makiko/mac/mod.rs
//! Message authentication algorithms.
//!
//! The SSH protocol supports many message authentication algorithms (MACs), which are used to
//! provide **integrity** (an attacker cannot modify the messages that we exchange over SSH
//! without the modification being detected).
//!
//! The client and the server exchange lists of supported algorithms, and the first algorithm on
//! the client's list that is also supported by the server is used for the connection.
//!
//! # Supported algorithms
//!
//! - "hmac-sha2-256" ([`HMAC_SHA2_256`])
//! - "hmac-sha2-512" ([`HMAC_SHA2_512`])
//! - "hmac-sha1" ([`HMAC_SHA1`])
//! - "hmac-sha2-256-etm@openssh.com" ([`HMAC_SHA2_256_ETM`])
//! - "hmac-sha2-512-etm@openssh.com" ([`HMAC_SHA2_512_ETM`])
//! - "hmac-sha1-etm@openssh.com" ([`HMAC_SHA1_ETM`])
//! - "none" ([`NONE`]): in the SSH protocol this name means that no MAC is computed, so by
//!   itself it provides no integrity protection
18use crate::Result;
19use derivative::Derivative;
20pub use self::hmac::{
21 HMAC_SHA2_256, HMAC_SHA2_512, HMAC_SHA1,
22 HMAC_SHA2_256_ETM, HMAC_SHA2_512_ETM, HMAC_SHA1_ETM,
23};
24pub use self::none::NONE;
25pub(crate) use self::none::{INVALID, Empty};
26
27mod none;
28mod hmac;
29
/// Algorithm for authenticating messages.
///
/// See the [module documentation][self] for details.
///
/// A value of this type only describes an algorithm. It holds no key material: the key is
/// passed in when `make_mac` is called.
#[derive(Derivative)]
#[derivative(Debug)]
pub struct MacAlgo {
    /// Name of the algorithm.
    pub name: &'static str,
    /// Length of the authentication tag (presumably in bytes; confirm against the `hmac` and
    /// `none` submodules, which are not visible from this file).
    pub(crate) tag_len: usize,
    /// Length of the key handed to `make_mac` (presumably in bytes; confirm likewise).
    pub(crate) key_len: usize,
    /// Whether the MAC is combined with encryption as encrypt-and-MAC or encrypt-then-MAC.
    pub(crate) variant: MacAlgoVariant,
    /// Builds a keyed [`Mac`] instance from the raw key bytes. The field is left out of the
    /// derived `Debug` output.
    #[derivative(Debug = "ignore")]
    pub(crate) make_mac: fn(key: &[u8]) -> Box<dyn Mac + Send>,
}
44
/// How a MAC algorithm is combined with packet encryption.
///
/// The variant names follow the usual terms: encrypt-and-MAC authenticates the plaintext,
/// encrypt-then-MAC authenticates the ciphertext. The code that acts on the chosen variant lives
/// outside this file.
#[derive(Clone, Copy, Debug)]
pub(crate) enum MacAlgoVariant {
    /// Encrypt-and-MAC.
    EncryptAndMac,
    /// Encrypt-then-MAC.
    EncryptThenMac,
}
50
/// A keyed MAC instance, as returned by the `make_mac` function pointer of [`MacAlgo`].
///
/// Both methods take `&mut self`, so an implementation may keep mutable state between calls.
pub(crate) trait Mac {
    /// Writes the authentication tag for `data` into `tag`.
    ///
    /// `packet_seq` is the packet sequence number; the SSH MAC construction (RFC 4253,
    /// section 6.4) covers it together with the packet data.
    /// NOTE(review): `tag` is presumably expected to be `MacAlgo::tag_len` long; confirm against
    /// the implementations, which are not visible from this file.
    fn sign(&mut self, packet_seq: u32, data: &[u8], tag: &mut [u8]);

    /// Checks `tag` against `data` and `packet_seq`, returning a [`MacVerified`] witness on
    /// success and an error otherwise.
    ///
    /// NOTE(review): the implementations live in the `hmac` and `none` submodules; confirm there
    /// that the tag comparison runs in constant time and that a tag of the wrong length is
    /// rejected rather than compared as a prefix.
    fn verify(&mut self, packet_seq: u32, data: &[u8], tag: &[u8]) -> Result<MacVerified>;
}
55
/// Witness that a MAC check has passed; it is the success value of `Mac::verify`.
///
/// The `()` field is private, so code outside this module and its submodules cannot build the
/// value with a struct literal and has to call [`MacVerified::assertion`] instead.
#[derive(Debug)]
pub(crate) struct MacVerified(());

impl MacVerified {
    /// Creates the witness unconditionally.
    ///
    /// Nothing is checked here: the caller is the one asserting that the tag was verified (or
    /// that no verification is required). Every call site is therefore part of the integrity
    /// argument and is worth auditing.
    pub fn assertion() -> Self {
        MacVerified(())
    }
}