Move crypto into its own subdirectory.

Similarly to 'utils', I've moved all the stuff in the crypto
build-time library into a source directory of its own, and while I'm
at it, split up the monolithic sshauxcrypt.c into its various
unrelated parts.

This is also an opportunity to remove the annoying 'ssh' prefix from
the front of the file names, and give several of them less cryptic
names.

CMakeLists.txt

@@ -23,15 +23,8 @@ add_library(settings STATIC
   cmdline.c settings.c)
 
 add_library(crypto STATIC
-  sshaes.c sshauxcrypt.c sshdes.c sshdss.c sshecc.c sshhmac.c sshmd5.c sshrsa.c
-  sshsh256.c sshsh512.c sshsha.c sshsha3.c
-  ecc.c mpint.c
-  sshprng.c
-  sshcrc.c
-  sshdh.c sshmac.c
-  ssharcf.c sshblowf.c sshccp.c
-  sshblake2.c sshargon2.c sshbcrypt.c
   cproxy.c)
+add_subdirectory(crypto)
 
 add_library(network STATIC
   be_misc.c nullplug.c errsock.c proxy.c logging.c x11disp.c)

crypto/CMakeLists.txt

@@ -0,0 +1,30 @@
+add_sources_from_current_dir(crypto
+  aes.c
+  arcfour.c
+  argon2.c
+  bcrypt.c
+  blake2.c
+  blowfish.c
+  chacha20-poly1305.c
+  crc32.c
+  des.c
+  diffie-hellman.c
+  dsa.c
+  ecc-arithmetic.c
+  ecc-ssh.c
+  hash_simple.c
+  hmac.c
+  mac.c
+  mac_simple.c
+  md5.c
+  mpint.c
+  prng.c
+  pubkey-pem.c
+  pubkey-ppk.c
+  pubkey-ssh1.c
+  rsa.c
+  sha256.c
+  sha512.c
+  sha3.c
+  sha1.c
+  xdmauth.c)

crypto/aes.c

@@ -1,5 +1,5 @@
 /*
- * sshaes.c - implementation of AES
+ * Implementation of AES.
  */
 
 #include <assert.h>

crypto/crc32.c

@@ -1,6 +1,11 @@
 /*
  * CRC32 implementation, as used in SSH-1.
  *
+ * (This is not, of course, a cryptographic function! It lives in the
+ * 'crypto' directory because SSH-1 uses it _as if_ it was crypto: it
+ * handles sensitive data, and we implement it with care for side
+ * channels.)
+ *
  * This particular form of the CRC uses the polynomial
  * P(x) = x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x^1+1
  * and represents polynomials in bit-reversed form, so that the x^0

crypto/des.c

@@ -1,5 +1,5 @@
 /*
- * sshdes.c: implementation of DES.
+ * Implementation of DES.
  */
 
 /*

crypto/dsa.c

@@ -1,5 +1,5 @@
 /*
- * Digital Signature Standard implementation for PuTTY.
+ * Digital Signature Algorithm implementation for PuTTY.
  */
 
 #include <stdio.h>

crypto/ecc-arithmetic.c

@@ -1,3 +1,7 @@
+/*
+ * Basic arithmetic for elliptic curves, implementing ecc.h.
+ */
+
 #include <assert.h>
 
 #include "ssh.h"

crypto/ecc-ssh.c

@@ -1,13 +1,5 @@
 /*
- * Elliptic-curve crypto module for PuTTY
- * Implements the three required curves, no optional curves
- *
- * NOTE: Only curves on prime field are handled by the maths functions
- *       in Weierstrass form using Jacobian co-ordinates.
- *
- *       Montgomery form curves are supported for DH. (Curve25519)
- *
- *       Edwards form curves are supported for DSA. (Ed25519, Ed448)
+ * Elliptic-curve signing and key exchange for PuTTY's SSH layer.
  */
 
 /*

crypto/hash_simple.c

@@ -0,0 +1,13 @@
+/*
+ * Convenience function to hash a single piece of data, wrapping up
+ * the faff of making and freeing an ssh_hash.
+ */
+
+#include "ssh.h"
+
+void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output)
+{
+    ssh_hash *hash = ssh_hash_new(alg);
+    put_datapl(hash, data);
+    ssh_hash_final(hash, output);
+}

crypto/mac_simple.c

@@ -0,0 +1,16 @@
+/*
+ * Convenience function to MAC a single piece of data, wrapping up
+ * the faff of making and freeing an ssh_mac.
+ */
+
+#include "ssh.h"
+
+void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output)
+{
+    ssh2_mac *mac = ssh2_mac_new(alg, NULL);
+    ssh2_mac_setkey(mac, key);
+    ssh2_mac_start(mac);
+    put_datapl(mac, data);
+    ssh2_mac_genresult(mac, output);
+    ssh2_mac_free(mac);
+}

crypto/mpint.c

@@ -1,3 +1,7 @@
+/*
+ * Multiprecision integer arithmetic, implementing mpint.h.
+ */
+
 #include <assert.h>
 #include <limits.h>
 #include <stdio.h>

crypto/prng.c

@@ -1,5 +1,5 @@
 /*
- * sshprng.c: PuTTY's cryptographic pseudorandom number generator.
+ * PuTTY's cryptographic pseudorandom number generator.
  *
  * This module just defines the PRNG object type and its methods. The
  * usual global instance of it is managed by sshrand.c.

crypto/pubkey-pem.c

@@ -0,0 +1,32 @@
+/*
+ * Convenience functions to encrypt and decrypt OpenSSH PEM format for
+ * SSH-2 private key files. This uses triple-DES in SSH-2 style (one
+ * CBC layer), with three distinct keys, and an IV also generated from
+ * the passphrase.
+ */
+
+#include "ssh.h"
+
+static ssh_cipher *des3_pubkey_ossh_cipher(const void *vkey, const void *viv)
+{
+    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh2);
+    ssh_cipher_setkey(c, vkey);
+    ssh_cipher_setiv(c, viv);
+    return c;
+}
+
+void des3_decrypt_pubkey_ossh(const void *vkey, const void *viv,
+                              void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
+    ssh_cipher_decrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+void des3_encrypt_pubkey_ossh(const void *vkey, const void *viv,
+                              void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
+    ssh_cipher_encrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}

crypto/pubkey-ppk.c

@@ -0,0 +1,29 @@
+/*
+ * Convenience functions to encrypt and decrypt PuTTY's own .PPK
+ * format for SSH-2 private key files, which uses 256-bit AES in CBC
+ * mode.
+ */
+
+#include "ssh.h"
+
+static ssh_cipher *aes256_pubkey_cipher(const void *key, const void *iv)
+{
+    ssh_cipher *cipher = ssh_cipher_new(&ssh_aes256_cbc);
+    ssh_cipher_setkey(cipher, key);
+    ssh_cipher_setiv(cipher, iv);
+    return cipher;
+}
+
+void aes256_encrypt_pubkey(const void *key, const void *iv, void *blk, int len)
+{
+    ssh_cipher *c = aes256_pubkey_cipher(key, iv);
+    ssh_cipher_encrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+
+void aes256_decrypt_pubkey(const void *key, const void *iv, void *blk, int len)
+{
+    ssh_cipher *c = aes256_pubkey_cipher(key, iv);
+    ssh_cipher_decrypt(c, blk, len);
+    ssh_cipher_free(c);
+}

crypto/pubkey-ssh1.c

@@ -0,0 +1,38 @@
+/*
+ * Convenience functions to encrypt and decrypt the standard format
+ * for SSH-1 private key files. This uses triple-DES in SSH-1 style
+ * (three separate CBC layers), but the same key is used for the first
+ * and third layers.CBC mode.
+ */
+
+#include "ssh.h"
+
+static ssh_cipher *des3_pubkey_cipher(const void *vkey)
+{
+    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh1);
+    uint8_t keys3[24], iv[8];
+
+    memcpy(keys3, vkey, 16);
+    memcpy(keys3 + 16, vkey, 8);
+    ssh_cipher_setkey(c, keys3);
+    smemclr(keys3, sizeof(keys3));
+
+    memset(iv, 0, 8);
+    ssh_cipher_setiv(c, iv);
+
+    return c;
+}
+
+void des3_decrypt_pubkey(const void *vkey, void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_cipher(vkey);
+    ssh_cipher_decrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}
+
+void des3_encrypt_pubkey(const void *vkey, void *vblk, int len)
+{
+    ssh_cipher *c = des3_pubkey_cipher(vkey);
+    ssh_cipher_encrypt(c, vblk, len);
+    ssh_cipher_free(c);
+}

crypto/xdmauth.c

@@ -0,0 +1,53 @@
+/*
+ * Convenience functions to encrypt and decrypt the cookies used in
+ * XDM-AUTHORIZATION-1. 
+ */
+
+#include "ssh.h"
+
+static ssh_cipher *des_xdmauth_cipher(const void *vkeydata)
+{
+    /*
+     * XDM-AUTHORIZATION-1 uses single-DES, but packs the key into 7
+     * bytes, so here we have to repack it manually into the canonical
+     * form where it occupies 8 bytes each with the low bit unused.
+     */
+    const unsigned char *keydata = (const unsigned char *)vkeydata;
+    unsigned char key[8];
+    int i, nbits, j;
+    unsigned int bits;
+
+    bits = 0;
+    nbits = 0;
+    j = 0;
+    for (i = 0; i < 8; i++) {
+        if (nbits < 7) {
+            bits = (bits << 8) | keydata[j];
+            nbits += 8;
+            j++;
+        }
+        key[i] = (bits >> (nbits - 7)) << 1;
+        bits &= ~(0x7F << (nbits - 7));
+        nbits -= 7;
+    }
+
+    ssh_cipher *c = ssh_cipher_new(&ssh_des);
+    ssh_cipher_setkey(c, key);
+    smemclr(key, sizeof(key));
+    ssh_cipher_setiv(c, key);
+    return c;
+}
+
+void des_encrypt_xdmauth(const void *keydata, void *blk, int len)
+{
+    ssh_cipher *c = des_xdmauth_cipher(keydata);
+    ssh_cipher_encrypt(c, blk, len);
+    ssh_cipher_free(c);
+}
+
+void des_decrypt_xdmauth(const void *keydata, void *blk, int len)
+{
+    ssh_cipher *c = des_xdmauth_cipher(keydata);
+    ssh_cipher_decrypt(c, blk, len);
+    ssh_cipher_free(c);
+}

sshauxcrypt.c

@@ -1,166 +0,0 @@
-/*
- * sshauxcrypt.c: wrapper functions on crypto primitives for use in
- * other contexts than the main SSH packet protocol, such as
- * encrypting private key files and performing XDM-AUTHORIZATION-1.
- *
- * These all work through the standard cipher/hash/MAC APIs, so they
- * don't need to live in the same actual source files as the ciphers
- * they wrap, and I think it keeps things tidier to have them out of
- * the way here instead.
- */
-
-#include "ssh.h"
-
-static ssh_cipher *aes256_pubkey_cipher(const void *key, const void *iv)
-{
-    /*
-     * PuTTY's own .PPK format for SSH-2 private key files is
-     * encrypted with 256-bit AES in CBC mode.
-     */
-    ssh_cipher *cipher = ssh_cipher_new(&ssh_aes256_cbc);
-    ssh_cipher_setkey(cipher, key);
-    ssh_cipher_setiv(cipher, iv);
-    return cipher;
-}
-
-void aes256_encrypt_pubkey(const void *key, const void *iv, void *blk, int len)
-{
-    ssh_cipher *c = aes256_pubkey_cipher(key, iv);
-    ssh_cipher_encrypt(c, blk, len);
-    ssh_cipher_free(c);
-}
-
-void aes256_decrypt_pubkey(const void *key, const void *iv, void *blk, int len)
-{
-    ssh_cipher *c = aes256_pubkey_cipher(key, iv);
-    ssh_cipher_decrypt(c, blk, len);
-    ssh_cipher_free(c);
-}
-
-static ssh_cipher *des3_pubkey_cipher(const void *vkey)
-{
-    /*
-     * SSH-1 private key files are encrypted with triple-DES in SSH-1
-     * style (three separate CBC layers), but the same key is used for
-     * the first and third layers.
-     */
-    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh1);
-    uint8_t keys3[24], iv[8];
-
-    memcpy(keys3, vkey, 16);
-    memcpy(keys3 + 16, vkey, 8);
-    ssh_cipher_setkey(c, keys3);
-    smemclr(keys3, sizeof(keys3));
-
-    memset(iv, 0, 8);
-    ssh_cipher_setiv(c, iv);
-
-    return c;
-}
-
-void des3_decrypt_pubkey(const void *vkey, void *vblk, int len)
-{
-    ssh_cipher *c = des3_pubkey_cipher(vkey);
-    ssh_cipher_decrypt(c, vblk, len);
-    ssh_cipher_free(c);
-}
-
-void des3_encrypt_pubkey(const void *vkey, void *vblk, int len)
-{
-    ssh_cipher *c = des3_pubkey_cipher(vkey);
-    ssh_cipher_encrypt(c, vblk, len);
-    ssh_cipher_free(c);
-}
-
-static ssh_cipher *des3_pubkey_ossh_cipher(const void *vkey, const void *viv)
-{
-    /*
-     * OpenSSH PEM private key files are encrypted with triple-DES in
-     * SSH-2 style (one CBC layer), with three distinct keys, and an
-     * IV also generated from the passphrase.
-     */
-    ssh_cipher *c = ssh_cipher_new(&ssh_3des_ssh2);
-    ssh_cipher_setkey(c, vkey);
-    ssh_cipher_setiv(c, viv);
-    return c;
-}
-
-void des3_decrypt_pubkey_ossh(const void *vkey, const void *viv,
-                              void *vblk, int len)
-{
-    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
-    ssh_cipher_decrypt(c, vblk, len);
-    ssh_cipher_free(c);
-}
-
-void des3_encrypt_pubkey_ossh(const void *vkey, const void *viv,
-                              void *vblk, int len)
-{
-    ssh_cipher *c = des3_pubkey_ossh_cipher(vkey, viv);
-    ssh_cipher_encrypt(c, vblk, len);
-    ssh_cipher_free(c);
-}
-
-static ssh_cipher *des_xdmauth_cipher(const void *vkeydata)
-{
-    /*
-     * XDM-AUTHORIZATION-1 uses single-DES, but packs the key into 7
-     * bytes, so here we have to repack it manually into the canonical
-     * form where it occupies 8 bytes each with the low bit unused.
-     */
-    const unsigned char *keydata = (const unsigned char *)vkeydata;
-    unsigned char key[8];
-    int i, nbits, j;
-    unsigned int bits;
-
-    bits = 0;
-    nbits = 0;
-    j = 0;
-    for (i = 0; i < 8; i++) {
-        if (nbits < 7) {
-            bits = (bits << 8) | keydata[j];
-            nbits += 8;
-            j++;
-        }
-        key[i] = (bits >> (nbits - 7)) << 1;
-        bits &= ~(0x7F << (nbits - 7));
-        nbits -= 7;
-    }
-
-    ssh_cipher *c = ssh_cipher_new(&ssh_des);
-    ssh_cipher_setkey(c, key);
-    smemclr(key, sizeof(key));
-    ssh_cipher_setiv(c, key);
-    return c;
-}
-
-void des_encrypt_xdmauth(const void *keydata, void *blk, int len)
-{
-    ssh_cipher *c = des_xdmauth_cipher(keydata);
-    ssh_cipher_encrypt(c, blk, len);
-    ssh_cipher_free(c);
-}
-
-void des_decrypt_xdmauth(const void *keydata, void *blk, int len)
-{
-    ssh_cipher *c = des_xdmauth_cipher(keydata);
-    ssh_cipher_decrypt(c, blk, len);
-    ssh_cipher_free(c);
-}
-
-void hash_simple(const ssh_hashalg *alg, ptrlen data, void *output)
-{
-    ssh_hash *hash = ssh_hash_new(alg);
-    put_datapl(hash, data);
-    ssh_hash_final(hash, output);
-}
-
-void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output)
-{
-    ssh2_mac *mac = ssh2_mac_new(alg, NULL);
-    ssh2_mac_setkey(mac, key);
-    ssh2_mac_start(mac);
-    put_datapl(mac, data);
-    ssh2_mac_genresult(mac, output);
-    ssh2_mac_free(mac);
-}