diff options
| author |  kim <grufwub@gmail.com> | 2025-10-13 16:49:53 +0200 |
|---|---|---|
| committer |  tobi <tobi.smethurst@protonmail.com> | 2025-10-17 15:32:55 +0200 |
| commit | ea7eeada77a52fd58a9e1a949a39eccc7bce955a (patch) | |
| tree | ede9f651d0bd7782b565883f9384341530f8320f /vendor/golang.org/x/crypto/ssh/mac.go | |
| parent | [bugfix] repeated posts on timeline endpoints (#4494) (diff) | |
| download | gotosocial-ea7eeada77a52fd58a9e1a949a39eccc7bce955a.tar.xz | |
[chore] update dependencies (#4495)
- github.com/coreos/go-oidc/v3: v3.15.0 -> v3.16.0
- github.com/go-playground/form/v4: v4.2.1 -> v4.3.0
- github.com/go-swagger/go-swagger: v0.32.3 -> v0.33.1
- golang.org/x/crypto: v0.42.0 -> v0.43.0
- golang.org/x/image: v0.31.0 -> v0.32.0
- golang.org/x/net: v0.45.0 -> v0.46.0
- golang.org/x/oauth2: v0.31.0 -> v0.32.0
- golang.org/x/sys: v0.36.0 -> v0.37.0
- golang.org/x/text: v0.29.0 -> v0.30.0
- modernc.org/sqlite: v1.39.0 -> v1.39.1 (w/ concurrency workaround)
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4495
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh/mac.go')
| -rw-r--r-- | vendor/golang.org/x/crypto/ssh/mac.go | 42 |
1 files changed, 29 insertions, 13 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go index de2639d57..87d626fbb 100644 --- a/vendor/golang.org/x/crypto/ssh/mac.go +++ b/vendor/golang.org/x/crypto/ssh/mac.go @@ -7,11 +7,13 @@ package ssh // Message authentication support import ( + "crypto/fips140" "crypto/hmac" "crypto/sha1" "crypto/sha256" "crypto/sha512" "hash" + "slices" ) type macMode struct { @@ -46,23 +48,37 @@ func (t truncatingMAC) Size() int { func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() } -var macModes = map[string]*macMode{ - HMACSHA512ETM: {64, true, func(key []byte) hash.Hash { +// macModes defines the supported MACs. MACs not included are not supported +// and will not be negotiated, even if explicitly configured. When FIPS mode is +// enabled, only FIPS-approved algorithms are included. +var macModes = map[string]*macMode{} + +func init() { + macModes[HMACSHA512ETM] = &macMode{64, true, func(key []byte) hash.Hash { return hmac.New(sha512.New, key) - }}, - HMACSHA256ETM: {32, true, func(key []byte) hash.Hash { + }} + macModes[HMACSHA256ETM] = &macMode{32, true, func(key []byte) hash.Hash { return hmac.New(sha256.New, key) - }}, - HMACSHA512: {64, false, func(key []byte) hash.Hash { + }} + macModes[HMACSHA512] = &macMode{64, false, func(key []byte) hash.Hash { return hmac.New(sha512.New, key) - }}, - HMACSHA256: {32, false, func(key []byte) hash.Hash { + }} + macModes[HMACSHA256] = &macMode{32, false, func(key []byte) hash.Hash { return hmac.New(sha256.New, key) - }}, - HMACSHA1: {20, false, func(key []byte) hash.Hash { + }} + + if fips140.Enabled() { + defaultMACs = slices.DeleteFunc(defaultMACs, func(algo string) bool { + _, ok := macModes[algo] + return !ok + }) + return + } + + macModes[HMACSHA1] = &macMode{20, false, func(key []byte) hash.Hash { return hmac.New(sha1.New, key) - }}, - InsecureHMACSHA196: {20, false, func(key []byte) hash.Hash { + }} + macModes[InsecureHMACSHA196] = &macMode{20, false, func(key []byte) hash.Hash { return truncatingMAC{12, hmac.New(sha1.New, key)} - }}, + }} } |