diff options
Diffstat (limited to 'src/crypto/tls/cipher_suites.go')
-rw-r--r-- | src/crypto/tls/cipher_suites.go | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go index ea16ef95bf..cbe14f8dbd 100644 --- a/src/crypto/tls/cipher_suites.go +++ b/src/crypto/tls/cipher_suites.go @@ -4,6 +4,8 @@ package tls +import "crypto/internal/boring" + import ( "crypto" "crypto/aes" @@ -249,7 +251,13 @@ func cipherAES(key, iv []byte, isRead bool) interface{} { // macSHA1 returns a macFunction for the given protocol version. func macSHA1(version uint16, key []byte) macFunction { - return tls10MAC{h: hmac.New(newConstantTimeHash(sha1.New), key)} + h := sha1.New + // The BoringCrypto SHA1 does not have a constant-time + // checksum function, so don't try to use it. + if !boring.Enabled { + h = newConstantTimeHash(h) + } + return tls10MAC{h: hmac.New(h, key)} } // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2 @@ -338,6 +346,10 @@ func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]by return result, err } +type gcmtls interface { + NewGCMTLS() (cipher.AEAD, error) +} + func aeadAESGCM(key, noncePrefix []byte) aead { if len(noncePrefix) != noncePrefixLength { panic("tls: internal error: wrong nonce length") @@ -346,7 +358,13 @@ func aeadAESGCM(key, noncePrefix []byte) aead { if err != nil { panic(err) } - aead, err := cipher.NewGCM(aes) + var aead cipher.AEAD + if aesTLS, ok := aes.(gcmtls); ok { + aead, err = aesTLS.NewGCMTLS() + } else { + boring.Unreachable() + aead, err = cipher.NewGCM(aes) + } if err != nil { panic(err) } @@ -406,6 +424,7 @@ func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { + boring.Unreachable() return func() hash.Hash { return &cthWrapper{h().(constantTimeHash)} } |