crypto/encryptor.cc - Issue 7056026: Implement AES-CTR for NSS.

Side by Side Diff: crypto/encryptor.cc

Issue 7056026: Implement AES-CTR for NSS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: revised Created 9 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "crypto/encryptor.h"

	6

	7 #include "base/logging.h"

	8

	9 namespace crypto {

	10

	11 namespace {

	12

	13 const size_t kCounterLength = 16u;

	14

	15 inline void Set8(void* memory, size_t offset, uint8 v) {

	16 static_cast<uint8*>(memory)[offset] = v;

	17 }

	18

	19 inline uint8 Get8(const void* memory, size_t offset) {

	20 return static_cast<const uint8*>(memory)[offset];

	21 }

	22

	23 inline void SetBE64(void* memory, uint64 v) {

	24 Set8(memory, 0, static_cast<uint8>(v >> 56));

	25 Set8(memory, 1, static_cast<uint8>(v >> 48));

	26 Set8(memory, 2, static_cast<uint8>(v >> 40));

	27 Set8(memory, 3, static_cast<uint8>(v >> 32));

	28 Set8(memory, 4, static_cast<uint8>(v >> 24));

	29 Set8(memory, 5, static_cast<uint8>(v >> 16));

	30 Set8(memory, 6, static_cast<uint8>(v >> 8));

	31 Set8(memory, 7, static_cast<uint8>(v >> 0));

	32 }

	33

	34 inline uint64 GetBE64(const void* memory) {

	35 return (static_cast<uint64>(Get8(memory, 0)) << 56)

	36 \| (static_cast<uint64>(Get8(memory, 1)) << 48)

	37 \| (static_cast<uint64>(Get8(memory, 2)) << 40)

	38 \| (static_cast<uint64>(Get8(memory, 3)) << 32)

	39 \| (static_cast<uint64>(Get8(memory, 4)) << 24)

	40 \| (static_cast<uint64>(Get8(memory, 5)) << 16)

	41 \| (static_cast<uint64>(Get8(memory, 6)) << 8)

	42 \| (static_cast<uint64>(Get8(memory, 7)) << 0);

	43 }
	Ryan Sleevi 2011/06/08 01:29:23 style nit: The \| operator should go at the end of style nit: The \| operator should go at the end of the line: http://www.chromium.org/developers/coding-style#TOC-Code-formatting Alpha Left Google 2011/06/13 23:32:45 Done. Show quoted text On 2011/06/08 01:29:23, Ryan Sleevi wrote: > style nit: The \| operator should go at the end of the line: > > http://www.chromium.org/developers/coding-style#TOC-Code-formatting Done.
	44

	45 } // namespace

	46

	47 /////////////////////////////////////////////////////////////////////////////

	48 // Encyptor::Counter Implementation.

	49 Encryptor::Counter::Counter(const std::string& counter) {

	50 CHECK_EQ(kCounterLength, counter.length());

	51

	52 high_num_ = GetBE64(counter.data());

	53 low_num_ = GetBE64(counter.data() + sizeof(high_num_));

	54 }

	55

	56 Encryptor::Counter::~Counter() {

	57 }

	58

	59 void Encryptor::Counter::Increment() {

	60 uint64 old_num = low_num_;

	61 ++low_num_;

	62

	63 // Overflow occurs.

	64 if (low_num_ < old_num)

	65 ++high_num_;

	66 }

	67

	68 void Encryptor::Counter::Write(uint8* buf) {

	69 SetBE64(buf, high_num_);

	70 SetBE64(buf + sizeof(high_num_), low_num_);

	71 }

	72

	73 const int Encryptor::Counter::GetLengthInBytes() const {

	74 return kCounterLength;

	75 }

	76

	77 /////////////////////////////////////////////////////////////////////////////

	78 // Partial Encryptor Implementation.

	79 bool Encryptor::UpdateCounter(const std::string& counter) {

	80 if (mode_ != CTR)

	81 return false;

	82 if (counter.length() != kCounterLength)

	83 return false;

	84

	85 counter_.reset(new Counter(counter));

	86 return true;

	87 }

	88

	89 void Encryptor::GenerateCounterMask(int plaintext_len,

	90 scoped_array<uint8>* mask,

	91 int* mask_len) {

	92 DCHECK_EQ(CTR, mode_);

	93

	94 const int kBlockLength = counter_->GetLengthInBytes();

	95 int blocks = (plaintext_len + kBlockLength - 1) / kBlockLength;

	96
	Ryan Sleevi 2011/06/08 01:29:23 nit: Given that it's crypto code, should there be nit: Given that it's crypto code, should there be over/underflow checks here to be extra-defensive? Alpha Left Google 2011/06/13 23:32:45 I've changed the types here to size_t and check th Show quoted text On 2011/06/08 01:29:23, Ryan Sleevi wrote: > nit: Given that it's crypto code, should there be over/underflow checks here to > be extra-defensive? I've changed the types here to size_t and check the input pointers. I think this should enough.
	97 mask_len = blocks kBlockLength;

	98 mask->reset(new uint8[*mask_len]);

	99

	100 uint8* buf = mask->get();

	101 for (int i = 0; i < blocks; ++i) {

	102 counter_->Write(buf);

	103 buf += kBlockLength;

	104 counter_->Increment();

	105 }
	Ryan Sleevi 2011/06/08 01:29:23 DESIGN: This API requires that the entire mask be DESIGN: This API requires that the entire mask be pre-allocated in order to be used below in MaskMessage(). One of the big advantages of CTR mode compared to other modes, such as CBC, is that the keystream isn't dependent on the blocks before it and can be programatically generated on demand, provided you have a valid, unique count/nonce, which all modern CTR-using protocols do. Further optimizing, ciphertext can be generated in place from the plaintext, with the only memory allocation necessary being that of one block (for the current mask). While it is possible (but not documented) for \|ciphertext\| and \|plaintext\| to use the same buffers below in MaskMessage(), requiring the Mask to be pre-allocated is rather unfortunate, and it'd be nice (bikeshedding?) if this wasn't the case. Perhaps that's already covered by the TODO(albertb) in the .h. This would, however, match the design of some of the other crypto/ classes, which allow for data streaming (eg: SignatureCreator/Verifier, SecureHash), and at least minimize the memory footprint. Perhaps that isn't a concern since I think last I saw, P2PSocket messages will be capped at 576 bytes? I would suggest combining MaskMessage() and GenerateCounterMask() into a simple EncryptCtr() type method, so that you only need to do new uint8[kBlockLength]... Alpha Left Google 2011/06/13 23:32:45 My first attempt was a combined version of Generat Show quoted text On 2011/06/08 01:29:23, Ryan Sleevi wrote: > DESIGN: This API requires that the entire mask be pre-allocated in order to be > used below in MaskMessage(). One of the big advantages of CTR mode compared to > other modes, such as CBC, is that the keystream isn't dependent on the blocks > before it and can be programatically generated on demand, provided you have a > valid, unique count/nonce, which all modern CTR-using protocols do. > > Further optimizing, ciphertext can be generated in place from the plaintext, > with the only memory allocation necessary being that of one block (for the > current mask). > > While it is possible (but not documented) for \|ciphertext\| and \|plaintext\| to > use the same buffers below in MaskMessage(), requiring the Mask to be > pre-allocated is rather unfortunate, and it'd be nice (bikeshedding?) if this > wasn't the case. Perhaps that's already covered by the TODO(albertb) in the .h. > > This would, however, match the design of some of the other crypto/ classes, > which allow for data streaming (eg: SignatureCreator/Verifier, SecureHash), and > at least minimize the memory footprint. Perhaps that isn't a concern since I > think last I saw, P2PSocket messages will be capped at 576 bytes? > > I would suggest combining MaskMessage() and GenerateCounterMask() into a simple > EncryptCtr() type method, so that you only need to do new uint8[kBlockLength]... My first attempt was a combined version of GenerateCounterMask() and MaskMessage(). The mask was also generated in place and XOR with the input message. So the loop was: Approach 1: for i = 1 to blocks Generate 16 bytes mask Encrypt mask message <= mask XOR message However this turned out to be very slow. The current approach is like this: Approach 2: Generate mask just bigger than message Encrypt mask messaeg <= mask XOR message Performance numbers: Message size = 33 bytes, Encrypt 1 million times Approach 1: 1600 ms Approach 2: 1659 ms Message size = 1000 bytes, Encrypt 1 million times Approach 1: 43675 ms Approach 2: 3531 ms Generating the block in place and XOR is way too slow compared to generating the whole mask at once. We could have preallocated a mask of size say 1024 bytes to avoid having generating too large a mask everytime, but this logic becomes hard to share among ports I took the easier to implement approach.
	106 }

	107

	108 void Encryptor::MaskMessage(const uint8* plaintext, int plaintext_len,

	109 const uint8* mask, uint8* ciphertext) const {

	110 DCHECK_EQ(CTR, mode_);

	111

	112 for (int i = 0; i < plaintext_len; ++i)

	113 ciphertext[i] = plaintext[i] ^ mask[i];

	114 }

	115

	116 } // namespace crypto

OLD	NEW

« crypto/encryptor.h ('K') | « crypto/encryptor.h ('k') | crypto/encryptor_nss.cc » ('j') | crypto/encryptor_nss.cc » ('J')