SSH2 transport layer now enables encryption and MAC successfully for 3DES

[originally from svn r571]

ssh.c

@@ -88,11 +88,12 @@ enum { PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR };
 #define crWaitUntil(c)	do { crReturn(0); } while (!(c))
 
 extern struct ssh_cipher ssh_3des;
+extern struct ssh_cipher ssh_3des_ssh2;
 extern struct ssh_cipher ssh_des;
 extern struct ssh_cipher ssh_blowfish;
 
 /* for ssh 2; we miss out single-DES because it isn't supported */
-struct ssh_cipher *ciphers[] = { &ssh_3des, &ssh_blowfish };
+struct ssh_cipher *ciphers[] = { &ssh_3des_ssh2, &ssh_blowfish };
 
 extern struct ssh_kex ssh_diffiehellman;
 struct ssh_kex *kex_algs[] = { &ssh_diffiehellman };
@@ -408,8 +409,9 @@ next_packet:
     /*
      * Check the MAC.
      */
-    if (scmac && !scmac->verify(pktin.data, incoming_sequence++, len+4))
+    if (scmac && !scmac->verify(pktin.data, len+4, incoming_sequence))
 	fatalbox("Incorrect MAC received on packet");
+    incoming_sequence++;               /* whether or not we MACed */
 
     pktin.savedpos = 6;
     pktin.type = pktin.data[5];
@@ -1207,7 +1209,7 @@ void ssh2_pkt_addmp(Bignum b) {
 }
 void ssh2_pkt_send(void) {
     int cipherblk, maclen, padding, i;
-    unsigned long outgoing_sequence = 0;
+    static unsigned long outgoing_sequence = 0;
 
     /*
      * Add padding. At least four bytes, and must also bring total
@@ -1222,8 +1224,9 @@ void ssh2_pkt_send(void) {
         pktout.data[pktout.length + i] = random_byte();
     PUT_32BIT(pktout.data, pktout.length + padding - 4);
     if (csmac)
-        csmac->generate(pktout.data, outgoing_sequence++,
-                      pktout.length + padding);
+        csmac->generate(pktout.data, pktout.length + padding,
+                        outgoing_sequence);
+    outgoing_sequence++;               /* whether or not we MACed */
     if (cscipher)
         cscipher->encrypt(pktout.data, pktout.length + padding);
     maclen = csmac ? csmac->len : 0;
@@ -1584,6 +1587,14 @@ static int do_ssh2_kex(unsigned char *in, int inlen, int ispkt)
     ssh2_mkkey(K, exchange_hash, 'E', keyspace); csmac->setcskey(keyspace);
     ssh2_mkkey(K, exchange_hash, 'F', keyspace); scmac->setsckey(keyspace);
 
+    /*
+     * Now we're encrypting. Send a test packet (FIXME).
+     */
+    crWaitUntil(!ispkt);
+    ssh2_pkt_init(SSH2_MSG_IGNORE);
+    ssh2_pkt_addstring("oo-er");
+    ssh2_pkt_send();
+
     crWaitUntil(0);
 
     crFinish(1);

sshdes.c

@@ -1,6 +1,10 @@
 #include <assert.h>
+#include <stdarg.h> /* FIXME */
+#include <windows.h> /* FIXME */
+#include "putty.h" /* FIXME */
 #include "ssh.h"
 
+
 /* des.c - implementation of DES
  */
 
@@ -655,6 +659,30 @@ static void des_3cbc_encrypt(unsigned char *dest, const unsigned char *src,
     des_cbc_encrypt(dest, src, len, &scheds[2]);
 }
 
+static void des_cbc3_encrypt(unsigned char *dest, const unsigned char *src,
+                             unsigned int len, DESContext *scheds) {
+    word32 out[2], iv0, iv1;
+    unsigned int i;
+
+    assert((len & 7) == 0);
+
+    iv0 = scheds->eiv0;
+    iv1 = scheds->eiv1;
+    for (i = 0; i < len; i += 8) {
+        iv0 ^= GET_32BIT_MSB_FIRST(src); src += 4;
+        iv1 ^= GET_32BIT_MSB_FIRST(src); src += 4;
+        des_encipher(out, iv0, iv1, &scheds[0]);
+        des_decipher(out, out[0], out[1], &scheds[1]);
+        des_encipher(out, out[0], out[1], &scheds[2]);
+        iv0 = out[0];
+        iv1 = out[1];
+        PUT_32BIT_MSB_FIRST(dest, iv0); dest += 4;
+        PUT_32BIT_MSB_FIRST(dest, iv1); dest += 4;
+    }
+    scheds->eiv0 = iv0;
+    scheds->eiv1 = iv1;
+}
+
 static void des_3cbc_decrypt(unsigned char *dest, const unsigned char *src,
                              unsigned int len, DESContext *scheds) {
     des_cbc_decrypt(dest, src, len, &scheds[2]);
@@ -662,6 +690,32 @@ static void des_3cbc_decrypt(unsigned char *dest, const unsigned char *src,
     des_cbc_decrypt(dest, src, len, &scheds[0]);
 }
 
+static void des_cbc3_decrypt(unsigned char *dest, const unsigned char *src,
+                             unsigned int len, DESContext *scheds) {
+    word32 out[2], iv0, iv1, xL, xR;
+    unsigned int i;
+
+    assert((len & 7) == 0);
+
+    iv0 = scheds->div0;
+    iv1 = scheds->div1;
+    for (i = 0; i < len; i += 8) {
+        xL = GET_32BIT_MSB_FIRST(src); src += 4;
+        xR = GET_32BIT_MSB_FIRST(src); src += 4;
+        des_decipher(out, xL, xR, &scheds[2]);
+        des_encipher(out, out[0], out[1], &scheds[1]);
+        des_decipher(out, out[0], out[1], &scheds[0]);
+        iv0 ^= out[0];
+        iv1 ^= out[1];
+        PUT_32BIT_MSB_FIRST(dest, iv0); dest += 4;
+        PUT_32BIT_MSB_FIRST(dest, iv1); dest += 4;
+        iv0 = xL;
+        iv1 = xR;
+    }
+    scheds->div0 = iv0;
+    scheds->div1 = iv1;
+}
+
 static DESContext cskeys[3], sckeys[3];
 
 static void des3_cskey(unsigned char *key) {
@@ -707,10 +761,27 @@ static void des3_decrypt_blk(unsigned char *blk, int len) {
     des_3cbc_decrypt(blk, blk, len, sckeys);
 }
 
-struct ssh_cipher ssh_3des = {
-    des3_sesskey,
+static void des3_ssh2_encrypt_blk(unsigned char *blk, int len) {
+    des_cbc3_encrypt(blk, blk, len, cskeys);
+}
+
+static void des3_ssh2_decrypt_blk(unsigned char *blk, int len) {
+    des_cbc3_decrypt(blk, blk, len, sckeys);
+}
+
+struct ssh_cipher ssh_3des_ssh2 = {
+    NULL,
     des3_csiv, des3_cskey,
     des3_sciv, des3_sckey,
+    des3_ssh2_encrypt_blk,
+    des3_ssh2_decrypt_blk,
+    "3des-cbc",
+    8
+};
+
+struct ssh_cipher ssh_3des = {
+    des3_sesskey,
+    NULL, NULL, NULL, NULL,
     des3_encrypt_blk,
     des3_decrypt_blk,
     "3des-cbc",

sshsha.c

@@ -1,3 +1,7 @@
+#include <stdarg.h> /* FIXME */
+#include <windows.h> /* FIXME */
+#include "putty.h" /* FIXME */
+
 /*
  * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is
  * also used as a `stirring' function for the PuTTY random number
@@ -177,6 +181,11 @@ static void sha1_key(SHA_State *s1, SHA_State *s2,
                      unsigned char *key, int len) {
     unsigned char foo[64];
     int i;
+    {int j;
+        debug(("Key supplied is:\r\n"));
+        for (j=0; j<len; j++) debug(("  %02X", key[j]));
+        debug(("\r\n"));
+    }
 
     memset(foo, 0x36, 64);
     for (i = 0; i < len && i < 64; i++)
@@ -222,12 +231,32 @@ static void sha1_do_hmac(SHA_State *s1, SHA_State *s2,
 }
 
 static void sha1_generate(unsigned char *blk, int len, unsigned long seq) {
+    {int i;
+        debug(("Gen HMAC on block len=%d seq=%d:\r\n", len, seq));
+        for (i=0; i<len; i++) debug(("  %02X", blk[i]));
+        debug(("\r\n"));
+    }
     sha1_do_hmac(&sha1_cs_mac_s1, &sha1_cs_mac_s2, blk, len, seq, blk+len);
+    {int i;
+        debug(("We compute HMAC as:\r\n"));
+        for (i=0; i<20; i++) debug(("  %02X", blk[len+i]));
+        debug(("\r\n"));
+    }
 }
 
 static int sha1_verify(unsigned char *blk, int len, unsigned long seq) {
     unsigned char correct[20];
+    {int i;
+        debug(("HMAC on block len=%d seq=%d:\r\n", len, seq));
+        for (i=0; i<len; i++) debug(("  %02X", blk[i]));
+        debug(("\r\n"));
+    }
     sha1_do_hmac(&sha1_sc_mac_s1, &sha1_sc_mac_s2, blk, len, seq, correct);
+    {int i;
+        debug(("We compute HMAC as:\r\n"));
+        for (i=0; i<20; i++) debug(("  %02X", correct[i]));
+        debug(("\r\n"));
+    }
     return !memcmp(correct, blk+len, 20);
 }