Merge pull request #3241 from realm/prepare-5.14.0-patch.0

Use hardware optimized encryption functions

CHANGELOG.md

@@ -1,3 +1,12 @@
+# 5.14.0-hotfix.0 Release notes
+
+### Enhancement
+* Improved performance of encryption and decryption significantly by utilizing hardware optimized encryption functions.
+  ([#293](https://github.com/realm/realm-core-private/issues/293))
+
+### Fixed
+* None
+
 # 5.14.0 Release notes
 
 ### Enhancements

dependencies.list

@@ -1,2 +1,2 @@
 PACKAGE_NAME=realm-core
-VERSION=5.14.0
+VERSION=5.14.0-hotfix.0

src/realm/util/aes_cryptor.hpp

@@ -33,8 +33,8 @@
 #include <bcrypt.h>
 #pragma comment(lib, "bcrypt.lib")
 #else
-#include <openssl/aes.h>
 #include <openssl/sha.h>
+#include <openssl/evp.h>
 #endif
 
 namespace realm {
@@ -62,8 +62,8 @@ class AESCryptor {
         mode_Encrypt = 0,
         mode_Decrypt = 1
 #else
-        mode_Encrypt = AES_ENCRYPT,
-        mode_Decrypt = AES_DECRYPT
+        mode_Encrypt = 1,
+        mode_Decrypt = 0
 #endif
     };
 
@@ -73,8 +73,8 @@ class AESCryptor {
 #elif defined(_WIN32)
     BCRYPT_KEY_HANDLE m_aes_key_handle;
 #else
-    AES_KEY m_ectx;
-    AES_KEY m_dctx;
+    uint8_t m_aesKey[32];
+    EVP_CIPHER_CTX* m_ctx;
 #endif
 
     uint8_t m_hmacKey[32];
@@ -86,6 +86,7 @@ class AESCryptor {
     bool check_hmac(const void* data, size_t len, const uint8_t* hmac) const;
     void crypt(EncryptionMode mode, off_t pos, char* dst, const char* src, const char* stored_iv) noexcept;
     iv_table& get_iv_table(FileDesc fd, off_t data_pos) noexcept;
+    void handle_error();
 };
 
 struct ReaderInfo {

src/realm/util/encrypted_file_mapping.cpp

@@ -168,8 +168,12 @@ AESCryptor::AESCryptor(const uint8_t* key)
     ret = BCryptGenerateSymmetricKey(hAesAlg, &m_aes_key_handle, nullptr, 0, (PBYTE)key, 32, 0);
     REALM_ASSERT_RELEASE_EX(ret == 0 && "BCryptGenerateSymmetricKey()", ret);
 #else
-    AES_set_encrypt_key(key, 256 /* key size in bits */, &m_ectx);
-    AES_set_decrypt_key(key, 256 /* key size in bits */, &m_dctx);
+    m_ctx = EVP_CIPHER_CTX_new();
+
+    if (!m_ctx)
+        handle_error();
+
+    memcpy(m_aesKey, key, 32);
 #endif
     memcpy(m_hmacKey, key + 32, 32);
 }
@@ -179,9 +183,18 @@ AESCryptor::~AESCryptor() noexcept
 #if REALM_PLATFORM_APPLE
     CCCryptorRelease(m_encr);
     CCCryptorRelease(m_decr);
+#elif defined(_WIN32)
+#else
+    EVP_CIPHER_CTX_cleanup(m_ctx);
+    EVP_CIPHER_CTX_free(m_ctx);
 #endif
 }
 
+void AESCryptor::handle_error()
+{
+    throw std::runtime_error("Error occurred in encryption layer");
+}
+
 void AESCryptor::set_file_size(off_t new_size)
 {
     REALM_ASSERT(new_size >= 0 && !int_cast_has_overflow<size_t>(new_size));
@@ -354,8 +367,20 @@ void AESCryptor::crypt(EncryptionMode mode, off_t pos, char* dst, const char* sr
     }
 
 #else
-    AES_cbc_encrypt(reinterpret_cast<const uint8_t*>(src), reinterpret_cast<uint8_t*>(dst), block_size,
-                    mode == mode_Encrypt ? &m_ectx : &m_dctx, iv, mode);
+    if (!EVP_CipherInit_ex(m_ctx, EVP_aes_256_cbc(), NULL, m_aesKey, iv, mode))
+        handle_error();
+
+    int len;
+    // Use zero padding - we always write a whole page
+    EVP_CIPHER_CTX_set_padding(m_ctx, 0);
+
+    if (!EVP_CipherUpdate(m_ctx, reinterpret_cast<uint8_t*>(dst), &len, reinterpret_cast<const uint8_t*>(src),
+                          block_size))
+        handle_error();
+
+    // Finalize the encryption. Should not output further data.
+    if (!EVP_CipherFinal_ex(m_ctx, reinterpret_cast<uint8_t*>(dst) + len, &len))
+        handle_error();
 #endif
 }