From 5b7aef424bafa683bd94cbef59ad2ef992bfd9f2 Mon Sep 17 00:00:00 2001
From: Tobias Thierer
Date: Fri, 23 Aug 2019 11:08:22 +0100
Subject: external/boringssl: Sync to a8ffaf1bf2ec64cbbb17863ede06ba506b3db8b8.

This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/44544d9d2d624cbfff9b1e77cb77f8dfc70d073c..a8ffaf1bf2ec64cbbb17863ede06ba506b3db8b8
Bug: 137267623
Test: atest CtsLibcoreTestCases
Change-Id: I055f50e4f223810088400492bd51be29cbce445c
---
 src/crypto/err/ssl.errordata | 1 +
 src/crypto/fipsmodule/bcm.c | 4 ++-
 src/crypto/fipsmodule/rand/urandom.c | 6 ++++
 src/crypto/fipsmodule/self_check/self_check.c | 44 ++++++++++++++++++++++++++-
 src/crypto/self_test.cc | 3 +-
 5 files changed, 55 insertions(+), 3 deletions(-)
(limited to 'src/crypto')
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
index ddb383c3..132c9e0f 100644
--- a/src/crypto/err/ssl.errordata
+++ b/src/crypto/err/ssl.errordata
@@ -72,6 +72,7 @@ SSL,284,HANDSHAKE_NOT_COMPLETE
 SSL,155,HTTPS_PROXY_REQUEST
 SSL,156,HTTP_REQUEST
 SSL,157,INAPPROPRIATE_FALLBACK
+SSL,303,INCONSISTENT_CLIENT_HELLO
 SSL,259,INVALID_ALPN_PROTOCOL
 SSL,158,INVALID_COMMAND
 SSL,256,INVALID_COMPRESSION_LIST
diff --git a/src/crypto/fipsmodule/bcm.c b/src/crypto/fipsmodule/bcm.c
index 7666222d..559ade34 100644
--- a/src/crypto/fipsmodule/bcm.c
+++ b/src/crypto/fipsmodule/bcm.c
@@ -109,6 +109,8 @@ extern const uint8_t BORINGSSL_bcm_text_hash[];
 extern const uint8_t BORINGSSL_bcm_rodata_start[];
 extern const uint8_t BORINGSSL_bcm_rodata_end[];
 #endif
+#else
+static const uint8_t BORINGSSL_bcm_text_hash[SHA512_DIGEST_LENGTH] = {0};
 #endif
 
 static void __attribute__((constructor))
@@ -161,7 +163,7 @@ BORINGSSL_bcm_power_on_self_test(void) {
 }
 #endif
 
- if (!BORINGSSL_self_test()) {
+ if (!BORINGSSL_self_test(BORINGSSL_bcm_text_hash)) {
 goto err;
 }
 
diff --git a/src/crypto/fipsmodule/rand/urandom.c b/src/crypto/fipsmodule/rand/urandom.c
index 56e4fbd2..f63857f8 100644
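Review bot: The all-zero `BORINGSSL_bcm_text_hash` added in the `#else` branch of the first bcm.c hunk has a meaning that is only visible in self_check.c, where `BORINGSSL_self_test()` treats an all-zero hash as "no flag file" and always runs the full self-tests. A comment on the added line would make that coupling explicit, for example `// All-zero: no integrity hash in this build, so BORINGSSL_self_test() never uses a flag file.` The second bcm.c hunk passes the embedded expected hash rather than a freshly computed one. The `#endif` just above that call suggests the integrity comparison sits in a conditional block outside the hunk, so it is worth confirming the call cannot be reached with an unverified non-zero hash in a build where the flag file is enabled.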
--- a/src/crypto/fipsmodule/rand/urandom.c
+++ b/src/crypto/fipsmodule/rand/urandom.c
@@ -183,6 +183,12 @@ static void init_once(void) {
 }
 #endif // USE_NR_getrandom
 
+ // Android FIPS builds must support getrandom.
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+ perror("getrandom not found");
+ abort();
+#endif
+
 if (fd == kUnset) {
 do {
 fd = open("/dev/urandom", O_RDONLY);
diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c
index 1bbefa98..3d47e69e 100644
--- a/src/crypto/fipsmodule/self_check/self_check.c
+++ b/src/crypto/fipsmodule/self_check/self_check.c
@@ -35,6 +35,15 @@
 // compile this.
 #if !defined(_MSC_VER)
 
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+// FIPS builds on Android will attempt to write flag files to
+// /dev/boringssl/selftest/ named after the module hash. If the flag file
+// exists, it's assumed that self-tests have already passed and thus do not need
+// to be repeated.
+#define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+static const char kFlagPrefix[] = "/dev/boringssl/selftest/";
+#endif
+
 static void hexdump(const uint8_t *in, size_t len) {
 for (size_t i = 0; i < len; i++) {
 fprintf(stderr, "%02x", in[i]);
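Review bot: `perror("getrandom not found")` appends the text for whatever `errno` currently holds, and nothing in this hunk sets it, so the logged reason can be unrelated to getrandom if this point is reached without a failed probe (the probe is above the hunk, inside `init_once`). Aborting rather than falling back to `/dev/urandom` is the fail-closed choice for this build, and the comment could say so directly, e.g. `// Android FIPS builds must use getrandom; never fall back to /dev/urandom.` In this configuration the `/dev/urandom` code after `abort()` is unreachable, which an `#else` around it would make obvious to readers and to the compiler.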
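Review bot: The added comment says a flag file's existence is taken as proof that self-tests passed, but it does not state what protects `/dev/boringssl/selftest/`. Any process able to create a file in that directory can make every later load of the same module build skip its known-answer tests. The directory's owner, mode and (on Android) SELinux label are therefore the real control and should be named in the comment or referenced from it. The check itself is the `access(flag_path, F_OK)` call in the next hunk, which looks only at existence. If the location is meant to be cleared on reboot, the comment should say that too, because the diff does not show how the directory is created.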
@@ -227,7 +236,30 @@ static EC_KEY *self_test_ecdsa_key(void) {
 return ec_key;
 }
 
-int BORINGSSL_self_test(void) {
+int BORINGSSL_self_test(
+ const uint8_t module_sha512_hash[SHA512_DIGEST_LENGTH]) {
+#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
+ // Test whether the flag file exists.
+ char flag_path[sizeof(kFlagPrefix) + 2*SHA512_DIGEST_LENGTH];
+ memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1);
+ static const char kHexTable[17] = "0123456789abcdef";
+ uint8_t module_hash_sum = 0;
+ for (size_t i = 0; i < SHA512_DIGEST_LENGTH; i++) {
+ module_hash_sum |= module_sha512_hash[i];
+ flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] =
+ kHexTable[module_sha512_hash[i] >> 4];
+ flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] =
+ kHexTable[module_sha512_hash[i] & 15];
+ }
+ flag_path[sizeof(flag_path) - 1] = 0;
+
+ const int flag_path_valid = (module_hash_sum != 0);
+ if (flag_path_valid && access(flag_path, F_OK) == 0) {
+ // Flag file found. Skip self-tests.
+ return 1;
+ }
+#endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+
 static const uint8_t kAESKey[16] = "BoringCrypto Key";
 static const uint8_t kAESIV[16] = {0};
 static const uint8_t kPlaintext[64] =
@@ -577,6 +609,16 @@ int BORINGSSL_self_test(void) {
 
 ret = 1;
 
+#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE)
+ // Tests were successful. Write flag file if requested.
+ if (flag_path_valid) {
+ const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd >= 0) {
+ close(fd);
+ }
+ }
+#endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE
+
 err:
 EVP_AEAD_CTX_cleanup(&aead_ctx);
 RSA_free(rsa_key);
diff --git a/src/crypto/self_test.cc b/src/crypto/self_test.cc
index c20b5def..b0c769d4 100644
--- a/src/crypto/self_test.cc
+++ b/src/crypto/self_test.cc
@@ -19,6 +19,7 @@
 
 TEST(SelfTests, KAT) {
 #if !defined(_MSC_VER)
- EXPECT_TRUE(BORINGSSL_self_test());
+ const uint8_t zero_hash[SHA512_DIGEST_LENGTH] = {0};
+ EXPECT_TRUE(BORINGSSL_self_test(zero_hash));
 #endif
 }
-- 
cgit v1.2.3
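Review bot: The `open()` that writes the flag file follows symlinks and truncates whatever it opens, because it uses `O_WRONLY | O_CREAT | O_TRUNC` on a path in a shared directory with no `O_NOFOLLOW` or `O_CLOEXEC`. The file is only ever tested for existence, so truncation buys nothing. `open(flag_path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644)` creates the marker without altering an existing target's contents and without following a link at the final path component. Silently ignoring a failed `open()` is reasonable for a best-effort cache, but a short comment saying so would keep a later reader from turning it into a hard error. The function body continues outside this hunk.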
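Review bot: Passing `zero_hash` makes `flag_path_valid` false in `BORINGSSL_self_test()`, so this test never exercises the flag-file lookup or the flag-file write added in self_check.c. That keeps the test hermetic, which is sensible, but it leaves the path construction and the skip branch without coverage. A comment such as `// All-zero hash disables the flag file, so the KATs always run here.` would record that this is deliberate.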