Add flag for tracking EtM HMACs

This adds a flag to the type structures to track if we use a Encrypt-then-MAC cipher instead of Encrypt-and-MAC. EtM is a more secure hashing mechanism. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jon Simons <jon@jonsimons.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-08 19:44:36 +00:00 · 2019-02-08 19:44:36 +00:00 · e4c7912b35
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@ -25,6 +25,7 @@
 #ifndef _CRYPTO_H_
 #define _CRYPTO_H_

+#include <stdbool.h>
 #include "config.h"

 #ifdef HAVE_LIBGCRYPT
@ -133,6 +134,7 @@ struct ssh_crypto_struct {
    unsigned char hmacbuf[DIGEST_MAX_LEN];
    struct ssh_cipher_struct *in_cipher, *out_cipher; /* the cipher structures/objects */
    enum ssh_hmac_e in_hmac, out_hmac; /* the MAC algorithms used */
+    bool in_hmac_etm, out_hmac_etm; /* Whether EtM mode is used or not */

    ssh_key server_pubkey;
    int do_compress_out; /* idem */
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@ -21,6 +21,8 @@
 #ifndef WRAPPER_H_
 #define WRAPPER_H_

+#include <stdbool.h>
+
 #include "config.h"
 #include "libssh/libssh.h"
 #include "libssh/libcrypto.h"
@ -58,6 +60,7 @@ enum ssh_des_e {
 struct ssh_hmac_struct {
  const char* name;
  enum ssh_hmac_e hmac_type;
+  bool etm;
 };

 enum ssh_crypto_direction_e {
@ -119,6 +122,6 @@ void ssh_crypto_finalize(void);
 void ssh_cipher_clear(struct ssh_cipher_struct *cipher);
 struct ssh_hmac_struct *ssh_get_hmactab(void);
 struct ssh_cipher_struct *ssh_get_ciphertab(void);
-const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type);
+const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type, bool etm);

 #endif /* WRAPPER_H_ */
--- a/src/session.c
+++ b/src/session.c
@ -419,7 +419,7 @@ const char* ssh_get_cipher_out(ssh_session session) {
 const char* ssh_get_hmac_in(ssh_session session) {
    if ((session != NULL) &&
        (session->current_crypto != NULL)) {
-        return ssh_hmac_type_to_string(session->current_crypto->in_hmac);
+        return ssh_hmac_type_to_string(session->current_crypto->in_hmac, session->current_crypto->in_hmac_etm);
    }
    return NULL;
 }
@ -434,7 +434,7 @@ const char* ssh_get_hmac_in(ssh_session session) {
 const char* ssh_get_hmac_out(ssh_session session) {
    if ((session != NULL) &&
        (session->current_crypto != NULL)) {
-        return ssh_hmac_type_to_string(session->current_crypto->out_hmac);
+        return ssh_hmac_type_to_string(session->current_crypto->out_hmac, session->current_crypto->out_hmac_etm);
    }
    return NULL;
 }
--- a/src/wrapper.c
+++ b/src/wrapper.c
@ -56,13 +56,13 @@
 #include "libssh/curve25519.h"

 static struct ssh_hmac_struct ssh_hmac_tab[] = {
-  { "hmac-sha1",     SSH_HMAC_SHA1 },
-  { "hmac-sha2-256", SSH_HMAC_SHA256 },
-  { "hmac-sha2-512", SSH_HMAC_SHA512 },
-  { "hmac-md5",      SSH_HMAC_MD5 },
-  { "aead-poly1305", SSH_HMAC_AEAD_POLY1305 },
-  { "aead-gcm",      SSH_HMAC_AEAD_GCM },
-  { NULL,            0}
+  { "hmac-sha1",     SSH_HMAC_SHA1,          false },
+  { "hmac-sha2-256", SSH_HMAC_SHA256,        false },
+  { "hmac-sha2-512", SSH_HMAC_SHA512,        false },
+  { "hmac-md5",      SSH_HMAC_MD5,           false },
+  { "aead-poly1305", SSH_HMAC_AEAD_POLY1305, false },
+  { "aead-gcm",      SSH_HMAC_AEAD_GCM,      false },
+  { NULL,            0,                      false }
 };

 struct ssh_hmac_struct *ssh_get_hmactab(void) {
@ -88,11 +88,13 @@ size_t hmac_digest_len(enum ssh_hmac_e type) {
  }
 }

-const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type)
+const char *ssh_hmac_type_to_string(enum ssh_hmac_e hmac_type, bool etm)
 {
  int i = 0;
  struct ssh_hmac_struct *ssh_hmactab = ssh_get_hmactab();
-  while (ssh_hmactab[i].name && (ssh_hmactab[i].hmac_type != hmac_type)) {
+  while (ssh_hmactab[i].name &&
+         ((ssh_hmactab[i].hmac_type != hmac_type) ||
+          (ssh_hmactab[i].etm != etm))) {
    i++;
  }
  return ssh_hmactab[i].name;
@ -293,6 +295,7 @@ static int crypt_set_algorithms2(ssh_session session)
    SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", wanted);

    session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type;
+    session->next_crypto->out_hmac_etm = ssh_hmactab[i].etm;

    /* in */
    wanted = session->next_crypto->kex_methods[SSH_CRYPT_S_C];
@ -346,6 +349,7 @@ static int crypt_set_algorithms2(ssh_session session)
    SSH_LOG(SSH_LOG_PACKET, "Set HMAC input algorithm to %s", wanted);

    session->next_crypto->in_hmac = ssh_hmactab[i].hmac_type;
+    session->next_crypto->in_hmac_etm = ssh_hmactab[i].etm;

    /* compression */
    cmp = strcmp(session->next_crypto->kex_methods[SSH_COMP_C_S], "zlib");
@ -443,6 +447,7 @@ int crypt_set_algorithms_server(ssh_session session){
    SSH_LOG(SSH_LOG_PACKET, "Set HMAC output algorithm to %s", method);

    session->next_crypto->out_hmac = ssh_hmactab[i].hmac_type;
+    session->next_crypto->out_hmac_etm = ssh_hmactab[i].etm;

    /* in */
    method = session->next_crypto->kex_methods[SSH_CRYPT_C_S];
@ -495,6 +500,7 @@ int crypt_set_algorithms_server(ssh_session session){
    SSH_LOG(SSH_LOG_PACKET, "Set HMAC input algorithm to %s", method);

    session->next_crypto->in_hmac = ssh_hmactab[i].hmac_type;
+    session->next_crypto->in_hmac_etm = ssh_hmactab[i].etm;

    /* compression */
    method = session->next_crypto->kex_methods[SSH_COMP_C_S];