x/crypto/ssh: support additional MACs

[rickard-von-essen]

Support OpenSSH etm and umac ssh MAC's to allow Go to connect to ssh servers which don't allow older MAC's.

Currently golang.org/x/crypto/ssh packer only supports:

• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96

see ssh/mac.go#L47

The default MAC's in OpenBSD 6.0, see sshd_config (5) - MACs, in priority order is:

• umac-64-etm@openssh.com
• umac-128-etm@openssh.com
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-512-etm@openssh.com
• hmac-sha1-etm@openssh.com
• umac-64@openssh.com
• umac-128@openssh.com
• hmac-sha2-256
• hmac-sha2-512
• hmac-sha1

Only the two in bold overlap with the Go supported MAC's. The OpenSSH docs also state:

The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended

Following this leaves Go based software unable to connect over SSH.

go version go1.7.1 darwin/amd64

[odeke-em]

/cc @hanwen @agl

[hanwen]

"to connect to ssh servers which don't allow older MAC's." - are you aware of servers that don't support hmac-sha2-256 ?

[MiLk]

Recent servers support hmac-sha2-256, but there are cases where hmac-sha2-512 and hmac-sha2-256 are disabled to only allow Encrypt-then-MAC algorithms.

[hanwen]

I guess we could add hmac-sha2-256-etm@openssh.com ; want to cook up a CL ?

[MiLk]

I will try to look at it at the end of the month. I have to do more research on etm, and I won't have a lot of time the 2 weeks to come.

[MiLk]

In addition of the already present algorithm in https://github.com/golang/go/blob/master/src/crypto/hmac/hmac.go#L67-L90 which follows the FIPS 198-1 specs, I will need to implement Protocol 2 Encrypt-then-MAC MAC algorithms as defined in the openssh project: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L54-L80

The following documents/code sections might be useful to find how to do the implementation:

• https://tools.ietf.org/html/rfc4253
• https://tools.ietf.org/html/rfc2104
• https://github.com/golang/crypto/blob/81372b2fc2f10bef2a7f338da115c315a56b2726/ssh/cipher.go#L220-L225

EDIT:
After more thought, it seems I need to replace the standard algorithm by the one described here.

mac = MAC(key, sequence_number || ( length fields || payload || random padding ))
should be replaced by
mac = MAC(key, sequence_number || packet_length || encrypted_packet)

where "packet_length" is encoded as a uint32 and "encrypted_packet"
contains:

 byte      padding_length
 byte[n1]  payload; n1 = packet_length - padding_length - 1
 byte[n2]  random padding; n2 = padding_length

(as described in RFC4253)

C implementation here

[MiLk]

@hanwen I'm trying to setup my environment to work on x/crypto/ssh.
Should I work on it as any standard go package (clone, modify the code, go build, etc)?
Or is there anything special I need to do (installing go from the source, following https://golang.org/doc/contribute.html) ?

[hanwen]

just the standard methodology.

[hanwen]

you can follow the pattern for existing ciphers. The go package unittests against itself, but you should also make sure the test that runs against openssh passes (under the test/ directory)

[MiLk]

Ok, thank you. I will try to do something over the week end.