[dev.boringcrypto] all: merge commit 9d0819b27c (CL 314609) into dev.boringcrypto

[gostls13.git] / src / crypto / tls / cipher_suites.go

diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
index 4bf06468c6dae4741d0302b15b77f5219bc054ad..e07d742bd3b2d018c3215f7e0f3354bf6af2403f 100644 (file)
--- a/src/crypto/tls/cipher_suites.go
+++ b/src/crypto/tls/cipher_suites.go
@@ -4,6 +4,8 @@
 
 package tls
 
+import "crypto/internal/boring"
+
 import (
        "crypto"
        "crypto/aes"
@@ -422,7 +424,13 @@ func cipherAES(key, iv []byte, isRead bool) interface{} {
 
 // macSHA1 returns a SHA-1 based constant time MAC.
 func macSHA1(key []byte) hash.Hash {
-       return hmac.New(newConstantTimeHash(sha1.New), key)
+       h := sha1.New
+       // The BoringCrypto SHA1 does not have a constant-time
+       // checksum function, so don't try to use it.
+       if !boring.Enabled {
+               h = newConstantTimeHash(h)
+       }
+       return hmac.New(h, key)
 }
 
 // macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and
@@ -510,7 +518,16 @@ func aeadAESGCM(key, noncePrefix []byte) aead {
        if err != nil {
                panic(err)
        }
-       aead, err := cipher.NewGCM(aes)
+       type gcmtls interface {
+               NewGCMTLS() (cipher.AEAD, error)
+       }
+       var aead cipher.AEAD
+       if aesTLS, ok := aes.(gcmtls); ok {
+               aead, err = aesTLS.NewGCMTLS()
+       } else {
+               boring.Unreachable()
+               aead, err = cipher.NewGCM(aes)
+       }
        if err != nil {
                panic(err)
        }
@@ -570,6 +587,7 @@ func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
 func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }
 
 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
+       boring.Unreachable()
        return func() hash.Hash {
                return &cthWrapper{h().(constantTimeHash)}
        }