Add tests and implementation for Encrypt-then-MAC mode

This adds the OpenSSH HMACs that do encrypt then mac. This is a more secure mode than the original HMAC. Newer AEAD ciphers like chacha20 and AES-GCM are already encrypt-then-mac, but this also adds it for older legacy clients that don't support those ciphers yet. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jon Simons <jon@jonsimons.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2025-11-27 13:21:11 +03:00 · 2019-02-12 08:56:37 +00:00
parent e4c7912b35
commit 4a67c19118
9 changed files with 465 additions and 87 deletions
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -56,13 +56,17 @@
 #include "libssh/curve25519.h"

 static struct ssh_hmac_struct ssh_hmac_tab[] = {
-  { "hmac-sha1",     SSH_HMAC_SHA1,          false },
-  { "hmac-sha2-256", SSH_HMAC_SHA256,        false },
-  { "hmac-sha2-512", SSH_HMAC_SHA512,        false },
-  { "hmac-md5",      SSH_HMAC_MD5,           false },
-  { "aead-poly1305", SSH_HMAC_AEAD_POLY1305, false },
-  { "aead-gcm",      SSH_HMAC_AEAD_GCM,      false },
-  { NULL,            0,                      false }
+  { "hmac-sha1",                     SSH_HMAC_SHA1,          false },
+  { "hmac-sha2-256",                 SSH_HMAC_SHA256,        false },
+  { "hmac-sha2-512",                 SSH_HMAC_SHA512,        false },
+  { "hmac-md5",                      SSH_HMAC_MD5,           false },
+  { "aead-poly1305",                 SSH_HMAC_AEAD_POLY1305, false },
+  { "aead-gcm",                      SSH_HMAC_AEAD_GCM,      false },
+  { "hmac-sha1-etm@openssh.com",     SSH_HMAC_SHA1,          true  },
+  { "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256,        true  },
+  { "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512,        true  },
+  { "hmac-md5-etm@openssh.com",      SSH_HMAC_MD5,           true  },
+  { NULL,                            0,                      false }
 };

 struct ssh_hmac_struct *ssh_get_hmactab(void) {