"crypto/cipher"
"crypto/des"
"crypto/hmac"
+ "crypto/internal/boring"
"crypto/rc4"
"crypto/sha1"
"crypto/sha256"
copy(mac.key, key)
return mac
}
- return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}
+ h := sha1.New
+ if !boring.Enabled {
+ h = newConstantTimeHash(h)
+ }
+ return tls10MAC{hmac.New(h, key)}
}
// macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2
return result, err
}
+type gcmtls interface {
+ NewGCMTLS() (cipher.AEAD, error)
+}
+
func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
aes, err := aes.NewCipher(key)
if err != nil {
panic(err)
}
- aead, err := cipher.NewGCM(aes)
+ var aead cipher.AEAD
+ if aesTLS, ok := aes.(gcmtls); ok {
+ aead, err = aesTLS.NewGCMTLS()
+ } else {
+ boring.Unreachable()
+ aead, err = cipher.NewGCM(aes)
+ }
if err != nil {
panic(err)
}
func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
+ if boring.Enabled {
+ // The BoringCrypto SHA1 does not have a constant-time
+ // checksum function, so don't try to use it.
+ return h
+ }
return func() hash.Hash {
return &cthWrapper{h().(constantTimeHash)}
}