commit 2cc2aa9f60f232e19ff042d152b363c64d348576
author Adam Langley <agl@chromium.org> Tue Jul 26 07:12:34 2022 +0000
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue Jul 26 17:08:35 2022 +0000
tree 415dec88f1c6a81babf8735c0f887747985a2920
parent b95c7e53d7d4376dbba18c3e3bbba99d66e3fbff

Don't try to specify SHA-256 for Aarch64 FIPS.

27ffcc6e19bba switched the integrity check to using SHA-256, but the
Aarch64 FIPS build was still passing -sha256 to inject_hash.go.

Change-Id: I641de17d62205c7f127cd2a910d4e98778d492e7
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53605
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/fipsmodule/CMakeLists.txt

diff --git a/crypto/fipsmodule/CMakeLists.txt b/crypto/fipsmodule/CMakeLists.txt
index b99ebc7..a04ef6a 100644
--- a/crypto/fipsmodule/CMakeLists.txt
+++ b/crypto/fipsmodule/CMakeLists.txt
@@ -202,19 +202,11 @@
   set_target_properties(bcm_hashunset PROPERTIES POSITION_INDEPENDENT_CODE ON)
   set_target_properties(bcm_hashunset PROPERTIES LINKER_LANGUAGE C)
 
-  set(MAYBE_INJECT_HASH_SHA256_FLAG "")
-  # If building with OPENSSL_NO_ASM then ARCH will be "generic", but we still
-  # need to use SHA-256. Since this only matters for FIPS, we only need to
-  # worry about the Linux spelling of AArch64.
-  if (ARCH STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
-    set(MAYBE_INJECT_HASH_SHA256_FLAG "-sha256")
-  endif()
-
   go_executable(inject_hash
                 boringssl.googlesource.com/boringssl/util/fipstools/inject_hash)
   add_custom_command(
     OUTPUT bcm.o
-    COMMAND ./inject_hash -o bcm.o -in-archive $<TARGET_FILE:bcm_hashunset> ${MAYBE_INJECT_HASH_SHA256_FLAG}
+    COMMAND ./inject_hash -o bcm.o -in-archive $<TARGET_FILE:bcm_hashunset>
     DEPENDS bcm_hashunset inject_hash
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
   )