[thirdparty/openssl.git] / providers / implementations / ciphers / cipher_aes_ocb.c

/*
 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "cipher_aes_ocb.h"
#include "prov/providercommonerr.h"
#include "prov/cipher_aead.h"
#include "prov/implementations.h"

#define AES_OCB_FLAGS AEAD_FLAGS

#define OCB_DEFAULT_TAG_LEN 16
#define OCB_DEFAULT_IV_LEN  12
#define OCB_MIN_IV_LEN      1
#define OCB_MAX_IV_LEN      15

PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
                                   const unsigned char *in, unsigned char *out,
                                   size_t nextblock));
/* forward declarations */
static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
static OSSL_OP_cipher_update_fn aes_ocb_block_update;
static OSSL_OP_cipher_final_fn aes_ocb_block_final;
static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;

/*
 * The following methods could be moved into PROV_AES_OCB_HW if
 * multiple hardware implementations are ever needed.
 */
static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
                                             const unsigned char *iv,
                                             size_t ivlen, size_t taglen)
{
    return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
}

static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
                                              const unsigned char *aad,
                                              size_t alen)
{
    return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
}

static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
                                              unsigned char *tag, size_t tlen)
{
    return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
}

static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
{
    return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
}

static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
{
    CRYPTO_ocb128_cleanup(&ctx->ocb);
}

static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
                                              const unsigned char *in,
                                              unsigned char *out, size_t len)
{
    if (ctx->base.enc) {
        if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
            return 0;
    } else {
        if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
            return 0;
    }
    return 1;
}

static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
                                                PROV_AES_OCB_CTX *src)
{
    return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
                                  &dst->ksenc.ks, &dst->ksdec.ks);
}

/*-
 * Provider dispatch functions
 */
static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
                        const unsigned char *iv, size_t ivlen, int enc)
{
   PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;

   ctx->base.enc = enc;

   if (iv != NULL) {
       if (ivlen != ctx->base.ivlen) {
           /* IV len must be 1 to 15 */
           if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
               ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
               return 0;
           }
           ctx->base.ivlen = ivlen;
       }
       if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
           return 0;
       ctx->iv_state = IV_STATE_BUFFERED;
   }
   if (key != NULL) {
       if (keylen != ctx->base.keylen) {
           ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
           return 0;
       }
       return ctx->base.hw->init(&ctx->base, key, keylen);
   }
   return 1;
}

static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
                         const unsigned char *iv, size_t ivlen)
{
    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
}

static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
                         const unsigned char *iv, size_t ivlen)
{
    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
}

/*
 * Because of the way OCB works, both the AAD and data are buffered in the
 * same way. Only the last block can be a partial block.
 */
static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
                                         unsigned char *buf, size_t *bufsz,
                                         unsigned char *out, size_t *outl,
                                         size_t outsize, const unsigned char *in,
                                         size_t inl, OSSL_ocb_cipher_fn ciph)
{
    size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
    size_t outlint = 0;

    if (*bufsz == AES_BLOCK_SIZE) {
        if (outsize < AES_BLOCK_SIZE) {
            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
            return 0;
        }
        if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
            return 0;
        }
        *bufsz = 0;
        outlint = AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }
    if (nextblocks > 0) {
        outlint += nextblocks;
        if (outsize < outlint) {
            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
            return 0;
        }
        if (!ciph(ctx, in, out, nextblocks)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
            return 0;
        }
        in += nextblocks;
        inl -= nextblocks;
    }
    if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
        /* PROVerr already called */
        return 0;
    }

    *outl = outlint;
    return inl == 0;
}

/* A wrapper function that has the same signature as cipher */
static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
                            unsigned char *out, size_t len)
{
    return aes_generic_ocb_setaad(ctx, in, len);
}

static int update_iv(PROV_AES_OCB_CTX *ctx)
{
    if (ctx->iv_state == IV_STATE_FINISHED
        || ctx->iv_state == IV_STATE_UNINITIALISED)
        return 0;
    if (ctx->iv_state == IV_STATE_BUFFERED) {
        if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
                                   ctx->taglen))
            return 0;
        ctx->iv_state = IV_STATE_COPIED;
    }
    return 1;
}

static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
                                size_t outsize, const unsigned char *in,
                                size_t inl)
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
    unsigned char *buf;
    size_t *buflen;
    OSSL_ocb_cipher_fn fn;

    if (!ctx->key_set || !update_iv(ctx))
        return 0;

    if (inl == 0) {
        *outl = 0;
        return 1;
    }

    /* Are we dealing with AAD or normal data here? */
    if (out == NULL) {
        buf = ctx->aad_buf;
        buflen = &ctx->aad_buf_len;
        fn = cipher_updateaad;
    } else {
        buf = ctx->data_buf;
        buflen = &ctx->data_buf_len;
        fn = aes_generic_ocb_cipher;
    }
    return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
                                         in, inl, fn);
}

static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
                               size_t outsize)
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;

    /* If no block_update has run then the iv still needs to be set */
    if (!ctx->key_set || !update_iv(ctx))
        return 0;

    /*
     * Empty the buffer of any partial block that we might have been provided,
     * both for data and AAD
     */
    *outl = 0;
    if (ctx->data_buf_len > 0) {
        if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
            return 0;
        *outl = ctx->data_buf_len;
        ctx->data_buf_len = 0;
    }
    if (ctx->aad_buf_len > 0) {
        if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
            return 0;
        ctx->aad_buf_len = 0;
    }
    if (ctx->base.enc) {
        /* If encrypting then just get the tag */
        if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
            return 0;
    } else {
        /* If decrypting then verify */
        if (ctx->taglen == 0)
            return 0;
        if (!aes_generic_ocb_final(ctx))
            return 0;
    }
    /* Don't reuse the IV */
    ctx->iv_state = IV_STATE_FINISHED;
    return 1;
}

static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
                            size_t ivbits, unsigned int mode, uint64_t flags)
{
    PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));

    if (ctx != NULL) {
        cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
                               PROV_CIPHER_HW_aes_ocb(kbits), NULL);
        ctx->taglen = OCB_DEFAULT_TAG_LEN;
    }
    return ctx;
}

static void aes_ocb_freectx(void *vctx)
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;

    if (ctx != NULL) {
        aes_generic_ocb_cleanup(ctx);
        OPENSSL_clear_free(ctx,  sizeof(*ctx));
    }
}

static void *aes_ocb_dupctx(void *vctx)
{
    PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
    PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));

    if (ret == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }
    *ret = *in;
    if (!aes_generic_ocb_copy_ctx(ret, in)) {
        OPENSSL_free(ret);
        ret = NULL;
    }
    return ret;
}

static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
    const OSSL_PARAM *p;
    size_t sz;

    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (p->data == NULL) {
            /* Tag len must be 0 to 16 */
            if (p->data_size > OCB_MAX_TAG_LEN)
                return 0;
            ctx->taglen = p->data_size;
        } else {
            if (p->data_size != ctx->taglen || ctx->base.enc)
                return 0;
            memcpy(ctx->tag, p->data, p->data_size);
        }
     }
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
    if (p != NULL) {
        if (!OSSL_PARAM_get_size_t(p, &sz)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        /* IV len must be 1 to 15 */
        if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
            return 0;
        ctx->base.ivlen = sz;
    }
    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
    if (p != NULL) {
        size_t keylen;

        if (!OSSL_PARAM_get_size_t(p, &keylen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (ctx->base.keylen != keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
    }
    return 1;
}

static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
    if (p != NULL) {
        if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
    if (p != NULL) {
        if (ctx->base.ivlen != p->data_size) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
            return 0;
        }
        if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
            return 0;
        }
    }
    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
            return 0;
        }
        if (!ctx->base.enc || p->data_size != ctx->taglen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
            return 0;
        }
        memcpy(p->data, ctx->tag, ctx->taglen);
    }
    return 1;
}

static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
    OSSL_PARAM_END
};
static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
{
    return cipher_ocb_known_gettable_ctx_params;
}

static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
    OSSL_PARAM_END
};
static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
{
    return cipher_ocb_known_settable_ctx_params;
}

static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
                          size_t outsize, const unsigned char *in, size_t inl)
{
    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;

    if (outsize < inl) {
        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
        return 0;
    }

    if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
        return 0;
    }

    *outl = inl;
    return 1;
}

#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits)          \
static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params;         \
static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[])              \
{                                                                              \
    return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,         \
                                     flags, kbits, blkbits, ivbits);           \
}                                                                              \
static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx;                 \
static void *aes_##kbits##_##mode##_newctx(void *provctx)                      \
{                                                                              \
    return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits,                \
                               EVP_CIPH_##UCMODE##_MODE, flags);               \
}                                                                              \
const OSSL_DISPATCH aes##kbits##mode##_functions[] = {                         \
    { OSSL_FUNC_CIPHER_NEWCTX,                                                 \
        (void (*)(void))aes_##kbits##_##mode##_newctx },                       \
    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit },     \
    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit },     \
    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update },    \
    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final },      \
    { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher },               \
    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },        \
    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx },          \
    { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
        (void (*)(void))aes_##kbits##_##mode##_get_params },                   \
    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
        (void (*)(void))aes_##mode##_get_ctx_params },                         \
    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
        (void (*)(void))aes_##mode##_set_ctx_params },                         \
    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
        (void (*)(void))cipher_generic_gettable_params },                      \
    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
        (void (*)(void))cipher_ocb_gettable_ctx_params },                      \
    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
        (void (*)(void))cipher_ocb_settable_ctx_params },                      \
    { 0, NULL }                                                                \
}

IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
Commit	Line	Data
3837c202 SL	1	/*
	2	* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include "cipher_aes_ocb.h"
ddd21319	11	#include "prov/providercommonerr.h"
604e884b	12	#include "prov/cipher_aead.h"
af3e7e1b	13	#include "prov/implementations.h"
3837c202 SL	14
	15	#define AES_OCB_FLAGS AEAD_FLAGS
	16
	17	#define OCB_DEFAULT_TAG_LEN 16
	18	#define OCB_DEFAULT_IV_LEN 12
	19	#define OCB_MIN_IV_LEN 1
	20	#define OCB_MAX_IV_LEN 15
	21
	22	PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
	23	const unsigned char in, unsigned char out,
	24	size_t nextblock));
	25	/* forward declarations */
	26	static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
	27	static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
	28	static OSSL_OP_cipher_update_fn aes_ocb_block_update;
	29	static OSSL_OP_cipher_final_fn aes_ocb_block_final;
	30	static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
	31	static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
	32	static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
	33	static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
	34	static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
	35
	36	/*
	37	* The following methods could be moved into PROV_AES_OCB_HW if
	38	* multiple hardware implementations are ever needed.
	39	*/
	40	static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
	41	const unsigned char *iv,
	42	size_t ivlen, size_t taglen)
	43	{
	44	return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
	45	}
	46
	47	static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
	48	const unsigned char *aad,
	49	size_t alen)
	50	{
	51	return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
	52	}
	53
	54	static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
	55	unsigned char *tag, size_t tlen)
	56	{
	57	return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
	58	}
	59
	60	static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
	61	{
	62	return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
	63	}
	64
	65	static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
	66	{
	67	CRYPTO_ocb128_cleanup(&ctx->ocb);
	68	}
	69
	70	static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
	71	const unsigned char *in,
	72	unsigned char *out, size_t len)
	73	{
	74	if (ctx->base.enc) {
	75	if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
	76	return 0;
	77	} else {
78	if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
79	return 0;
80	}
81	return 1;
82	}
83
84	static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
85	PROV_AES_OCB_CTX *src)
86	{
f75abcc0 SL	87	return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
f75abcc0 SL	88	&dst->ksenc.ks, &dst->ksdec.ks);
3837c202 SL	89	}
	90
	91	/*-
	92	* Provider dispatch functions
	93	*/
	94	static int aes_ocb_init(void vctx, const unsigned char key, size_t keylen,
	95	const unsigned char *iv, size_t ivlen, int enc)
	96	{
	97	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
	98
	99	ctx->base.enc = enc;
	100
	101	if (iv != NULL) {
	102	if (ivlen != ctx->base.ivlen) {
	103	/* IV len must be 1 to 15 */
	104	if (ivlen < OCB_MIN_IV_LEN \|\| ivlen > OCB_MAX_IV_LEN) {
	105	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
	106	return 0;
	107	}
	108	ctx->base.ivlen = ivlen;
	109	}
089cb623 SL	110	if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
089cb623 SL	111	return 0;
3837c202 SL	112	ctx->iv_state = IV_STATE_BUFFERED;
	113	}
	114	if (key != NULL) {
	115	if (keylen != ctx->base.keylen) {
	116	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
	117	return 0;
	118	}
	119	return ctx->base.hw->init(&ctx->base, key, keylen);
	120	}
	121	return 1;
	122	}
	123
	124	static int aes_ocb_einit(void vctx, const unsigned char key, size_t keylen,
	125	const unsigned char *iv, size_t ivlen)
	126	{
	127	return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
	128	}
	129
	130	static int aes_ocb_dinit(void vctx, const unsigned char key, size_t keylen,
	131	const unsigned char *iv, size_t ivlen)
	132	{
	133	return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
	134	}
	135
	136	/*
	137	* Because of the way OCB works, both the AAD and data are buffered in the
	138	* same way. Only the last block can be a partial block.
	139	*/
	140	static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
	141	unsigned char buf, size_t bufsz,
	142	unsigned char out, size_t outl,
	143	size_t outsize, const unsigned char *in,
	144	size_t inl, OSSL_ocb_cipher_fn ciph)
	145	{
	146	size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
	147	size_t outlint = 0;
	148
	149	if (*bufsz == AES_BLOCK_SIZE) {
	150	if (outsize < AES_BLOCK_SIZE) {
	151	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
	152	return 0;
	153	}
	154	if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
	155	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
	156	return 0;
	157	}
	158	*bufsz = 0;
	159	outlint = AES_BLOCK_SIZE;
	160	out += AES_BLOCK_SIZE;
	161	}
	162	if (nextblocks > 0) {
	163	outlint += nextblocks;
	164	if (outsize < outlint) {
	165	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
	166	return 0;
	167	}
	168	if (!ciph(ctx, in, out, nextblocks)) {
	169	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
	170	return 0;
	171	}
	172	in += nextblocks;
	173	inl -= nextblocks;
	174	}
	175	if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
176	/* PROVerr already called */
177	return 0;
178	}
179
180	*outl = outlint;
181	return inl == 0;
182	}
183
184	/* A wrapper function that has the same signature as cipher */
185	static int cipher_updateaad(PROV_AES_OCB_CTX ctx, const unsigned char in,
186	unsigned char *out, size_t len)
187	{
188	return aes_generic_ocb_setaad(ctx, in, len);
189	}
190
191	static int update_iv(PROV_AES_OCB_CTX *ctx)
192	{
193	if (ctx->iv_state == IV_STATE_FINISHED
194	\|\| ctx->iv_state == IV_STATE_UNINITIALISED)
195	return 0;
196	if (ctx->iv_state == IV_STATE_BUFFERED) {
197	if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
198	ctx->taglen))
199	return 0;
200	ctx->iv_state = IV_STATE_COPIED;
201	}
202	return 1;
203	}
204
205	static int aes_ocb_block_update(void vctx, unsigned char out, size_t *outl,
206	size_t outsize, const unsigned char *in,
207	size_t inl)
208	{
209	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
210	unsigned char *buf;
211	size_t *buflen;
212	OSSL_ocb_cipher_fn fn;
213
214	if (!ctx->key_set \|\| !update_iv(ctx))
215	return 0;
216
4b9c750b MC	217	if (inl == 0) {
	218	*outl = 0;
	219	return 1;
	220	}
	221
3837c202 SL	222	/* Are we dealing with AAD or normal data here? */
	223	if (out == NULL) {
	224	buf = ctx->aad_buf;
	225	buflen = &ctx->aad_buf_len;
	226	fn = cipher_updateaad;
	227	} else {
	228	buf = ctx->data_buf;
	229	buflen = &ctx->data_buf_len;
	230	fn = aes_generic_ocb_cipher;
	231	}
	232	return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
	233	in, inl, fn);
	234	}
	235
	236	static int aes_ocb_block_final(void vctx, unsigned char out, size_t *outl,
	237	size_t outsize)
	238	{
	239	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
	240
	241	/* If no block_update has run then the iv still needs to be set */
	242	if (!ctx->key_set \|\| !update_iv(ctx))
	243	return 0;
	244
	245	/*
	246	* Empty the buffer of any partial block that we might have been provided,
	247	* both for data and AAD
	248	*/
	249	*outl = 0;
	250	if (ctx->data_buf_len > 0) {
	251	if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
	252	return 0;
	253	*outl = ctx->data_buf_len;
	254	ctx->data_buf_len = 0;
	255	}
	256	if (ctx->aad_buf_len > 0) {
	257	if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
	258	return 0;
	259	ctx->aad_buf_len = 0;
	260	}
	261	if (ctx->base.enc) {
	262	/* If encrypting then just get the tag */
	263	if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
	264	return 0;
	265	} else {
	266	/* If decrypting then verify */
	267	if (ctx->taglen == 0)
	268	return 0;
	269	if (!aes_generic_ocb_final(ctx))
	270	return 0;
	271	}
	272	/* Don't reuse the IV */
	273	ctx->iv_state = IV_STATE_FINISHED;
	274	return 1;
	275	}
	276
	277	static void aes_ocb_newctx(void provctx, size_t kbits, size_t blkbits,
	278	size_t ivbits, unsigned int mode, uint64_t flags)
	279	{
	280	PROV_AES_OCB_CTX ctx = OPENSSL_zalloc(sizeof(ctx));
	281
	282	if (ctx != NULL) {
	283	cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
	284	PROV_CIPHER_HW_aes_ocb(kbits), NULL);
	285	ctx->taglen = OCB_DEFAULT_TAG_LEN;
286	}
287	return ctx;
288	}
289
290	static void aes_ocb_freectx(void *vctx)
291	{
292	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
293
12fca1af SL	294	if (ctx != NULL) {
12fca1af SL	295	aes_generic_ocb_cleanup(ctx);
12fca1af SL	296	OPENSSL_clear_free(ctx, sizeof(*ctx));
12fca1af SL	297	}
3837c202 SL	298	}
	299
	300	static void aes_ocb_dupctx(void vctx)
	301	{
	302	PROV_AES_OCB_CTX in = (PROV_AES_OCB_CTX )vctx;
	303	PROV_AES_OCB_CTX ret = OPENSSL_malloc(sizeof(ret));
	304
	305	if (ret == NULL) {
	306	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	307	return NULL;
	308	}
	309	ret = in;
12fca1af	310	if (!aes_generic_ocb_copy_ctx(ret, in)) {
3837c202	311	OPENSSL_free(ret);
12fca1af SL	312	ret = NULL;
12fca1af SL	313	}
3837c202 SL	314	return ret;
	315	}
	316
	317	static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
	318	{
	319	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
	320	const OSSL_PARAM *p;
	321	size_t sz;
	322
	323	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
	324	if (p != NULL) {
	325	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
	326	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
	327	return 0;
	328	}
	329	if (p->data == NULL) {
	330	/* Tag len must be 0 to 16 */
	331	if (p->data_size > OCB_MAX_TAG_LEN)
	332	return 0;
	333	ctx->taglen = p->data_size;
	334	} else {
	335	if (p->data_size != ctx->taglen \|\| ctx->base.enc)
	336	return 0;
	337	memcpy(ctx->tag, p->data, p->data_size);
	338	}
	339	}
	340	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
	341	if (p != NULL) {
	342	if (!OSSL_PARAM_get_size_t(p, &sz)) {
	343	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
	344	return 0;
	345	}
	346	/* IV len must be 1 to 15 */
	347	if (sz < OCB_MIN_IV_LEN \|\| sz > OCB_MAX_IV_LEN)
	348	return 0;
	349	ctx->base.ivlen = sz;
	350	}
	351	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
	352	if (p != NULL) {
	353	size_t keylen;
	354
	355	if (!OSSL_PARAM_get_size_t(p, &keylen)) {
	356	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
	357	return 0;
	358	}
	359	if (ctx->base.keylen != keylen) {
	360	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
	361	return 0;
	362	}
	363	}
	364	return 1;
	365	}
	366
	367	static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
	368	{
	369	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
	370	OSSL_PARAM *p;
	371
	372	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
	373	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
	374	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
	375	return 0;
	376	}
	377	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
378	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
379	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
380	return 0;
381	}
382	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
383	if (p != NULL) {
384	if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
385	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
386	return 0;
387	}
388	}
389
390	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
391	if (p != NULL) {
392	if (ctx->base.ivlen != p->data_size) {
393	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
394	return 0;
395	}
089cb623	396	if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
3837c202 SL	397	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
	398	return 0;
	399	}
	400	}
	401	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
	402	if (p != NULL) {
	403	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
	404	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
	405	return 0;
	406	}
	407	if (!ctx->base.enc \|\| p->data_size != ctx->taglen) {
	408	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
	409	return 0;
	410	}
	411	memcpy(p->data, ctx->tag, ctx->taglen);
	412	}
	413	return 1;
	414	}
	415
	416	static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
	417	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
	418	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
	419	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
	420	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
	421	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
	422	OSSL_PARAM_END
	423	};
	424	static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
	425	{
	426	return cipher_ocb_known_gettable_ctx_params;
	427	}
	428
	429	static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
	430	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
	431	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
	432	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
	433	OSSL_PARAM_END
	434	};
	435	static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
	436	{
	437	return cipher_ocb_known_settable_ctx_params;
	438	}
	439
	440	static int aes_ocb_cipher(void vctx, unsigned char out, size_t *outl,
	441	size_t outsize, const unsigned char *in, size_t inl)
	442	{
	443	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
	444
	445	if (outsize < inl) {
	446	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
	447	return 0;
	448	}
	449
	450	if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
	451	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
	452	return 0;
	453	}
	454
	455	*outl = inl;
	456	return 1;
	457	}
	458
	459	#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
	460	static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
461	static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
462	{ \
463	return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
464	flags, kbits, blkbits, ivbits); \
465	} \
466	static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
467	static void aes_##kbits##_##mode##_newctx(void provctx) \
468	{ \
469	return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
470	EVP_CIPH_##UCMODE##_MODE, flags); \
471	} \
472	const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
473	{ OSSL_FUNC_CIPHER_NEWCTX, \
474	(void (*)(void))aes_##kbits##_##mode##_newctx }, \
475	{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
476	{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
477	{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
478	{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
479	{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
480	{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
481	{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
482	{ OSSL_FUNC_CIPHER_GET_PARAMS, \
483	(void (*)(void))aes_##kbits##_##mode##_get_params }, \
484	{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
485	(void (*)(void))aes_##mode##_get_ctx_params }, \
486	{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
487	(void (*)(void))aes_##mode##_set_ctx_params }, \
488	{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
489	(void (*)(void))cipher_generic_gettable_params }, \
490	{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
491	(void (*)(void))cipher_ocb_gettable_ctx_params }, \
492	{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
493	(void (*)(void))cipher_ocb_settable_ctx_params }, \
494	{ 0, NULL } \
495	}
496
497	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
498	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
499	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
500