Move all the auxiliary cipher functions into a new module.

All those functions like aes256_encrypt_pubkey and des_decrypt_xdmauth
previously lived in the same source files as the ciphers they were
based on, and provided an alternative API to the internals of that
cipher's implementation. But there was no _need_ for them to have that
privileged access to the internals, because they didn't do anything
you couldn't access through the standard API. It was just a historical
oddity with no real benefit, whose main effect is to make refactoring
painful.

So now all of those functions live in a new file sshauxcrypt.c, and
they all work through the same vtable system as all other cipher
clients, by making an instance of the right cipher and configuring it
in the appropriate way. This should make them completely independent
of any internal changes to the cipher implementations they're based
on.

Recipe

@@ -254,7 +254,7 @@ ARITH    = mpint ecc
 SSHCRYPTO = ARITH sshmd5 sshsha sshsh256 sshsh512
 	 + sshrsa sshdss sshecc
          + sshdes sshblowf sshaes sshccp ssharcf
-         + sshdh sshcrc sshcrcda
+         + sshdh sshcrc sshcrcda sshauxcrypt
 SSHCOMMON = sshcommon sshrand SSHCRYPTO
          + sshverstring
          + sshpubk sshzlib
@@ -333,13 +333,13 @@ psftp    : [C] psftp winsftp wincons WINSSH BE_SSH SFTP wildcard WINMISC
 pageant  : [G] winpgnt pageant sshrsa sshpubk sshdes ARITH sshmd5 version
 	 + tree234 MISC sshaes sshsha winsecur winpgntc aqsync sshdss sshsh256
 	 + sshsh512 winutils sshecc winmisc winmiscs winhelp conf pageant.res
-	 + LIBS
+	 + sshauxcrypt LIBS
 
 puttygen : [G] winpgen sshrsag sshdssg sshprime sshdes ARITH sshmd5 version
          + sshrand winnoise sshsha winstore MISC winctrls sshrsa sshdss winmisc
          + sshpubk sshaes sshsh256 sshsh512 IMPORT winutils puttygen.res
          + tree234 notiming winhelp winnojmp CONF LIBS wintime sshecc
-         + sshecdsag winsecur winmiscs
+         + sshecdsag sshauxcrypt winsecur winmiscs
 
 pterm    : [X] GTKTERM uxmisc misc ldisc settings uxpty uxsel BE_NONE uxstore
          + uxsignal CHARSET cmdline uxpterm version time xpmpterm xpmptcfg
@@ -357,7 +357,7 @@ plink    : [U] uxplink uxcons NONSSH UXSSH U_BE_ALL logging UXMISC uxsignal
 PUTTYGEN_UNIX = sshrsag sshdssg sshprime sshdes ARITH sshmd5 version
          + sshrand uxnoise sshsha MISC sshrsa sshdss uxcons uxstore uxmisc
          + sshpubk sshaes sshsh256 sshsh512 IMPORT puttygen.res time tree234
-         + uxgen notiming CONF sshecc sshecdsag uxnogtk
+         + uxgen notiming CONF sshecc sshecdsag uxnogtk sshauxcrypt
 puttygen : [U] cmdgen PUTTYGEN_UNIX
 cgtest   : [UT] cgtest PUTTYGEN_UNIX
 
@@ -368,6 +368,7 @@ pageant  : [X] uxpgnt uxagentc aqsync pageant sshrsa sshpubk sshdes ARITH
 	 + sshmd5 version tree234 misc sshaes sshsha sshdss sshsh256 sshsh512
 	 + sshecc CONF uxsignal nocproxy nogss be_none x11fwd ux_x11 uxcons
          + gtkask gtkmisc nullplug logging UXMISC uxagentsock utils memory
+	 + sshauxcrypt
 
 ptermapp : [XT] GTKTERM uxmisc misc ldisc settings uxpty uxsel BE_NONE uxstore
          + uxsignal CHARSET uxpterm version time xpmpterm xpmptcfg

sshaes.c

@@ -1836,30 +1836,3 @@ STUB_ENC_DEC(192)
 STUB_ENC_DEC(256)
 
 #endif /* HW_AES */
-
-/* ----------------------------------------------------------------------
- * Auxiliary routines for use of AES in other contexts than the main
- * SSH packet protocol.
- */
-
-void aes256_encrypt_pubkey(const void *key, void *blk, int len)
-{
-    char iv[16];
-    memset(iv, 0, 16);
-    ssh_cipher *cipher = ssh_cipher_new(&ssh_aes256_cbc);
-    ssh_cipher_setkey(cipher, key);
-    ssh_cipher_setiv(cipher, iv);
-    ssh_cipher_encrypt(cipher, blk, len);
-    ssh_cipher_free(cipher);
-}
-
-void aes256_decrypt_pubkey(const void *key, void *blk, int len)
-{
-    char iv[16];
-    memset(iv, 0, 16);
-    ssh_cipher *cipher = ssh_cipher_new(&ssh_aes256_cbc);
-    ssh_cipher_setkey(cipher, key);
-    ssh_cipher_setiv(cipher, iv);
-    ssh_cipher_decrypt(cipher, blk, len);
-    ssh_cipher_free(cipher);
-}

sshauxcrypt.c

@@ -0,0 +1,152 @@
+/*
+ * sshauxcrypt.c: wrapper functions on ciphers for use in other
+ * contexts than the main SSH packet protocol, such as encrypting
+ * private key files and performing XDM-AUTHORIZATION-1.
+ *
+ * These all work through the standard cipher APIs, so they don't need
+ * to live in the same actual source files as the ciphers they wrap,
+ * and I think it keeps things tidier to have them out of the way here
+ * instead.
+ */
+
+#include "ssh.h"
+
+static ssh_cipher *aes256_pubkey_cipher(const void *key)
+{
+    /*
+     * PuTTY's own .PPK format for SSH-2 private key files is
+     * encrypted with 256-bit AES in CBC mode.
+     */
+    char iv[16];
+    memset(iv, 0, 16);
+    ssh_cipher *cipher = ssh_cipher_new(&ssh_aes256_cbc);
+    ssh_cipher_setkey(cipher, key);
+    ssh_cipher_setiv(cipher, iv);
+    return cipher;
+}
+
+void aes256_encrypt_pubkey(const void *key, void *blk, int len)
+{
+    ssh_cipher *c = aes256_pubkey_cipher(key);
+    ssh_cipher_encrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+
+void aes256_decrypt_pubkey(const void *key, void *blk, int len)
+{
+    ssh_cipher *c = aes256_pubkey_cipher(key);
+    ssh_cipher_decrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+
+static ssh_cipher *des3_pubkey_cipher(const void *vkey)
+{
+    /*
+     * SSH-1 private key files are encrypted with triple-DES in SSH-1
+     * style (three separate CBC layers), but the same key is used for
+     * the first and third layers.
+     */
+    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh1);
+    uint8_t keys3[24], iv[8];
+
+    memcpy(keys3, vkey, 16);
+    memcpy(keys3 + 16, vkey, 8);
+    ssh_cipher_setkey(c, keys3);
+    smemclr(keys3, sizeof(keys3));
+
+    memset(iv, 0, 8);
+    ssh_cipher_setiv(c, iv);
+
+    return c;
+}
+
+void des3_decrypt_pubkey(const void *vkey, void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_cipher(vkey);
+    ssh_cipher_decrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+void des3_encrypt_pubkey(const void *vkey, void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_cipher(vkey);
+    ssh_cipher_encrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+static ssh_cipher *des3_pubkey_ossh_cipher(const void *vkey, const void *viv)
+{
+    /*
+     * OpenSSH PEM private key files are encrypted with triple-DES in
+     * SSH-2 style (one CBC layer), with three distinct keys, and an
+     * IV also generated from the passphrase.
+     */
+    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh2);
+    ssh_cipher_setkey(c, vkey);
+    ssh_cipher_setiv(c, viv);
+    return c;
+}
+
+void des3_decrypt_pubkey_ossh(const void *vkey, const void *viv,
+			      void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
+    ssh_cipher_decrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+void des3_encrypt_pubkey_ossh(const void *vkey, const void *viv,
+			      void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
+    ssh_cipher_encrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+static ssh_cipher *des_xdmauth_cipher(const void *vkeydata)
+{
+    /*
+     * XDM-AUTHORIZATION-1 uses single-DES, but packs the key into 7
+     * bytes, so here we have to repack it manually into the canonical
+     * form where it occupies 8 bytes each with the low bit unused.
+     */
+    const unsigned char *keydata = (const unsigned char *)vkeydata;
+    unsigned char key[8];
+    int i, nbits, j;
+    unsigned int bits;
+
+    bits = 0;
+    nbits = 0;
+    j = 0;
+    for (i = 0; i < 8; i++) {
+	if (nbits < 7) {
+	    bits = (bits << 8) | keydata[j];
+	    nbits += 8;
+	    j++;
+	}
+	key[i] = (bits >> (nbits - 7)) << 1;
+	bits &= ~(0x7F << (nbits - 7));
+	nbits -= 7;
+    }
+
+    ssh_cipher *c = ssh_cipher_new(&ssh_des);
+    ssh_cipher_setkey(c, key);
+    smemclr(key, sizeof(key));
+    ssh_cipher_setiv(c, key);
+    return c;
+}
+
+void des_encrypt_xdmauth(const void *keydata, void *blk, int len)
+{
+    ssh_cipher *c = des_xdmauth_cipher(keydata);
+    ssh_cipher_encrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+
+void des_decrypt_xdmauth(const void *keydata, void *blk, int len)
+{
+    ssh_cipher *c = des_xdmauth_cipher(keydata);
+    ssh_cipher_decrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+

sshdes.c

@@ -927,112 +927,6 @@ static void des_decrypt_blk(ssh_cipher *cipher, void *blk, int len)
     des_cbc_decrypt(blk, len, &ctx->context);
 }
 
-void des3_decrypt_pubkey(const void *vkey, void *vblk, int len)
-{
-    const unsigned char *key = (const unsigned char *)vkey;
-    unsigned char *blk = (unsigned char *)vblk;
-    DESContext ourkeys[3];
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[0]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 8),
-		  GET_32BIT_MSB_FIRST(key + 12), &ourkeys[1]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[2]);
-    des_3cbc_decrypt(blk, len, ourkeys);
-    smemclr(ourkeys, sizeof(ourkeys));
-}
-
-void des3_encrypt_pubkey(const void *vkey, void *vblk, int len)
-{
-    const unsigned char *key = (const unsigned char *)vkey;
-    unsigned char *blk = (unsigned char *)vblk;
-    DESContext ourkeys[3];
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[0]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 8),
-		  GET_32BIT_MSB_FIRST(key + 12), &ourkeys[1]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[2]);
-    des_3cbc_encrypt(blk, len, ourkeys);
-    smemclr(ourkeys, sizeof(ourkeys));
-}
-
-void des3_decrypt_pubkey_ossh(const void *vkey, const void *viv,
-			      void *vblk, int len)
-{
-    const unsigned char *key = (const unsigned char *)vkey;
-    const unsigned char *iv = (const unsigned char *)viv;
-    unsigned char *blk = (unsigned char *)vblk;
-    DESContext ourkeys[3];
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[0]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 8),
-		  GET_32BIT_MSB_FIRST(key + 12), &ourkeys[1]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 16),
-		  GET_32BIT_MSB_FIRST(key + 20), &ourkeys[2]);
-    ourkeys[0].iv0 = GET_32BIT_MSB_FIRST(iv);
-    ourkeys[0].iv1 = GET_32BIT_MSB_FIRST(iv+4);
-    des_cbc3_decrypt(blk, len, ourkeys);
-    smemclr(ourkeys, sizeof(ourkeys));
-}
-
-void des3_encrypt_pubkey_ossh(const void *vkey, const void *viv,
-			      void *vblk, int len)
-{
-    const unsigned char *key = (const unsigned char *)vkey;
-    const unsigned char *iv = (const unsigned char *)viv;
-    unsigned char *blk = (unsigned char *)vblk;
-    DESContext ourkeys[3];
-    des_key_setup(GET_32BIT_MSB_FIRST(key),
-		  GET_32BIT_MSB_FIRST(key + 4), &ourkeys[0]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 8),
-		  GET_32BIT_MSB_FIRST(key + 12), &ourkeys[1]);
-    des_key_setup(GET_32BIT_MSB_FIRST(key + 16),
-		  GET_32BIT_MSB_FIRST(key + 20), &ourkeys[2]);
-    ourkeys[0].iv0 = GET_32BIT_MSB_FIRST(iv);
-    ourkeys[0].iv1 = GET_32BIT_MSB_FIRST(iv+4);
-    des_cbc3_encrypt(blk, len, ourkeys);
-    smemclr(ourkeys, sizeof(ourkeys));
-}
-
-static void des_keysetup_xdmauth(const void *vkeydata, DESContext *dc)
-{
-    const unsigned char *keydata = (const unsigned char *)vkeydata;
-    unsigned char key[8];
-    int i, nbits, j;
-    unsigned int bits;
-
-    bits = 0;
-    nbits = 0;
-    j = 0;
-    for (i = 0; i < 8; i++) {
-	if (nbits < 7) {
-	    bits = (bits << 8) | keydata[j];
-	    nbits += 8;
-	    j++;
-	}
-	key[i] = (bits >> (nbits - 7)) << 1;
-	bits &= ~(0x7F << (nbits - 7));
-	nbits -= 7;
-    }
-
-    des_key_setup(GET_32BIT_MSB_FIRST(key), GET_32BIT_MSB_FIRST(key + 4), dc);
-}
-
-void des_encrypt_xdmauth(const void *keydata, void *blk, int len)
-{
-    DESContext dc;
-    des_keysetup_xdmauth(keydata, &dc);
-    des_cbc_encrypt(blk, len, &dc);
-}
-
-void des_decrypt_xdmauth(const void *keydata, void *blk, int len)
-{
-    DESContext dc;
-    des_keysetup_xdmauth(keydata, &dc);
-    des_cbc_decrypt(blk, len, &dc);
-}
-
 const ssh_cipheralg ssh_3des_ssh2 = {
     des3_ssh2_new, des3_ssh2_free, des3_ssh2_setiv, des3_ssh2_setkey,
     des3_ssh2_encrypt_blk, des3_ssh2_decrypt_blk, NULL, NULL,