- markus@cvs.openbsd.org 2012/12/11 22:31:18

[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@

ChangeLog

@@ -4,6 +4,14 @@
      [monitor.c]
      drain the log messages after receiving the keystate from the unpriv
      child. otherwise it might block while sending. ok djm@
+   - markus@cvs.openbsd.org 2012/12/11 22:31:18
+     [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
+     [packet.c ssh_config.5 sshd_config.5]
+     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
+     that change the packet format and compute the MAC over the encrypted
+     message (including the packet size) instead of the plaintext data;
+     these EtM modes are considered more secure and used by default.
+     feedback and ok djm@
 
 20121207
  - (dtucker) OpenBSD CVS Sync

PROTOCOL

@@ -51,6 +51,33 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
 curve points encoded using point compression are NOT accepted or
 generated.
 
+1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
+
+OpenSSH supports MAC algorithms, whose names contain "-etm", that
+perform the calculations in a different order to that defined in RFC
+4253. These variants use the so-called "encrypt then MAC" ordering,
+calculating the MAC over the packet ciphertext rather than the
+plaintext. This ordering closes a security flaw in the SSH transport
+protocol, where decryption of unauthenticated ciphertext provided a
+"decryption oracle" that could, in conjunction with cipher flaws, reveal
+session plaintext.
+
+Specifically, the "-etm" MAC algorithms modify the transport protocol
+to calculate the MAC over the packet ciphertext and to send the packet
+length unencrypted. This is necessary for the transport to obtain the
+length of the packet and location of the MAC tag so that it may be
+verified without decrypting unauthenticated data.
+
+As such, the MAC covers:
+
+      mac = MAC(key, sequence_number || encrypted_packet)
+
+where "encrypted_packet" contains:
+
+      byte      padding_length
+      byte[n1]  payload; n1 = packet_length - padding_length - 1
+      byte[n2]  random padding; n2 = padding_length
+
 2. Connection protocol changes
 
 2.1. connection: Channel write close extension "eow@openssh.com"
@@ -291,4 +318,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
-$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $
+$OpenBSD: PROTOCOL,v 1.18 2012/12/11 22:31:18 markus Exp $

authfile.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.94 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
 	cipher_set_key_string(&ciphercontext, cipher, passphrase,
 	    CIPHER_ENCRYPT);
 	cipher_crypt(&ciphercontext, cp,
-	    buffer_ptr(&buffer), buffer_len(&buffer));
+	    buffer_ptr(&buffer), buffer_len(&buffer), 0);
 	cipher_cleanup(&ciphercontext);
 	memset(&ciphercontext, 0, sizeof(ciphercontext));
 
@@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
 	cipher_set_key_string(&ciphercontext, cipher, passphrase,
 	    CIPHER_DECRYPT);
 	cipher_crypt(&ciphercontext, cp,
-	    buffer_ptr(&copy), buffer_len(&copy));
+	    buffer_ptr(&copy), buffer_len(&copy), 0);
 	cipher_cleanup(&ciphercontext);
 	memset(&ciphercontext, 0, sizeof(ciphercontext));
 	buffer_free(&copy);

cipher.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.c,v 1.83 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -273,13 +273,25 @@ cipher_init(CipherContext *cc, Cipher *cipher,
 	}
 }
 
+/*
+ * cipher_crypt() operates as following:
+ * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
+ * Theses bytes are treated as additional authenticated data for
+ * authenticated encryption modes.
+ * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
+ * Both 'aadlen' and 'authlen' can be set to 0.
+ */
 void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len, u_int aadlen)
 {
+	if (aadlen)
+		memcpy(dest, src, aadlen);
 	if (len % cc->cipher->block_size)
-		fatal("cipher_encrypt: bad plaintext length %d", len);
-	if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
-		fatal("evp_crypt: EVP_Cipher failed");
+		fatal("%s: bad plaintext length %d", __func__, len);
+	if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+	    len) < 0)
+		fatal("%s: EVP_Cipher failed", __func__);
 }
 
 void

cipher.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.h,v 1.38 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,7 +76,7 @@ char	*cipher_name(int);
 int	 ciphers_valid(const char *);
 void	 cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
     const u_char *, u_int, int);
-void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
+void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int);
 void	 cipher_cleanup(CipherContext *);
 void	 cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
 u_int	 cipher_blocksize(const Cipher *);

kex.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.53 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -100,6 +100,7 @@ struct Mac {
 	u_char	*key;
 	u_int	key_len;
 	int	type;
+	int	etm;		/* Encrypt-then-MAC */
 	const EVP_MD	*evp_md;
 	HMAC_CTX	evp_ctx;
 	struct umac_ctx *umac_ctx;

mac.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */
+/* $OpenBSD: mac.c,v 1.20 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -58,19 +58,34 @@ struct {
 	int		key_len;	/* just for UMAC */
 	int		len;		/* just for UMAC */
 } macs[] = {
-	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
-	{ "hmac-sha1-96",		SSH_EVP, EVP_sha1, 96, -1, -1 },
+	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+	{ "hmac-sha1",				SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+	{ "hmac-sha1-96",			SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
 #ifdef HAVE_EVP_SHA256
-	{ "hmac-sha2-256",		SSH_EVP, EVP_sha256, 0, -1, -1 },
-	{ "hmac-sha2-512",		SSH_EVP, EVP_sha512, 0, -1, -1 },
+	{ "hmac-sha2-256",			SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+	{ "hmac-sha2-512",			SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 #endif
-	{ "hmac-md5",			SSH_EVP, EVP_md5, 0, -1, -1 },
-	{ "hmac-md5-96",		SSH_EVP, EVP_md5, 96, -1, -1 },
-	{ "hmac-ripemd160",		SSH_EVP, EVP_ripemd160, 0, -1, -1 },
-	{ "hmac-ripemd160@openssh.com",	SSH_EVP, EVP_ripemd160, 0, -1, -1 },
-	{ "umac-64@openssh.com",	SSH_UMAC, NULL, 0, 128, 64 },
-	{ "umac-128@openssh.com",	SSH_UMAC128, NULL, 0, 128, 128 },
-	{ NULL,				0, NULL, 0, -1, -1 }
+	{ "hmac-md5",				SSH_EVP, EVP_md5, 0, 0, 0, 0 },
+	{ "hmac-md5-96",			SSH_EVP, EVP_md5, 96, 0, 0, 0 },
+	{ "hmac-ripemd160",			SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+	{ "hmac-ripemd160@openssh.com",		SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+	{ "umac-64@openssh.com",		SSH_UMAC, NULL, 0, 128, 64, 0 },
+	{ "umac-128@openssh.com",		SSH_UMAC128, NULL, 0, 128, 128, 0 },
+
+	/* Encrypt-then-MAC variants */
+	{ "hmac-sha1-etm@openssh.com",		SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+	{ "hmac-sha1-96-etm@openssh.com",	SSH_EVP, EVP_sha1, 96, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+	{ "hmac-sha2-256-etm@openssh.com",	SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+	{ "hmac-sha2-512-etm@openssh.com",	SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
+	{ "hmac-md5-etm@openssh.com",		SSH_EVP, EVP_md5, 0, 0, 0, 1 },
+	{ "hmac-md5-96-etm@openssh.com",	SSH_EVP, EVP_md5, 96, 0, 0, 1 },
+	{ "hmac-ripemd160-tem@openssh.com",	SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
+	{ "umac-64-etm@openssh.com",		SSH_UMAC, NULL, 0, 128, 64, 1 },
+	{ "umac-128-etm@openssh.com",		SSH_UMAC128, NULL, 0, 128, 128, 1 },
+
+	{ NULL,					0, NULL, 0, 0, 0, 0 }
 };
 
 static void
@@ -90,6 +105,7 @@ mac_setup_by_id(Mac *mac, int which)
 	}
 	if (macs[which].truncatebits != 0)
 		mac->mac_len = macs[which].truncatebits / 8;
+	mac->etm = macs[which].etm;
 }
 
 int

myproposal.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.31 2012/12/11 22:31:18 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -83,6 +83,15 @@
 # define SHA2_HMAC_MODES
 #endif
 #define	KEX_DEFAULT_MAC \
+	"hmac-md5-etm@openssh.com," \
+	"hmac-sha1-etm@openssh.com," \
+	"umac-64-etm@openssh.com," \
+	"umac-128-etm@openssh.com," \
+	"hmac-sha2-256-etm@openssh.com," \
+	"hmac-sha2-512-etm@openssh.com," \
+	"hmac-ripemd160-etm@openssh.com," \
+	"hmac-sha1-96-etm@openssh.com," \
+	"hmac-md5-96-etm@openssh.com," \
 	"hmac-md5," \
 	"hmac-sha1," \
 	"umac-64@openssh.com," \

packet.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.178 2012/12/11 22:31:18 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -275,7 +275,7 @@ packet_stop_discard(void)
 static void
 packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard)
 {
-	if (enc == NULL || !cipher_is_cbc(enc->cipher))
+	if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm))
 		packet_disconnect("Packet corrupt");
 	if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled)
 		active_state->packet_discard_mac = mac;
@@ -709,7 +709,7 @@ packet_send1(void)
 	    buffer_len(&active_state->outgoing_packet));
 	cipher_crypt(&active_state->send_context, cp,
 	    buffer_ptr(&active_state->outgoing_packet),
-	    buffer_len(&active_state->outgoing_packet));
+	    buffer_len(&active_state->outgoing_packet), 0);
 
 #ifdef PACKET_DEBUG
 	fprintf(stderr, "encrypted: ");
@@ -845,9 +845,8 @@ static void
 packet_send2_wrapped(void)
 {
 	u_char type, *cp, *macbuf = NULL;
-	u_char padlen, pad;
-	u_int packet_length = 0;
-	u_int i, len;
+	u_char padlen, pad = 0;
+	u_int i, len, aadlen = 0;
 	u_int32_t rnd = 0;
 	Enc *enc   = NULL;
 	Mac *mac   = NULL;
@@ -860,6 +859,7 @@ packet_send2_wrapped(void)
 		comp = &active_state->newkeys[MODE_OUT]->comp;
 	}
 	block_size = enc ? enc->block_size : 8;
+	aadlen = mac && mac->enabled && mac->etm ? 4 : 0;
 
 	cp = buffer_ptr(&active_state->outgoing_packet);
 	type = cp[5];
@@ -892,6 +892,7 @@ packet_send2_wrapped(void)
 	 * calc size of padding, alloc space, get random data,
 	 * minimum padding is 4 bytes
 	 */
+	len -= aadlen; /* packet length is not encrypted for EtM modes */
 	padlen = block_size - (len % block_size);
 	if (padlen < 4)
 		padlen += block_size;
@@ -919,29 +920,37 @@ packet_send2_wrapped(void)
 		/* clear padding */
 		memset(cp, 0, padlen);
 	}
-	/* packet_length includes payload, padding and padding length field */
-	packet_length = buffer_len(&active_state->outgoing_packet) - 4;
+	/* sizeof (packet_len + pad_len + payload + padding) */
+	len = buffer_len(&active_state->outgoing_packet);
 	cp = buffer_ptr(&active_state->outgoing_packet);
-	put_u32(cp, packet_length);
+	/* packet_length includes payload, padding and padding length field */
+	put_u32(cp, len - 4);
 	cp[4] = padlen;
-	DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
+	DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
+	    len, padlen, aadlen));
 
 	/* compute MAC over seqnr and packet(length fields, payload, padding) */
-	if (mac && mac->enabled) {
+	if (mac && mac->enabled && !mac->etm) {
 		macbuf = mac_compute(mac, active_state->p_send.seqnr,
-		    buffer_ptr(&active_state->outgoing_packet),
-		    buffer_len(&active_state->outgoing_packet));
+		    buffer_ptr(&active_state->outgoing_packet), len);
 		DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr));
 	}
 	/* encrypt packet and append to output buffer. */
-	cp = buffer_append_space(&active_state->output,
-	    buffer_len(&active_state->outgoing_packet));
+	cp = buffer_append_space(&active_state->output, len);
 	cipher_crypt(&active_state->send_context, cp,
 	    buffer_ptr(&active_state->outgoing_packet),
-	    buffer_len(&active_state->outgoing_packet));
+	    len - aadlen, aadlen);
 	/* append unencrypted MAC */
-	if (mac && mac->enabled)
+	if (mac && mac->enabled) {
+		if (mac->etm) {
+			/* EtM: compute mac over aadlen + cipher text */
+			macbuf = mac_compute(mac,
+			    active_state->p_send.seqnr, cp, len);
+			DBG(debug("done calc MAC(EtM) out #%d",
+			    active_state->p_send.seqnr));
+		}
 		buffer_append(&active_state->output, macbuf, mac->mac_len);
+	}
 #ifdef PACKET_DEBUG
 	fprintf(stderr, "encrypted: ");
 	buffer_dump(&active_state->output);
@@ -952,8 +961,8 @@ packet_send2_wrapped(void)
 	if (++active_state->p_send.packets == 0)
 		if (!(datafellows & SSH_BUG_NOREKEY))
 			fatal("XXX too many packets with same key");
-	active_state->p_send.blocks += (packet_length + 4) / block_size;
-	active_state->p_send.bytes += packet_length + 4;
+	active_state->p_send.blocks += len / block_size;
+	active_state->p_send.bytes += len;
 	buffer_clear(&active_state->outgoing_packet);
 
 	if (type == SSH2_MSG_NEWKEYS)
@@ -1190,7 +1199,7 @@ packet_read_poll1(void)
 	buffer_clear(&active_state->incoming_packet);
 	cp = buffer_append_space(&active_state->incoming_packet, padded_len);
 	cipher_crypt(&active_state->receive_context, cp,
-	    buffer_ptr(&active_state->input), padded_len);
+	    buffer_ptr(&active_state->input), padded_len, 0);
 
 	buffer_consume(&active_state->input, padded_len);
 
@@ -1238,8 +1247,8 @@ static int
 packet_read_poll2(u_int32_t *seqnr_p)
 {
 	u_int padlen, need;
-	u_char *macbuf, *cp, type;
-	u_int maclen, block_size;
+	u_char *macbuf = NULL, *cp, type;
+	u_int maclen, aadlen = 0, block_size;
 	Enc *enc   = NULL;
 	Mac *mac   = NULL;
 	Comp *comp = NULL;
@@ -1254,8 +1263,22 @@ packet_read_poll2(u_int32_t *seqnr_p)
 	}
 	maclen = mac && mac->enabled ? mac->mac_len : 0;
 	block_size = enc ? enc->block_size : 8;
+	aadlen = mac && mac->enabled && mac->etm ? 4 : 0;
 
-	if (active_state->packlen == 0) {
+	if (aadlen && active_state->packlen == 0) {
+		if (buffer_len(&active_state->input) < 4)
+			return SSH_MSG_NONE;
+		cp = buffer_ptr(&active_state->input);
+		active_state->packlen = get_u32(cp);
+		if (active_state->packlen < 1 + 4 ||
+		    active_state->packlen > PACKET_MAX_SIZE) {
+#ifdef PACKET_DEBUG
+			buffer_dump(&active_state->input);
+#endif
+			logit("Bad packet length %u.", active_state->packlen);
+			packet_disconnect("Packet corrupt");
+		}
+	} else if (active_state->packlen == 0) {
 		/*
 		 * check if input size is less than the cipher block size,
 		 * decrypt first block and extract length of incoming packet
@@ -1266,7 +1289,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
 		cp = buffer_append_space(&active_state->incoming_packet,
 		    block_size);
 		cipher_crypt(&active_state->receive_context, cp,
-		    buffer_ptr(&active_state->input), block_size);
+		    buffer_ptr(&active_state->input), block_size, 0);
 		cp = buffer_ptr(&active_state->incoming_packet);
 		active_state->packlen = get_u32(cp);
 		if (active_state->packlen < 1 + 4 ||
@@ -1279,13 +1302,21 @@ packet_read_poll2(u_int32_t *seqnr_p)
 			    PACKET_MAX_SIZE);
 			return SSH_MSG_NONE;
 		}
-		DBG(debug("input: packet len %u", active_state->packlen+4));
 		buffer_consume(&active_state->input, block_size);
 	}
-	/* we have a partial packet of block_size bytes */
-	need = 4 + active_state->packlen - block_size;
-	DBG(debug("partial packet %d, need %d, maclen %d", block_size,
-	    need, maclen));
+	DBG(debug("input: packet len %u", active_state->packlen+4));
+	if (aadlen) {
+		/* only the payload is encrypted */
+		need = active_state->packlen;
+	} else {
+		/*
+		 * the payload size and the payload are encrypted, but we
+		 * have a partial packet of block_size bytes
+		 */
+		need = 4 + active_state->packlen - block_size;
+	}
+	DBG(debug("partial packet: block %d, need %d, maclen %d, aadlen %d",
+	    block_size, need, maclen, aadlen));
 	if (need % block_size != 0) {
 		logit("padding error: need %d block %d mod %d",
 		    need, block_size, need % block_size);
@@ -1295,26 +1326,34 @@ packet_read_poll2(u_int32_t *seqnr_p)
 	}
 	/*
 	 * check if the entire packet has been received and
-	 * decrypt into incoming_packet
+	 * decrypt into incoming_packet:
+	 * 'aadlen' bytes are unencrypted, but authenticated.
+	 * 'need' bytes are encrypted, followed by
+	 * 'maclen' bytes of message authentication code.
 	 */
-	if (buffer_len(&active_state->input) < need + maclen)
+	if (buffer_len(&active_state->input) < aadlen + need + maclen)
 		return SSH_MSG_NONE;
 #ifdef PACKET_DEBUG
 	fprintf(stderr, "read_poll enc/full: ");
 	buffer_dump(&active_state->input);
 #endif
-	cp = buffer_append_space(&active_state->incoming_packet, need);
+	/* EtM: compute mac over encrypted input */
+	if (mac && mac->enabled && mac->etm)
+		macbuf = mac_compute(mac, active_state->p_read.seqnr,
+		    buffer_ptr(&active_state->input), aadlen + need);
+	cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
 	cipher_crypt(&active_state->receive_context, cp,
-	    buffer_ptr(&active_state->input), need);
-	buffer_consume(&active_state->input, need);
+	    buffer_ptr(&active_state->input), need, aadlen);
+	buffer_consume(&active_state->input, aadlen + need);
 	/*
 	 * compute MAC over seqnr and packet,
 	 * increment sequence number for incoming packet
 	 */
 	if (mac && mac->enabled) {
-		macbuf = mac_compute(mac, active_state->p_read.seqnr,
-		    buffer_ptr(&active_state->incoming_packet),
-		    buffer_len(&active_state->incoming_packet));
+		if (!mac->etm)
+			macbuf = mac_compute(mac, active_state->p_read.seqnr,
+			    buffer_ptr(&active_state->incoming_packet),
+			    buffer_len(&active_state->incoming_packet));
 		if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input),
 		    mac->mac_len) != 0) {
 			logit("Corrupted MAC on input.");

ssh_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $
-.Dd $Mdocdate: December 2 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.160 2012/12/11 22:31:18 markus Exp $
+.Dd $Mdocdate: December 11 2012 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -792,8 +792,17 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96

sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.151 2012/12/03 08:33:03 jmc Exp $
-.Dd $Mdocdate: December 3 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.152 2012/12/11 22:31:18 markus Exp $
+.Dd $Mdocdate: December 11 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -706,8 +706,17 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96