Add GCM, CTR, and CTS modes to AES.

nss/mozilla/security/nss/lib/freebl/rijndael.c

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 29 matching lines @@
 #endif
 
 #include "prinit.h"
 #include "prerr.h"
 #include "secerr.h"
 
 #include "prtypes.h"
 #include "blapi.h"
 #include "rijndael.h"
 
+#include "cts.h"
+#include "ctr.h"
+#include "gcm.h"
+
 #if USE_HW_AES
 #include "intel-aes.h"
 #include "mpi.h"
 #endif
 
 /*
  * There are currently five ways to build this code, varying in performance
  * and code size.
  *
  * RIJNDAEL_INCLUDE_TABLES         Include all tables from rijndael32.tab
@@ skipping 983 matching lines @@
     cx->Nb = blocksize / 4;
     /* Nk = (key size in bits) / 32 */
     Nk = keysize / 4;
     /* Obtain number of rounds from "table" */
     cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
     /* copy in the iv, if neccessary */
     if (mode == NSS_AES_CBC) {
         memcpy(cx->iv, iv, blocksize);
 #if USE_HW_AES
         if (use_hw_aes) {
-            cx->worker = intel_aes_cbc_worker(encrypt, keysize);
+            cx->worker = (freeblCipherFunc)
+                                intel_aes_cbc_worker(encrypt, keysize);
         } else
 #endif
-            cx->worker = (encrypt
+            cx->worker = (freeblCipherFunc) (encrypt
                           ? &rijndael_encryptCBC : &rijndael_decryptCBC);
     } else {
 #if  USE_HW_AES
         if (use_hw_aes) {
-            cx->worker = intel_aes_ecb_worker(encrypt, keysize);
+            cx->worker = (freeblCipherFunc) 
+                                intel_aes_ecb_worker(encrypt, keysize);
         } else
 #endif
-            cx->worker = (encrypt
+            cx->worker = (freeblCipherFunc) (encrypt
                           ? &rijndael_encryptECB : &rijndael_decryptECB);
     }
     PORT_Assert((cx->Nb * (cx->Nr + 1)) <= RIJNDAEL_MAX_EXP_KEY_SIZE);
     if ((cx->Nb * (cx->Nr + 1)) > RIJNDAEL_MAX_EXP_KEY_SIZE) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         goto cleanup;
     }
 #ifdef USE_HW_AES
     if (use_hw_aes) {
         intel_aes_init(encrypt, keysize);
@@ skipping 12 matching lines @@
 #endif
         /* Generate expanded key */
         if (encrypt) {
             if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
                 goto cleanup;
         } else {
             if (rijndael_invkey_expansion(cx, key, Nk) != SECSuccess)
                 goto cleanup;
         }
     }
+    cx->worker_cx = cx;
+    cx->destroy = NULL;
+    cx->isBlock = PR_TRUE;
     return SECSuccess;
 cleanup:
     return SECFailure;
 }
 
 
 /* AES_CreateContext
  *
  * create a new context for Rijndael operations
  */
 AESContext *
 AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
                   int mode, int encrypt,
                   unsigned int keysize, unsigned int blocksize)
 {
     AESContext *cx = AES_AllocateContext();
-    if (cx) {
-        SECStatus rv = AES_InitContext(cx, key, keysize, iv, mode, encrypt,
-                                       blocksize);
-        if (rv != SECSuccess) {
-            AES_DestroyContext(cx, PR_TRUE);
-            cx = NULL;
-        }
+    int basemode = mode;;
+    PRBool baseencrypt = encrypt;
+    SECStatus rv;
+
+    switch (mode) {
+    case NSS_AES_CTS:
+        basemode = NSS_AES_CBC;
+        break;
+    case NSS_AES_GCM:
+    case NSS_AES_CTR:
+        basemode = NSS_AES;
+        baseencrypt = PR_TRUE;
+        break;
+    }
+    if (cx == NULL) {
+        return NULL;
+    }
+    rv = AES_InitContext(cx, key, keysize, iv, basemode, 
+                                        baseencrypt, blocksize);
+    if (rv != SECSuccess) {
+        AES_DestroyContext(cx, PR_TRUE);
+        return NULL;
+    }
+
+    /* finally, set up any mode specific contexts */
+    switch (mode) {
+    case NSS_AES_CTS:
+        cx->worker_cx = CTS_CreateContext(cx, cx->worker, iv, blocksize);
+        cx->worker = (freeblCipherFunc) 
+                        (encrypt ?  CTS_EncryptUpdate : CTS_DecryptUpdate);
+        cx->destroy = (freeblDestroyFunc) CTS_DestroyContext;
+        cx->isBlock = PR_FALSE;
+        break;
+    case NSS_AES_GCM:
+        cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv, blocksize);
+        cx->worker = (freeblCipherFunc)
+                        (encrypt ? GCM_EncryptUpdate : GCM_DecryptUpdate);
+        cx->destroy = (freeblDestroyFunc) GCM_DestroyContext;
+        cx->isBlock = PR_FALSE;
+        break;
+    case NSS_AES_CTR:
+        cx->worker_cx = CTR_CreateContext(cx, cx->worker, iv, blocksize);
+        cx->worker = (freeblCipherFunc) CTR_Update ;
+        cx->destroy = (freeblDestroyFunc) CTR_DestroyContext;
+        cx->isBlock = PR_FALSE;
+        break;
+    default:
+        /* everything has already been set up by AES_InitContext, just return*/
+        return cx;
+    }
+    /* check to see if we succeeded in getting the worker context */
+    if (cx->worker_cx == NULL) {
+        /* no, just destroy the existing context */
+        cx->destroy = NULL; /* paranoia, though you can see a dozen lines */
+                            /* below that this isn't necessary */
+        AES_DestroyContext(cx, PR_TRUE);
+        return NULL;
     }
     return cx;
 }
 
+
 /*
  * AES_DestroyContext
  * 
  * Zero an AES cipher context.  If freeit is true, also free the pointer
  * to the context.
  */
 void 
 AES_DestroyContext(AESContext *cx, PRBool freeit)
 {
 /*  memset(cx, 0, sizeof *cx); */
+    if (freeit && cx->worker_cx && cx->destroy) {

[Ryan Sleevi, 2012/09/11 19:34:30]

It's not clear why you switch on freeit here.

My expectation would be the following conditional:

if (cx->worker_cx) {
  if (cx->destroy) {
    (*cx->destroy)(cx->worker_cx, freeit);
    cx->destroy = NULL;
  }
  cx->worker_cx = NULL;
}

Could you explain why the above is not correct?

[rjrejyea, 2012/09/19 22:19:33]

It's ugly and has to do with psuedo private callers of freebl. If you call
Destroy without 'freeit' it means you are starting with a static copy of and
AES_Context. It is possible that you created a copy and zero'ed it and just
started going with it. It's basically a bit of paranoia. In the case I
meantioned, you should have called AES_InitContext(), which means worker_cx and
destroy should be NULL, but I also know there is no case where freeit should be
PR_TRUE and there is a worker_cx or a destroy field, so I'm basically protecting
against the cases where someone creates and uninitialized AESContext and calls
DestroyContext on it (I think I may have ran into a case or two in the tests).

bob

+        (*cx->destroy)(cx->worker_cx, freeit);
+    }
     if (freeit)
         PORT_Free(cx);
 }
 
 /*
  * AES_Encrypt
  *
  * Encrypt an arbitrary-length buffer.  The output buffer must already be
  * allocated to at least inputLen.
  */
 SECStatus 
 AES_Encrypt(AESContext *cx, unsigned char *output,
             unsigned int *outputLen, unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen)
 {
     int blocksize;
     /* Check args */
     if (cx == NULL || output == NULL || input == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     blocksize = 4 * cx->Nb;
-    if (inputLen % blocksize != 0) {
+    if (cx->isBlock && (inputLen % blocksize != 0)) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
     if (maxOutputLen < inputLen) {
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
         return SECFailure;
     }
     *outputLen = inputLen;
-    return (*cx->worker)(cx, output, outputLen, maxOutputLen,   
+    return (*cx->worker)(cx->worker_cx, output, outputLen, maxOutputLen,        
                              input, inputLen, blocksize);
 }
 
 /*
  * AES_Decrypt
  *
  * Decrypt and arbitrary-length buffer.  The output buffer must already be
  * allocated to at least inputLen.
  */
 SECStatus 
 AES_Decrypt(AESContext *cx, unsigned char *output,
             unsigned int *outputLen, unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen)
 {
     int blocksize;
     /* Check args */
     if (cx == NULL || output == NULL || input == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     blocksize = 4 * cx->Nb;
-    if (inputLen % blocksize != 0) {
+    if (cx->isBlock && (inputLen % blocksize != 0)) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
     if (maxOutputLen < inputLen) {
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
         return SECFailure;
     }
     *outputLen = inputLen;
-    return (*cx->worker)(cx, output, outputLen, maxOutputLen,   
+    return (*cx->worker)(cx->worker_cx, output, outputLen, maxOutputLen,        
                              input, inputLen, blocksize);
 }