+ {
+ time_t t = time(NULL);
+ if (t == (time_t)-1)
+ return 0;
+ return t;
+ }