Hi all,

Attached to this email is a series of patches that implements Encrypt-then-MAC 
modes in LibSSH for the existing MACs: hmac-sha1, hmac-sha2-256, hmac-sha2-512 and 
hmac-md5. 

This is tested and also currently running on GitHub.com and is being 
successfully used by various clients already.

Some additional points for the patch series. 
0001-Use-constant-time-comparison-function-for-HMAC-compa.patch contains a 
patch previously sent upstream by Jon Simons that replaces the HMAC 
comparison function with a constant-time version. This is even more critical to 
include with Encrypt-then-MAC modes, as the MAC is the first thing to be 
compared in this scheme, which means it has to be resistant to timing attacks. 
This patch series should not be considered without also including this fix. 

0002-Select-ciphers-for-MAC-tests-that-need-a-MAC.patch contains a fix for the 
pkd tests, which, because they were not selecting an explicit cipher, were using 
chacha20-poly1305 as the cipher; that cipher has a MAC built in, so the tests did 
not exercise the actual MAC paths. 

0003-Refactor-ssh_packet_hmac_verify-to-allow-for-direct-.patch contains a 
small refactor to make the later patches easier to review in isolation as well. 
The rest of the series implements the necessary code and tests for 
Encrypt-then-MAC mode. 

I have also pushed it up to the GitLab mirror to run the tests there as well: 
https://gitlab.com/libssh/libssh-mirror/merge_requests/4. 

Cheers,

Dirkjan Bussink


Attachments:
  0001-Use-constant-time-comparison-function-for-HMAC-compa.patch
  0002-Select-ciphers-for-MAC-tests-that-need-a-MAC.patch
  0003-Refactor-ssh_packet_hmac_verify-to-allow-for-direct-.patch
  0004-Add-flag-for-tracking-EtM-HMACs.patch
  0005-Add-tests-for-Encrypt-then-MAC-mode.patch
  0006-Add-implementation-for-Encrypt-then-MAC-mode.patch
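The Encrypt-then-MAC ordering the series implements, and why the constant-time compare from 0001 matters for it, as an added example that is not part of this email or of libssh: the receiver checks the tag with hmac.compare_digest before decrypting anything. It assumes the OpenSSH-style etm layout (packet_length left unencrypted, MAC over sequence number || packet_length || ciphertext), uses a constructed HMAC-counter keystream as a stand-in cipher rather than a real SSH cipher, and omits SSH padding and block alignment.

```python
import hmac
import hashlib
import struct

TAG_LEN = hashlib.sha256().digest_size  # hmac-sha2-256 tag length, 32 bytes


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, constructed for this
    # example only. It is not an SSH cipher; it exists so the order of MAC check
    # and decryption can be shown.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">II", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def etm_seal(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC: packet_length stays in the clear, the payload is
    encrypted, and the MAC covers seq || packet_length || ciphertext."""
    length = struct.pack(">I", len(payload))
    ct = _xor(payload, _keystream(enc_key, seq, len(payload)))
    tag = hmac.new(mac_key, struct.pack(">I", seq) + length + ct, hashlib.sha256).digest()
    return length + ct + tag


def etm_open(enc_key: bytes, mac_key: bytes, seq: int, packet: bytes):
    """Verify the MAC first, with a constant-time compare, and decrypt only
    after it passes. Returns the payload, or None if the packet is rejected."""
    if len(packet) < 4 + TAG_LEN:
        return None
    length = struct.unpack(">I", packet[:4])[0]
    if len(packet) != 4 + length + TAG_LEN:
        return None
    ct, tag = packet[4:4 + length], packet[4 + length:]
    expected = hmac.new(mac_key, struct.pack(">I", seq) + packet[:4] + ct,
                        hashlib.sha256).digest()
    # The tag is the first thing compared in EtM, so an early-exit byte compare
    # here would leak how many tag bytes matched; compare_digest does not.
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(enc_key, seq, length))
```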
