[tor-commits] [tor/master] Use NSS for AES_CTR.

nickm at torproject.org nickm at torproject.org
Wed Sep 5 00:47:13 UTC 2018 

commit 76e10ee6b9fbd5a0372f6d04e432c78aa560e9f9
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Jul 16 09:49:05 2018 -0400

    Use NSS for AES_CTR.
---
 src/lib/crypt_ops/aes_nss.c                | 106 +++++++++++++++++++++++++++++
 src/lib/crypt_ops/{aes.c => aes_openssl.c} |   4 +-
 src/lib/crypt_ops/include.am               |   6 +-
 3 files changed, 113 insertions(+), 3 deletions(-)

diff --git a/src/lib/crypt_ops/aes_nss.c b/src/lib/crypt_ops/aes_nss.c
new file mode 100644
index 000000000..272edc559
--- /dev/null
+++ b/src/lib/crypt_ops/aes_nss.c
@@ -0,0 +1,106 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file aes_nss.c
+ * \brief Use NSS to implement AES_CTR.
+ **/
+
+#include "orconfig.h"
+#include "lib/crypt_ops/aes.h"
+#include "lib/crypt_ops/crypto_nss_mgt.h"
+#include "lib/crypt_ops/crypto_util.h"
+#include "lib/log/util_bug.h"
+
+DISABLE_GCC_WARNING(strict-prototypes)
+#include <pk11pub.h>
+#include <secerr.h>
+ENABLE_GCC_WARNING(strict-prototypes)
+
+aes_cnt_cipher_t *
+aes_new_cipher(const uint8_t *key, const uint8_t *iv,
+               int key_bits)
+{
+  const CK_MECHANISM_TYPE ckm = CKM_AES_CTR;
+  SECItem keyItem = { .type = siBuffer,
+                      .data = (unsigned char *)key,
+                      .len = (key_bits / 8) };
+  CK_AES_CTR_PARAMS params;
+  params.ulCounterBits = 128;
+  memcpy(params.cb, iv, 16);
+  SECItem ivItem = { .type = siBuffer,
+                     .data = (unsigned char *)&params,
+                     .len = sizeof(params) };
+  PK11SlotInfo *slot = NULL;
+  PK11SymKey *keyObj = NULL;
+  SECItem *ivObj = NULL;
+  PK11Context *result = NULL;
+
+  slot = PK11_GetBestSlot(ckm, NULL);
+  if (!slot)
+    goto err;
+
+  keyObj = PK11_ImportSymKey(slot, ckm, PK11_OriginUnwrap,
+                             CKA_ENCRYPT, &keyItem, NULL);
+  if (!keyObj)
+    goto err;
+
+  ivObj = PK11_ParamFromIV(ckm, &ivItem);
+  if (!ivObj)
+    goto err;
+
+  PORT_SetError(SEC_ERROR_IO);
+  result = PK11_CreateContextBySymKey(ckm, CKA_ENCRYPT, keyObj, ivObj);
+
+ err:
+  memwipe(&params, 0, sizeof(params));
+  if (ivObj)
+    SECITEM_FreeItem(ivObj, PR_TRUE);
+  if (keyObj)
+    PK11_FreeSymKey(keyObj);
+  if (slot)
+    PK11_FreeSlot(slot);
+
+  tor_assert(result);
+  return (aes_cnt_cipher_t *)result;
+}
+
+void
+aes_cipher_free_(aes_cnt_cipher_t *cipher)
+{
+  if (!cipher)
+    return;
+  PK11_DestroyContext((PK11Context*) cipher, PR_TRUE);
+}
+
+void
+aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data_, size_t len_)
+{
+  tor_assert(len_ <= INT_MAX);
+
+  SECStatus s;
+  PK11Context *ctx = (PK11Context*)cipher;
+  unsigned char *data = (unsigned char *)data_;
+  int len = (int) len_;
+  int result_len = 0;
+
+  s = PK11_CipherOp(ctx, data, &result_len, len, data, len);
+  tor_assert(s == SECSuccess);
+  tor_assert(result_len == len);
+}
+
+int
+evaluate_evp_for_aes(int force_value)
+{
+  (void)force_value;
+  return 0;
+}
+
+int
+evaluate_ctr_for_aes(void)
+{
+  return 0;
+}
diff --git a/src/lib/crypt_ops/aes.c b/src/lib/crypt_ops/aes_openssl.c
similarity index 99%
rename from src/lib/crypt_ops/aes.c
rename to src/lib/crypt_ops/aes_openssl.c
index ff9d4d855..387f5d3df 100644
--- a/src/lib/crypt_ops/aes.c
+++ b/src/lib/crypt_ops/aes_openssl.c
@@ -5,8 +5,8 @@
 /* See LICENSE for licensing information */
 
 /**
- * \file aes.c
- * \brief Implements a counter-mode stream cipher on top of AES.
+ * \file aes_openssl.c
+ * \brief Use OpenSSL to implement AES_CTR.
  **/
 
 #include "orconfig.h"
diff --git a/src/lib/crypt_ops/include.am b/src/lib/crypt_ops/include.am
index e96d6b0a5..3ebb0b0f6 100644
--- a/src/lib/crypt_ops/include.am
+++ b/src/lib/crypt_ops/include.am
@@ -6,7 +6,6 @@ noinst_LIBRARIES += src/lib/libtor-crypt-ops-testing.a
 endif
 
 src_lib_libtor_crypt_ops_a_SOURCES =			\
-	src/lib/crypt_ops/aes.c				\
 	src/lib/crypt_ops/crypto_cipher.c		\
 	src/lib/crypt_ops/crypto_curve25519.c		\
 	src/lib/crypt_ops/crypto_dh.c			\
@@ -24,8 +23,13 @@ src_lib_libtor_crypt_ops_a_SOURCES =			\
 
 if USE_NSS
 src_lib_libtor_crypt_ops_a_SOURCES +=			\
+	src/lib/crypt_ops/aes_nss.c			\
 	src/lib/crypt_ops/crypto_nss_mgt.c
+else
+src_lib_libtor_crypt_ops_a_SOURCES +=			\
+	src/lib/crypt_ops/aes_openssl.c
 endif
+
 if USE_OPENSSL
 src_lib_libtor_crypt_ops_a_SOURCES +=			\
 	src/lib/crypt_ops/crypto_openssl_mgt.c

More information about the tor-commits mailing list