Merge "external/boringssl: Sync to 3a3552247ecb0bfb260a36d9da7a3bce7fdc3f8a."
diff --git a/Android.bp b/Android.bp
index 305f146..29fc802 100644
--- a/Android.bp
+++ b/Android.bp
@@ -157,16 +157,42 @@
"-DBORINGSSL_FIPS",
],
inject_bssl_hash: true,
+ static: {
+ // Disable the static version of libcrypto, as it causes
+ // problems for FIPS certification. Use libcrypto_static for
+ // modules that need static libcrypto but do not need FIPS self
+ // testing, or use dynamic libcrypto.
+ enabled: false,
+ },
},
},
}
// Static library
-// This should only be used for host modules that will be in a JVM, all other
-// modules should use the static variant of libcrypto.
+// This version of libcrypto will not have FIPS self tests enabled, so its
+// usage is protected through visibility to ensure it doesn't end up used
+// somewhere that needs the FIPS version.
cc_library_static {
name: "libcrypto_static",
- visibility: ["//visibility:public"],
+ visibility: [
+ "//bootable/recovery/updater",
+ "//external/conscrypt",
+ "//external/python/cpython2",
+ "//frameworks/ml/nn/runtime/test",
+ "//hardware/interfaces/confirmationui/1.0/vts/functional",
+ "//hardware/interfaces/drm/1.0/vts/functional",
+ "//hardware/interfaces/drm/1.2/vts/functional",
+ "//hardware/interfaces/keymaster/3.0/vts/functional",
+ "//hardware/interfaces/keymaster/4.0/vts/functional",
+ "//system/core/adb",
+ "//system/core/init",
+ "//system/core/fs_mgr/liblp",
+ "//system/core/fs_mgr/liblp/vts_core",
+ "//system/core/fs_mgr/libsnapshot",
+ "//system/libvintf/test",
+ "//system/security/keystore/tests",
+ "//test/vts-testcase/security/avb",
+ ],
defaults: [
"libcrypto_bcm_sources",
"libcrypto_sources",
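Review bot: The new `visibility` allowlist on `libcrypto_static` mixes test packages with boot-critical ones (`//system/core/init`, `//system/core/adb`, `//bootable/recovery/updater`), and the comment above `cc_library_static` does not say what qualifies a module for the non-FIPS build. I would extend that comment with something like `// Every path listed here links a libcrypto without FIPS self tests; add an entry only after confirming the module has no FIPS requirement.` so later additions are checked against a stated rule rather than simply appended. The `static: { enabled: false }` addition sits in a block whose opening is outside this hunk, so which targets it applies to cannot be seen from here; its comment could name them. Separately, `//external/conscrypt` stays a client while the later hunk in this file removes the host `sanitize: never` block whose TODO (b/26160319) described ASAN breaking JVM use, so it is worth confirming that issue is resolved.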
@@ -174,19 +200,6 @@
"boringssl_defaults",
"boringssl_flags",
],
-
- target: {
- host: {
- // TODO: b/26160319. ASAN breaks use of this library in JVM.
- // Re-enable sanitization when the issue with making clients of this library
- // preload ASAN runtime is resolved. Without that, clients are getting runtime
- // errors due to unresolved ASAN symbols, such as
- // __asan_option_detect_stack_use_after_return.
- sanitize: {
- never: true,
- },
- },
- },
}
//// libssl
diff --git a/rules.mk b/rules.mk
index fb9dfcf..6cfbf05 100644
--- a/rules.mk
+++ b/rules.mk
@@ -49,7 +49,6 @@
LOCAL_SRC_FILES := $(filter-out src/crypto/bio/file.c,$(LOCAL_SRC_FILES))
LOCAL_SRC_FILES := $(filter-out src/crypto/bio/socket.c,$(LOCAL_SRC_FILES))
LOCAL_SRC_FILES := $(filter-out src/crypto/bio/socket_helper.c,$(LOCAL_SRC_FILES))
-LOCAL_SRC_FILES := $(filter-out src/crypto/asn1/time_support.c,$(LOCAL_SRC_FILES))
LOCAL_SRC_FILES := $(filter-out src/crypto/x509/by_dir.c,$(LOCAL_SRC_FILES))
# BoringSSL detects Trusty based on this define and does things like switch to