Implement AES-CTR for NSS.

crypto/encryptor_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/encryptor.h"
 
 #include <cryptohi.h>
 #include <vector>
 
 #include "base/logging.h"
 #include "crypto/nss_util.h"
 #include "crypto/symmetric_key.h"
 
 namespace crypto {
 
+namespace {
+
+inline CK_MECHANISM_TYPE GetMechanism(Encryptor::Mode mode) {
+  switch (mode) {
+    case Encryptor::CBC:
+      return CKM_AES_CBC_PAD;
+    case Encryptor::ECB:
+      return CKM_AES_ECB;
+    default:
+      NOTREACHED() << "Unsupported mode of operation";
+      break;
+  }
+  return CKM_AES_ECB;
+}
+
+}  // namespace
+
 Encryptor::Encryptor()
     : key_(NULL),
       mode_(CBC) {
   EnsureNSSInit();
 }
 
 Encryptor::~Encryptor() {
 }
 
 bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) {
   DCHECK(key);
-  DCHECK_EQ(CBC, mode);
+  DCHECK(CBC == mode || ECB == mode) << "Unsupported mode of operation";
 
   key_ = key;
   mode_ = mode;
 
   if (iv.size() != AES_BLOCK_SIZE)
     return false;
 
-  slot_.reset(PK11_GetBestSlot(CKM_AES_CBC_PAD, NULL));
+  slot_.reset(PK11_GetBestSlot(GetMechanism(mode), NULL));
   if (!slot_.get())
     return false;
 
-  SECItem iv_item;
-  iv_item.type = siBuffer;
-  iv_item.data = reinterpret_cast<unsigned char*>(
-      const_cast<char *>(iv.data()));
-  iv_item.len = iv.size();
+  if (mode == CBC) {
+    SECItem iv_item;
+    iv_item.type = siBuffer;
+    iv_item.data = reinterpret_cast<unsigned char*>(
+        const_cast<char *>(iv.data()));
+    iv_item.len = iv.size();
 
-  param_.reset(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
+    param_.reset(PK11_ParamFromIV(GetMechanism(mode), &iv_item));
+  } else if (mode == ECB) {
+    param_.reset(PK11_ParamFromIV(GetMechanism(mode), NULL));

[Ryan Sleevi, 2011/05/23 05:55:04]

PK11_ParamFromIV returns NULL for CKM_AES_ECB

http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11mech.c?m...

See below at line 68 for the trouble this may cause.

[Alpha Left Google, 2011/06/01 20:29:37]

The function you are pointing at is PK11_IVFromParam. For PK11_ParamFromIV it
returns an empty SECItem struct which PK11_CreateContextBySymKey requires.

+  }
+
   if (!param_.get())
     return false;
-
   return true;
 }
 
 bool Encryptor::Encrypt(const std::string& plaintext, std::string* ciphertext) {
-  ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD,
+  ScopedPK11Context context(PK11_CreateContextBySymKey(GetMechanism(mode_),
                                                        CKA_ENCRYPT,
                                                        key_->key(),
                                                        param_.get()));
   if (!context.get())
     return false;
 
   size_t ciphertext_len = plaintext.size() + AES_BLOCK_SIZE;
   std::vector<unsigned char> buffer(ciphertext_len);
 
   int op_len;
   SECStatus rv = PK11_CipherOp(context.get(),

[Ryan Sleevi, 2011/05/23 05:55:04]

BUG: PK11_CipherOp doesn't support padding when used with CKM_AES_ECB, unlike
CKM_AES_CBC_PAD. This means that |ciphertext_len| MUST be a multiple of
AES_BLOCK_SIZE

You can talk with wtc for more details, considering he responded on this thread
- http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg04546.html

The same presumably applies to line 123, but perhaps less important on the
decrypt size.

[Alpha Left Google, 2011/06/01 20:29:37]

Done.

                                &buffer[0],
                                &op_len,
                                ciphertext_len,
                                reinterpret_cast<unsigned char*>(
                                    const_cast<char*>(plaintext.data())),
                                plaintext.size());
   if (SECSuccess != rv)
     return false;
 
   unsigned int digest_len;
   rv = PK11_DigestFinal(context.get(),
                         &buffer[op_len],
                         &digest_len,
                         ciphertext_len - op_len);
   if (SECSuccess != rv)
     return false;
 
   ciphertext->assign(reinterpret_cast<char *>(&buffer[0]),
                      op_len + digest_len);
   return true;
 }
 
 bool Encryptor::Decrypt(const std::string& ciphertext, std::string* plaintext) {
   if (ciphertext.empty())
     return false;
 
-  ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD,
+  ScopedPK11Context context(PK11_CreateContextBySymKey(GetMechanism(mode_),
                                                        CKA_DECRYPT,
                                                        key_->key(),
                                                        param_.get()));
   if (!context.get())
     return false;
 
   size_t plaintext_len = ciphertext.size();
   std::vector<unsigned char> buffer(plaintext_len);
 
   int op_len;
@@ skipping 14 matching lines @@
                         plaintext_len - op_len);
   if (SECSuccess != rv)
     return false;
 
   plaintext->assign(reinterpret_cast<char *>(&buffer[0]),
                     op_len + digest_len);
   return true;
 }
 
 }  // namespace crypto