Add FEATURE_AES_CSP to use hardware-accelerated AesCryptoServiceProvider

Reduces CPU usage dramatically, allowing more performance on slower machines

Author: Pedro Fonseca

src/Renci.SshNet/Renci.SshNet.csproj

@@ -18,6 +18,6 @@
   </ItemGroup>
 
   <PropertyGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'netstandard2.1' or '$(TargetFramework)' == 'net6.0' or '$(TargetFramework)' == 'net7.0' ">
-    <DefineConstants>FEATURE_SOCKET_TAP;FEATURE_SOCKET_APM;FEATURE_SOCKET_EAP;FEATURE_DNS_SYNC;FEATURE_DNS_APM;FEATURE_DNS_TAP</DefineConstants>
+    <DefineConstants>FEATURE_SOCKET_TAP;FEATURE_SOCKET_APM;FEATURE_SOCKET_EAP;FEATURE_DNS_SYNC;FEATURE_DNS_APM;FEATURE_DNS_TAP;FEATURE_AES_CSP</DefineConstants>
   </PropertyGroup>
 </Project>

src/Renci.SshNet/Security/Cryptography/BlockCipher.cs

@@ -1,4 +1,5 @@
 using System;
+using csp = System.Security.Cryptography;
 using Renci.SshNet.Security.Cryptography.Ciphers;
 
 namespace Renci.SshNet.Security.Cryptography
@@ -60,7 +61,20 @@ protected BlockCipher(byte[] key, byte blockSize, CipherMode mode, CipherPadding
             _mode = mode;
             _padding = padding;
 
+#if FEATURE_AES_CSP
+            // use AesCryptoServiceProvider which uses AES-NI (faster, less CPU usage)
+            csp.AesCryptoServiceProvider aesProvider = new csp.AesCryptoServiceProvider()
+            {
+                BlockSize = blockSize * 8,
+                KeySize = Key.Length * 8,
+                Mode = _mode.cspMode,
+                Padding = padding == null ? csp.PaddingMode.None : csp.PaddingMode.PKCS7,
+                Key = key
+            };
+            _mode?.Init(this, aesProvider);
+#else
             _mode?.Init(this);
+#endif
         }
 
         /// <summary>
@@ -74,34 +88,42 @@ protected BlockCipher(byte[] key, byte blockSize, CipherMode mode, CipherPadding
         /// </returns>
         public override byte[] Encrypt(byte[] input, int offset, int length)
         {
-            if (length % _blockSize > 0)
-            {
-                if (_padding is null)
-                {
-                    throw new ArgumentException("data");
-                }
-
-                var paddingLength = _blockSize - (length % _blockSize);
-                input = _padding.Pad(input, offset, length, paddingLength);
-                length += paddingLength;
-                offset = 0;
-            }
-
             var output = new byte[length];
             var writtenBytes = 0;
 
-            for (var i = 0; i < length / _blockSize; i++)
+#if FEATURE_AES_CSP
+            if (_mode is not null && _mode.isCspAvailable)
+                writtenBytes = _mode.EncryptWithCSP(input, offset, output);
+            else
             {
-                if (_mode is null)
+#endif
+                if (length % _blockSize > 0)
                 {
-                    writtenBytes += EncryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    if (_padding is null)
+                    {
+                        throw new ArgumentException("data");
+                    }
+
+                    var paddingLength = _blockSize - (length % _blockSize);
+                    input = _padding.Pad(input, offset, length, paddingLength);
+                    length += paddingLength;
+                    offset = 0;
                 }
-                else
+
+                for (var i = 0; i < length / _blockSize; i++)
                 {
-                    writtenBytes += _mode.EncryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    if (_mode is null)
+                    {
+                        writtenBytes += EncryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    }
+                    else
+                    {
+                        writtenBytes += _mode.EncryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    }
                 }
+#if FEATURE_AES_CSP
             }
-
+#endif
             if (writtenBytes < length)
             {
                 throw new InvalidOperationException("Encryption error.");
@@ -133,33 +155,37 @@ public override byte[] Decrypt(byte[] input)
         /// </returns>
         public override byte[] Decrypt(byte[] input, int offset, int length)
         {
-            if (length % _blockSize > 0)
-            {
-                if (_padding is null)
-                {
-                    throw new ArgumentException("data");
-                }
-
-                input = _padding.Pad(_blockSize, input, offset, length);
-                offset = 0;
-                length = input.Length;
-            }
-
             var output = new byte[length];
-
             var writtenBytes = 0;
-            for (var i = 0; i < length / _blockSize; i++)
+
+#if FEATURE_AES_CSP
+            if (_mode is not null && _mode.isCspAvailable)
+                writtenBytes = _mode.DecryptWithCSP(input, offset, output);
+            else
             {
-                if (_mode is null)
+#endif
+                if (length % _blockSize > 0)
                 {
-                    writtenBytes += DecryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    if (_padding is null)
+                    {
+                        throw new ArgumentException("data");
+                    }
+
+                    input = _padding.Pad(_blockSize, input, offset, length);
+                    offset = 0;
+                    length = input.Length;
                 }
-                else
+
+                for (var i = 0; i < length / _blockSize; i++)
                 {
-                    writtenBytes += _mode.DecryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    if (_mode is null)
+                        writtenBytes += DecryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
+                    else
+                        writtenBytes += _mode.DecryptBlock(input, offset + (i * _blockSize), _blockSize, output, i * _blockSize);
                 }
+#if FEATURE_AES_CSP
             }
-
+#endif
             if (writtenBytes < length)
             {
                 throw new InvalidOperationException("Encryption error.");

src/Renci.SshNet/Security/Cryptography/Ciphers/CipherMode.cs

@@ -1,4 +1,6 @@
-using Renci.SshNet.Common;
+using System;
+using Renci.SshNet.Common;
+using csp = System.Security.Cryptography;
 
 namespace Renci.SshNet.Security.Cryptography.Ciphers
 {
@@ -17,7 +19,7 @@ public abstract class CipherMode
         /// <summary>
         /// Gets the IV vector.
         /// </summary>
-        protected byte[] IV;
+        internal byte[] IV;
 
         /// <summary>
         /// Holds block size of the cipher.
@@ -32,6 +34,9 @@ public abstract class CipherMode
         /// <param name="iv">The iv.</param>
         protected CipherMode(byte[] iv)
         {
+            if (iv.Length < 16)
+                throw new ArgumentException("Invalid AES IV length");
+
             IV = iv;
         }
 
@@ -70,6 +75,75 @@ internal void Init(BlockCipher cipher)
         /// <returns>
         /// The number of bytes decrypted.
         /// </returns>
-        public abstract int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset);
+        public virtual int DecryptBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
+        {
+            // By default, use the same EncryptBlock() function
+            // Modes that require a different implementation (non-symmetric) can override this function (CBC/CFB)
+            return EncryptBlock(inputBuffer, inputOffset, inputCount, outputBuffer, outputOffset);
+        }
+
+#if FEATURE_AES_CSP
+        // CryptoServiceProvider acceleration using AES-NI if supported
+        internal csp.ICryptoTransform aesDecryptor;
+        internal csp.ICryptoTransform aesEncryptor;
+
+        // set to false when CSP is not available; falls back to legacy code
+        internal bool isCspAvailable = true;
+
+        // corresponding CSP cipher mode
+        internal csp.CipherMode cspMode = csp.CipherMode.ECB;
+
+        /// <summary>
+        /// If true, performs decryption using aesEncryptor
+        /// </summary>
+        protected bool cspDecryptAsEncrypt = true;
+
+        /// <summary>
+        /// Initializes the specified cipher mode using CryptoServiceProvider acceleration
+        /// </summary>
+        /// <param name="cipher">The cipher.</param>
+        /// <param name="csp">The cryptoServiceProvider instance</param>
+        internal void Init(BlockCipher cipher, csp.AesCryptoServiceProvider csp)
+        {
+            Init(cipher);
+            try
+            {
+                aesDecryptor = csp.CreateDecryptor(csp.Key, IV);
+                aesEncryptor = csp.CreateEncryptor(csp.Key, IV);
+            }
+            catch
+            {
+                // OFB/CFB might not be available on some versions of Windows - fallback to legacy code
+                isCspAvailable = false;
+            }
+        }
+
+        /// <summary>
+        /// Encrypts the specified region of the input byte array using AesCryptoServiceProvider
+        /// </summary>
+        /// <param name="data">The input data to encrypt.</param>
+        /// <param name="offset">The offset into the input byte array from which to begin using data.</param>
+        /// <param name="output">The output to which to write encrypted data.</param>
+        /// <returns>The number of bytes encrypted</returns>
+        public virtual int EncryptWithCSP(byte[] data, int offset, byte[] output)
+        {
+            return aesEncryptor.TransformBlock(data, offset, output.Length, output, 0);
+        }
+
+        /// <summary>
+        /// Decrypts the specified region of the input byte array using AesCryptoServiceProvider
+        /// </summary>
+        /// <param name="data">The input data to decrypt.</param>
+        /// <param name="offset">The offset into the input byte array from which to begin using data.</param>
+        /// <param name="output">The output to which to write decrypted data.</param>
+        /// <returns>The number of bytes decrypted</returns>
+        public virtual int DecryptWithCSP(byte[] data, int offset, byte[] output)
+        {
+            if (cspDecryptAsEncrypt)
+                return EncryptWithCSP(data, offset, output);
+
+            return aesDecryptor.TransformBlock(data, offset, output.Length, output, 0);
+        }
+#endif
     }
 }

src/Renci.SshNet/Security/Cryptography/Ciphers/Modes/CbcCipherMode.cs

@@ -15,6 +15,10 @@ public class CbcCipherMode : CipherMode
         public CbcCipherMode(byte[] iv)
             : base(iv)
         {
+#if FEATURE_AES_CSP
+            cspMode = System.Security.Cryptography.CipherMode.CBC;
+            cspDecryptAsEncrypt = false;
+#endif        
         }
 
         /// <summary>

src/Renci.SshNet/Security/Cryptography/Ciphers/Modes/CfbCipherMode.cs

@@ -18,6 +18,12 @@ public CfbCipherMode(byte[] iv)
             : base(iv)
         {
             _ivOutput = new byte[iv.Length];
+
+#if FEATURE_AES_CSP
+            cspMode = System.Security.Cryptography.CipherMode.CFB;
+            // note: the legacy code also uses EncryptBlock() on the DecryptBlock() function
+            cspDecryptAsEncrypt = true;
+#endif
         }
 
         /// <summary>

src/Renci.SshNet/Security/Cryptography/Ciphers/Modes/CtrCipherMode.cs

@@ -10,6 +10,11 @@ public class CtrCipherMode : CipherMode
     {
         private readonly byte[] _ivOutput;
 
+#if FEATURE_AES_CSP
+        // IV as uint[] for usage with CryptoServiceProvider
+        private uint[] _ivCSP;
+#endif
+
         /// <summary>
         /// Initializes a new instance of the <see cref="CtrCipherMode"/> class.
         /// </summary>
@@ -18,6 +23,19 @@ public CtrCipherMode(byte[] iv)
             : base(iv)
         {
             _ivOutput = new byte[iv.Length];
+
+#if FEATURE_AES_CSP
+            // CTR uses ECB plus an incrementing IV
+            cspMode = System.Security.Cryptography.CipherMode.ECB;      
+            cspDecryptAsEncrypt = true;
+
+            // convert the IV into an array of uint[4] for speed
+            _ivCSP = new uint[4];
+            _ivCSP[0] = (uint)((iv[0] << 24) | (iv[1] << 16) | (iv[2] << 8) | (iv[3]));
+            _ivCSP[1] = (uint)((iv[4] << 24) | (iv[5] << 16) | (iv[6] << 8) | (iv[7]));
+            _ivCSP[2] = (uint)((iv[8] << 24) | (iv[9] << 16) | (iv[10] << 8) | (iv[11]));
+            _ivCSP[3] = (uint)((iv[12] << 24) | (iv[13] << 16) | (iv[14] << 8) | (iv[15]));
+#endif
         }
 
         /// <summary>
@@ -64,6 +82,67 @@ public override int EncryptBlock(byte[] inputBuffer, int inputOffset, int inputC
             return _blockSize;
         }
 
+#if FEATURE_AES_CSP
+        /// <summary>
+        /// Encrypts the specified region of the input byte array using AesCryptoServiceProvider
+        /// </summary>
+        /// <param name="data">The input data to encrypt.</param>
+        /// <param name="offset">The offset into the input byte array from which to begin using data.</param>
+        /// <param name="output">The output to which to write encrypted data.</param>
+        /// <returns>The number of bytes encrypted</returns>
+        public override int EncryptWithCSP(byte[] data, int offset, byte[] output)
+        {
+            byte[] counter = CreateIVCounter(data, offset, output.Length);
+            int bytes = aesEncryptor.TransformBlock(counter, 0, output.Length, output, 0);
+            DataXorCounter(data, offset, output);
+            return bytes;
+        }
+
+        // creates the Counter array filled with incrementing copies of IV
+        private byte[] CreateIVCounter(byte[] inputBuffer, int offset, int length)
+        {
+            // fill an array with IV, increment by 1 for each copy
+            uint[] counter = new uint[length / 4];
+            for (int i = 0; i < counter.Length; i += 4)
+            {
+                // write IV to buffer (big endian)
+                counter[i] = (_ivCSP[0] << 24) | ((_ivCSP[0] << 8) & 0x00FF0000) | ((_ivCSP[0] >> 8) & 0x0000FF00) | (_ivCSP[0] >> 24);
+                counter[i + 1] = (_ivCSP[1] << 24) | ((_ivCSP[1] << 8) & 0x00FF0000) | ((_ivCSP[1] >> 8) & 0x0000FF00) | (_ivCSP[1] >> 24);
+                counter[i + 2] = (_ivCSP[2] << 24) | ((_ivCSP[2] << 8) & 0x00FF0000) | ((_ivCSP[2] >> 8) & 0x0000FF00) | (_ivCSP[2] >> 24);
+                counter[i + 3] = (_ivCSP[3] << 24) | ((_ivCSP[3] << 8) & 0x00FF0000) | ((_ivCSP[3] >> 8) & 0x0000FF00) | (_ivCSP[3] >> 24);
+
+                // increment IV (little endian)
+                for (int j = 3; j >= 0 && ++_ivCSP[j] == 0; j--) ;
+            }
+
+            // copy uint[] to byte[]
+            byte[] counterBytes = new byte[length];
+            System.Buffer.BlockCopy(counter, 0, counterBytes, 0, length);
+            return counterBytes;
+        }
+
+        // XORs the input data with the encrypted Counter array to produce the final output
+        private void DataXorCounter(byte[] data, int offset, byte[] output)
+        {
+            int length = output.Length;
+
+            // original data 
+            uint[] inwords = new uint[length / 4];
+            System.Buffer.BlockCopy(data, offset, inwords, 0, length);
+
+            // encrypted IV counter data
+            uint[] outwords = new uint[length / 4];
+            System.Buffer.BlockCopy(output, 0, outwords, 0, length);
+
+            // XOR encrypted Counter with input data (use uint arrays for speed)
+            for (int i = 0; i < outwords.Length; i++)
+                outwords[i] = outwords[i] ^ inwords[i];
+
+            // copy final data to output byte[]
+            System.Buffer.BlockCopy(outwords, 0, output, 0, length);
+        }
+#endif
+
         /// <summary>
         /// Decrypts the specified region of the input byte array and copies the decrypted data to the specified region of the output byte array.
         /// </summary>