2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "cipher_aes_ocb.h"
11 #include "internal/providercommonerr.h"
12 #include "internal/ciphers/cipher_aead.h"
13 #include "internal/provider_algs.h"
15 #define AES_OCB_FLAGS AEAD_FLAGS
17 #define OCB_DEFAULT_TAG_LEN 16
18 #define OCB_DEFAULT_IV_LEN 12
19 #define OCB_MIN_IV_LEN 1
20 #define OCB_MAX_IV_LEN 15
22 PROV_CIPHER_FUNC(int, ocb_cipher
, (PROV_AES_OCB_CTX
*ctx
,
23 const unsigned char *in
, unsigned char *out
,
25 /* forward declarations */
26 static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit
;
27 static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit
;
28 static OSSL_OP_cipher_update_fn aes_ocb_block_update
;
29 static OSSL_OP_cipher_final_fn aes_ocb_block_final
;
30 static OSSL_OP_cipher_cipher_fn aes_ocb_cipher
;
31 static OSSL_OP_cipher_freectx_fn aes_ocb_freectx
;
32 static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx
;
33 static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params
;
34 static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params
;
37 * The following methods could be moved into PROV_AES_OCB_HW if
38 * multiple hardware implementations are ever needed.
40 static ossl_inline
int aes_generic_ocb_setiv(PROV_AES_OCB_CTX
*ctx
,
41 const unsigned char *iv
,
42 size_t ivlen
, size_t taglen
)
44 return (CRYPTO_ocb128_setiv(&ctx
->ocb
, iv
, ivlen
, taglen
) == 1);
47 static ossl_inline
int aes_generic_ocb_setaad(PROV_AES_OCB_CTX
*ctx
,
48 const unsigned char *aad
,
51 return CRYPTO_ocb128_aad(&ctx
->ocb
, aad
, alen
) == 1;
54 static ossl_inline
int aes_generic_ocb_gettag(PROV_AES_OCB_CTX
*ctx
,
55 unsigned char *tag
, size_t tlen
)
57 return CRYPTO_ocb128_tag(&ctx
->ocb
, tag
, tlen
) > 0;
60 static ossl_inline
int aes_generic_ocb_final(PROV_AES_OCB_CTX
*ctx
)
62 return (CRYPTO_ocb128_finish(&ctx
->ocb
, ctx
->tag
, ctx
->taglen
) == 0);
65 static ossl_inline
void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX
*ctx
)
67 CRYPTO_ocb128_cleanup(&ctx
->ocb
);
70 static ossl_inline
int aes_generic_ocb_cipher(PROV_AES_OCB_CTX
*ctx
,
71 const unsigned char *in
,
72 unsigned char *out
, size_t len
)
75 if (!CRYPTO_ocb128_encrypt(&ctx
->ocb
, in
, out
, len
))
78 if (!CRYPTO_ocb128_decrypt(&ctx
->ocb
, in
, out
, len
))
84 static ossl_inline
int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX
*dst
,
85 PROV_AES_OCB_CTX
*src
)
87 return (!CRYPTO_ocb128_copy_ctx(&dst
->ocb
, &src
->ocb
,
88 &src
->ksenc
.ks
, &src
->ksdec
.ks
));
92 * Provider dispatch functions
94 static int aes_ocb_init(void *vctx
, const unsigned char *key
, size_t keylen
,
95 const unsigned char *iv
, size_t ivlen
, int enc
)
97 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
102 if (ivlen
!= ctx
->base
.ivlen
) {
103 /* IV len must be 1 to 15 */
104 if (ivlen
< OCB_MIN_IV_LEN
|| ivlen
> OCB_MAX_IV_LEN
) {
105 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_IV_LENGTH
);
108 ctx
->base
.ivlen
= ivlen
;
110 memcpy(ctx
->base
.iv
, iv
, ivlen
);
111 ctx
->iv_state
= IV_STATE_BUFFERED
;
114 if (keylen
!= ctx
->base
.keylen
) {
115 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
118 return ctx
->base
.hw
->init(&ctx
->base
, key
, keylen
);
123 static int aes_ocb_einit(void *vctx
, const unsigned char *key
, size_t keylen
,
124 const unsigned char *iv
, size_t ivlen
)
126 return aes_ocb_init(vctx
, key
, keylen
, iv
, ivlen
, 1);
129 static int aes_ocb_dinit(void *vctx
, const unsigned char *key
, size_t keylen
,
130 const unsigned char *iv
, size_t ivlen
)
132 return aes_ocb_init(vctx
, key
, keylen
, iv
, ivlen
, 0);
136 * Because of the way OCB works, both the AAD and data are buffered in the
137 * same way. Only the last block can be a partial block.
139 static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX
*ctx
,
140 unsigned char *buf
, size_t *bufsz
,
141 unsigned char *out
, size_t *outl
,
142 size_t outsize
, const unsigned char *in
,
143 size_t inl
, OSSL_ocb_cipher_fn ciph
)
145 size_t nextblocks
= fillblock(buf
, bufsz
, AES_BLOCK_SIZE
, &in
, &inl
);
148 if (*bufsz
== AES_BLOCK_SIZE
) {
149 if (outsize
< AES_BLOCK_SIZE
) {
150 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
153 if (!ciph(ctx
, buf
, out
, AES_BLOCK_SIZE
)) {
154 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
158 outlint
= AES_BLOCK_SIZE
;
159 out
+= AES_BLOCK_SIZE
;
161 if (nextblocks
> 0) {
162 outlint
+= nextblocks
;
163 if (outsize
< outlint
) {
164 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
167 if (!ciph(ctx
, in
, out
, nextblocks
)) {
168 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
174 if (!trailingdata(buf
, bufsz
, AES_BLOCK_SIZE
, &in
, &inl
)) {
175 /* PROVerr already called */
183 /* A wrapper function that has the same signature as cipher */
184 static int cipher_updateaad(PROV_AES_OCB_CTX
*ctx
, const unsigned char *in
,
185 unsigned char *out
, size_t len
)
187 return aes_generic_ocb_setaad(ctx
, in
, len
);
190 static int update_iv(PROV_AES_OCB_CTX
*ctx
)
192 if (ctx
->iv_state
== IV_STATE_FINISHED
193 || ctx
->iv_state
== IV_STATE_UNINITIALISED
)
195 if (ctx
->iv_state
== IV_STATE_BUFFERED
) {
196 if (!aes_generic_ocb_setiv(ctx
, ctx
->base
.iv
, ctx
->base
.ivlen
,
199 ctx
->iv_state
= IV_STATE_COPIED
;
204 static int aes_ocb_block_update(void *vctx
, unsigned char *out
, size_t *outl
,
205 size_t outsize
, const unsigned char *in
,
208 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
211 OSSL_ocb_cipher_fn fn
;
213 if (!ctx
->key_set
|| !update_iv(ctx
))
216 /* Are we dealing with AAD or normal data here? */
219 buflen
= &ctx
->aad_buf_len
;
220 fn
= cipher_updateaad
;
223 buflen
= &ctx
->data_buf_len
;
224 fn
= aes_generic_ocb_cipher
;
226 return aes_ocb_block_update_internal(ctx
, buf
, buflen
, out
, outl
, outsize
,
230 static int aes_ocb_block_final(void *vctx
, unsigned char *out
, size_t *outl
,
233 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
235 /* If no block_update has run then the iv still needs to be set */
236 if (!ctx
->key_set
|| !update_iv(ctx
))
240 * Empty the buffer of any partial block that we might have been provided,
241 * both for data and AAD
244 if (ctx
->data_buf_len
> 0) {
245 if (!aes_generic_ocb_cipher(ctx
, ctx
->data_buf
, out
, ctx
->data_buf_len
))
247 *outl
= ctx
->data_buf_len
;
248 ctx
->data_buf_len
= 0;
250 if (ctx
->aad_buf_len
> 0) {
251 if (!aes_generic_ocb_setaad(ctx
, ctx
->aad_buf
, ctx
->aad_buf_len
))
253 ctx
->aad_buf_len
= 0;
256 /* If encrypting then just get the tag */
257 if (!aes_generic_ocb_gettag(ctx
, ctx
->tag
, ctx
->taglen
))
260 /* If decrypting then verify */
261 if (ctx
->taglen
== 0)
263 if (!aes_generic_ocb_final(ctx
))
266 /* Don't reuse the IV */
267 ctx
->iv_state
= IV_STATE_FINISHED
;
271 static void *aes_ocb_newctx(void *provctx
, size_t kbits
, size_t blkbits
,
272 size_t ivbits
, unsigned int mode
, uint64_t flags
)
274 PROV_AES_OCB_CTX
*ctx
= OPENSSL_zalloc(sizeof(*ctx
));
277 cipher_generic_initkey(ctx
, kbits
, blkbits
, ivbits
, mode
, flags
,
278 PROV_CIPHER_HW_aes_ocb(kbits
), NULL
);
279 ctx
->taglen
= OCB_DEFAULT_TAG_LEN
;
284 static void aes_ocb_freectx(void *vctx
)
286 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
288 aes_generic_ocb_cleanup(ctx
);
289 OPENSSL_cleanse(ctx
->base
.iv
, sizeof(ctx
->base
.iv
));
290 OPENSSL_clear_free(ctx
, sizeof(*ctx
));
293 static void *aes_ocb_dupctx(void *vctx
)
295 PROV_AES_OCB_CTX
*in
= (PROV_AES_OCB_CTX
*)vctx
;
296 PROV_AES_OCB_CTX
*ret
= OPENSSL_malloc(sizeof(*ret
));
299 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
303 if (!aes_generic_ocb_copy_ctx(ret
, in
))
308 static int aes_ocb_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
310 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
314 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_AEAD_TAG
);
316 if (p
->data_type
!= OSSL_PARAM_OCTET_STRING
) {
317 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
320 if (p
->data
== NULL
) {
321 /* Tag len must be 0 to 16 */
322 if (p
->data_size
> OCB_MAX_TAG_LEN
)
324 ctx
->taglen
= p
->data_size
;
326 if (p
->data_size
!= ctx
->taglen
|| ctx
->base
.enc
)
328 memcpy(ctx
->tag
, p
->data
, p
->data_size
);
331 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_AEAD_IVLEN
);
333 if (!OSSL_PARAM_get_size_t(p
, &sz
)) {
334 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
337 /* IV len must be 1 to 15 */
338 if (sz
< OCB_MIN_IV_LEN
|| sz
> OCB_MAX_IV_LEN
)
340 ctx
->base
.ivlen
= sz
;
342 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_KEYLEN
);
346 if (!OSSL_PARAM_get_size_t(p
, &keylen
)) {
347 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
350 if (ctx
->base
.keylen
!= keylen
) {
351 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
358 static int aes_ocb_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
360 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
363 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_IVLEN
);
364 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, ctx
->base
.ivlen
)) {
365 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
368 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_KEYLEN
);
369 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, ctx
->base
.keylen
)) {
370 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
373 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_AEAD_TAGLEN
);
375 if (!OSSL_PARAM_set_size_t(p
, ctx
->taglen
)) {
376 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
381 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_IV
);
383 if (ctx
->base
.ivlen
!= p
->data_size
) {
384 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_IV_LENGTH
);
387 if (!OSSL_PARAM_set_octet_string(p
, ctx
->base
.iv
, ctx
->base
.ivlen
)) {
388 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
392 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_AEAD_TAG
);
394 if (p
->data_type
!= OSSL_PARAM_OCTET_STRING
) {
395 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
398 if (!ctx
->base
.enc
|| p
->data_size
!= ctx
->taglen
) {
399 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_TAGLEN
);
402 memcpy(p
->data
, ctx
->tag
, ctx
->taglen
);
407 static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params
[] = {
408 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN
, NULL
),
409 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN
, NULL
),
410 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN
, NULL
),
411 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV
, NULL
, 0),
412 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG
, NULL
, 0),
415 static const OSSL_PARAM
*cipher_ocb_gettable_ctx_params(void)
417 return cipher_ocb_known_gettable_ctx_params
;
420 static const OSSL_PARAM cipher_ocb_known_settable_ctx_params
[] = {
421 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN
, NULL
),
422 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN
, NULL
),
423 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG
, NULL
, 0),
426 static const OSSL_PARAM
*cipher_ocb_settable_ctx_params(void)
428 return cipher_ocb_known_settable_ctx_params
;
431 static int aes_ocb_cipher(void *vctx
, unsigned char *out
, size_t *outl
,
432 size_t outsize
, const unsigned char *in
, size_t inl
)
434 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
437 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
441 if (!aes_generic_ocb_cipher(ctx
, in
, out
, inl
)) {
442 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
450 #define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
451 static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
452 static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
454 return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
455 flags, kbits, blkbits, ivbits); \
457 static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
458 static void *aes_##kbits##_##mode##_newctx(void *provctx) \
460 return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
461 EVP_CIPH_##UCMODE##_MODE, flags); \
463 const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
464 { OSSL_FUNC_CIPHER_NEWCTX, \
465 (void (*)(void))aes_##kbits##_##mode##_newctx }, \
466 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
467 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
468 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
469 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
470 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
471 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
472 { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
473 { OSSL_FUNC_CIPHER_GET_PARAMS, \
474 (void (*)(void))aes_##kbits##_##mode##_get_params }, \
475 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
476 (void (*)(void))aes_##mode##_get_ctx_params }, \
477 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
478 (void (*)(void))aes_##mode##_set_ctx_params }, \
479 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
480 (void (*)(void))cipher_generic_gettable_params }, \
481 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
482 (void (*)(void))cipher_ocb_gettable_ctx_params }, \
483 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
484 (void (*)(void))cipher_ocb_settable_ctx_params }, \
488 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 256, 128, OCB_DEFAULT_IV_LEN
* 8);
489 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 192, 128, OCB_DEFAULT_IV_LEN
* 8);
490 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 128, 128, OCB_DEFAULT_IV_LEN
* 8);