authorRobert Sloan <varomodt@google.com>2018-11-05 11:56:34 -0800
committerRobert Sloan <varomodt@google.com>2018-11-05 12:33:00 -0800
commitcbf5ea62f9677735fb503a0a23ab3ee8c15ef40e (patch)
treebf0fbfa1c4511327a66d992c21325d41541886b3 /src/crypto
parenteba0b62d87ad9440658c42d08753f809bc41723e (diff)
external/boringssl: Sync to 7f7e5e231efec6e86d6c7d3fd1b759be1cece156.
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/dc332205326340ec1bf7d553452c7699904054b4..7f7e5e231efec6e86d6c7d3fd1b759be1cece156 Test: BoringSSL CTS Presubmits. Change-Id: I0eaa045ec1cf8ac076814bab47a2658f8a5ee0e9
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/err/ssl.errordata2
-rw-r--r--src/crypto/fipsmodule/FIPS.md1
-rw-r--r--src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docxbin0 -> 233950 bytes
-rw-r--r--src/crypto/fipsmodule/rand/rand.c7
4 files changed, 8 insertions, 2 deletions
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
index 9bc295d4..171b9c70 100644
--- a/src/crypto/err/ssl.errordata
+++ b/src/crypto/err/ssl.errordata
@@ -128,6 +128,7 @@ SSL,271,PSK_IDENTITY_BINDER_COUNT_MISMATCH
SSL,195,PSK_IDENTITY_NOT_FOUND
SSL,196,PSK_NO_CLIENT_CB
SSL,197,PSK_NO_SERVER_CB
+SSL,298,QUIC_INTERNAL_ERROR
SSL,198,READ_TIMEOUT_EXPIRED
SSL,199,RECORD_LENGTH_MISMATCH
SSL,200,RECORD_TOO_LARGE
@@ -221,6 +222,7 @@ SSL,252,UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY
SSL,241,WRONG_CERTIFICATE_TYPE
SSL,242,WRONG_CIPHER_RETURNED
SSL,243,WRONG_CURVE
+SSL,299,WRONG_ENCRYPTION_LEVEL_RECEIVED
SSL,244,WRONG_MESSAGE_TYPE
SSL,245,WRONG_SIGNATURE_TYPE
SSL,246,WRONG_SSL_VERSION
diff --git a/src/crypto/fipsmodule/FIPS.md b/src/crypto/fipsmodule/FIPS.md
index 426b38e2..a60e2bfe 100644
--- a/src/crypto/fipsmodule/FIPS.md
+++ b/src/crypto/fipsmodule/FIPS.md
@@ -9,6 +9,7 @@ Please note that we cannot answer questions about FIPS, nor about using BoringSS
BoringCrypto has undergone the following validations:
1. 2017-06-15: certificate [#2964](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2964), [security policy](/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20170615.docx) (in docx format).
+1. 2018-07-30: certificate [#3318](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3318), [security policy](/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx) (in docx format).
## Running CAVP tests
diff --git a/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx b/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx
new file mode 100644
index 00000000..9574b1bb
--- /dev/null
+++ b/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx
Binary files differ
diff --git a/src/crypto/fipsmodule/rand/rand.c b/src/crypto/fipsmodule/rand/rand.c
index 02e63bc7..e6b4bb48 100644
--- a/src/crypto/fipsmodule/rand/rand.c
+++ b/src/crypto/fipsmodule/rand/rand.c
@@ -109,8 +109,9 @@ struct rand_state {
// next forms a NULL-terminated linked-list of all free |rand_state| objects.
struct rand_state *next;
// calls is the number of generate calls made on |drbg| since it was last
- // (re)seeded. This is bound by |kReseedInterval|.
- unsigned calls;
+ // (re)seeded. This is bound by
+ // |kReseedInterval - 1 + SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH|.
+ size_t calls;
#if defined(BORINGSSL_FIPS)
// next_all forms another NULL-terminated linked-list, this time of all
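Review bot: The bound in the new comment on `calls` looks one short, because `SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH` rounds down while a request whose length is not a multiple of the chunk size would presumably need one more generate call for its final partial chunk. The loop is only partly visible in the second hunk, so this is inferred; if it holds, the second comment line could read `// |kReseedInterval| + SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH|.` instead. It would also help to say in plain words that `calls` may exceed |kReseedInterval| during a single large request, so that nobody reads the field as a hard cap on generate calls per seed. The `rand_state` definition starts and ends outside the hunk.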
@@ -351,6 +352,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
out += todo;
out_len -= todo;
+ // Though we only check before entering the loop, this cannot add enough to
+ // overflow a |size_t|.
state->calls++;
first_call = 0;
}
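Review bot: The added comment above `state->calls++` gives the conclusion without the reason, and "check" has no referent inside the hunk. A reader must find the reseed test before the loop and the per-iteration length cap to confirm the claim. Consider spelling it out, for example `// |calls| is only compared against |kReseedInterval| before the loop; each iteration consumes up to |CTR_DRBG_MAX_GENERATE_LENGTH| bytes of |out_len|, so these increments cannot overflow a |size_t|.` The loop and the rest of RAND_bytes_with_additional_data start outside the hunk, so the position of the reseed test is inferred from the comment itself.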