sshaes.c

大名鼎鼎的远程登录软件putty的Symbian版源码

				     D1[(block[(i+C1)%Nb] >> 16) & 0xFF] ^ \
				     D2[(block[(i+C2)%Nb] >> 8) & 0xFF] ^ \
				     D3[block[(i+C3)%Nb] & 0xFF]) )
#define LASTWORD(i) (newstate[i] = (Sboxinv[(block[i] >> 24) & 0xFF] << 24) | \
			   (Sboxinv[(block[(i+C1)%Nb] >> 16) & 0xFF] << 16) | \
			   (Sboxinv[(block[(i+C2)%Nb] >>  8) & 0xFF] <<  8) | \
			   (Sboxinv[(block[(i+C3)%Nb]      ) & 0xFF]      ) )

/*
 * Core decrypt routines, expecting word32 inputs read big-endian
 * from the byte-oriented input stream.
 */
static void aes_decrypt_nb_4(AESContext * ctx, word32 * block)
{
    int i;
    static const int C1 = 4 - 1, C2 = 4 - 2, C3 = 4 - 3, Nb = 4;
    word32 *keysched = ctx->invkeysched;
    word32 newstate[4];
    for (i = 0; i < ctx->Nr - 1; i++) {
	ADD_ROUND_KEY_4;
	MAKEWORD(0);
	MAKEWORD(1);
	MAKEWORD(2);
	MAKEWORD(3);
	MOVEWORD(0);
	MOVEWORD(1);
	MOVEWORD(2);
	MOVEWORD(3);
    }
    ADD_ROUND_KEY_4;
    LASTWORD(0);
    LASTWORD(1);
    LASTWORD(2);
    LASTWORD(3);
    MOVEWORD(0);
    MOVEWORD(1);
    MOVEWORD(2);
    MOVEWORD(3);
    ADD_ROUND_KEY_4;
}
static void aes_decrypt_nb_6(AESContext * ctx, word32 * block)
{
    int i;
    static const int C1 = 6 - 1, C2 = 6 - 2, C3 = 6 - 3, Nb = 6;
    word32 *keysched = ctx->invkeysched;
    word32 newstate[6];
    for (i = 0; i < ctx->Nr - 1; i++) {
	ADD_ROUND_KEY_6;
	MAKEWORD(0);
	MAKEWORD(1);
	MAKEWORD(2);
	MAKEWORD(3);
	MAKEWORD(4);
	MAKEWORD(5);
	MOVEWORD(0);
	MOVEWORD(1);
	MOVEWORD(2);
	MOVEWORD(3);
	MOVEWORD(4);
	MOVEWORD(5);
    }
    ADD_ROUND_KEY_6;
    LASTWORD(0);
    LASTWORD(1);
    LASTWORD(2);
    LASTWORD(3);
    LASTWORD(4);
    LASTWORD(5);
    MOVEWORD(0);
    MOVEWORD(1);
    MOVEWORD(2);
    MOVEWORD(3);
    MOVEWORD(4);
    MOVEWORD(5);
    ADD_ROUND_KEY_6;
}
static void aes_decrypt_nb_8(AESContext * ctx, word32 * block)
{
    int i;
    static const int C1 = 8 - 1, C2 = 8 - 3, C3 = 8 - 4, Nb = 8;
    word32 *keysched = ctx->invkeysched;
    word32 newstate[8];
    for (i = 0; i < ctx->Nr - 1; i++) {
	ADD_ROUND_KEY_8;
	MAKEWORD(0);
	MAKEWORD(1);
	MAKEWORD(2);
	MAKEWORD(3);
	MAKEWORD(4);
	MAKEWORD(5);
	MAKEWORD(6);
	MAKEWORD(7);
	MOVEWORD(0);
	MOVEWORD(1);
	MOVEWORD(2);
	MOVEWORD(3);
	MOVEWORD(4);
	MOVEWORD(5);
	MOVEWORD(6);
	MOVEWORD(7);
    }
    ADD_ROUND_KEY_8;
    LASTWORD(0);
    LASTWORD(1);
    LASTWORD(2);
    LASTWORD(3);
    LASTWORD(4);
    LASTWORD(5);
    LASTWORD(6);
    LASTWORD(7);
    MOVEWORD(0);
    MOVEWORD(1);
    MOVEWORD(2);
    MOVEWORD(3);
    MOVEWORD(4);
    MOVEWORD(5);
    MOVEWORD(6);
    MOVEWORD(7);
    ADD_ROUND_KEY_8;
}

#undef MAKEWORD
#undef LASTWORD


/*
 * Set up an AESContext. `keylen' and `blocklen' are measured in
 * bytes; each can be either 16 (128-bit), 24 (192-bit), or 32
 * (256-bit).
 */
static void aes_setup(AESContext * ctx, int blocklen,
	       unsigned char *key, int keylen)
{
    int i, j, Nk, rconst;

    assert(blocklen == 16 || blocklen == 24 || blocklen == 32);
    assert(keylen == 16 || keylen == 24 || keylen == 32);

    /*
     * Basic parameters. Words per block, words in key, rounds.
     */
    Nk = keylen / 4;
    ctx->Nb = blocklen / 4;
    ctx->Nr = 6 + (ctx->Nb > Nk ? ctx->Nb : Nk);

    /*
     * Assign core-function pointers.
     */
    if (ctx->Nb == 8)
	ctx->encrypt = aes_encrypt_nb_8, ctx->decrypt = aes_decrypt_nb_8;
    else if (ctx->Nb == 6)
	ctx->encrypt = aes_encrypt_nb_6, ctx->decrypt = aes_decrypt_nb_6;
    else if (ctx->Nb == 4)
	ctx->encrypt = aes_encrypt_nb_4, ctx->decrypt = aes_decrypt_nb_4;

    /*
     * Now do the key setup itself.
     */
    rconst = 1;
    for (i = 0; i < (ctx->Nr + 1) * ctx->Nb; i++) {
	if (i < Nk)
	    ctx->keysched[i] = GET_32BIT_MSB_FIRST(key + 4 * i);
	else {
	    word32 temp = ctx->keysched[i - 1];
	    if (i % Nk == 0) {
		int a, b, c, d;
		a = (temp >> 16) & 0xFF;
		b = (temp >> 8) & 0xFF;
		c = (temp >> 0) & 0xFF;
		d = (temp >> 24) & 0xFF;
		temp = Sbox[a] ^ rconst;
		temp = (temp << 8) | Sbox[b];
		temp = (temp << 8) | Sbox[c];
		temp = (temp << 8) | Sbox[d];
		rconst = mulby2(rconst);
	    } else if (i % Nk == 4 && Nk > 6) {
		int a, b, c, d;
		a = (temp >> 24) & 0xFF;
		b = (temp >> 16) & 0xFF;
		c = (temp >> 8) & 0xFF;
		d = (temp >> 0) & 0xFF;
		temp = Sbox[a];
		temp = (temp << 8) | Sbox[b];
		temp = (temp << 8) | Sbox[c];
		temp = (temp << 8) | Sbox[d];
	    }
	    ctx->keysched[i] = ctx->keysched[i - Nk] ^ temp;
	}
    }

    /*
     * Now prepare the modified keys for the inverse cipher.
     */
    for (i = 0; i <= ctx->Nr; i++) {
	for (j = 0; j < ctx->Nb; j++) {
	    word32 temp;
	    temp = ctx->keysched[(ctx->Nr - i) * ctx->Nb + j];
	    if (i != 0 && i != ctx->Nr) {
		/*
		 * Perform the InvMixColumn operation on i. The D
		 * tables give the result of InvMixColumn applied
		 * to Sboxinv on individual bytes, so we should
		 * compose Sbox with the D tables for this.
		 */
		int a, b, c, d;
		a = (temp >> 24) & 0xFF;
		b = (temp >> 16) & 0xFF;
		c = (temp >> 8) & 0xFF;
		d = (temp >> 0) & 0xFF;
		temp = D0[Sbox[a]];
		temp ^= D1[Sbox[b]];
		temp ^= D2[Sbox[c]];
		temp ^= D3[Sbox[d]];
	    }
	    ctx->invkeysched[i * ctx->Nb + j] = temp;
	}
    }
}

static void aes_encrypt(AESContext * ctx, word32 * block)
{
    ctx->encrypt(ctx, block);
}

static void aes_decrypt(AESContext * ctx, word32 * block)
{
    ctx->decrypt(ctx, block);
}

static void aes_encrypt_cbc(unsigned char *blk, int len, AESContext * ctx)
{
    word32 iv[4];
    int i;

    assert((len & 15) == 0);

    memcpy(iv, ctx->iv, sizeof(iv));

    while (len > 0) {
	for (i = 0; i < 4; i++)
	    iv[i] ^= GET_32BIT_MSB_FIRST(blk + 4 * i);
	aes_encrypt(ctx, iv);
	for (i = 0; i < 4; i++)
	    PUT_32BIT_MSB_FIRST(blk + 4 * i, iv[i]);
	blk += 16;
	len -= 16;
    }

    memcpy(ctx->iv, iv, sizeof(iv));
}

static void aes_decrypt_cbc(unsigned char *blk, int len, AESContext * ctx)
{
    word32 iv[4], x[4], ct[4];
    int i;

    assert((len & 15) == 0);

    memcpy(iv, ctx->iv, sizeof(iv));

    while (len > 0) {
	for (i = 0; i < 4; i++)
	    x[i] = ct[i] = GET_32BIT_MSB_FIRST(blk + 4 * i);
	aes_decrypt(ctx, x);
	for (i = 0; i < 4; i++) {
	    PUT_32BIT_MSB_FIRST(blk + 4 * i, iv[i] ^ x[i]);
	    iv[i] = ct[i];
	}
	blk += 16;
	len -= 16;
    }

    memcpy(ctx->iv, iv, sizeof(iv));
}

static void *aes_make_context(void)
{
    return snew(AESContext);
}

static void aes_free_context(void *handle)
{
    sfree(handle);
}

static void aes128_key(void *handle, unsigned char *key)
{
    AESContext *ctx = (AESContext *)handle;
    aes_setup(ctx, 16, key, 16);
}

static void aes192_key(void *handle, unsigned char *key)
{
    AESContext *ctx = (AESContext *)handle;
    aes_setup(ctx, 16, key, 24);
}

static void aes256_key(void *handle, unsigned char *key)
{
    AESContext *ctx = (AESContext *)handle;
    aes_setup(ctx, 16, key, 32);
}

static void aes_iv(void *handle, unsigned char *iv)
{
    AESContext *ctx = (AESContext *)handle;
    int i;
    for (i = 0; i < 4; i++)
	ctx->iv[i] = GET_32BIT_MSB_FIRST(iv + 4 * i);
}

static void aes_ssh2_encrypt_blk(void *handle, unsigned char *blk, int len)
{
    AESContext *ctx = (AESContext *)handle;
    aes_encrypt_cbc(blk, len, ctx);
}

static void aes_ssh2_decrypt_blk(void *handle, unsigned char *blk, int len)
{
    AESContext *ctx = (AESContext *)handle;
    aes_decrypt_cbc(blk, len, ctx);
}

void aes256_encrypt_pubkey(unsigned char *key, unsigned char *blk, int len)
{
    AESContext ctx;
    aes_setup(&ctx, 16, key, 32);
    memset(ctx.iv, 0, sizeof(ctx.iv));
    aes_encrypt_cbc(blk, len, &ctx);
    memset(&ctx, 0, sizeof(ctx));
}

void aes256_decrypt_pubkey(unsigned char *key, unsigned char *blk, int len)
{
    AESContext ctx;
    aes_setup(&ctx, 16, key, 32);
    memset(ctx.iv, 0, sizeof(ctx.iv));
    aes_decrypt_cbc(blk, len, &ctx);
    memset(&ctx, 0, sizeof(ctx));
}

static const struct ssh2_cipher ssh_aes128 = {
    aes_make_context, aes_free_context, aes_iv, aes128_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "aes128-cbc",
    16, 128, "AES-128"
};

static const struct ssh2_cipher ssh_aes192 = {
    aes_make_context, aes_free_context, aes_iv, aes192_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "aes192-cbc",
    16, 192, "AES-192"
};

static const struct ssh2_cipher ssh_aes256 = {
    aes_make_context, aes_free_context, aes_iv, aes256_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "aes256-cbc",
    16, 256, "AES-256"
};

static const struct ssh2_cipher ssh_rijndael128 = {
    aes_make_context, aes_free_context, aes_iv, aes128_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "rijndael128-cbc",
    16, 128, "AES-128"
};

static const struct ssh2_cipher ssh_rijndael192 = {
    aes_make_context, aes_free_context, aes_iv, aes192_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "rijndael192-cbc",
    16, 192, "AES-192"
};

static const struct ssh2_cipher ssh_rijndael256 = {
    aes_make_context, aes_free_context, aes_iv, aes256_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "rijndael256-cbc",
    16, 256, "AES-256"
};

static const struct ssh2_cipher ssh_rijndael_lysator = {
    aes_make_context, aes_free_context, aes_iv, aes256_key,
    aes_ssh2_encrypt_blk, aes_ssh2_decrypt_blk,
    "rijndael-cbc@lysator.liu.se",
    16, 256, "AES-256"
};

static const struct ssh2_cipher *const aes_list[] = {
    &ssh_aes256,
    &ssh_rijndael256,
    &ssh_rijndael_lysator,
    &ssh_aes192,
    &ssh_rijndael192,
    &ssh_aes128,
    &ssh_rijndael128,
};

const struct ssh2_ciphers ssh2_aes = {
    sizeof(aes_list) / sizeof(*aes_list),
    aes_list
};