Diffstat (limited to 'src/crypto/tls/cipher_suites.go')
-rw-r--r-- | src/crypto/tls/cipher_suites.go | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
index 4bf06468c6d..e07d742bd3b 100644
--- a/src/crypto/tls/cipher_suites.go
+++ b/src/crypto/tls/cipher_suites.go
@@ -4,6 +4,8 @@
 
 package tls
 
+import "crypto/internal/boring"
+
 import (
 	"crypto"
 	"crypto/aes"
@@ -422,7 +424,13 @@ func cipherAES(key, iv []byte, isRead bool) interface{} {
 
 // macSHA1 returns a SHA-1 based constant time MAC.
 func macSHA1(key []byte) hash.Hash {
-	return hmac.New(newConstantTimeHash(sha1.New), key)
+	h := sha1.New
+	// The BoringCrypto SHA1 does not have a constant-time
+	// checksum function, so don't try to use it.
+	if !boring.Enabled {
+		h = newConstantTimeHash(h)
+	}
+	return hmac.New(h, key)
 }
 
 // macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and
@@ -510,7 +518,16 @@ func aeadAESGCM(key, noncePrefix []byte) aead {
 	if err != nil {
 		panic(err)
 	}
-	aead, err := cipher.NewGCM(aes)
+	type gcmtls interface {
+		NewGCMTLS() (cipher.AEAD, error)
+	}
+	var aead cipher.AEAD
+	if aesTLS, ok := aes.(gcmtls); ok {
+		aead, err = aesTLS.NewGCMTLS()
+	} else {
+		boring.Unreachable()
+		aead, err = cipher.NewGCM(aes)
+	}
 	if err != nil {
 		panic(err)
 	}
@@ -570,6 +587,7 @@ func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
 
 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
+	boring.Unreachable()
 	return func() hash.Hash {
 		return &cthWrapper{h().(constantTimeHash)}
 	}
|
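Review bot: The context line `// macSHA1 returns a SHA-1 based constant time MAC.` is no longer accurate on the new side of the macSHA1 hunk: when `boring.Enabled` is set the `newConstantTimeHash` wrapper is skipped and the HMAC is built over the plain BoringCrypto SHA-1, whose Sum the inline comment itself says is not constant time. The comment explains why the wrapper is dropped but not what is given up, and the constant-time checksum is presumably the timing-side-channel mitigation the wrapper exists for, so the trade-off should be visible at the declaration rather than only inside the body. I would change the doc comment to `// macSHA1 returns a SHA-1 based MAC. Its Sum is constant time unless BoringCrypto is enabled, whose SHA-1 has no constant-time checksum function.` If BoringCrypto supplies an equivalent mitigation of its own, that is not visible here and belongs in the same comment.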
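Review bot: The `gcmtls` interface declared inside aeadAESGCM is undocumented, so a reader cannot tell how `NewGCMTLS` differs from `cipher.NewGCM` or why any `cipher.Block` carrying that method is preferred over the standard constructor; because the selection is a plain type assertion, the branch is taken for every implementation exposing the method, not only BoringCrypto's, which is presumably intended but worth stating. The `boring.Unreachable()` in the else branch does carry the real invariant (under BoringCrypto the AES block is expected to implement the interface and the generic path must not run), and that deserves a comment of its own, e.g. `// Under BoringCrypto the AES block implements gcmtls; the generic NewGCM fallback must never run there.` I would also hoist `gcmtls` to package scope with a doc comment so the contract is findable, and note that `err` here is the variable from the earlier `aes.NewCipher` call, which is outside the hunk, as are the function's start and end.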
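Review bot: In the newConstantTimeHash hunk, `boring.Unreachable()` is placed in the factory, so it marks construction of the constant-time hash rather than each invocation of the returned closure; that lines up with macSHA1 now bypassing this factory when `boring.Enabled` is set, but nothing at the declaration records that dependency. A one-line comment would make the invariant explicit: `// Not reachable under BoringCrypto: its SHA-1 lacks a constant-time checksum, so macSHA1 skips this path when boring.Enabled.` The `h().(constantTimeHash)` assertion in the closure still panics for any hash without ConstantTimeSum, so the marker complements rather than replaces that check. The function's closing brace is outside the hunk.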