- markus@cvs.openbsd.org 2012/12/11 22:31:18

     [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@

11 files changed, 196 insertions, 66 deletions

diff --git a/ChangeLog b/ChangeLog
index b96329ef2..df6d03207 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,14 @@
      [monitor.c]
      drain the log messages after receiving the keystate from the unpriv
      child. otherwise it might block while sending. ok djm@
+   - markus@cvs.openbsd.org 2012/12/11 22:31:18
+     [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
+     [packet.c ssh_config.5 sshd_config.5]
+     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
+     that change the packet format and compute the MAC over the encrypted
+     message (including the packet size) instead of the plaintext data;
+     these EtM modes are considered more secure and used by default.
+     feedback and ok djm@
 
 20121207
  - (dtucker) OpenBSD CVS Sync
diff --git a/PROTOCOL b/PROTOCOL
index c28196011..834716cc9 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
 curve points encoded using point compression are NOT accepted or
 generated.
 
+1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
+
+OpenSSH supports MAC algorithms, whose names contain "-etm", that
+perform the calculations in a different order to that defined in RFC
+4253. These variants use the so-called "encrypt then MAC" ordering,
+calculating the MAC over the packet ciphertext rather than the
+plaintext. This ordering closes a security flaw in the SSH transport
+protocol, where decryption of unauthenticated ciphertext provided a
+"decryption oracle" that could, in conjunction with cipher flaws, reveal
+session plaintext.
+
+Specifically, the "-etm" MAC algorithms modify the transport protocol
+to calculate the MAC over the packet ciphertext and to send the packet
+length unencrypted. This is necessary for the transport to obtain the
+length of the packet and location of the MAC tag so that it may be
+verified without decrypting unauthenticated data.
+
+As such, the MAC covers:
+
+      mac = MAC(key, sequence_number || encrypted_packet)
+
+where "encrypted_packet" contains:
+
+      byte      padding_length
+      byte[n1]  payload; n1 = packet_length - padding_length - 1
+      byte[n2]  random padding; n2 = padding_length
+
 2. Connection protocol changes
 
 2.1. connection: Channel write close extension "eow@openssh.com"
@@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
-$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $
+$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $
diff --git a/authfile.c b/authfile.c
index 7dd449690..d9ee4ca65 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.94 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
         cipher_set_key_string(&ciphercontext, cipher, passphrase,
             CIPHER_ENCRYPT);
         cipher_crypt(&ciphercontext, cp,
-            buffer_ptr(&buffer), buffer_len(&buffer));
+            buffer_ptr(&buffer), buffer_len(&buffer), 0);
         cipher_cleanup(&ciphercontext);
         memset(&ciphercontext, 0, sizeof(ciphercontext));
 
@@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
         cipher_set_key_string(&ciphercontext, cipher, passphrase,
             CIPHER_DECRYPT);
         cipher_crypt(&ciphercontext, cp,
-            buffer_ptr(&copy), buffer_len(&copy));
+            buffer_ptr(&copy), buffer_len(&copy), 0);
         cipher_cleanup(&ciphercontext);
         memset(&ciphercontext, 0, sizeof(ciphercontext));
         buffer_free(&copy);
diff --git a/cipher.c b/cipher.c
index bb5c0ac3a..2116b55b1 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.c,v 1.83 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -273,13 +273,25 @@ cipher_init(CipherContext *cc, Cipher *cipher,
         }
 }
 
+/*
+ * cipher_crypt() operates as following:
+ * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
+ * Theses bytes are treated as additional authenticated data for
+ * authenticated encryption modes.
+ * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
+ * Both 'aadlen' and 'authlen' can be set to 0.
+ */
 void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len, u_int aadlen)
 {
+        if (aadlen)
+                memcpy(dest, src, aadlen);
         if (len % cc->cipher->block_size)
-                fatal("cipher_encrypt: bad plaintext length %d", len);
-        if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
-                fatal("evp_crypt: EVP_Cipher failed");
+                fatal("%s: bad plaintext length %d", __func__, len);
+        if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+            len) < 0)
+                fatal("%s: EVP_Cipher failed", __func__);
 }
 
 void
diff --git a/cipher.h b/cipher.h
index 3dd2270bb..78972fea5 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.h,v 1.38 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,7 +76,7 @@ char	*cipher_name(int);
 int      ciphers_valid(const char *);
 void     cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
     const u_char *, u_int, int);
-void     cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
+void     cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int);
 void     cipher_cleanup(CipherContext *);
 void     cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
 u_int    cipher_blocksize(const Cipher *);
diff --git a/kex.h b/kex.h
index 7373d3c78..03b984cc8 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.53 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -100,6 +100,7 @@ struct Mac {
         u_char  *key;
         u_int   key_len;
         int     type;
+        int     etm;            /* Encrypt-then-MAC */
         const EVP_MD    *evp_md;
         HMAC_CTX        evp_ctx;
         struct umac_ctx *umac_ctx;
diff --git a/mac.c b/mac.c
index 47db127f5..0ece2e55d 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */
+/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -58,19 +58,34 @@ struct {
         int             key_len;        /* just for UMAC */
         int             len;            /* just for UMAC */
 } macs[] = {
-        { "hmac-sha1",                  SSH_EVP, EVP_sha1, 0, -1, -1 },
-        { "hmac-sha1-96",               SSH_EVP, EVP_sha1, 96, -1, -1 },
+        /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+        { "hmac-sha1",                          SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+        { "hmac-sha1-96",                       SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
 #ifdef HAVE_EVP_SHA256
-        { "hmac-sha2-256",              SSH_EVP, EVP_sha256, 0, -1, -1 },
-        { "hmac-sha2-512",              SSH_EVP, EVP_sha512, 0, -1, -1 },
+        { "hmac-sha2-256",                      SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+        { "hmac-sha2-512",                      SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 #endif
-        { "hmac-md5",                   SSH_EVP, EVP_md5, 0, -1, -1 },
-        { "hmac-md5-96",                SSH_EVP, EVP_md5, 96, -1, -1 },
-        { "hmac-ripemd160",             SSH_EVP, EVP_ripemd160, 0, -1, -1 },
-        { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
-        { "umac-64@openssh.com",        SSH_UMAC, NULL, 0, 128, 64 },
-        { "umac-128@openssh.com",       SSH_UMAC128, NULL, 0, 128, 128 },
-        { NULL,                         0, NULL, 0, -1, -1 }
+        { "hmac-md5",                           SSH_EVP, EVP_md5, 0, 0, 0, 0 },
+        { "hmac-md5-96",                        SSH_EVP, EVP_md5, 96, 0, 0, 0 },
+        { "hmac-ripemd160",                     SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+        { "hmac-ripemd160@openssh.com",         SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+        { "umac-64@openssh.com",                SSH_UMAC, NULL, 0, 128, 64, 0 },
+        { "umac-128@openssh.com",               SSH_UMAC128, NULL, 0, 128, 128, 0 },
+
+        /* Encrypt-then-MAC variants */
+        { "hmac-sha1-etm@openssh.com",          SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+        { "hmac-sha1-96-etm@openssh.com",       SSH_EVP, EVP_sha1, 96, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+        { "hmac-sha2-256-etm@openssh.com",      SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+        { "hmac-sha2-512-etm@openssh.com",      SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
+        { "hmac-md5-etm@openssh.com",           SSH_EVP, EVP_md5, 0, 0, 0, 1 },
+        { "hmac-md5-96-etm@openssh.com",        SSH_EVP, EVP_md5, 96, 0, 0, 1 },
+        { "hmac-ripemd160-tem@openssh.com",     SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
+        { "umac-64-etm@openssh.com",            SSH_UMAC, NULL, 0, 128, 64, 1 },
+        { "umac-128-etm@openssh.com",           SSH_UMAC128, NULL, 0, 128, 128, 1 },
+
+        { NULL,                                 0, NULL, 0, 0, 0, 0 }
 };
 
 static void
@@ -90,6 +105,7 @@ mac_setup_by_id(Mac *mac, int which)
         }
         if (macs[which].truncatebits != 0)
                 mac->mac_len = macs[which].truncatebits / 8;
+        mac->etm = macs[which].etm;
 }
 
 int
diff --git a/myproposal.h b/myproposal.h
index 5e2b99857..d98f4b051 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.31 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -83,6 +83,15 @@
 # define SHA2_HMAC_MODES
 #endif
 #define KEX_DEFAULT_MAC \
+        "hmac-md5-etm@openssh.com," \
+        "hmac-sha1-etm@openssh.com," \
+        "umac-64-etm@openssh.com," \
+        "umac-128-etm@openssh.com," \
+        "hmac-sha2-256-etm@openssh.com," \
+        "hmac-sha2-512-etm@openssh.com," \
+        "hmac-ripemd160-etm@openssh.com," \
+        "hmac-sha1-96-etm@openssh.com," \
+        "hmac-md5-96-etm@openssh.com," \
         "hmac-md5," \
         "hmac-sha1," \
         "umac-64@openssh.com," \
diff --git a/packet.c b/packet.c
index b75c081f0..be8907854 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.178 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -275,7 +275,7 @@ packet_stop_discard(void)
 static void
 packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard)
 {
-        if (enc == NULL || !cipher_is_cbc(enc->cipher))
+        if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm))
                 packet_disconnect("Packet corrupt");
         if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled)
                 active_state->packet_discard_mac = mac;
@@ -709,7 +709,7 @@ packet_send1(void)
             buffer_len(&active_state->outgoing_packet));
         cipher_crypt(&active_state->send_context, cp,
             buffer_ptr(&active_state->outgoing_packet),
-            buffer_len(&active_state->outgoing_packet));
+            buffer_len(&active_state->outgoing_packet), 0);
 
 #ifdef PACKET_DEBUG
         fprintf(stderr, "encrypted: ");
@@ -845,9 +845,8 @@ static void
 packet_send2_wrapped(void)
 {
         u_char type, *cp, *macbuf = NULL;
-        u_char padlen, pad;
-        u_int packet_length = 0;
-        u_int i, len;
+        u_char padlen, pad = 0;
+        u_int i, len, aadlen = 0;
         u_int32_t rnd = 0;
         Enc *enc   = NULL;
         Mac *mac   = NULL;
@@ -860,6 +859,7 @@ packet_send2_wrapped(void)
                 comp = &active_state->newkeys[MODE_OUT]->comp;
         }
         block_size = enc ? enc->block_size : 8;
+        aadlen = mac && mac->enabled && mac->etm ? 4 : 0;
 
         cp = buffer_ptr(&active_state->outgoing_packet);
         type = cp[5];
@@ -892,6 +892,7 @@ packet_send2_wrapped(void)
          * calc size of padding, alloc space, get random data,
          * minimum padding is 4 bytes
          */
+        len -= aadlen; /* packet length is not encrypted for EtM modes */
         padlen = block_size - (len % block_size);
         if (padlen < 4)
                 padlen += block_size;
@@ -919,29 +920,37 @@ packet_send2_wrapped(void)
                 /* clear padding */
                 memset(cp, 0, padlen);
         }
-        /* packet_length includes payload, padding and padding length field */
-        packet_length = buffer_len(&active_state->outgoing_packet) - 4;
+        /* sizeof (packet_len + pad_len + payload + padding) */
+        len = buffer_len(&active_state->outgoing_packet);
         cp = buffer_ptr(&active_state->outgoing_packet);
-        put_u32(cp, packet_length);
+        /* packet_length includes payload, padding and padding length field */
+        put_u32(cp, len - 4);
         cp[4] = padlen;
-        DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
+        DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
+            len, padlen, aadlen));
 
         /* compute MAC over seqnr and packet(length fields, payload, padding) */
-        if (mac && mac->enabled) {
+        if (mac && mac->enabled && !mac->etm) {
                 macbuf = mac_compute(mac, active_state->p_send.seqnr,
-                    buffer_ptr(&active_state->outgoing_packet),
-                    buffer_len(&active_state->outgoing_packet));
+                    buffer_ptr(&active_state->outgoing_packet), len);
                 DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr));
         }
         /* encrypt packet and append to output buffer. */
-        cp = buffer_append_space(&active_state->output,
-            buffer_len(&active_state->outgoing_packet));
+        cp = buffer_append_space(&active_state->output, len);
         cipher_crypt(&active_state->send_context, cp,
             buffer_ptr(&active_state->outgoing_packet),
-            buffer_len(&active_state->outgoing_packet));
+            len - aadlen, aadlen);
         /* append unencrypted MAC */
-        if (mac && mac->enabled)
+        if (mac && mac->enabled) {
+                if (mac->etm) {
+                        /* EtM: compute mac over aadlen + cipher text */
+                        macbuf = mac_compute(mac,
+                            active_state->p_send.seqnr, cp, len);
+                        DBG(debug("done calc MAC(EtM) out #%d",
+                            active_state->p_send.seqnr));
+                }
                 buffer_append(&active_state->output, macbuf, mac->mac_len);
+        }
 #ifdef PACKET_DEBUG
         fprintf(stderr, "encrypted: ");
         buffer_dump(&active_state->output);
@@ -952,8 +961,8 @@ packet_send2_wrapped(void)
         if (++active_state->p_send.packets == 0)
                 if (!(datafellows & SSH_BUG_NOREKEY))
                         fatal("XXX too many packets with same key");
-        active_state->p_send.blocks += (packet_length + 4) / block_size;
-        active_state->p_send.bytes += packet_length + 4;
+        active_state->p_send.blocks += len / block_size;
+        active_state->p_send.bytes += len;
         buffer_clear(&active_state->outgoing_packet);
 
         if (type == SSH2_MSG_NEWKEYS)
@@ -1190,7 +1199,7 @@ packet_read_poll1(void)
         buffer_clear(&active_state->incoming_packet);
         cp = buffer_append_space(&active_state->incoming_packet, padded_len);
         cipher_crypt(&active_state->receive_context, cp,
-            buffer_ptr(&active_state->input), padded_len);
+            buffer_ptr(&active_state->input), padded_len, 0);
 
         buffer_consume(&active_state->input, padded_len);
 
@@ -1238,8 +1247,8 @@ static int
 packet_read_poll2(u_int32_t *seqnr_p)
 {
         u_int padlen, need;
-        u_char *macbuf, *cp, type;
-        u_int maclen, block_size;
+        u_char *macbuf = NULL, *cp, type;
+        u_int maclen, aadlen = 0, block_size;
         Enc *enc   = NULL;
         Mac *mac   = NULL;
         Comp *comp = NULL;
@@ -1254,8 +1263,22 @@ packet_read_poll2(u_int32_t *seqnr_p)
         }
         maclen = mac && mac->enabled ? mac->mac_len : 0;
         block_size = enc ? enc->block_size : 8;
+        aadlen = mac && mac->enabled && mac->etm ? 4 : 0;
 
-        if (active_state->packlen == 0) {
+        if (aadlen && active_state->packlen == 0) {
+                if (buffer_len(&active_state->input) < 4)
+                        return SSH_MSG_NONE;
+                cp = buffer_ptr(&active_state->input);
+                active_state->packlen = get_u32(cp);
+                if (active_state->packlen < 1 + 4 ||
+                    active_state->packlen > PACKET_MAX_SIZE) {
+#ifdef PACKET_DEBUG
+                        buffer_dump(&active_state->input);
+#endif
+                        logit("Bad packet length %u.", active_state->packlen);
+                        packet_disconnect("Packet corrupt");
+                }
+        } else if (active_state->packlen == 0) {
                 /*
                  * check if input size is less than the cipher block size,
                  * decrypt first block and extract length of incoming packet
@@ -1266,7 +1289,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
                 cp = buffer_append_space(&active_state->incoming_packet,
                     block_size);
                 cipher_crypt(&active_state->receive_context, cp,
-                    buffer_ptr(&active_state->input), block_size);
+                    buffer_ptr(&active_state->input), block_size, 0);
                 cp = buffer_ptr(&active_state->incoming_packet);
                 active_state->packlen = get_u32(cp);
                 if (active_state->packlen < 1 + 4 ||
@@ -1279,13 +1302,21 @@ packet_read_poll2(u_int32_t *seqnr_p)
                             PACKET_MAX_SIZE);
                         return SSH_MSG_NONE;
                 }
-                DBG(debug("input: packet len %u", active_state->packlen+4));
                 buffer_consume(&active_state->input, block_size);
         }
-        /* we have a partial packet of block_size bytes */
-        need = 4 + active_state->packlen - block_size;
-        DBG(debug("partial packet %d, need %d, maclen %d", block_size,
-            need, maclen));
+        DBG(debug("input: packet len %u", active_state->packlen+4));
+        if (aadlen) {
+                /* only the payload is encrypted */
+                need = active_state->packlen;
+        } else {
+                /*
+                 * the payload size and the payload are encrypted, but we
+                 * have a partial packet of block_size bytes
+                 */
+                need = 4 + active_state->packlen - block_size;
+        }
+        DBG(debug("partial packet: block %d, need %d, maclen %d, aadlen %d",
+            block_size, need, maclen, aadlen));
         if (need % block_size != 0) {
                 logit("padding error: need %d block %d mod %d",
                     need, block_size, need % block_size);
@@ -1295,26 +1326,34 @@ packet_read_poll2(u_int32_t *seqnr_p)
         }
         /*
          * check if the entire packet has been received and
-         * decrypt into incoming_packet
+         * decrypt into incoming_packet:
+         * 'aadlen' bytes are unencrypted, but authenticated.
+         * 'need' bytes are encrypted, followed by
+         * 'maclen' bytes of message authentication code.
          */
-        if (buffer_len(&active_state->input) < need + maclen)
+        if (buffer_len(&active_state->input) < aadlen + need + maclen)
                 return SSH_MSG_NONE;
 #ifdef PACKET_DEBUG
         fprintf(stderr, "read_poll enc/full: ");
         buffer_dump(&active_state->input);
 #endif
-        cp = buffer_append_space(&active_state->incoming_packet, need);
+        /* EtM: compute mac over encrypted input */
+        if (mac && mac->enabled && mac->etm)
+                macbuf = mac_compute(mac, active_state->p_read.seqnr,
+                    buffer_ptr(&active_state->input), aadlen + need);
+        cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
         cipher_crypt(&active_state->receive_context, cp,
-            buffer_ptr(&active_state->input), need);
-        buffer_consume(&active_state->input, need);
+            buffer_ptr(&active_state->input), need, aadlen);
+        buffer_consume(&active_state->input, aadlen + need);
         /*
          * compute MAC over seqnr and packet,
          * increment sequence number for incoming packet
          */
         if (mac && mac->enabled) {
-                macbuf = mac_compute(mac, active_state->p_read.seqnr,
-                    buffer_ptr(&active_state->incoming_packet),
-                    buffer_len(&active_state->incoming_packet));
+                if (!mac->etm)
+                        macbuf = mac_compute(mac, active_state->p_read.seqnr,
+                            buffer_ptr(&active_state->incoming_packet),
+                            buffer_len(&active_state->incoming_packet));
                 if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input),
                     mac->mac_len) != 0) {
                         logit("Corrupted MAC on input.");
diff --git a/ssh_config.5 b/ssh_config.5
index 09a3cf035..ee466d800 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $
-.Dd $Mdocdate: December 2 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.160 2012/12/11 22:31:18 markus Exp $
+.Dd $Mdocdate: December 11 2012 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -792,8 +792,17 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
diff --git a/sshd_config.5 b/sshd_config.5
index ad3692b38..0f4aa639d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.151 2012/12/03 08:33:03 jmc Exp $
-.Dd $Mdocdate: December 3 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.152 2012/12/11 22:31:18 markus Exp $
+.Dd $Mdocdate: December 11 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -706,8 +706,17 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96