commit 8cacbd93b8788cfb46f6a4d7e11b99c29b3752bd
author Bob Beck <bbe@google.com> Wed Apr 05 14:38:38 2023 -0600
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Apr 12 20:50:25 2023 +0000
tree b60ef1d189a868b2125e73e6f65d72ff1eb9fee4
parent 94235101d2fb07ce8cf57c0afcdc22593abc54a7

Add functions to allow the mocking of AES hw support for testing.

Bug: 586
Change-Id: I5bc8e6df3a5a14e6b218f41181d06406e835f9c1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58605
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Bob Beck <bbe@google.com>

ssl/internal.h

diff --git a/ssl/internal.h b/ssl/internal.h
index b4d853a..15ad6c2 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -633,9 +633,11 @@
 // newly-allocated |SSLCipherPreferenceList| containing the result. It returns
 // true on success and false on failure. If |strict| is true, nonsense will be
 // rejected. If false, nonsense will be silently ignored. An empty result is
-// considered an error regardless of |strict|.
+// considered an error regardless of |strict|. |has_aes_hw| indicates if the
+// list should be ordered based on having support for AES in hardware or not.
 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
-                            const char *rule_str, bool strict);
+                            const bool has_aes_hw, const char *rule_str,
+                            bool strict);
 
 // ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
 // values suitable for use with |key| in TLS 1.2 and below.
@@ -659,9 +661,12 @@
 
 // ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best
 // available from |cipher_suites| compatible with |version|, |group_id|, and
-// |only_fips|. It returns NULL if there isn't a compatible cipher.
-const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version,
-                                          uint16_t group_id, bool only_fips);
+// |only_fips|. It returns NULL if there isn't a compatible cipher. |has_aes_hw|
+// indicates if the choice should be made as if support for AES in hardware
+// is available.
+const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
+                                          uint16_t version, uint16_t group_id,
+                                          bool only_fips);
 
 // ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given
 // |only_fips|. (For now there's only a single policy and so the policy argument
@@ -3111,6 +3116,15 @@
   // only_fips_cipher_suites_in_tls13 constrains the selection of cipher suites
   // in TLS 1.3 such that only FIPS approved ones will be selected.
   bool only_fips_cipher_suites_in_tls13 : 1;
+
+  // aes_hw_override if set indicates we should override checking for aes
+  // hardware support, and use the value in aes_hw_override_value instead.
+  bool aes_hw_override : 1;
+
+  // aes_hw_override_value is used for testing to indicate the support or lack
+  // of support for AES hw. The value is only considered if |aes_hw_override| is
+  // true.
+  bool aes_hw_override_value : 1;
 };
 
 // From RFC 8446, used in determining PSK modes.
@@ -3722,6 +3736,15 @@
   // in TLS 1.3 such that only FIPS approved ones will be selected.
   bool only_fips_cipher_suites_in_tls13 : 1;
 
+  // aes_hw_override if set indicates we should override checking for AES
+  // hardware support, and use the value in aes_hw_override_value instead.
+  bool aes_hw_override : 1;
+
+  // aes_hw_override_value is used for testing to indicate the support or lack
+  // of support for AES hardware. The value is only considered if
+  // |aes_hw_override| is true.
+  bool aes_hw_override_value : 1;
+
  private:
   ~ssl_ctx_st();
   friend OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *);