Implement AES in different modes of operation, using AES-NI and

nss/lib/freebl/ctr.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 #include "prtypes.h"
 #include "blapit.h"
 #include "blapii.h"
 #include "ctr.h"
 #include "pkcs11t.h"
 #include "secerr.h"
 
+#ifdef USE_HW_AES
+#include "intel-aes.h"
+#include "rijndael.h"
+#endif
+
 SECStatus
 CTR_InitContext(CTRContext *ctr, void *context, freeblCipherFunc cipher,
                 const unsigned char *param, unsigned int blocksize)
 {
     const CK_AES_CTR_PARAMS *ctrParams = (const CK_AES_CTR_PARAMS *)param;
 
     if (ctrParams->ulCounterBits == 0 ||
         ctrParams->ulCounterBits > blocksize * PR_BITS_PER_BYTE) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
@@ skipping 133 matching lines @@
                         ctr->counter, blocksize, blocksize);
     ctr_GetNextCtr(ctr->counter, ctr->counterBits, blocksize);
     if (rv != SECSuccess) {
         return SECFailure;
     }
     ctr_xor(outbuf, inbuf, ctr->buffer, inlen);
     ctr->bufPtr = inlen;
     *outlen += inlen;
     return SECSuccess;
 }
+
+#if defined(USE_HW_AES) && defined(_MSC_VER)
+SECStatus
+CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf,
+                unsigned int *outlen, unsigned int maxout,
+                const unsigned char *inbuf, unsigned int inlen,
+                unsigned int blocksize)

[Ryan Sleevi, 2014/04/23 19:53:34]

Alignment?

[wtc, 2014/04/24 01:04:10]

Done. I will also align the parameters of the other functions in this file in
the NSS upstream patch.

+{
+    unsigned int tmp;
+    SECStatus rv;
+
+    if (maxout < inlen) {
+        *outlen = inlen;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    *outlen = 0;
+    if (ctr->bufPtr != blocksize) {
+        unsigned int needed = PR_MIN(blocksize-ctr->bufPtr, inlen);
+        ctr_xor(outbuf, inbuf, ctr->buffer+ctr->bufPtr, needed);

[Ryan Sleevi, 2014/04/23 19:53:34]

spaces here between ctr->buffer and ctr->bufPtr?

[wtc, 2014/04/24 01:04:10]

I will fix this in the NSS upstream.

+        ctr->bufPtr += needed;
+        outbuf += needed;
+        inbuf += needed;
+        *outlen += needed;
+        inlen -= needed;
+        if (inlen == 0) {
+            return SECSuccess;
+        }
+        PORT_Assert(ctr->bufPtr == blocksize);
+    }
+
+    intel_aes_ctr_worker(((AESContext*)(ctr->context))->Nr)(
+        ctr, outbuf, outlen, maxout, inbuf, inlen, blocksize);
+    *outlen += inlen & (-16);
+    outbuf += inlen & (-16);
+    inbuf += inlen & (-16);
+    inlen &= 16 - 1;

[Ryan Sleevi, 2014/04/23 19:53:34]

This style surprises me, if only because it seems to subtly rely on integer
promotion rules. Is there a less surprising way to express this?

[wtc, 2014/04/24 01:04:10]

Done. This code also assumes |blocksize| is 16. I copied similar code from
nss/lib/freebl/cts.c to fix this.

+
+    if (inlen == 0) {
+        return SECSuccess;
+    }
+    rv = (*ctr->cipher)(ctr->context, ctr->buffer, &tmp, blocksize,

[Ryan Sleevi, 2014/04/23 19:53:34]

Should we add a PORT_Assert that tmp == blocksize?

[wtc, 2014/04/24 01:04:10]

Done.

+                        ctr->counter, blocksize, blocksize);
+    ctr_GetNextCtr(ctr->counter, ctr->counterBits, blocksize);

[Ryan Sleevi, 2014/04/23 19:53:34]

Why does this happen before the rv check?

[wtc, 2014/04/24 01:04:10]

I don't really know. Perhaps the author wanted to make sure the counter value
isn't reused even after an encryption failure.

+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    ctr_xor(outbuf, inbuf, ctr->buffer, inlen);
+    ctr->bufPtr = inlen;
+    *outlen += inlen;
+    return SECSuccess;
+}
+#endif