Implement AES-CTR for NSS.

crypto/encryptor.cc

Index: crypto/encryptor.cc
diff --git a/crypto/encryptor.cc b/crypto/encryptor.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0cee9b4dd1a8d2b29c163ff467175df347fea6cf
--- /dev/null
+++ b/crypto/encryptor.cc
@@ -0,0 +1,116 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/encryptor.h"
+
+#include "base/logging.h"
+
+namespace crypto {
+
+namespace {
+
+const size_t kCounterLength = 16u;
+
+inline void Set8(void* memory, size_t offset, uint8 v) {
+  static_cast<uint8*>(memory)[offset] = v;
+}
+
+inline uint8 Get8(const void* memory, size_t offset) {
+  return static_cast<const uint8*>(memory)[offset];
+}
+
+inline void SetBE64(void* memory, uint64 v) {
+  Set8(memory, 0, static_cast<uint8>(v >> 56));
+  Set8(memory, 1, static_cast<uint8>(v >> 48));
+  Set8(memory, 2, static_cast<uint8>(v >> 40));
+  Set8(memory, 3, static_cast<uint8>(v >> 32));
+  Set8(memory, 4, static_cast<uint8>(v >> 24));
+  Set8(memory, 5, static_cast<uint8>(v >> 16));
+  Set8(memory, 6, static_cast<uint8>(v >>  8));
+  Set8(memory, 7, static_cast<uint8>(v >>  0));
+}
+
+inline uint64 GetBE64(const void* memory) {
+  return (static_cast<uint64>(Get8(memory, 0)) << 56)
+      | (static_cast<uint64>(Get8(memory, 1)) << 48)
+      | (static_cast<uint64>(Get8(memory, 2)) << 40)
+      | (static_cast<uint64>(Get8(memory, 3)) << 32)
+      | (static_cast<uint64>(Get8(memory, 4)) << 24)
+      | (static_cast<uint64>(Get8(memory, 5)) << 16)
+      | (static_cast<uint64>(Get8(memory, 6)) <<  8)
+      | (static_cast<uint64>(Get8(memory, 7)) <<  0);
+}

[Ryan Sleevi, 2011/06/08 01:29:23]

style nit: The | operator should go at the end of the line:

http://www.chromium.org/developers/coding-style#TOC-Code-formatting

[Alpha Left Google, 2011/06/13 23:32:45]

Done.

+
+}  // namespace
+
+/////////////////////////////////////////////////////////////////////////////
+// Encyptor::Counter Implementation.
+Encryptor::Counter::Counter(const std::string& counter) {
+  CHECK_EQ(kCounterLength, counter.length());
+
+  high_num_ = GetBE64(counter.data());
+  low_num_ = GetBE64(counter.data() + sizeof(high_num_));
+}
+
+Encryptor::Counter::~Counter() {
+}
+
+void Encryptor::Counter::Increment() {
+  uint64 old_num = low_num_;
+  ++low_num_;
+
+  // Overflow occurs.
+  if (low_num_ < old_num)
+    ++high_num_;
+}
+
+void Encryptor::Counter::Write(uint8* buf) {
+  SetBE64(buf, high_num_);
+  SetBE64(buf + sizeof(high_num_), low_num_);
+}
+
+const int Encryptor::Counter::GetLengthInBytes() const {
+  return kCounterLength;
+}
+
+/////////////////////////////////////////////////////////////////////////////
+// Partial Encryptor Implementation.
+bool Encryptor::UpdateCounter(const std::string& counter) {
+  if (mode_ != CTR)
+    return false;
+  if (counter.length() != kCounterLength)
+    return false;
+
+  counter_.reset(new Counter(counter));
+  return true;
+}
+
+void Encryptor::GenerateCounterMask(int plaintext_len,
+                                    scoped_array<uint8>* mask,
+                                    int* mask_len) {
+  DCHECK_EQ(CTR, mode_);
+
+  const int kBlockLength = counter_->GetLengthInBytes();
+  int blocks = (plaintext_len + kBlockLength - 1) / kBlockLength;
+

[Ryan Sleevi, 2011/06/08 01:29:23]

nit: Given that it's crypto code, should there be over/underflow checks here to
be extra-defensive?

[Alpha Left Google, 2011/06/13 23:32:45]

I've changed the types here to size_t and check the input pointers. I think this
should enough.

+  *mask_len = blocks * kBlockLength;
+  mask->reset(new uint8[*mask_len]);
+
+  uint8* buf = mask->get();
+  for (int i = 0; i < blocks; ++i) {
+    counter_->Write(buf);
+    buf += kBlockLength;
+    counter_->Increment();
+  }

[Ryan Sleevi, 2011/06/08 01:29:23]

DESIGN: This API requires that the entire mask be pre-allocated in order to be
used below in MaskMessage(). One of the big advantages of CTR mode compared to
other modes, such as CBC, is that the keystream isn't dependent on the blocks
before it and can be programatically generated on demand, provided you have a
valid, unique count/nonce, which all modern CTR-using protocols do.

Further optimizing, ciphertext can be generated in place from the plaintext,
with the only memory allocation necessary being that of one block (for the
current mask).

While it is possible (but not documented) for |ciphertext| and |plaintext| to
use the same buffers below in MaskMessage(), requiring the Mask to be
pre-allocated is rather unfortunate, and it'd be nice (bikeshedding?) if this
wasn't the case. Perhaps that's already covered by the TODO(albertb) in the .h.

This would, however, match the design of some of the other crypto/ classes,
which allow for data streaming (eg: SignatureCreator/Verifier, SecureHash), and
at least minimize the memory footprint. Perhaps that isn't a concern since I
think last I saw, P2PSocket messages will be capped at 576 bytes?

I would suggest combining MaskMessage() and GenerateCounterMask() into a simple
EncryptCtr() type method, so that you only need to do new uint8[kBlockLength]...

[Alpha Left Google, 2011/06/13 23:32:45]

My first attempt was a combined version of GenerateCounterMask() and
MaskMessage(). The mask was also generated in place and XOR with the input
message. So the loop was:

Approach 1:

for i = 1 to blocks
  Generate 16 bytes mask
  Encrypt mask
  message <= mask XOR message

However this turned out to be *very slow*. The current approach is like this:

Approach 2:

Generate mask just bigger than message
Encrypt mask
messaeg <= mask XOR message

Performance numbers:

Message size = 33 bytes, Encrypt 1 million times
Approach 1: 1600 ms
Approach 2: 1659 ms


Message size = 1000 bytes, Encrypt 1 million times
Approach 1: 43675 ms
Approach 2: 3531 ms

Generating the block in place and XOR is way too slow compared to generating the
whole mask at once. We could have preallocated a mask of size say 1024 bytes to
avoid having generating too large a mask everytime, but this logic becomes hard
to share among ports I took the easier to implement approach.

+}
+
+void Encryptor::MaskMessage(const uint8* plaintext, int plaintext_len,
+                            const uint8* mask, uint8* ciphertext) const {
+  DCHECK_EQ(CTR, mode_);
+
+  for (int i = 0; i < plaintext_len; ++i)
+    ciphertext[i] = plaintext[i] ^ mask[i];
+}
+
+}  // namespace crypto