mirror of
https://github.com/golang/go
synced 2024-10-04 23:20:17 +00:00
crypto/tls: don't call tlsrsakex.IncNonDefault with FIPS
We haven't called tlsrsakex.Value() yet at this point if we're using FIPS, like if CipherSuites != nil. This adds needFIPS as a gate next to CipherSuites != nil. FIPS specifies suites that would be skipped if tlsarsakex were set. Fixes #65991 Change-Id: I8070d8f43f27c04067490af8cc7ec5e787f2b9bd Reviewed-on: https://go-review.googlesource.com/c/go/+/582315 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
This commit is contained in:
parent
18104621ce
commit
78e50d0fa0
|
@ -526,7 +526,7 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
|
|||
return errors.New("tls: server chose an unconfigured cipher suite")
|
||||
}
|
||||
|
||||
if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
|
||||
if hs.c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
|
||||
tlsrsakex.IncNonDefault()
|
||||
}
|
||||
|
||||
|
|
|
@ -370,7 +370,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
|
|||
}
|
||||
c.cipherSuite = hs.suite.id
|
||||
|
||||
if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
|
||||
if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
|
||||
tlsrsakex.IncNonDefault()
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue