zybexXL · zybexXL · Nov 20, 2023 · Nov 12, 2023 · Nov 13, 2023
diff --git a/.editorconfig b/.editorconfig
@@ -291,6 +291,9 @@ dotnet_diagnostic.SA1520.severity = none
 # We do not use file headers.
 dotnet_diagnostic.SA1633.severity = none
 
+# SA1601: Partial elements should be documented
+dotnet_diagnostic.SA1601.severity = none
+
 # SA1648: <inheritdoc> must be used with inheriting class
 #
 # This rule is disabled by default, hence we need to explicitly enable it.
@@ -555,6 +558,18 @@ dotnet_code_quality.CA1859.api_surface = all
 # This is similar to, but less powerful than, MA0015.
 dotnet_diagnostic.CA2208.severity = none
 
+# CA5358: Do Not Use Unsafe Cipher Modes / Review cipher mode usage with cryptography experts
+# https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358
+#
+# We use ECB mode as the basis for other modes (e.g. CTR)
+dotnet_diagnostic.CA5358.severity = none
+
+# CA5401: Do not use CreateEncryptor with non-default IV
+# https://learn.microsoft.com/en-gb/dotnet/fundamentals/code-analysis/quality-rules/ca5401
+#
+# We need to specify the IV.
+dotnet_diagnostic.CA5401.severity = none
+
 #### Roslyn IDE analyser rules ####
 
 # IDE0032: Use auto-implemented property

diff --git a/src/Renci.SshNet/Security/Cryptography/Ciphers/AesCipher.BclImpl.cs b/src/Renci.SshNet/Security/Cryptography/Ciphers/AesCipher.BclImpl.cs
@@ -0,0 +1,108 @@
+using System;
+using System.Security.Cryptography;
+
+using Renci.SshNet.Common;
+
+namespace Renci.SshNet.Security.Cryptography.Ciphers
+{
+    public partial class AesCipher
+    {
+        private sealed class BclImpl : BlockCipher, IDisposable
+        {
+            private readonly Aes _aes;
+            private readonly ICryptoTransform _encryptor;
+            private readonly ICryptoTransform _decryptor;
+
+            public BclImpl(
+                byte[] key,
+                byte[] iv,
+                System.Security.Cryptography.CipherMode cipherMode,
+                PaddingMode paddingMode)
+                : base(key, 16, mode: null, padding: null)
+            {
+                var aes = Aes.Create();
+                aes.Key = key;
+
+                if (cipherMode != System.Security.Cryptography.CipherMode.ECB)
+                {
+                    if (iv is null)
+                    {
+                        throw new ArgumentNullException(nameof(iv));
+                    }
+
+                    aes.IV = iv.Take(16);
+                }
+
+                aes.Mode = cipherMode;
+                aes.Padding = paddingMode;
+                aes.FeedbackSize = 128; // We use CFB128
+                _aes = aes;
+                _encryptor = aes.CreateEncryptor();
+                _decryptor = aes.CreateDecryptor();
+            }
+
+            public override byte[] Encrypt(byte[] input, int offset, int length)
+            {
+                if (_aes.Padding != PaddingMode.None)
+                {
+                    // If padding has been specified, call TransformFinalBlock to apply
+                    // the padding and reset the state.
+                    return _encryptor.TransformFinalBlock(input, offset, length);
+                }
+
+                // Otherwise, (the most important case) assume this instance is
+                // used for one direction of an SSH connection, whereby the
+                // encrypted data in all packets are considered a single data
+                // stream i.e. we do not want to reset the state between calls to Encrypt.
+                var output = new byte[length];
+                _ = _encryptor.TransformBlock(input, offset, length, output, 0);
+                return output;
+            }
+
+            public override byte[] Decrypt(byte[] input, int offset, int length)
+            {
+                if (_aes.Padding != PaddingMode.None)
+                {
+                    // If padding has been specified, call TransformFinalBlock to apply
+                    // the padding and reset the state.
+                    return _decryptor.TransformFinalBlock(input, offset, length);
+                }
+
+                // Otherwise, (the most important case) assume this instance is
+                // used for one direction of an SSH connection, whereby the
+                // encrypted data in all packets are considered a single data
+                // stream i.e. we do not want to reset the state between calls to Decrypt.
+                var output = new byte[length];
+                _ = _decryptor.TransformBlock(input, offset, length, output, 0);
+                return output;
+            }
+
+            public override int EncryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+            {
+                throw new NotImplementedException($"Invalid usage of {nameof(EncryptBlock)}.");
+            }
+
+            public override int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+            {
+                throw new NotImplementedException($"Invalid usage of {nameof(DecryptBlock)}.");
+            }
+
+            private void Dispose(bool disposing)
+            {
+                if (disposing)
+                {
+                    _aes.Dispose();
+                    _encryptor.Dispose();
+                    _decryptor.Dispose();
+                }
+            }
+
+            public void Dispose()
+            {
+                // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
+                Dispose(disposing: true);
+                GC.SuppressFinalize(this);
+            }
+        }
+    }
+}
diff --git a/src/Renci.SshNet/Security/Cryptography/Ciphers/AesCipher.BlockImpl.cs b/src/Renci.SshNet/Security/Cryptography/Ciphers/AesCipher.BlockImpl.cs
@@ -0,0 +1,54 @@
+using System;
+using System.Security.Cryptography;
+
+namespace Renci.SshNet.Security.Cryptography.Ciphers
+{
+    public partial class AesCipher
+    {
+        private sealed class BlockImpl : BlockCipher, IDisposable
+        {
+            private readonly Aes _aes;
+            private readonly ICryptoTransform _encryptor;
+            private readonly ICryptoTransform _decryptor;
+
+            public BlockImpl(byte[] key, CipherMode mode, CipherPadding padding)
+                : base(key, 16, mode, padding)
+            {
+                var aes = Aes.Create();
+                aes.Key = key;
+                aes.Mode = System.Security.Cryptography.CipherMode.ECB;
+                aes.Padding = PaddingMode.None;
+                _aes = aes;
+                _encryptor = aes.CreateEncryptor();
+                _decryptor = aes.CreateDecryptor();
+            }
+
+            public override int EncryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+            {
+                return _encryptor.TransformBlock(inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset);
+            }
+
+            public override int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+            {
+                return _decryptor.TransformBlock(inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset);
+            }
+
+            private void Dispose(bool disposing)
+            {
+                if (disposing)
+                {
+                    _aes.Dispose();
+                    _encryptor.Dispose();
+                    _decryptor.Dispose();
+                }
+            }
+
+            public void Dispose()
+            {
+                // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
+                Dispose(disposing: true);
+                GC.SuppressFinalize(this);
+            }
+        }
+    }
+}