From 427e409e99d465118fbc2f7c1ca2c5d44365f5a8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Oct 2012 11:02:39 +1000 Subject: - markus@cvs.openbsd.org 2012/10/04 13:21:50 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 (note: further Makefile work is required) --- mac.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'mac.c') diff --git a/mac.c b/mac.c index 9b450e4e2..47db127f5 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -48,6 +48,7 @@ #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ +#define SSH_UMAC128 3 struct { char *name; @@ -68,6 +69,7 @@ struct { { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, + { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128 }, { NULL, 0, NULL, 0, -1, -1 } }; @@ -122,6 +124,9 @@ mac_init(Mac *mac) case SSH_UMAC: mac->umac_ctx = umac_new(mac->key); return 0; + case SSH_UMAC128: + mac->umac_ctx = umac128_new(mac->key); + return 0; default: return -1; } @@ -151,6 +156,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) umac_update(mac->umac_ctx, data, datalen); umac_final(mac->umac_ctx, m, nonce); break; + case SSH_UMAC128: + put_u64(nonce, seqno); + umac128_update(mac->umac_ctx, data, datalen); + umac128_final(mac->umac_ctx, m, nonce); + break; default: fatal("mac_compute: unknown MAC type"); } @@ -163,6 +173,9 @@ mac_clear(Mac *mac) if (mac->type == SSH_UMAC) { if (mac->umac_ctx != NULL) umac_delete(mac->umac_ctx); + } else if (mac->type == SSH_UMAC128) { + if (mac->umac_ctx != NULL) + umac128_delete(mac->umac_ctx); } else if (mac->evp_md != NULL) HMAC_cleanup(&mac->evp_ctx); mac->evp_md = NULL; -- cgit v1.2.3 From af43a7ac2d77c57112b48f34c7a72be2adb761bc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 12 Dec 2012 10:46:31 +1100 Subject: - markus@cvs.openbsd.org 2012/12/11 22:31:18 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ --- ChangeLog | 8 +++++ PROTOCOL | 29 ++++++++++++++- authfile.c | 6 ++-- cipher.c | 22 +++++++++--- cipher.h | 4 +-- kex.h | 3 +- mac.c | 40 ++++++++++++++------- myproposal.h | 11 +++++- packet.c | 113 +++++++++++++++++++++++++++++++++++++++------------------- ssh_config.5 | 13 +++++-- sshd_config.5 | 13 +++++-- 11 files changed, 196 insertions(+), 66 deletions(-) (limited to 'mac.c') diff --git a/ChangeLog b/ChangeLog index b96329ef2..df6d03207 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,14 @@ [monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@ + - markus@cvs.openbsd.org 2012/12/11 22:31:18 + [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] + [packet.c ssh_config.5 sshd_config.5] + add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms + that change the packet format and compute the MAC over the encrypted + message (including the packet size) instead of the plaintext data; + these EtM modes are considered more secure and used by default. + feedback and ok djm@ 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/PROTOCOL b/PROTOCOL index c28196011..834716cc9 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic curve points encoded using point compression are NOT accepted or generated. +1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms + +OpenSSH supports MAC algorithms, whose names contain "-etm", that +perform the calculations in a different order to that defined in RFC +4253. These variants use the so-called "encrypt then MAC" ordering, +calculating the MAC over the packet ciphertext rather than the +plaintext. This ordering closes a security flaw in the SSH transport +protocol, where decryption of unauthenticated ciphertext provided a +"decryption oracle" that could, in conjunction with cipher flaws, reveal +session plaintext. + +Specifically, the "-etm" MAC algorithms modify the transport protocol +to calculate the MAC over the packet ciphertext and to send the packet +length unencrypted. This is necessary for the transport to obtain the +length of the packet and location of the MAC tag so that it may be +verified without decrypting unauthenticated data. + +As such, the MAC covers: + + mac = MAC(key, sequence_number || encrypted_packet) + +where "encrypted_packet" contains: + + byte padding_length + byte[n1] payload; n1 = packet_length - padding_length - 1 + byte[n2] random padding; n2 = padding_length + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ +$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $ diff --git a/authfile.c b/authfile.c index 7dd449690..d9ee4ca65 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.94 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_ENCRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(&buffer), buffer_len(&buffer)); + buffer_ptr(&buffer), buffer_len(&buffer), 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); @@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) cipher_set_key_string(&ciphercontext, cipher, passphrase, CIPHER_DECRYPT); cipher_crypt(&ciphercontext, cp, - buffer_ptr(©), buffer_len(©)); + buffer_ptr(©), buffer_len(©), 0); cipher_cleanup(&ciphercontext); memset(&ciphercontext, 0, sizeof(ciphercontext)); buffer_free(©); diff --git a/cipher.c b/cipher.c index bb5c0ac3a..2116b55b1 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ +/* $OpenBSD: cipher.c,v 1.83 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -273,13 +273,25 @@ cipher_init(CipherContext *cc, Cipher *cipher, } } +/* + * cipher_crypt() operates as following: + * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. + * Theses bytes are treated as additional authenticated data for + * authenticated encryption modes. + * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. + * Both 'aadlen' and 'authlen' can be set to 0. + */ void -cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) +cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, + u_int len, u_int aadlen) { + if (aadlen) + memcpy(dest, src, aadlen); if (len % cc->cipher->block_size) - fatal("cipher_encrypt: bad plaintext length %d", len); - if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) - fatal("evp_crypt: EVP_Cipher failed"); + fatal("%s: bad plaintext length %d", __func__, len); + if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, + len) < 0) + fatal("%s: EVP_Cipher failed", __func__); } void diff --git a/cipher.h b/cipher.h index 3dd2270bb..78972fea5 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.38 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen @@ -76,7 +76,7 @@ char *cipher_name(int); int ciphers_valid(const char *); void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, const u_char *, u_int, int); -void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); +void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int); void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); diff --git a/kex.h b/kex.h index 7373d3c78..03b984cc8 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.53 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -100,6 +100,7 @@ struct Mac { u_char *key; u_int key_len; int type; + int etm; /* Encrypt-then-MAC */ const EVP_MD *evp_md; HMAC_CTX evp_ctx; struct umac_ctx *umac_ctx; diff --git a/mac.c b/mac.c index 47db127f5..0ece2e55d 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -58,19 +58,34 @@ struct { int key_len; /* just for UMAC */ int len; /* just for UMAC */ } macs[] = { - { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, - { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, + /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, + { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, #ifdef HAVE_EVP_SHA256 - { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, - { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, #endif - { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, - { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, - { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, - { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, - { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, - { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128 }, - { NULL, 0, NULL, 0, -1, -1 } + { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, + { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 }, + { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, + { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, + { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 }, + { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 }, + + /* Encrypt-then-MAC variants */ + { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 }, + { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 }, +#ifdef HAVE_EVP_SHA256 + { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, + { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, +#endif + { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, + { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, + { "hmac-ripemd160-tem@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, + { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, + { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, + + { NULL, 0, NULL, 0, 0, 0, 0 } }; static void @@ -90,6 +105,7 @@ mac_setup_by_id(Mac *mac, int which) } if (macs[which].truncatebits != 0) mac->mac_len = macs[which].truncatebits / 8; + mac->etm = macs[which].etm; } int diff --git a/myproposal.h b/myproposal.h index 5e2b99857..d98f4b051 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.31 2012/12/11 22:31:18 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -83,6 +83,15 @@ # define SHA2_HMAC_MODES #endif #define KEX_DEFAULT_MAC \ + "hmac-md5-etm@openssh.com," \ + "hmac-sha1-etm@openssh.com," \ + "umac-64-etm@openssh.com," \ + "umac-128-etm@openssh.com," \ + "hmac-sha2-256-etm@openssh.com," \ + "hmac-sha2-512-etm@openssh.com," \ + "hmac-ripemd160-etm@openssh.com," \ + "hmac-sha1-96-etm@openssh.com," \ + "hmac-md5-96-etm@openssh.com," \ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ diff --git a/packet.c b/packet.c index b75c081f0..be8907854 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.178 2012/12/11 22:31:18 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -275,7 +275,7 @@ packet_stop_discard(void) static void packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) { - if (enc == NULL || !cipher_is_cbc(enc->cipher)) + if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) packet_disconnect("Packet corrupt"); if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) active_state->packet_discard_mac = mac; @@ -709,7 +709,7 @@ packet_send1(void) buffer_len(&active_state->outgoing_packet)); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + buffer_len(&active_state->outgoing_packet), 0); #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); @@ -845,9 +845,8 @@ static void packet_send2_wrapped(void) { u_char type, *cp, *macbuf = NULL; - u_char padlen, pad; - u_int packet_length = 0; - u_int i, len; + u_char padlen, pad = 0; + u_int i, len, aadlen = 0; u_int32_t rnd = 0; Enc *enc = NULL; Mac *mac = NULL; @@ -860,6 +859,7 @@ packet_send2_wrapped(void) comp = &active_state->newkeys[MODE_OUT]->comp; } block_size = enc ? enc->block_size : 8; + aadlen = mac && mac->enabled && mac->etm ? 4 : 0; cp = buffer_ptr(&active_state->outgoing_packet); type = cp[5]; @@ -892,6 +892,7 @@ packet_send2_wrapped(void) * calc size of padding, alloc space, get random data, * minimum padding is 4 bytes */ + len -= aadlen; /* packet length is not encrypted for EtM modes */ padlen = block_size - (len % block_size); if (padlen < 4) padlen += block_size; @@ -919,29 +920,37 @@ packet_send2_wrapped(void) /* clear padding */ memset(cp, 0, padlen); } - /* packet_length includes payload, padding and padding length field */ - packet_length = buffer_len(&active_state->outgoing_packet) - 4; + /* sizeof (packet_len + pad_len + payload + padding) */ + len = buffer_len(&active_state->outgoing_packet); cp = buffer_ptr(&active_state->outgoing_packet); - put_u32(cp, packet_length); + /* packet_length includes payload, padding and padding length field */ + put_u32(cp, len - 4); cp[4] = padlen; - DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); + DBG(debug("send: len %d (includes padlen %d, aadlen %d)", + len, padlen, aadlen)); /* compute MAC over seqnr and packet(length fields, payload, padding) */ - if (mac && mac->enabled) { + if (mac && mac->enabled && !mac->etm) { macbuf = mac_compute(mac, active_state->p_send.seqnr, - buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + buffer_ptr(&active_state->outgoing_packet), len); DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); } /* encrypt packet and append to output buffer. */ - cp = buffer_append_space(&active_state->output, - buffer_len(&active_state->outgoing_packet)); + cp = buffer_append_space(&active_state->output, len); cipher_crypt(&active_state->send_context, cp, buffer_ptr(&active_state->outgoing_packet), - buffer_len(&active_state->outgoing_packet)); + len - aadlen, aadlen); /* append unencrypted MAC */ - if (mac && mac->enabled) + if (mac && mac->enabled) { + if (mac->etm) { + /* EtM: compute mac over aadlen + cipher text */ + macbuf = mac_compute(mac, + active_state->p_send.seqnr, cp, len); + DBG(debug("done calc MAC(EtM) out #%d", + active_state->p_send.seqnr)); + } buffer_append(&active_state->output, macbuf, mac->mac_len); + } #ifdef PACKET_DEBUG fprintf(stderr, "encrypted: "); buffer_dump(&active_state->output); @@ -952,8 +961,8 @@ packet_send2_wrapped(void) if (++active_state->p_send.packets == 0) if (!(datafellows & SSH_BUG_NOREKEY)) fatal("XXX too many packets with same key"); - active_state->p_send.blocks += (packet_length + 4) / block_size; - active_state->p_send.bytes += packet_length + 4; + active_state->p_send.blocks += len / block_size; + active_state->p_send.bytes += len; buffer_clear(&active_state->outgoing_packet); if (type == SSH2_MSG_NEWKEYS) @@ -1190,7 +1199,7 @@ packet_read_poll1(void) buffer_clear(&active_state->incoming_packet); cp = buffer_append_space(&active_state->incoming_packet, padded_len); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), padded_len); + buffer_ptr(&active_state->input), padded_len, 0); buffer_consume(&active_state->input, padded_len); @@ -1238,8 +1247,8 @@ static int packet_read_poll2(u_int32_t *seqnr_p) { u_int padlen, need; - u_char *macbuf, *cp, type; - u_int maclen, block_size; + u_char *macbuf = NULL, *cp, type; + u_int maclen, aadlen = 0, block_size; Enc *enc = NULL; Mac *mac = NULL; Comp *comp = NULL; @@ -1254,8 +1263,22 @@ packet_read_poll2(u_int32_t *seqnr_p) } maclen = mac && mac->enabled ? mac->mac_len : 0; block_size = enc ? enc->block_size : 8; + aadlen = mac && mac->enabled && mac->etm ? 4 : 0; - if (active_state->packlen == 0) { + if (aadlen && active_state->packlen == 0) { + if (buffer_len(&active_state->input) < 4) + return SSH_MSG_NONE; + cp = buffer_ptr(&active_state->input); + active_state->packlen = get_u32(cp); + if (active_state->packlen < 1 + 4 || + active_state->packlen > PACKET_MAX_SIZE) { +#ifdef PACKET_DEBUG + buffer_dump(&active_state->input); +#endif + logit("Bad packet length %u.", active_state->packlen); + packet_disconnect("Packet corrupt"); + } + } else if (active_state->packlen == 0) { /* * check if input size is less than the cipher block size, * decrypt first block and extract length of incoming packet @@ -1266,7 +1289,7 @@ packet_read_poll2(u_int32_t *seqnr_p) cp = buffer_append_space(&active_state->incoming_packet, block_size); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), block_size); + buffer_ptr(&active_state->input), block_size, 0); cp = buffer_ptr(&active_state->incoming_packet); active_state->packlen = get_u32(cp); if (active_state->packlen < 1 + 4 || @@ -1279,13 +1302,21 @@ packet_read_poll2(u_int32_t *seqnr_p) PACKET_MAX_SIZE); return SSH_MSG_NONE; } - DBG(debug("input: packet len %u", active_state->packlen+4)); buffer_consume(&active_state->input, block_size); } - /* we have a partial packet of block_size bytes */ - need = 4 + active_state->packlen - block_size; - DBG(debug("partial packet %d, need %d, maclen %d", block_size, - need, maclen)); + DBG(debug("input: packet len %u", active_state->packlen+4)); + if (aadlen) { + /* only the payload is encrypted */ + need = active_state->packlen; + } else { + /* + * the payload size and the payload are encrypted, but we + * have a partial packet of block_size bytes + */ + need = 4 + active_state->packlen - block_size; + } + DBG(debug("partial packet: block %d, need %d, maclen %d, aadlen %d", + block_size, need, maclen, aadlen)); if (need % block_size != 0) { logit("padding error: need %d block %d mod %d", need, block_size, need % block_size); @@ -1295,26 +1326,34 @@ packet_read_poll2(u_int32_t *seqnr_p) } /* * check if the entire packet has been received and - * decrypt into incoming_packet + * decrypt into incoming_packet: + * 'aadlen' bytes are unencrypted, but authenticated. + * 'need' bytes are encrypted, followed by + * 'maclen' bytes of message authentication code. */ - if (buffer_len(&active_state->input) < need + maclen) + if (buffer_len(&active_state->input) < aadlen + need + maclen) return SSH_MSG_NONE; #ifdef PACKET_DEBUG fprintf(stderr, "read_poll enc/full: "); buffer_dump(&active_state->input); #endif - cp = buffer_append_space(&active_state->incoming_packet, need); + /* EtM: compute mac over encrypted input */ + if (mac && mac->enabled && mac->etm) + macbuf = mac_compute(mac, active_state->p_read.seqnr, + buffer_ptr(&active_state->input), aadlen + need); + cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); cipher_crypt(&active_state->receive_context, cp, - buffer_ptr(&active_state->input), need); - buffer_consume(&active_state->input, need); + buffer_ptr(&active_state->input), need, aadlen); + buffer_consume(&active_state->input, aadlen + need); /* * compute MAC over seqnr and packet, * increment sequence number for incoming packet */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, active_state->p_read.seqnr, - buffer_ptr(&active_state->incoming_packet), - buffer_len(&active_state->incoming_packet)); + if (!mac->etm) + macbuf = mac_compute(mac, active_state->p_read.seqnr, + buffer_ptr(&active_state->incoming_packet), + buffer_len(&active_state->incoming_packet)); if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), mac->mac_len) != 0) { logit("Corrupted MAC on input."); diff --git a/ssh_config.5 b/ssh_config.5 index 09a3cf035..ee466d800 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $ -.Dd $Mdocdate: December 2 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.160 2012/12/11 22:31:18 markus Exp $ +.Dd $Mdocdate: December 11 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -792,8 +792,17 @@ in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +The algorithms that contain +.Dq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. The default is: .Bd -literal -offset indent +hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, +hmac-md5-96-etm@openssh.com, hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 diff --git a/sshd_config.5 b/sshd_config.5 index ad3692b38..0f4aa639d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.151 2012/12/03 08:33:03 jmc Exp $ -.Dd $Mdocdate: December 3 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.152 2012/12/11 22:31:18 markus Exp $ +.Dd $Mdocdate: December 11 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -706,8 +706,17 @@ Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +The algorithms that contain +.Dq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. The default is: .Bd -literal -offset indent +hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, +hmac-md5-96-etm@openssh.com, hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 -- cgit v1.2.3 From 74f13bdf26fc9ef29b9789d7004817ab7e7a295a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 12 Dec 2012 10:46:53 +1100 Subject: - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ --- ChangeLog | 3 +++ mac.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'mac.c') diff --git a/ChangeLog b/ChangeLog index df6d03207..425f7276b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ + - sthen@cvs.openbsd.org 2012/12/11 22:51:45 + [mac.c] + fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index 0ece2e55d..e55face40 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */ +/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -81,7 +81,7 @@ struct { #endif { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, - { "hmac-ripemd160-tem@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, + { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, -- cgit v1.2.3 From 37834afe7be91de1aff4bdffbef2c54797ec58d6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 12 Dec 2012 11:00:37 +1100 Subject: - (djm) [mac.c] fix merge botch --- ChangeLog | 1 + mac.c | 1 + 2 files changed, 2 insertions(+) (limited to 'mac.c') diff --git a/ChangeLog b/ChangeLog index 05a3b078d..ed58d1ced 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,7 @@ - markus@cvs.openbsd.org 2012/12/11 23:12:13 [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com + - (djm) [mac.c] fix merge botch 20121207 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index e55face40..3f2dc6f2a 100644 --- a/mac.c +++ b/mac.c @@ -57,6 +57,7 @@ struct { int truncatebits; /* truncate digest if != 0 */ int key_len; /* just for UMAC */ int len; /* just for UMAC */ + int etm; /* Encrypt-then-MAC */ } macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, -- cgit v1.2.3