X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/0a3f1d48f7f8779690073685f057bc5705d61006..HEAD:/sshaes.c diff --git a/sshaes.c b/sshaes.c index 0e7ddc1c..97935b7f 100644 --- a/sshaes.c +++ b/sshaes.c @@ -32,201 +32,23 @@ #include "ssh.h" -typedef unsigned int word32; - #define MAX_NR 14 /* max no of rounds */ #define MAX_NK 8 /* max no of words in input key */ #define MAX_NB 8 /* max no of words in cipher blk */ #define mulby2(x) ( ((x&0x7F) << 1) ^ (x & 0x80 ? 0x1B : 0) ) -#define GET_32BIT_MSB_FIRST(cp) \ - (((unsigned long)(unsigned char)(cp)[3]) | \ - ((unsigned long)(unsigned char)(cp)[2] << 8) | \ - ((unsigned long)(unsigned char)(cp)[1] << 16) | \ - ((unsigned long)(unsigned char)(cp)[0] << 24)) - -#define PUT_32BIT_MSB_FIRST(cp, value) do { \ - (cp)[3] = (value); \ - (cp)[2] = (value) >> 8; \ - (cp)[1] = (value) >> 16; \ - (cp)[0] = (value) >> 24; } while (0) - typedef struct AESContext AESContext; struct AESContext { - word32 keysched[(MAX_NR+1) * MAX_NB]; - word32 invkeysched[(MAX_NR+1) * MAX_NB]; - void (*encrypt)(AESContext *ctx, word32 *block); - void (*decrypt)(AESContext *ctx, word32 *block); + word32 keysched[(MAX_NR + 1) * MAX_NB]; + word32 invkeysched[(MAX_NR + 1) * MAX_NB]; + void (*encrypt) (AESContext * ctx, word32 * block); + void (*decrypt) (AESContext * ctx, word32 * block); word32 iv[MAX_NB]; int Nb, Nr; }; -static const unsigned char Sbox[256], Sboxinv[256]; -static const word32 E0[256], E1[256], E2[256], E3[256]; -static const word32 D0[256], D1[256], D2[256], D3[256]; - -/* - * Common macros in both the encryption and decryption routines. - */ -#define ADD_ROUND_KEY_4 (block[0]^=*keysched++, block[1]^=*keysched++, \ - block[2]^=*keysched++, block[3]^=*keysched++) -#define ADD_ROUND_KEY_6 (block[0]^=*keysched++, block[1]^=*keysched++, \ - block[2]^=*keysched++, block[3]^=*keysched++, \ - block[4]^=*keysched++, block[5]^=*keysched++) -#define ADD_ROUND_KEY_8 (block[0]^=*keysched++, block[1]^=*keysched++, \ - block[2]^=*keysched++, block[3]^=*keysched++, \ - block[4]^=*keysched++, block[5]^=*keysched++, \ - block[6]^=*keysched++, block[7]^=*keysched++) -#define MOVEWORD(i) ( block[i] = newstate[i] ) - -/* - * Macros for the encryption routine. There are three encryption - * cores, for Nb=4,6,8. - */ -#define MAKEWORD(i) ( newstate[i] = (E0[(block[i] >> 24) & 0xFF] ^ \ - E1[(block[(i+C1)%Nb] >> 16) & 0xFF] ^ \ - E2[(block[(i+C2)%Nb] >> 8) & 0xFF] ^ \ - E3[block[(i+C3)%Nb] & 0xFF]) ) -#define LASTWORD(i) ( newstate[i] = (Sbox[(block[i] >> 24) & 0xFF] << 24) | \ - (Sbox[(block[(i+C1)%Nb] >> 16) & 0xFF] << 16) | \ - (Sbox[(block[(i+C2)%Nb] >> 8) & 0xFF] << 8) | \ - (Sbox[(block[(i+C3)%Nb] ) & 0xFF] ) ) - -/* - * Core encrypt routines, expecting word32 inputs read big-endian - * from the byte-oriented input stream. - */ -static void aes_encrypt_nb_4(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 1, C2 = 2, C3 = 3, Nb = 4; - word32 *keysched = ctx->keysched; - word32 newstate[4]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_4; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); MAKEWORD(3); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - } - ADD_ROUND_KEY_4; - LASTWORD(0); LASTWORD(1); LASTWORD(2); LASTWORD(3); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - ADD_ROUND_KEY_4; -} -static void aes_encrypt_nb_6(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 1, C2 = 2, C3 = 3, Nb = 6; - word32 *keysched = ctx->keysched; - word32 newstate[6]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_6; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); - MAKEWORD(3); MAKEWORD(4); MAKEWORD(5); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); - MOVEWORD(3); MOVEWORD(4); MOVEWORD(5); - } - ADD_ROUND_KEY_6; - LASTWORD(0); LASTWORD(1); LASTWORD(2); - LASTWORD(3); LASTWORD(4); LASTWORD(5); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); - MOVEWORD(3); MOVEWORD(4); MOVEWORD(5); - ADD_ROUND_KEY_6; -} -static void aes_encrypt_nb_8(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 1, C2 = 3, C3 = 4, Nb = 8; - word32 *keysched = ctx->keysched; - word32 newstate[8]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_8; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); MAKEWORD(3); - MAKEWORD(4); MAKEWORD(5); MAKEWORD(6); MAKEWORD(7); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - MOVEWORD(4); MOVEWORD(5); MOVEWORD(6); MOVEWORD(7); - } - ADD_ROUND_KEY_8; - LASTWORD(0); LASTWORD(1); LASTWORD(2); LASTWORD(3); - LASTWORD(4); LASTWORD(5); LASTWORD(6); LASTWORD(7); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - MOVEWORD(4); MOVEWORD(5); MOVEWORD(6); MOVEWORD(7); - ADD_ROUND_KEY_8; -} -#undef MAKEWORD -#undef LASTWORD - -/* - * Macros for the decryption routine. There are three decryption - * cores, for Nb=4,6,8. - */ -#define MAKEWORD(i) ( newstate[i] = (D0[(block[i] >> 24) & 0xFF] ^ \ - D1[(block[(i+C1)%Nb] >> 16) & 0xFF] ^ \ - D2[(block[(i+C2)%Nb] >> 8) & 0xFF] ^ \ - D3[block[(i+C3)%Nb] & 0xFF]) ) -#define LASTWORD(i) (newstate[i] = (Sboxinv[(block[i] >> 24) & 0xFF] << 24) | \ - (Sboxinv[(block[(i+C1)%Nb] >> 16) & 0xFF] << 16) | \ - (Sboxinv[(block[(i+C2)%Nb] >> 8) & 0xFF] << 8) | \ - (Sboxinv[(block[(i+C3)%Nb] ) & 0xFF] ) ) - -/* - * Core decrypt routines, expecting word32 inputs read big-endian - * from the byte-oriented input stream. - */ -static void aes_decrypt_nb_4(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 4-1, C2 = 4-2, C3 = 4-3, Nb = 4; - word32 *keysched = ctx->invkeysched; - word32 newstate[4]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_4; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); MAKEWORD(3); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - } - ADD_ROUND_KEY_4; - LASTWORD(0); LASTWORD(1); LASTWORD(2); LASTWORD(3); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - ADD_ROUND_KEY_4; -} -static void aes_decrypt_nb_6(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 6-1, C2 = 6-2, C3 = 6-3, Nb = 6; - word32 *keysched = ctx->invkeysched; - word32 newstate[6]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_6; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); - MAKEWORD(3); MAKEWORD(4); MAKEWORD(5); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); - MOVEWORD(3); MOVEWORD(4); MOVEWORD(5); - } - ADD_ROUND_KEY_6; - LASTWORD(0); LASTWORD(1); LASTWORD(2); - LASTWORD(3); LASTWORD(4); LASTWORD(5); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); - MOVEWORD(3); MOVEWORD(4); MOVEWORD(5); - ADD_ROUND_KEY_6; -} -static void aes_decrypt_nb_8(AESContext *ctx, word32 *block) { - int i; - static const int C1 = 8-1, C2 = 8-3, C3 = 8-4, Nb = 8; - word32 *keysched = ctx->invkeysched; - word32 newstate[8]; - for (i = 0; i < ctx->Nr-1; i++) { - ADD_ROUND_KEY_8; - MAKEWORD(0); MAKEWORD(1); MAKEWORD(2); MAKEWORD(3); - MAKEWORD(4); MAKEWORD(5); MAKEWORD(6); MAKEWORD(7); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - MOVEWORD(4); MOVEWORD(5); MOVEWORD(6); MOVEWORD(7); - } - ADD_ROUND_KEY_8; - LASTWORD(0); LASTWORD(1); LASTWORD(2); LASTWORD(3); - LASTWORD(4); LASTWORD(5); LASTWORD(6); LASTWORD(7); - MOVEWORD(0); MOVEWORD(1); MOVEWORD(2); MOVEWORD(3); - MOVEWORD(4); MOVEWORD(5); MOVEWORD(6); MOVEWORD(7); - ADD_ROUND_KEY_8; -} -#undef MAKEWORD -#undef LASTWORD - static const unsigned char Sbox[256] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, @@ -827,12 +649,286 @@ static const word32 D3[256] = { }; /* + * Common macros in both the encryption and decryption routines. + */ +#define ADD_ROUND_KEY_4 (block[0]^=*keysched++, block[1]^=*keysched++, \ + block[2]^=*keysched++, block[3]^=*keysched++) +#define ADD_ROUND_KEY_6 (block[0]^=*keysched++, block[1]^=*keysched++, \ + block[2]^=*keysched++, block[3]^=*keysched++, \ + block[4]^=*keysched++, block[5]^=*keysched++) +#define ADD_ROUND_KEY_8 (block[0]^=*keysched++, block[1]^=*keysched++, \ + block[2]^=*keysched++, block[3]^=*keysched++, \ + block[4]^=*keysched++, block[5]^=*keysched++, \ + block[6]^=*keysched++, block[7]^=*keysched++) +#define MOVEWORD(i) ( block[i] = newstate[i] ) + +/* + * Macros for the encryption routine. There are three encryption + * cores, for Nb=4,6,8. + */ +#define MAKEWORD(i) ( newstate[i] = (E0[(block[i] >> 24) & 0xFF] ^ \ + E1[(block[(i+C1)%Nb] >> 16) & 0xFF] ^ \ + E2[(block[(i+C2)%Nb] >> 8) & 0xFF] ^ \ + E3[block[(i+C3)%Nb] & 0xFF]) ) +#define LASTWORD(i) ( newstate[i] = (Sbox[(block[i] >> 24) & 0xFF] << 24) | \ + (Sbox[(block[(i+C1)%Nb] >> 16) & 0xFF] << 16) | \ + (Sbox[(block[(i+C2)%Nb] >> 8) & 0xFF] << 8) | \ + (Sbox[(block[(i+C3)%Nb] ) & 0xFF] ) ) + +/* + * Core encrypt routines, expecting word32 inputs read big-endian + * from the byte-oriented input stream. + */ +static void aes_encrypt_nb_4(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 1, C2 = 2, C3 = 3, Nb = 4; + word32 *keysched = ctx->keysched; + word32 newstate[4]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_4; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + } + ADD_ROUND_KEY_4; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + ADD_ROUND_KEY_4; +} +static void aes_encrypt_nb_6(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 1, C2 = 2, C3 = 3, Nb = 6; + word32 *keysched = ctx->keysched; + word32 newstate[6]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_6; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MAKEWORD(4); + MAKEWORD(5); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + } + ADD_ROUND_KEY_6; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + LASTWORD(4); + LASTWORD(5); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + ADD_ROUND_KEY_6; +} +static void aes_encrypt_nb_8(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 1, C2 = 3, C3 = 4, Nb = 8; + word32 *keysched = ctx->keysched; + word32 newstate[8]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_8; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MAKEWORD(4); + MAKEWORD(5); + MAKEWORD(6); + MAKEWORD(7); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + MOVEWORD(6); + MOVEWORD(7); + } + ADD_ROUND_KEY_8; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + LASTWORD(4); + LASTWORD(5); + LASTWORD(6); + LASTWORD(7); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + MOVEWORD(6); + MOVEWORD(7); + ADD_ROUND_KEY_8; +} + +#undef MAKEWORD +#undef LASTWORD + +/* + * Macros for the decryption routine. There are three decryption + * cores, for Nb=4,6,8. + */ +#define MAKEWORD(i) ( newstate[i] = (D0[(block[i] >> 24) & 0xFF] ^ \ + D1[(block[(i+C1)%Nb] >> 16) & 0xFF] ^ \ + D2[(block[(i+C2)%Nb] >> 8) & 0xFF] ^ \ + D3[block[(i+C3)%Nb] & 0xFF]) ) +#define LASTWORD(i) (newstate[i] = (Sboxinv[(block[i] >> 24) & 0xFF] << 24) | \ + (Sboxinv[(block[(i+C1)%Nb] >> 16) & 0xFF] << 16) | \ + (Sboxinv[(block[(i+C2)%Nb] >> 8) & 0xFF] << 8) | \ + (Sboxinv[(block[(i+C3)%Nb] ) & 0xFF] ) ) + +/* + * Core decrypt routines, expecting word32 inputs read big-endian + * from the byte-oriented input stream. + */ +static void aes_decrypt_nb_4(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 4 - 1, C2 = 4 - 2, C3 = 4 - 3, Nb = 4; + word32 *keysched = ctx->invkeysched; + word32 newstate[4]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_4; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + } + ADD_ROUND_KEY_4; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + ADD_ROUND_KEY_4; +} +static void aes_decrypt_nb_6(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 6 - 1, C2 = 6 - 2, C3 = 6 - 3, Nb = 6; + word32 *keysched = ctx->invkeysched; + word32 newstate[6]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_6; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MAKEWORD(4); + MAKEWORD(5); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + } + ADD_ROUND_KEY_6; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + LASTWORD(4); + LASTWORD(5); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + ADD_ROUND_KEY_6; +} +static void aes_decrypt_nb_8(AESContext * ctx, word32 * block) +{ + int i; + static const int C1 = 8 - 1, C2 = 8 - 3, C3 = 8 - 4, Nb = 8; + word32 *keysched = ctx->invkeysched; + word32 newstate[8]; + for (i = 0; i < ctx->Nr - 1; i++) { + ADD_ROUND_KEY_8; + MAKEWORD(0); + MAKEWORD(1); + MAKEWORD(2); + MAKEWORD(3); + MAKEWORD(4); + MAKEWORD(5); + MAKEWORD(6); + MAKEWORD(7); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + MOVEWORD(6); + MOVEWORD(7); + } + ADD_ROUND_KEY_8; + LASTWORD(0); + LASTWORD(1); + LASTWORD(2); + LASTWORD(3); + LASTWORD(4); + LASTWORD(5); + LASTWORD(6); + LASTWORD(7); + MOVEWORD(0); + MOVEWORD(1); + MOVEWORD(2); + MOVEWORD(3); + MOVEWORD(4); + MOVEWORD(5); + MOVEWORD(6); + MOVEWORD(7); + ADD_ROUND_KEY_8; +} + +#undef MAKEWORD +#undef LASTWORD + + +/* * Set up an AESContext. `keylen' and `blocklen' are measured in * bytes; each can be either 16 (128-bit), 24 (192-bit), or 32 * (256-bit). */ -void aes_setup(AESContext *ctx, int blocklen, - unsigned char *key, int keylen) { +static void aes_setup(AESContext * ctx, int blocklen, + unsigned char *key, int keylen) +{ int i, j, Nk, rconst; assert(blocklen == 16 || blocklen == 24 || blocklen == 32); @@ -859,16 +955,16 @@ void aes_setup(AESContext *ctx, int blocklen, * Now do the key setup itself. */ rconst = 1; - for (i = 0; i < (ctx->Nr+1) * ctx->Nb; i++) { + for (i = 0; i < (ctx->Nr + 1) * ctx->Nb; i++) { if (i < Nk) - ctx->keysched[i] = GET_32BIT_MSB_FIRST(key + 4*i); + ctx->keysched[i] = GET_32BIT_MSB_FIRST(key + 4 * i); else { - word32 temp = ctx->keysched[i-1]; + word32 temp = ctx->keysched[i - 1]; if (i % Nk == 0) { int a, b, c, d; a = (temp >> 16) & 0xFF; - b = (temp >> 8) & 0xFF; - c = (temp >> 0) & 0xFF; + b = (temp >> 8) & 0xFF; + c = (temp >> 0) & 0xFF; d = (temp >> 24) & 0xFF; temp = Sbox[a] ^ rconst; temp = (temp << 8) | Sbox[b]; @@ -879,14 +975,14 @@ void aes_setup(AESContext *ctx, int blocklen, int a, b, c, d; a = (temp >> 24) & 0xFF; b = (temp >> 16) & 0xFF; - c = (temp >> 8) & 0xFF; - d = (temp >> 0) & 0xFF; + c = (temp >> 8) & 0xFF; + d = (temp >> 0) & 0xFF; temp = Sbox[a]; temp = (temp << 8) | Sbox[b]; temp = (temp << 8) | Sbox[c]; - temp = (temp << 8) | Sbox[d]; + temp = (temp << 8) | Sbox[d]; } - ctx->keysched[i] = ctx->keysched[i-Nk] ^ temp; + ctx->keysched[i] = ctx->keysched[i - Nk] ^ temp; } } @@ -907,8 +1003,8 @@ void aes_setup(AESContext *ctx, int blocklen, int a, b, c, d; a = (temp >> 24) & 0xFF; b = (temp >> 16) & 0xFF; - c = (temp >> 8) & 0xFF; - d = (temp >> 0) & 0xFF; + c = (temp >> 8) & 0xFF; + d = (temp >> 0) & 0xFF; temp = D0[Sbox[a]]; temp ^= D1[Sbox[b]]; temp ^= D2[Sbox[c]]; @@ -919,15 +1015,18 @@ void aes_setup(AESContext *ctx, int blocklen, } } -static void aes_encrypt(AESContext *ctx, word32 *block) { +static void aes_encrypt(AESContext * ctx, word32 * block) +{ ctx->encrypt(ctx, block); } -static void aes_decrypt(AESContext *ctx, word32 *block) { +static void aes_decrypt(AESContext * ctx, word32 * block) +{ ctx->decrypt(ctx, block); } -static void aes_encrypt_cbc(unsigned char *blk, int len, AESContext *ctx) { +static void aes_encrypt_cbc(unsigned char *blk, int len, AESContext * ctx) +{ word32 iv[4]; int i; @@ -937,18 +1036,19 @@ static void aes_encrypt_cbc(unsigned char *blk, int len, AESContext *ctx) { while (len > 0) { for (i = 0; i < 4; i++) - iv[i] ^= GET_32BIT_MSB_FIRST(blk+4*i); + iv[i] ^= GET_32BIT_MSB_FIRST(blk + 4 * i); aes_encrypt(ctx, iv); - for (i = 0; i < 4; i++) - PUT_32BIT_MSB_FIRST(blk+4*i, iv[i]); - blk += 16; - len -= 16; + for (i = 0; i < 4; i++) + PUT_32BIT_MSB_FIRST(blk + 4 * i, iv[i]); + blk += 16; + len -= 16; } memcpy(ctx->iv, iv, sizeof(iv)); } -static void aes_decrypt_cbc(unsigned char *blk, int len, AESContext *ctx) { +static void aes_decrypt_cbc(unsigned char *blk, int len, AESContext * ctx) +{ word32 iv[4], x[4], ct[4]; int i; @@ -958,145 +1058,177 @@ static void aes_decrypt_cbc(unsigned char *blk, int len, AESContext *ctx) { while (len > 0) { for (i = 0; i < 4; i++) - x[i] = ct[i] = GET_32BIT_MSB_FIRST(blk+4*i); + x[i] = ct[i] = GET_32BIT_MSB_FIRST(blk + 4 * i); aes_decrypt(ctx, x); for (i = 0; i < 4; i++) { - PUT_32BIT_MSB_FIRST(blk+4*i, iv[i] ^ x[i]); - iv[i] = ct[i]; - } - blk += 16; - len -= 16; + PUT_32BIT_MSB_FIRST(blk + 4 * i, iv[i] ^ x[i]); + iv[i] = ct[i]; + } + blk += 16; + len -= 16; } memcpy(ctx->iv, iv, sizeof(iv)); } -static AESContext csctx, scctx; +static void aes_sdctr(unsigned char *blk, int len, AESContext *ctx) +{ + word32 iv[4], b[4], tmp; + int i; + + assert((len & 15) == 0); + + memcpy(iv, ctx->iv, sizeof(iv)); + + while (len > 0) { + memcpy(b, iv, sizeof(b)); + aes_encrypt(ctx, b); + for (i = 0; i < 4; i++) { + tmp = GET_32BIT_MSB_FIRST(blk + 4 * i); + PUT_32BIT_MSB_FIRST(blk + 4 * i, tmp ^ b[i]); + } + for (i = 3; i >= 0; i--) + if ((iv[i] = (iv[i] + 1) & 0xffffffff) != 0) + break; + blk += 16; + len -= 16; + } -static void aes128_cskey(unsigned char *key) { - aes_setup(&csctx, 16, key, 16); - logevent("Initialised AES-128 client->server encryption"); + memcpy(ctx->iv, iv, sizeof(iv)); } -static void aes128_sckey(unsigned char *key) { - aes_setup(&scctx, 16, key, 16); - logevent("Initialised AES-128 server->client encryption"); +void *aes_make_context(void) +{ + return snew(AESContext); } -static void aes192_cskey(unsigned char *key) { - aes_setup(&csctx, 16, key, 24); - logevent("Initialised AES-192 client->server encryption"); +void aes_free_context(void *handle) +{ + sfree(handle); } -static void aes192_sckey(unsigned char *key) { - aes_setup(&scctx, 16, key, 24); - logevent("Initialised AES-192 server->client encryption"); +void aes128_key(void *handle, unsigned char *key) +{ + AESContext *ctx = (AESContext *)handle; + aes_setup(ctx, 16, key, 16); } -static void aes256_cskey(unsigned char *key) { - aes_setup(&csctx, 16, key, 32); - logevent("Initialised AES-256 client->server encryption"); +void aes192_key(void *handle, unsigned char *key) +{ + AESContext *ctx = (AESContext *)handle; + aes_setup(ctx, 16, key, 24); } -static void aes256_sckey(unsigned char *key) { - aes_setup(&scctx, 16, key, 32); - logevent("Initialised AES-256 server->client encryption"); +void aes256_key(void *handle, unsigned char *key) +{ + AESContext *ctx = (AESContext *)handle; + aes_setup(ctx, 16, key, 32); } -static void aes_csiv(unsigned char *iv) { +void aes_iv(void *handle, unsigned char *iv) +{ + AESContext *ctx = (AESContext *)handle; int i; for (i = 0; i < 4; i++) - csctx.iv[i] = GET_32BIT_MSB_FIRST(iv+4*i); + ctx->iv[i] = GET_32BIT_MSB_FIRST(iv + 4 * i); } -static void aes_sciv(unsigned char *iv) { - int i; - for (i = 0; i < 4; i++) - scctx.iv[i] = GET_32BIT_MSB_FIRST(iv+4*i); +void aes_ssh2_encrypt_blk(void *handle, unsigned char *blk, int len) +{ + AESContext *ctx = (AESContext *)handle; + aes_encrypt_cbc(blk, len, ctx); } -static void aes_ssh2_encrypt_blk(unsigned char *blk, int len) { - aes_encrypt_cbc(blk, len, &csctx); +void aes_ssh2_decrypt_blk(void *handle, unsigned char *blk, int len) +{ + AESContext *ctx = (AESContext *)handle; + aes_decrypt_cbc(blk, len, ctx); } -static void aes_ssh2_decrypt_blk(unsigned char *blk, int len) { - aes_decrypt_cbc(blk, len, &scctx); +static void aes_ssh2_sdctr(void *handle, unsigned char *blk, int len) +{ + AESContext *ctx = (AESContext *)handle; + aes_sdctr(blk, len, ctx); } -static struct ssh2_cipher ssh_aes128 = { - aes_csiv, aes128_cskey, - aes_sciv, aes128_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "aes128-cbc", - 16, 128 +void aes256_encrypt_pubkey(unsigned char *key, unsigned char *blk, int len) +{ + AESContext ctx; + aes_setup(&ctx, 16, key, 32); + memset(ctx.iv, 0, sizeof(ctx.iv)); + aes_encrypt_cbc(blk, len, &ctx); + smemclr(&ctx, sizeof(ctx)); +} + +void aes256_decrypt_pubkey(unsigned char *key, unsigned char *blk, int len) +{ + AESContext ctx; + aes_setup(&ctx, 16, key, 32); + memset(ctx.iv, 0, sizeof(ctx.iv)); + aes_decrypt_cbc(blk, len, &ctx); + smemclr(&ctx, sizeof(ctx)); +} + +static const struct ssh2_cipher ssh_aes128_ctr = { + aes_make_context, aes_free_context, aes_iv, aes128_key, + aes_ssh2_sdctr, aes_ssh2_sdctr, + "aes128-ctr", + 16, 128, 0, "AES-128 SDCTR" }; -static struct ssh2_cipher ssh_aes192 = { - aes_csiv, aes192_cskey, - aes_sciv, aes192_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "aes192-cbc", - 16, 192 +static const struct ssh2_cipher ssh_aes192_ctr = { + aes_make_context, aes_free_context, aes_iv, aes192_key, + aes_ssh2_sdctr, aes_ssh2_sdctr, + "aes192-ctr", + 16, 192, 0, "AES-192 SDCTR" }; -static struct ssh2_cipher ssh_aes256 = { - aes_csiv, aes256_cskey, - aes_sciv, aes256_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "aes256-cbc", - 16, 256 +static const struct ssh2_cipher ssh_aes256_ctr = { + aes_make_context, aes_free_context, aes_iv, aes256_key, + aes_ssh2_sdctr, aes_ssh2_sdctr, + "aes256-ctr", + 16, 256, 0, "AES-256 SDCTR" }; -static struct ssh2_cipher ssh_rijndael128 = { - aes_csiv, aes128_cskey, - aes_sciv, aes128_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "rijndael128-cbc", - 16, 128 +static const struct ssh2_cipher ssh_aes128 = { + aes_make_context, aes_free_context, aes_iv, aes128_key, + aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk, + "aes128-cbc", + 16, 128, SSH_CIPHER_IS_CBC, "AES-128 CBC" }; -static struct ssh2_cipher ssh_rijndael192 = { - aes_csiv, aes192_cskey, - aes_sciv, aes192_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "rijndael192-cbc", - 16, 192 +static const struct ssh2_cipher ssh_aes192 = { + aes_make_context, aes_free_context, aes_iv, aes192_key, + aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk, + "aes192-cbc", + 16, 192, SSH_CIPHER_IS_CBC, "AES-192 CBC" }; -static struct ssh2_cipher ssh_rijndael256 = { - aes_csiv, aes256_cskey, - aes_sciv, aes256_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, - "rijndael256-cbc", - 16, 256 +static const struct ssh2_cipher ssh_aes256 = { + aes_make_context, aes_free_context, aes_iv, aes256_key, + aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk, + "aes256-cbc", + 16, 256, SSH_CIPHER_IS_CBC, "AES-256 CBC" }; -static struct ssh2_cipher ssh_rijndael_lysator = { - aes_csiv, aes256_cskey, - aes_sciv, aes256_sckey, - aes_ssh2_encrypt_blk, - aes_ssh2_decrypt_blk, +static const struct ssh2_cipher ssh_rijndael_lysator = { + aes_make_context, aes_free_context, aes_iv, aes256_key, + aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk, "rijndael-cbc@lysator.liu.se", - 16, 256 + 16, 256, SSH_CIPHER_IS_CBC, "AES-256 CBC" }; -static struct ssh2_cipher *aes_list[] = { +static const struct ssh2_cipher *const aes_list[] = { + &ssh_aes256_ctr, &ssh_aes256, - &ssh_rijndael256, &ssh_rijndael_lysator, + &ssh_aes192_ctr, &ssh_aes192, - &ssh_rijndael192, + &ssh_aes128_ctr, &ssh_aes128, - &ssh_rijndael128, }; -struct ssh2_ciphers ssh2_aes = { +const struct ssh2_ciphers ssh2_aes = { sizeof(aes_list) / sizeof(*aes_list), aes_list };