Implement AES-CTR for NSS.

crypto/encryptor_nss.cc

Index: crypto/encryptor_nss.cc
diff --git a/crypto/encryptor_nss.cc b/crypto/encryptor_nss.cc
index aaa66268341623e15c87ff7e9d63e1ebe4c0e7df..ec1f6e9847895355c79b8f1610218cf6cf557a38 100644
--- a/crypto/encryptor_nss.cc
+++ b/crypto/encryptor_nss.cc
@@ -13,6 +13,23 @@
 
 namespace crypto {
 
+namespace {
+
+inline CK_MECHANISM_TYPE GetMechanism(Encryptor::Mode mode) {
+  switch (mode) {
+    case Encryptor::CBC:
+      return CKM_AES_CBC_PAD;
+    case Encryptor::ECB:
+      return CKM_AES_ECB;
+    default:
+      NOTREACHED() << "Unsupported mode of operation";
+      break;
+  }
+  return CKM_AES_ECB;
+}
+
+}  // namespace
+
 Encryptor::Encryptor()
     : key_(NULL),
       mode_(CBC) {
@@ -24,7 +41,7 @@ Encryptor::~Encryptor() {
 
 bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) {
   DCHECK(key);
-  DCHECK_EQ(CBC, mode);
+  DCHECK(CBC == mode || ECB == mode) << "Unsupported mode of operation";
 
   key_ = key;
   mode_ = mode;
@@ -32,25 +49,29 @@ bool Encryptor::Init(SymmetricKey* key, Mode mode, const std::string& iv) {
   if (iv.size() != AES_BLOCK_SIZE)
     return false;
 
-  slot_.reset(PK11_GetBestSlot(CKM_AES_CBC_PAD, NULL));
+  slot_.reset(PK11_GetBestSlot(GetMechanism(mode), NULL));
   if (!slot_.get())
     return false;
 
-  SECItem iv_item;
-  iv_item.type = siBuffer;
-  iv_item.data = reinterpret_cast<unsigned char*>(
-      const_cast<char *>(iv.data()));
-  iv_item.len = iv.size();
+  if (mode == CBC) {
+    SECItem iv_item;
+    iv_item.type = siBuffer;
+    iv_item.data = reinterpret_cast<unsigned char*>(
+        const_cast<char *>(iv.data()));
+    iv_item.len = iv.size();
+
+    param_.reset(PK11_ParamFromIV(GetMechanism(mode), &iv_item));
+  } else if (mode == ECB) {
+    param_.reset(PK11_ParamFromIV(GetMechanism(mode), NULL));

[Ryan Sleevi, 2011/05/23 05:55:04]

PK11_ParamFromIV returns NULL for CKM_AES_ECB

http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11mech.c?m...

See below at line 68 for the trouble this may cause.

[Alpha Left Google, 2011/06/01 20:29:37]

The function you are pointing at is PK11_IVFromParam. For PK11_ParamFromIV it
returns an empty SECItem struct which PK11_CreateContextBySymKey requires.

+  }
 
-  param_.reset(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
   if (!param_.get())
     return false;
-
   return true;
 }
 
 bool Encryptor::Encrypt(const std::string& plaintext, std::string* ciphertext) {
-  ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD,
+  ScopedPK11Context context(PK11_CreateContextBySymKey(GetMechanism(mode_),
                                                        CKA_ENCRYPT,
                                                        key_->key(),
                                                        param_.get()));
@@ -88,7 +109,7 @@ bool Encryptor::Decrypt(const std::string& ciphertext, std::string* plaintext) {
   if (ciphertext.empty())
     return false;
 
-  ScopedPK11Context context(PK11_CreateContextBySymKey(CKM_AES_CBC_PAD,
+  ScopedPK11Context context(PK11_CreateContextBySymKey(GetMechanism(mode_),
                                                        CKA_DECRYPT,
                                                        key_->key(),
                                                        param_.get()));