]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 14f0251)
[release-branch.go1.22] crypto/tls: don't call tlsrsakex.IncNonDefault with FIPS
authorMike Beaumont <mjboamail@gmail.com>
Mon, 29 Apr 2024 10:14:32 +0000 (12:14 +0200)
committerJoedian Reid <joedian@google.com>
Mon, 24 Jun 2024 17:11:13 +0000 (17:11 +0000)
We haven't called tlsrsakex.Value() yet at this point if we're using
FIPS, like if CipherSuites != nil. This adds needFIPS as a gate next to
CipherSuites != nil. FIPS specifies suites that would be skipped if
tlsarsakex were set.

For #65991.
Fixes #65994.

Change-Id: I8070d8f43f27c04067490af8cc7ec5e787f2b9bd
Reviewed-on: https://go-review.googlesource.com/c/go/+/582315
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit 78e50d0fa0bc78d197bd1b41e1bdef8c20a03396)
Reviewed-on: https://go-review.googlesource.com/c/go/+/593395
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
src/crypto/tls/handshake_client.go patch | blob | history
src/crypto/tls/handshake_server.go patch | blob | history

diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index f016e01b4b5182dccff5944b70ef431983c63f25..08a2d47974c20e24cf7cfec1516a42c3c47223df 100644 (file)
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -526,7 +526,7 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
                return errors.New("tls: server chose an unconfigured cipher suite")
        }
 
-       if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
+       if hs.c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
                tlsrsakex.IncNonDefault()
        }
 
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 8129e9c6164af9341dc4b0857fb5263b8193dd48..4e84aa9d8f0a1dc2ddca607e26b0a2f8e4ce5f46 100644 (file)
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -370,7 +370,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
        }
        c.cipherSuite = hs.suite.id
 
-       if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
+       if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
                tlsrsakex.IncNonDefault()
        }
 
Go GOST TLS 1.3