author | Robert Sloan <varomodt@google.com> | 2018-11-05 11:56:34 -0800 |
---|---|---|
committer | Robert Sloan <varomodt@google.com> | 2018-11-05 12:33:00 -0800 |
commit | cbf5ea62f9677735fb503a0a23ab3ee8c15ef40e (patch) | |
tree | bf0fbfa1c4511327a66d992c21325d41541886b3 /src/crypto | |
parent | eba0b62d87ad9440658c42d08753f809bc41723e (diff) | |
external/boringssl: Sync to 7f7e5e231efec6e86d6c7d3fd1b759be1cece156.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/dc332205326340ec1bf7d553452c7699904054b4..7f7e5e231efec6e86d6c7d3fd1b759be1cece156
Test: BoringSSL CTS Presubmits.
Change-Id: I0eaa045ec1cf8ac076814bab47a2658f8a5ee0e9
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/err/ssl.errordata | 2 | ||||
-rw-r--r-- | src/crypto/fipsmodule/FIPS.md | 1 | ||||
-rw-r--r-- | src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx | bin | 0 -> 233950 bytes | |||
-rw-r--r-- | src/crypto/fipsmodule/rand/rand.c | 7 |
4 files changed, 8 insertions, 2 deletions
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
index 9bc295d4..171b9c70 100644
--- a/src/crypto/err/ssl.errordata
+++ b/src/crypto/err/ssl.errordata
@@ -128,6 +128,7 @@ SSL,271,PSK_IDENTITY_BINDER_COUNT_MISMATCH
 SSL,195,PSK_IDENTITY_NOT_FOUND
 SSL,196,PSK_NO_CLIENT_CB
 SSL,197,PSK_NO_SERVER_CB
+SSL,298,QUIC_INTERNAL_ERROR
 SSL,198,READ_TIMEOUT_EXPIRED
 SSL,199,RECORD_LENGTH_MISMATCH
 SSL,200,RECORD_TOO_LARGE
@@ -221,6 +222,7 @@ SSL,252,UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY
 SSL,241,WRONG_CERTIFICATE_TYPE
 SSL,242,WRONG_CIPHER_RETURNED
 SSL,243,WRONG_CURVE
+SSL,299,WRONG_ENCRYPTION_LEVEL_RECEIVED
 SSL,244,WRONG_MESSAGE_TYPE
 SSL,245,WRONG_SIGNATURE_TYPE
 SSL,246,WRONG_SSL_VERSION
diff --git a/src/crypto/fipsmodule/FIPS.md b/src/crypto/fipsmodule/FIPS.md
index 426b38e2..a60e2bfe 100644
--- a/src/crypto/fipsmodule/FIPS.md
+++ b/src/crypto/fipsmodule/FIPS.md
@@ -9,6 +9,7 @@ Please note that we cannot answer questions about FIPS, nor about using BoringSS
 BoringCrypto has undergone the following validations:
 1. 2017-06-15: certificate [#2964](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/2964), [security policy](/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20170615.docx) (in docx format).
+1. 2018-07-30: certificate [#3318](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3318), [security policy](/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx) (in docx format).
 ## Running CAVP tests
diff --git a/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx b/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx
Binary files differ
new file mode 100644
index 00000000..9574b1bb
--- /dev/null
+++ b/src/crypto/fipsmodule/policydocs/BoringCrypto-Security-Policy-20180730.docx
diff --git a/src/crypto/fipsmodule/rand/rand.c b/src/crypto/fipsmodule/rand/rand.c
index 02e63bc7..e6b4bb48 100644
--- a/src/crypto/fipsmodule/rand/rand.c
+++ b/src/crypto/fipsmodule/rand/rand.c
@@ -109,8 +109,9 @@ struct rand_state {
 // next forms a NULL-terminated linked-list of all free |rand_state| objects.
 struct rand_state *next;
 // calls is the number of generate calls made on |drbg| since it was last
- // (re)seeded. This is bound by |kReseedInterval|.
- unsigned calls;
+ // (re)seeded. This is bound by
+ // |kReseedInterval - 1 + SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH|.
+ size_t calls;
 #if defined(BORINGSSL_FIPS)
 // next_all forms another NULL-terminated linked-list, this time of all
@@ -351,6 +352,8 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 out += todo;
 out_len -= todo;
+ // Though we only check before entering the loop, this cannot add enough to
+ // overflow a |size_t|.
 state->calls++;
 first_call = 0;
 } |
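Review bot: The comment added before `state->calls++` in the second hunk asserts that the increment cannot overflow without giving the reason, and it concedes that the reseed check runs only before the loop, so a single large request keeps drawing from the same seed past |kReseedInterval| generate calls. I would state both facts where the reader meets them, e.g. `// Each iteration consumes up to |CTR_DRBG_MAX_GENERATE_LENGTH| bytes of a |size_t| length, so the increment cannot wrap; one large request may exceed |kReseedInterval| calls before the next reseed check.` The bound written in the first hunk uses the truncated quotient `SIZE_MAX / CTR_DRBG_MAX_GENERATE_LENGTH`; if out_len is not a multiple of that length the loop presumably runs one extra iteration, so the documented bound may be one short and would read more accurately as a ceiling. The loop header and the reseed check are outside both hunks, so this is inferred from the comments rather than from the code itself.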