asedeno.scripts.mit.edu Git - PuTTY.git/commit

author	Simon Tatham <anakin@pobox.com>
	Sun, 26 Apr 2015 22:30:32 +0000 (23:30 +0100)
committer	Simon Tatham <anakin@pobox.com>
	Sun, 26 Apr 2015 22:30:32 +0000 (23:30 +0100)
commit	183a9ee98b6535f8d059b4c488f198532ad84586
tree	515b037fec9df63b07ef7be0b5204fddfef09bf3	tree \| snapshot
parent	78989c97c94ef45b7081d80df1c35f2cc1edfea0	commit \| diff

Support OpenSSH encrypt-then-MAC protocol extension.

This causes the initial length field of the SSH-2 binary packet to be
unencrypted (with the knock-on effect that now the packet length not
including MAC must be congruent to 4 rather than 0 mod the cipher
block size), and then the MAC is applied over the unencrypted length
field and encrypted ciphertext (prefixed by the sequence number as
usual). At the cost of exposing some information about the packet
lengths to an attacker (but rarely anything they couldn't have
inferred from the TCP headers anyway), this closes down any
possibility of a MITM using the client as a decryption oracle, unless
they can _first_ fake a correct MAC.

ETM mode is enabled by means of selecting a different MAC identifier,
all the current ones of which are constructed by appending
"-etm@openssh.com" to the name of a MAC that already existed.

We currently prefer the original SSH-2 binary packet protocol (i.e. we
list all the ETM-mode MACs last in our KEXINIT), on the grounds that
it's better tested and more analysed, so at the moment the new mode is
only activated if a server refuses to speak anything else.

ssh.c		diff \| blob \| history
ssh.h		diff \| blob \| history
sshmd5.c		diff \| blob \| history
sshsh256.c		diff \| blob \| history
sshsha.c		diff \| blob \| history