providers/implementations/ciphers/cipher_aes_ocb.c

   1 /*
   2  * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * AES low level APIs are deprecated for public use, but still ok for internal
  12  * use where we're using them to implement the higher level EVP interface, as is
  13  * the case here.
  14  */
  15 #include "internal/deprecated.h"
  16
  17 #include "cipher_aes_ocb.h"
  18 #include "prov/providercommonerr.h"
  19 #include "prov/ciphercommon_aead.h"
  20 #include "prov/implementations.h"
  21
  22 #define AES_OCB_FLAGS AEAD_FLAGS
  23
  24 #define OCB_DEFAULT_TAG_LEN 16
  25 #define OCB_DEFAULT_IV_LEN  12
  26 #define OCB_MIN_IV_LEN      1
  27 #define OCB_MAX_IV_LEN      15
  28
  29 PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
  30                                    const unsigned char *in, unsigned char *out,
  31                                    size_t nextblock));
  32 /* forward declarations */
  33 static OSSL_FUNC_cipher_encrypt_init_fn aes_ocb_einit;
  34 static OSSL_FUNC_cipher_decrypt_init_fn aes_ocb_dinit;
  35 static OSSL_FUNC_cipher_update_fn aes_ocb_block_update;
  36 static OSSL_FUNC_cipher_final_fn aes_ocb_block_final;
  37 static OSSL_FUNC_cipher_cipher_fn aes_ocb_cipher;
  38 static OSSL_FUNC_cipher_freectx_fn aes_ocb_freectx;
  39 static OSSL_FUNC_cipher_dupctx_fn aes_ocb_dupctx;
  40 static OSSL_FUNC_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
  41 static OSSL_FUNC_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
  42
  43 /*
  44  * The following methods could be moved into PROV_AES_OCB_HW if
  45  * multiple hardware implementations are ever needed.
  46  */
  47 static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
  48                                              const unsigned char *iv,
  49                                              size_t ivlen, size_t taglen)
  50 {
  51     return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
  52 }
  53
  54 static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
  55                                               const unsigned char *aad,
  56                                               size_t alen)
  57 {
  58     return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
  59 }
  60
  61 static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
  62                                               unsigned char *tag, size_t tlen)
  63 {
  64     return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
  65 }
  66
  67 static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
  68 {
  69     return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
  70 }
  71
  72 static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
  73 {
  74     CRYPTO_ocb128_cleanup(&ctx->ocb);
  75 }
  76
  77 static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
  78                                               const unsigned char *in,
  79                                               unsigned char *out, size_t len)
  80 {
  81     if (ctx->base.enc) {
  82         if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
  83             return 0;
  84     } else {
  85         if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
  86             return 0;
  87     }
  88     return 1;
  89 }
  90
  91 static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
  92                                                 PROV_AES_OCB_CTX *src)
  93 {
  94     return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
  95                                   &dst->ksenc.ks, &dst->ksdec.ks);
  96 }
  97
  98 /*-
  99  * Provider dispatch functions
 100  */
 101 static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
 102                         const unsigned char *iv, size_t ivlen, int enc)
 103 {
 104    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 105
 106    ctx->base.enc = enc;
 107
 108    if (iv != NULL) {
 109        if (ivlen != ctx->base.ivlen) {
 110            /* IV len must be 1 to 15 */
 111            if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
 112                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
 113                return 0;
 114            }
 115            ctx->base.ivlen = ivlen;
 116        }
 117        if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
 118            return 0;
 119        ctx->iv_state = IV_STATE_BUFFERED;
 120    }
 121    if (key != NULL) {
 122        if (keylen != ctx->base.keylen) {
 123            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 124            return 0;
 125        }
 126        return ctx->base.hw->init(&ctx->base, key, keylen);
 127    }
 128    return 1;
 129 }
 130
 131 static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
 132                          const unsigned char *iv, size_t ivlen)
 133 {
 134     return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
 135 }
 136
 137 static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
 138                          const unsigned char *iv, size_t ivlen)
 139 {
 140     return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
 141 }
 142
 143 /*
 144  * Because of the way OCB works, both the AAD and data are buffered in the
 145  * same way. Only the last block can be a partial block.
 146  */
 147 static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
 148                                          unsigned char *buf, size_t *bufsz,
 149                                          unsigned char *out, size_t *outl,
 150                                          size_t outsize, const unsigned char *in,
 151                                          size_t inl, OSSL_ocb_cipher_fn ciph)
 152 {
 153     size_t nextblocks;
 154     size_t outlint = 0;
 155
 156     if (*bufsz != 0)
 157         nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
 158     else
 159         nextblocks = inl & ~(AES_BLOCK_SIZE-1);
 160
 161     if (*bufsz == AES_BLOCK_SIZE) {
 162         if (outsize < AES_BLOCK_SIZE) {
 163             ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 164             return 0;
 165         }
 166         if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
 167             ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
 168             return 0;
 169         }
 170         *bufsz = 0;
 171         outlint = AES_BLOCK_SIZE;
 172         out += AES_BLOCK_SIZE;
 173     }
 174     if (nextblocks > 0) {
 175         outlint += nextblocks;
 176         if (outsize < outlint) {
 177             ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 178             return 0;
 179         }
 180         if (!ciph(ctx, in, out, nextblocks)) {
 181             ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
 182             return 0;
 183         }
 184         in += nextblocks;
 185         inl -= nextblocks;
 186     }
 187     if (inl != 0 && !trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
 188         /* PROVerr already called */
 189         return 0;
 190     }
 191
 192     *outl = outlint;
 193     return inl == 0;
 194 }
 195
 196 /* A wrapper function that has the same signature as cipher */
 197 static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
 198                             unsigned char *out, size_t len)
 199 {
 200     return aes_generic_ocb_setaad(ctx, in, len);
 201 }
 202
 203 static int update_iv(PROV_AES_OCB_CTX *ctx)
 204 {
 205     if (ctx->iv_state == IV_STATE_FINISHED
 206         || ctx->iv_state == IV_STATE_UNINITIALISED)
 207         return 0;
 208     if (ctx->iv_state == IV_STATE_BUFFERED) {
 209         if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
 210                                    ctx->taglen))
 211             return 0;
 212         ctx->iv_state = IV_STATE_COPIED;
 213     }
 214     return 1;
 215 }
 216
 217 static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
 218                                 size_t outsize, const unsigned char *in,
 219                                 size_t inl)
 220 {
 221     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 222     unsigned char *buf;
 223     size_t *buflen;
 224     OSSL_ocb_cipher_fn fn;
 225
 226     if (!ctx->key_set || !update_iv(ctx))
 227         return 0;
 228
 229     if (inl == 0) {
 230         *outl = 0;
 231         return 1;
 232     }
 233
 234     /* Are we dealing with AAD or normal data here? */
 235     if (out == NULL) {
 236         buf = ctx->aad_buf;
 237         buflen = &ctx->aad_buf_len;
 238         fn = cipher_updateaad;
 239     } else {
 240         buf = ctx->data_buf;
 241         buflen = &ctx->data_buf_len;
 242         fn = aes_generic_ocb_cipher;
 243     }
 244     return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
 245                                          in, inl, fn);
 246 }
 247
 248 static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
 249                                size_t outsize)
 250 {
 251     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 252
 253     /* If no block_update has run then the iv still needs to be set */
 254     if (!ctx->key_set || !update_iv(ctx))
 255         return 0;
 256
 257     /*
 258      * Empty the buffer of any partial block that we might have been provided,
 259      * both for data and AAD
 260      */
 261     *outl = 0;
 262     if (ctx->data_buf_len > 0) {
 263         if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
 264             return 0;
 265         *outl = ctx->data_buf_len;
 266         ctx->data_buf_len = 0;
 267     }
 268     if (ctx->aad_buf_len > 0) {
 269         if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
 270             return 0;
 271         ctx->aad_buf_len = 0;
 272     }
 273     if (ctx->base.enc) {
 274         /* If encrypting then just get the tag */
 275         if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
 276             return 0;
 277     } else {
 278         /* If decrypting then verify */
 279         if (ctx->taglen == 0)
 280             return 0;
 281         if (!aes_generic_ocb_final(ctx))
 282             return 0;
 283     }
 284     /* Don't reuse the IV */
 285     ctx->iv_state = IV_STATE_FINISHED;
 286     return 1;
 287 }
 288
 289 static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
 290                             size_t ivbits, unsigned int mode, uint64_t flags)
 291 {
 292     PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
 293
 294     if (ctx != NULL) {
 295         cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
 296                                PROV_CIPHER_HW_aes_ocb(kbits), NULL);
 297         ctx->taglen = OCB_DEFAULT_TAG_LEN;
 298     }
 299     return ctx;
 300 }
 301
 302 static void aes_ocb_freectx(void *vctx)
 303 {
 304     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 305
 306     if (ctx != NULL) {
 307         aes_generic_ocb_cleanup(ctx);
 308         OPENSSL_clear_free(ctx,  sizeof(*ctx));
 309     }
 310 }
 311
 312 static void *aes_ocb_dupctx(void *vctx)
 313 {
 314     PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
 315     PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
 316
 317     if (ret == NULL) {
 318         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 319         return NULL;
 320     }
 321     *ret = *in;
 322     if (!aes_generic_ocb_copy_ctx(ret, in)) {
 323         OPENSSL_free(ret);
 324         ret = NULL;
 325     }
 326     return ret;
 327 }
 328
 329 static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 330 {
 331     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 332     const OSSL_PARAM *p;
 333     size_t sz;
 334
 335     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
 336     if (p != NULL) {
 337         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
 338             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
 339             return 0;
 340         }
 341         if (p->data == NULL) {
 342             /* Tag len must be 0 to 16 */
 343             if (p->data_size > OCB_MAX_TAG_LEN)
 344                 return 0;
 345             ctx->taglen = p->data_size;
 346         } else {
 347             if (p->data_size != ctx->taglen || ctx->base.enc)
 348                 return 0;
 349             memcpy(ctx->tag, p->data, p->data_size);
 350         }
 351      }
 352     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
 353     if (p != NULL) {
 354         if (!OSSL_PARAM_get_size_t(p, &sz)) {
 355             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
 356             return 0;
 357         }
 358         /* IV len must be 1 to 15 */
 359         if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
 360             return 0;
 361         ctx->base.ivlen = sz;
 362     }
 363     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
 364     if (p != NULL) {
 365         size_t keylen;
 366
 367         if (!OSSL_PARAM_get_size_t(p, &keylen)) {
 368             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
 369             return 0;
 370         }
 371         if (ctx->base.keylen != keylen) {
 372             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 373             return 0;
 374         }
 375     }
 376     return 1;
 377 }
 378
 379 static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
 380 {
 381     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 382     OSSL_PARAM *p;
 383
 384     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
 385     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
 386         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 387         return 0;
 388     }
 389     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
 390     if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
 391         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 392         return 0;
 393     }
 394     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
 395     if (p != NULL) {
 396         if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
 397             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 398             return 0;
 399         }
 400     }
 401
 402     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
 403     if (p != NULL) {
 404         if (ctx->base.ivlen > p->data_size) {
 405             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
 406             return 0;
 407         }
 408         if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)
 409             && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) {
 410             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 411             return 0;
 412         }
 413     }
 414     p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
 415     if (p != NULL) {
 416         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
 417             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
 418             return 0;
 419         }
 420         if (!ctx->base.enc || p->data_size != ctx->taglen) {
 421             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
 422             return 0;
 423         }
 424         memcpy(p->data, ctx->tag, ctx->taglen);
 425     }
 426     return 1;
 427 }
 428
 429 static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
 430     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
 431     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
 432     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
 433     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
 434     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
 435     OSSL_PARAM_END
 436 };
 437 static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
 438 {
 439     return cipher_ocb_known_gettable_ctx_params;
 440 }
 441
 442 static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
 443     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
 444     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
 445     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
 446     OSSL_PARAM_END
 447 };
 448 static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
 449 {
 450     return cipher_ocb_known_settable_ctx_params;
 451 }
 452
 453 static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
 454                           size_t outsize, const unsigned char *in, size_t inl)
 455 {
 456     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 457
 458     if (outsize < inl) {
 459         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 460         return 0;
 461     }
 462
 463     if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
 464         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
 465         return 0;
 466     }
 467
 468     *outl = inl;
 469     return 1;
 470 }
 471
 472 #define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits)          \
 473 static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##mode##_get_params;       \
 474 static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[])              \
 475 {                                                                              \
 476     return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,         \
 477                                      flags, kbits, blkbits, ivbits);           \
 478 }                                                                              \
 479 static OSSL_FUNC_cipher_newctx_fn aes_##kbits##_##mode##_newctx;               \
 480 static void *aes_##kbits##_##mode##_newctx(void *provctx)                      \
 481 {                                                                              \
 482     return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits,                \
 483                                EVP_CIPH_##UCMODE##_MODE, flags);               \
 484 }                                                                              \
 485 const OSSL_DISPATCH aes##kbits##mode##_functions[] = {                         \
 486     { OSSL_FUNC_CIPHER_NEWCTX,                                                 \
 487         (void (*)(void))aes_##kbits##_##mode##_newctx },                       \
 488     { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit },     \
 489     { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit },     \
 490     { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update },    \
 491     { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final },      \
 492     { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher },               \
 493     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },        \
 494     { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx },          \
 495     { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
 496         (void (*)(void))aes_##kbits##_##mode##_get_params },                   \
 497     { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
 498         (void (*)(void))aes_##mode##_get_ctx_params },                         \
 499     { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
 500         (void (*)(void))aes_##mode##_set_ctx_params },                         \
 501     { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
 502         (void (*)(void))cipher_generic_gettable_params },                      \
 503     { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
 504         (void (*)(void))cipher_ocb_gettable_ctx_params },                      \
 505     { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
 506         (void (*)(void))cipher_ocb_settable_ctx_params },                      \
 507     { 0, NULL }                                                                \
 508 }
 509
 510 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
 511 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
 512 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
 513