diff options
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh')
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/agent/client_test.go | 2 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/cipher.go | 62 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/cipher_test.go | 68 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/client_auth_test.go | 4 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/common.go | 2 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/handshake.go | 49 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/handshake_test.go | 61 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/mac.go | 10 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/mux_test.go | 3 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/server.go | 27 | ||||
-rw-r--r-- | vendor/golang.org/x/crypto/ssh/transport.go | 32 |
11 files changed, 223 insertions, 97 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client_test.go b/vendor/golang.org/x/crypto/ssh/agent/client_test.go index e33d47138..a13a65001 100644 --- a/vendor/golang.org/x/crypto/ssh/agent/client_test.go +++ b/vendor/golang.org/x/crypto/ssh/agent/client_test.go @@ -180,7 +180,7 @@ func TestCert(t *testing.T) { // therefore is buffered (net.Pipe deadlocks if both sides start with // a write.) func netPipe() (net.Conn, net.Conn, error) { - listener, err := net.Listen("tcp", "127.0.0.1:0") + listener, err := net.Listen("tcp", ":0") if err != nil { return nil, nil, err } diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go index 34d3917c4..13484ab4b 100644 --- a/vendor/golang.org/x/crypto/ssh/cipher.go +++ b/vendor/golang.org/x/crypto/ssh/cipher.go @@ -135,6 +135,7 @@ const prefixLen = 5 type streamPacketCipher struct { mac hash.Hash cipher cipher.Stream + etm bool // The following members are to avoid per-packet allocations. prefix [prefixLen]byte @@ -150,7 +151,14 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err return nil, err } - s.cipher.XORKeyStream(s.prefix[:], s.prefix[:]) + var encryptedPaddingLength [1]byte + if s.mac != nil && s.etm { + copy(encryptedPaddingLength[:], s.prefix[4:5]) + s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5]) + } else { + s.cipher.XORKeyStream(s.prefix[:], s.prefix[:]) + } + length := binary.BigEndian.Uint32(s.prefix[0:4]) paddingLength := uint32(s.prefix[4]) @@ -159,7 +167,12 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err s.mac.Reset() binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum) s.mac.Write(s.seqNumBytes[:]) - s.mac.Write(s.prefix[:]) + if s.etm { + s.mac.Write(s.prefix[:4]) + s.mac.Write(encryptedPaddingLength[:]) + } else { + s.mac.Write(s.prefix[:]) + } macSize = uint32(s.mac.Size()) } @@ -184,10 +197,17 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err } mac := s.packetData[length-1:] data := s.packetData[:length-1] + + if s.mac != nil && s.etm { + s.mac.Write(data) + } + s.cipher.XORKeyStream(data, data) if s.mac != nil { - s.mac.Write(data) + if !s.etm { + s.mac.Write(data) + } s.macResult = s.mac.Sum(s.macResult[:0]) if subtle.ConstantTimeCompare(s.macResult, mac) != 1 { return nil, errors.New("ssh: MAC failure") @@ -203,7 +223,13 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea return errors.New("ssh: packet too large") } - paddingLength := packetSizeMultiple - (prefixLen+len(packet))%packetSizeMultiple + aadlen := 0 + if s.mac != nil && s.etm { + // packet length is not encrypted for EtM modes + aadlen = 4 + } + + paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple if paddingLength < 4 { paddingLength += packetSizeMultiple } @@ -220,15 +246,37 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea s.mac.Reset() binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum) s.mac.Write(s.seqNumBytes[:]) + + if s.etm { + // For EtM algorithms, the packet length must stay unencrypted, + // but the following data (padding length) must be encrypted + s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5]) + } + s.mac.Write(s.prefix[:]) - s.mac.Write(packet) - s.mac.Write(padding) + + if !s.etm { + // For non-EtM algorithms, the algorithm is applied on unencrypted data + s.mac.Write(packet) + s.mac.Write(padding) + } + } + + if !(s.mac != nil && s.etm) { + // For EtM algorithms, the padding length has already been encrypted + // and the packet length must remain unencrypted + s.cipher.XORKeyStream(s.prefix[:], s.prefix[:]) } - s.cipher.XORKeyStream(s.prefix[:], s.prefix[:]) s.cipher.XORKeyStream(packet, packet) s.cipher.XORKeyStream(padding, padding) + if s.mac != nil && s.etm { + // For EtM algorithms, packet and padding must be encrypted + s.mac.Write(packet) + s.mac.Write(padding) + } + if _, err := w.Write(s.prefix[:]); err != nil { return err } diff --git a/vendor/golang.org/x/crypto/ssh/cipher_test.go b/vendor/golang.org/x/crypto/ssh/cipher_test.go index eced8d851..5cfa17a62 100644 --- a/vendor/golang.org/x/crypto/ssh/cipher_test.go +++ b/vendor/golang.org/x/crypto/ssh/cipher_test.go @@ -26,39 +26,41 @@ func TestPacketCiphers(t *testing.T) { defer delete(cipherModes, aes128cbcID) for cipher := range cipherModes { - kr := &kexResult{Hash: crypto.SHA1} - algs := directionAlgorithms{ - Cipher: cipher, - MAC: "hmac-sha1", - Compression: "none", - } - client, err := newPacketCipher(clientKeys, algs, kr) - if err != nil { - t.Errorf("newPacketCipher(client, %q): %v", cipher, err) - continue - } - server, err := newPacketCipher(clientKeys, algs, kr) - if err != nil { - t.Errorf("newPacketCipher(client, %q): %v", cipher, err) - continue - } - - want := "bla bla" - input := []byte(want) - buf := &bytes.Buffer{} - if err := client.writePacket(0, buf, rand.Reader, input); err != nil { - t.Errorf("writePacket(%q): %v", cipher, err) - continue - } - - packet, err := server.readPacket(0, buf) - if err != nil { - t.Errorf("readPacket(%q): %v", cipher, err) - continue - } - - if string(packet) != want { - t.Errorf("roundtrip(%q): got %q, want %q", cipher, packet, want) + for mac := range macModes { + kr := &kexResult{Hash: crypto.SHA1} + algs := directionAlgorithms{ + Cipher: cipher, + MAC: mac, + Compression: "none", + } + client, err := newPacketCipher(clientKeys, algs, kr) + if err != nil { + t.Errorf("newPacketCipher(client, %q, %q): %v", cipher, mac, err) + continue + } + server, err := newPacketCipher(clientKeys, algs, kr) + if err != nil { + t.Errorf("newPacketCipher(client, %q, %q): %v", cipher, mac, err) + continue + } + + want := "bla bla" + input := []byte(want) + buf := &bytes.Buffer{} + if err := client.writePacket(0, buf, rand.Reader, input); err != nil { + t.Errorf("writePacket(%q, %q): %v", cipher, mac, err) + continue + } + + packet, err := server.readPacket(0, buf) + if err != nil { + t.Errorf("readPacket(%q, %q): %v", cipher, mac, err) + continue + } + + if string(packet) != want { + t.Errorf("roundtrip(%q, %q): got %q, want %q", cipher, mac, packet, want) + } } } } diff --git a/vendor/golang.org/x/crypto/ssh/client_auth_test.go b/vendor/golang.org/x/crypto/ssh/client_auth_test.go index 1d9681a06..e384c796b 100644 --- a/vendor/golang.org/x/crypto/ssh/client_auth_test.go +++ b/vendor/golang.org/x/crypto/ssh/client_auth_test.go @@ -333,14 +333,14 @@ func TestClientLoginCert(t *testing.T) { } // allowed source address - cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24"} + cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24,::42/120"} cert.SignCert(rand.Reader, testSigners["ecdsa"]) if err := tryAuth(t, clientConfig); err != nil { t.Errorf("cert login with source-address failed: %v", err) } // disallowed source address - cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42"} + cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42,::42"} cert.SignCert(rand.Reader, testSigners["ecdsa"]) if err := tryAuth(t, clientConfig); err == nil { t.Errorf("cert login with source-address succeeded") diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go index faabb7ef9..8656d0f85 100644 --- a/vendor/golang.org/x/crypto/ssh/common.go +++ b/vendor/golang.org/x/crypto/ssh/common.go @@ -56,7 +56,7 @@ var supportedHostKeyAlgos = []string{ // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed // because they have reached the end of their useful life. var supportedMACs = []string{ - "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", + "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", } var supportedCompressions = []string{compressionNone} diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go index 57f2d3daf..8de650644 100644 --- a/vendor/golang.org/x/crypto/ssh/handshake.go +++ b/vendor/golang.org/x/crypto/ssh/handshake.go @@ -66,8 +66,8 @@ type handshakeTransport struct { // If the read loop wants to schedule a kex, it pings this // channel, and the write loop will send out a kex - // message. The boolean is whether this is the first request or not. - requestKex chan bool + // message. + requestKex chan struct{} // If the other side requests or confirms a kex, its kexInit // packet is sent here for the write loop to find it. @@ -102,14 +102,14 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion: serverVersion, clientVersion: clientVersion, incoming: make(chan []byte, chanSize), - requestKex: make(chan bool, 1), + requestKex: make(chan struct{}, 1), startKex: make(chan *pendingKex, 1), config: config, } // We always start with a mandatory key exchange. - t.requestKex <- true + t.requestKex <- struct{}{} return t } @@ -166,6 +166,7 @@ func (t *handshakeTransport) printPacket(p []byte, write bool) { if write { action = "sent" } + if p[0] == msgChannelData || p[0] == msgChannelExtendedData { log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p)) } else { @@ -230,14 +231,13 @@ func (t *handshakeTransport) recordWriteError(err error) { func (t *handshakeTransport) requestKeyExchange() { select { - case t.requestKex <- false: + case t.requestKex <- struct{}{}: default: // something already requested a kex, so do nothing. } } func (t *handshakeTransport) kexLoop() { - firstSent := false write: for t.getWriteError() == nil { @@ -251,18 +251,8 @@ write: if !ok { break write } - case requestFirst := <-t.requestKex: - // For the first key exchange, both - // sides will initiate a key exchange, - // and both channels will fire. To - // avoid doing two key exchanges in a - // row, ignore our own request for an - // initial kex if we have already sent - // it out. - if firstSent && requestFirst { - - continue - } + case <-t.requestKex: + break } if !sent { @@ -270,7 +260,6 @@ write: t.recordWriteError(err) break } - firstSent = true sent = true } } @@ -287,7 +276,8 @@ write: // We're not servicing t.startKex, but the remote end // has just sent us a kexInitMsg, so it can't send - // another key change request. + // another key change request, until we close the done + // channel on the pendingKex request. err := t.enterKeyExchange(request.otherInit) @@ -301,6 +291,23 @@ write: } else if t.algorithms != nil { t.writeBytesLeft = t.algorithms.w.rekeyBytes() } + + // we have completed the key exchange. Since the + // reader is still blocked, it is safe to clear out + // the requestKex channel. This avoids the situation + // where: 1) we consumed our own request for the + // initial kex, and 2) the kex from the remote side + // caused another send on the requestKex channel, + clear: + for { + select { + case <-t.requestKex: + // + default: + break clear + } + } + request.done <- t.writeError // kex finished. Push packets that we received while @@ -314,7 +321,7 @@ write: break } } - t.pendingPackets = t.pendingPackets[0:] + t.pendingPackets = t.pendingPackets[:0] t.mu.Unlock() } diff --git a/vendor/golang.org/x/crypto/ssh/handshake_test.go b/vendor/golang.org/x/crypto/ssh/handshake_test.go index e61348fea..1b831127e 100644 --- a/vendor/golang.org/x/crypto/ssh/handshake_test.go +++ b/vendor/golang.org/x/crypto/ssh/handshake_test.go @@ -40,7 +40,7 @@ func (t *testChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error // therefore is buffered (net.Pipe deadlocks if both sides start with // a write.) func netPipe() (net.Conn, net.Conn, error) { - listener, err := net.Listen("tcp", "127.0.0.1:0") + listener, err := net.Listen("tcp", ":0") if err != nil { return nil, nil, err } @@ -125,7 +125,12 @@ func TestHandshakeBasic(t *testing.T) { t.Skip("see golang.org/issue/7237") } - checker := &syncChecker{make(chan int, 10)} + checker := &syncChecker{ + waitCall: make(chan int, 10), + called: make(chan int, 10), + } + + checker.waitCall <- 1 trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr", false) if err != nil { t.Fatalf("handshakePair: %v", err) @@ -134,22 +139,25 @@ func TestHandshakeBasic(t *testing.T) { defer trC.Close() defer trS.Close() + // Let first kex complete normally. <-checker.called clientDone := make(chan int, 0) gotHalf := make(chan int, 0) + const N = 20 go func() { defer close(clientDone) // Client writes a bunch of stuff, and does a key // change in the middle. This should not confuse the - // handshake in progress - for i := 0; i < 10; i++ { + // handshake in progress. We do this twice, so we test + // that the packet buffer is reset correctly. + for i := 0; i < N; i++ { p := []byte{msgRequestSuccess, byte(i)} if err := trC.writePacket(p); err != nil { t.Fatalf("sendPacket: %v", err) } - if i == 5 { + if (i % 10) == 5 { <-gotHalf // halfway through, we request a key change. trC.requestKeyExchange() @@ -159,32 +167,38 @@ func TestHandshakeBasic(t *testing.T) { // write more. <-checker.called } + if (i % 10) == 7 { + // write some packets until the kex + // completes, to test buffering of + // packets. + checker.waitCall <- 1 + } } }() // Server checks that client messages come in cleanly i := 0 err = nil - for ; i < 10; i++ { + for ; i < N; i++ { var p []byte p, err = trS.readPacket() if err != nil { break } - if i == 5 { + if (i % 10) == 5 { gotHalf <- 1 } want := []byte{msgRequestSuccess, byte(i)} if bytes.Compare(p, want) != 0 { - t.Errorf("message %d: got %q, want %q", i, p, want) + t.Errorf("message %d: got %v, want %v", i, p, want) } } <-clientDone if err != nil && err != io.EOF { t.Fatalf("server error: %v", err) } - if i != 10 { + if i != N { t.Errorf("received %d messages, want 10.", i) } @@ -239,7 +253,10 @@ func TestForceFirstKex(t *testing.T) { } func TestHandshakeAutoRekeyWrite(t *testing.T) { - checker := &syncChecker{make(chan int, 10)} + checker := &syncChecker{ + called: make(chan int, 10), + waitCall: nil, + } clientConf := &ClientConfig{HostKeyCallback: checker.Check} clientConf.RekeyThreshold = 500 trC, trS, err := handshakePair(clientConf, "addr", false) @@ -249,14 +266,19 @@ func TestHandshakeAutoRekeyWrite(t *testing.T) { defer trC.Close() defer trS.Close() + input := make([]byte, 251) + input[0] = msgRequestSuccess + done := make(chan int, 1) const numPacket = 5 go func() { defer close(done) j := 0 for ; j < numPacket; j++ { - if _, err := trS.readPacket(); err != nil { + if p, err := trS.readPacket(); err != nil { break + } else if !bytes.Equal(input, p) { + t.Errorf("got packet type %d, want %d", p[0], input[0]) } } @@ -268,9 +290,9 @@ func TestHandshakeAutoRekeyWrite(t *testing.T) { <-checker.called for i := 0; i < numPacket; i++ { - packet := make([]byte, 251) - packet[0] = msgRequestSuccess - if err := trC.writePacket(packet); err != nil { + p := make([]byte, len(input)) + copy(p, input) + if err := trC.writePacket(p); err != nil { t.Errorf("writePacket: %v", err) } if i == 2 { @@ -283,16 +305,23 @@ func TestHandshakeAutoRekeyWrite(t *testing.T) { } type syncChecker struct { - called chan int + waitCall chan int + called chan int } func (c *syncChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error { c.called <- 1 + if c.waitCall != nil { + <-c.waitCall + } return nil } func TestHandshakeAutoRekeyRead(t *testing.T) { - sync := &syncChecker{make(chan int, 2)} + sync := &syncChecker{ + called: make(chan int, 2), + waitCall: nil, + } clientConf := &ClientConfig{ HostKeyCallback: sync.Check, } diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go index 07744ad67..c07a06285 100644 --- a/vendor/golang.org/x/crypto/ssh/mac.go +++ b/vendor/golang.org/x/crypto/ssh/mac.go @@ -15,6 +15,7 @@ import ( type macMode struct { keySize int + etm bool new func(key []byte) hash.Hash } @@ -45,13 +46,16 @@ func (t truncatingMAC) Size() int { func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() } var macModes = map[string]*macMode{ - "hmac-sha2-256": {32, func(key []byte) hash.Hash { + "hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash { return hmac.New(sha256.New, key) }}, - "hmac-sha1": {20, func(key []byte) hash.Hash { + "hmac-sha2-256": {32, false, func(key []byte) hash.Hash { + return hmac.New(sha256.New, key) + }}, + "hmac-sha1": {20, false, func(key []byte) hash.Hash { return hmac.New(sha1.New, key) }}, - "hmac-sha1-96": {20, func(key []byte) hash.Hash { + "hmac-sha1-96": {20, false, func(key []byte) hash.Hash { return truncatingMAC{12, hmac.New(sha1.New, key)} }}, } diff --git a/vendor/golang.org/x/crypto/ssh/mux_test.go b/vendor/golang.org/x/crypto/ssh/mux_test.go index 591aae8e8..25d2181d6 100644 --- a/vendor/golang.org/x/crypto/ssh/mux_test.go +++ b/vendor/golang.org/x/crypto/ssh/mux_test.go @@ -499,4 +499,7 @@ func TestDebug(t *testing.T) { if debugHandshake { t.Error("handshake debug switched on") } + if debugTransport { + t.Error("transport debug switched on") + } } diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go index 28b109a9c..77c84d165 100644 --- a/vendor/golang.org/x/crypto/ssh/server.go +++ b/vendor/golang.org/x/crypto/ssh/server.go @@ -10,6 +10,7 @@ import ( "fmt" "io" "net" + "strings" ) // The Permissions type holds fine-grained permissions that are @@ -231,7 +232,7 @@ func isAcceptableAlgo(algo string) bool { return false } -func checkSourceAddress(addr net.Addr, sourceAddr string) error { +func checkSourceAddress(addr net.Addr, sourceAddrs string) error { if addr == nil { return errors.New("ssh: no address known for client, but source-address match required") } @@ -241,18 +242,20 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error { return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr) } - if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil { - if allowedIP.Equal(tcpAddr.IP) { - return nil - } - } else { - _, ipNet, err := net.ParseCIDR(sourceAddr) - if err != nil { - return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err) - } + for _, sourceAddr := range strings.Split(sourceAddrs, ",") { + if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil { + if allowedIP.Equal(tcpAddr.IP) { + return nil + } + } else { + _, ipNet, err := net.ParseCIDR(sourceAddr) + if err != nil { + return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err) + } - if ipNet.Contains(tcpAddr.IP) { - return nil + if ipNet.Contains(tcpAddr.IP) { + return nil + } } } diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go index fd199324d..f9780e0ae 100644 --- a/vendor/golang.org/x/crypto/ssh/transport.go +++ b/vendor/golang.org/x/crypto/ssh/transport.go @@ -8,8 +8,13 @@ import ( "bufio" "errors" "io" + "log" ) +// debugTransport if set, will print packet types as they go over the +// wire. No message decoding is done, to minimize the impact on timing. +const debugTransport = false + const ( gcmCipherID = "aes128-gcm@openssh.com" aes128cbcID = "aes128-cbc" @@ -40,7 +45,7 @@ type transport struct { bufReader *bufio.Reader bufWriter *bufio.Writer rand io.Reader - + isClient bool io.Closer } @@ -86,6 +91,22 @@ func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) err return nil } +func (t *transport) printPacket(p []byte, write bool) { + if len(p) == 0 { + return + } + who := "server" + if t.isClient { + who = "client" + } + what := "read" + if write { + what = "write" + } + + log.Println(what, who, p[0]) +} + // Read and decrypt next packet. func (t *transport) readPacket() (p []byte, err error) { for { @@ -97,6 +118,9 @@ func (t *transport) readPacket() (p []byte, err error) { break } } + if debugTransport { + t.printPacket(p, false) + } return p, err } @@ -141,6 +165,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) { } func (t *transport) writePacket(packet []byte) error { + if debugTransport { + t.printPacket(packet, true) + } return t.writer.writePacket(t.bufWriter, t.rand, packet) } @@ -181,6 +208,8 @@ func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transp }, Closer: rwc, } + t.isClient = isClient + if isClient { t.reader.dir = serverKeys t.writer.dir = clientKeys @@ -238,6 +267,7 @@ func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (pac c := &streamPacketCipher{ mac: macModes[algs.MAC].new(macKey), + etm: macModes[algs.MAC].etm, } c.macResult = make([]byte, c.mac.Size()) |