Decrypt should take into account *manual* padding for length of inputBuffer passed to DecryptBlock and unpadding for the final output if padding is not specified and mode is CFB or OFB.

scott-xu · scott-xu · commit 0303aa9470fc · 2024-11-30T16:10:32.000+08:00
diff --git a/src/Renci.SshNet/PrivateKeyFile.PKCS1.cs b/src/Renci.SshNet/PrivateKeyFile.PKCS1.cs
@@ -56,7 +56,7 @@ public Key Parse()
                             cipher = new CipherInfo(192, (key, iv) => new TripleDesCipher(key, new CbcCipherMode(iv), new PKCS7Padding()));
                             break;
                         case "DES-EDE3-CFB":
-                            cipher = new CipherInfo(192, (key, iv) => new TripleDesCipher(key, new CfbCipherMode(iv), new PKCS7Padding()));
+                            cipher = new CipherInfo(192, (key, iv) => new TripleDesCipher(key, new CfbCipherMode(iv), padding: null));
                             break;
                         case "DES-CBC":
                             cipher = new CipherInfo(64, (key, iv) => new DesCipher(key, new CbcCipherMode(iv), new PKCS7Padding()));
diff --git a/src/Renci.SshNet/PrivateKeyFile.SSHCOM.cs b/src/Renci.SshNet/PrivateKeyFile.SSHCOM.cs
@@ -8,7 +8,6 @@
 using Renci.SshNet.Security;
 using Renci.SshNet.Security.Cryptography.Ciphers;
 using Renci.SshNet.Security.Cryptography.Ciphers.Modes;
-using Renci.SshNet.Security.Cryptography.Ciphers.Paddings;
 
 namespace Renci.SshNet
 {
@@ -52,7 +51,7 @@ public Key Parse()
                     }
 
                     var key = GetCipherKey(_passPhrase, 192 / 8);
-                    var ssh2Сipher = new TripleDesCipher(key, new CbcCipherMode(new byte[8]), new PKCS7Padding());
+                    var ssh2Сipher = new TripleDesCipher(key, new CbcCipherMode(new byte[8]), padding: null);
                     keyData = ssh2Сipher.Decrypt(reader.ReadBytes(blobSize));
                 }
                 else
diff --git a/src/Renci.SshNet/Security/Cryptography/BlockCipher.cs b/src/Renci.SshNet/Security/Cryptography/BlockCipher.cs
@@ -2,7 +2,9 @@
 
 using Org.BouncyCastle.Crypto.Paddings;
 
+using Renci.SshNet.Common;
 using Renci.SshNet.Security.Cryptography.Ciphers;
+using Renci.SshNet.Security.Cryptography.Ciphers.Modes;
 using Renci.SshNet.Security.Cryptography.Ciphers.Paddings;
 
 namespace Renci.SshNet.Security.Cryptography
@@ -87,7 +89,18 @@ public override byte[] Encrypt(byte[] input, int offset, int length)
             }
             else if (length % _blockSize > 0)
             {
-                throw new ArgumentException(string.Format("The data block size is incorrect for {0}.", GetType().Name), "data");
+                if (_mode is CfbCipherMode or OfbCipherMode)
+                {
+                    var paddingLength = _blockSize - (length % _blockSize);
+                    input = input.Take(offset, length);
+                    Array.Resize(ref input, length + paddingLength);
+                    length += paddingLength;
+                    offset = 0;
+                }
+                else
+                {
+                    throw new ArgumentException(string.Format("The data block size is incorrect for {0}.", GetType().Name), "data");
+                }
             }
 
             var output = new byte[length];
@@ -124,16 +137,21 @@ public override byte[] Encrypt(byte[] input, int offset, int length)
         /// </returns>
         public override byte[] Decrypt(byte[] input, int offset, int length)
         {
+            var paddingLength = 0;
             if (length % _blockSize > 0)
             {
-                if (_padding is null)
+                if (_padding is null && _mode is CfbCipherMode or OfbCipherMode)
+                {
+                    paddingLength = _blockSize - (length % _blockSize);
+                    input = input.Take(offset, length);
+                    length += paddingLength;
+                    Array.Resize(ref input, length);
+                    offset = 0;
+                }
+                else
                 {
                     throw new ArgumentException(string.Format("The data block size is incorrect for {0}.", GetType().Name), "data");
                 }
-
-                input = _padding.Pad(_blockSize, input, offset, length);
-                offset = 0;
-                length = input.Length;
             }
 
             var output = new byte[length];
@@ -158,7 +176,11 @@ public override byte[] Decrypt(byte[] input, int offset, int length)
 
             if (_padding is PKCS7Padding)
             {
-                var paddingLength = new Pkcs7Padding().PadCount(output);
+                paddingLength = new Pkcs7Padding().PadCount(output);
+            }
+
+            if (paddingLength > 0)
+            {
                 Array.Resize(ref output, output.Length - paddingLength);
             }
 
diff --git a/test/Renci.SshNet.Tests/Classes/Security/Cryptography/BlockCipherTest.cs b/test/Renci.SshNet.Tests/Classes/Security/Cryptography/BlockCipherTest.cs
@@ -5,6 +5,7 @@
 
 using Renci.SshNet.Security.Cryptography;
 using Renci.SshNet.Security.Cryptography.Ciphers;
+using Renci.SshNet.Security.Cryptography.Ciphers.Modes;
 using Renci.SshNet.Security.Cryptography.Ciphers.Paddings;
 using Renci.SshNet.Tests.Common;
 
@@ -78,6 +79,27 @@ public void DecryptShouldTakeIntoAccountUnPaddingForTheFinalOutput()
             Assert.IsTrue(output.SequenceEqual(actual));
         }
 
+        [TestMethod]
+        public void DecryptShouldTakeIntoAccountManualPaddingForLengthOfInputBufferPassedToDecryptBlockAndUnPaddingForTheFinalOutput_CFB()
+        {
+            var input = new byte[] { 0x0a, 0x00, 0x03, 0x02, 0x06 };
+            var output = new byte[] { 0x2c, 0x1a, 0x05, 0x00, 0x68 };
+            var key = new byte[] { 0x17, 0x78, 0x56, 0xe1, 0x3e, 0xbd, 0x3e, 0x50, 0x1d, 0x79, 0x3f, 0x0f, 0x55, 0x37, 0x45, 0x54 };
+            var blockCipher = new BlockCipherStub(key, 8, new CfbCipherModeStub(new byte[8]), null)
+            {
+                DecryptBlockDelegate = (inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset) =>
+                {
+                    Assert.AreEqual(8, inputBuffer.Length);
+                    Buffer.BlockCopy(output, 0, outputBuffer, 0, output.Length);
+                    return inputBuffer.Length;
+                }
+            };
+
+            var actual = blockCipher.Decrypt(input);
+
+            Assert.IsTrue(output.SequenceEqual(actual));
+        }
+
 
         private class BlockCipherStub : BlockCipher
         {
@@ -98,5 +120,18 @@ public override int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputC
                 return DecryptBlockDelegate(inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset);
             }
         }
+
+        private class CfbCipherModeStub : CfbCipherMode
+        {
+            public CfbCipherModeStub(byte[] iv)
+                : base(iv)
+            {
+            }
+
+            public override int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+            {
+                return Cipher.DecryptBlock(inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset);
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@`
`8`	`8`	`using Renci.SshNet.Security;`
`9`	`9`	`using Renci.SshNet.Security.Cryptography.Ciphers;`
`10`	`10`	`using Renci.SshNet.Security.Cryptography.Ciphers.Modes;`
`11`		`-using Renci.SshNet.Security.Cryptography.Ciphers.Paddings;`
`12`	`11`
`13`	`12`	`namespace Renci.SshNet`
`14`	`13`	`{`
`@@ -52,7 +51,7 @@ public Key Parse()`
`52`	`51`	`}`
`53`	`52`
`54`	`53`	`var key = GetCipherKey(_passPhrase, 192 / 8);`
`55`		`- var ssh2Сipher = new TripleDesCipher(key, new CbcCipherMode(new byte[8]), new PKCS7Padding());`
	`54`	`+ var ssh2Сipher = new TripleDesCipher(key, new CbcCipherMode(new byte[8]), padding: null);`
`56`	`55`	`keyData = ssh2Сipher.Decrypt(reader.ReadBytes(blobSize));`
`57`	`56`	`}`
`58`	`57`	`else`