2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * AES low level APIs are deprecated for public use, but still ok for internal
12 * use where we're using them to implement the higher level EVP interface, as is
15 #include "internal/deprecated.h"
17 #include <openssl/proverr.h>
18 #include "cipher_aes_ocb.h"
19 #include "prov/providercommon.h"
20 #include "prov/ciphercommon_aead.h"
21 #include "prov/implementations.h"
23 #define AES_OCB_FLAGS AEAD_FLAGS
25 #define OCB_DEFAULT_TAG_LEN 16
26 #define OCB_DEFAULT_IV_LEN 12
27 #define OCB_MIN_IV_LEN 1
28 #define OCB_MAX_IV_LEN 15
30 PROV_CIPHER_FUNC(int, ocb_cipher
, (PROV_AES_OCB_CTX
*ctx
,
31 const unsigned char *in
, unsigned char *out
,
33 /* forward declarations */
34 static OSSL_FUNC_cipher_encrypt_init_fn aes_ocb_einit
;
35 static OSSL_FUNC_cipher_decrypt_init_fn aes_ocb_dinit
;
36 static OSSL_FUNC_cipher_update_fn aes_ocb_block_update
;
37 static OSSL_FUNC_cipher_final_fn aes_ocb_block_final
;
38 static OSSL_FUNC_cipher_cipher_fn aes_ocb_cipher
;
39 static OSSL_FUNC_cipher_freectx_fn aes_ocb_freectx
;
40 static OSSL_FUNC_cipher_dupctx_fn aes_ocb_dupctx
;
41 static OSSL_FUNC_cipher_get_ctx_params_fn aes_ocb_get_ctx_params
;
42 static OSSL_FUNC_cipher_set_ctx_params_fn aes_ocb_set_ctx_params
;
43 static OSSL_FUNC_cipher_gettable_ctx_params_fn cipher_ocb_gettable_ctx_params
;
44 static OSSL_FUNC_cipher_settable_ctx_params_fn cipher_ocb_settable_ctx_params
;
47 * The following methods could be moved into PROV_AES_OCB_HW if
48 * multiple hardware implementations are ever needed.
50 static ossl_inline
int aes_generic_ocb_setiv(PROV_AES_OCB_CTX
*ctx
,
51 const unsigned char *iv
,
52 size_t ivlen
, size_t taglen
)
54 return (CRYPTO_ocb128_setiv(&ctx
->ocb
, iv
, ivlen
, taglen
) == 1);
57 static ossl_inline
int aes_generic_ocb_setaad(PROV_AES_OCB_CTX
*ctx
,
58 const unsigned char *aad
,
61 return CRYPTO_ocb128_aad(&ctx
->ocb
, aad
, alen
) == 1;
64 static ossl_inline
int aes_generic_ocb_gettag(PROV_AES_OCB_CTX
*ctx
,
65 unsigned char *tag
, size_t tlen
)
67 return CRYPTO_ocb128_tag(&ctx
->ocb
, tag
, tlen
) > 0;
70 static ossl_inline
int aes_generic_ocb_final(PROV_AES_OCB_CTX
*ctx
)
72 return (CRYPTO_ocb128_finish(&ctx
->ocb
, ctx
->tag
, ctx
->taglen
) == 0);
75 static ossl_inline
void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX
*ctx
)
77 CRYPTO_ocb128_cleanup(&ctx
->ocb
);
80 static ossl_inline
int aes_generic_ocb_cipher(PROV_AES_OCB_CTX
*ctx
,
81 const unsigned char *in
,
82 unsigned char *out
, size_t len
)
85 if (!CRYPTO_ocb128_encrypt(&ctx
->ocb
, in
, out
, len
))
88 if (!CRYPTO_ocb128_decrypt(&ctx
->ocb
, in
, out
, len
))
94 static ossl_inline
int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX
*dst
,
95 PROV_AES_OCB_CTX
*src
)
97 return CRYPTO_ocb128_copy_ctx(&dst
->ocb
, &src
->ocb
,
98 &dst
->ksenc
.ks
, &dst
->ksdec
.ks
);
102 * Provider dispatch functions
104 static int aes_ocb_init(void *vctx
, const unsigned char *key
, size_t keylen
,
105 const unsigned char *iv
, size_t ivlen
,
106 const OSSL_PARAM params
[], int enc
)
108 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
110 if (!ossl_prov_is_running())
113 ctx
->aad_buf_len
= 0;
114 ctx
->data_buf_len
= 0;
118 if (ivlen
!= ctx
->base
.ivlen
) {
119 /* IV len must be 1 to 15 */
120 if (ivlen
< OCB_MIN_IV_LEN
|| ivlen
> OCB_MAX_IV_LEN
) {
121 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_IV_LENGTH
);
124 ctx
->base
.ivlen
= ivlen
;
126 if (!ossl_cipher_generic_initiv(&ctx
->base
, iv
, ivlen
))
128 ctx
->iv_state
= IV_STATE_BUFFERED
;
131 if (keylen
!= ctx
->base
.keylen
) {
132 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
135 if (!ctx
->base
.hw
->init(&ctx
->base
, key
, keylen
))
138 return aes_ocb_set_ctx_params(ctx
, params
);
141 static int aes_ocb_einit(void *vctx
, const unsigned char *key
, size_t keylen
,
142 const unsigned char *iv
, size_t ivlen
,
143 const OSSL_PARAM params
[])
145 return aes_ocb_init(vctx
, key
, keylen
, iv
, ivlen
, params
, 1);
148 static int aes_ocb_dinit(void *vctx
, const unsigned char *key
, size_t keylen
,
149 const unsigned char *iv
, size_t ivlen
,
150 const OSSL_PARAM params
[])
152 return aes_ocb_init(vctx
, key
, keylen
, iv
, ivlen
, params
, 0);
156 * Because of the way OCB works, both the AAD and data are buffered in the
157 * same way. Only the last block can be a partial block.
159 static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX
*ctx
,
160 unsigned char *buf
, size_t *bufsz
,
161 unsigned char *out
, size_t *outl
,
162 size_t outsize
, const unsigned char *in
,
163 size_t inl
, OSSL_ocb_cipher_fn ciph
)
169 nextblocks
= ossl_cipher_fillblock(buf
, bufsz
, AES_BLOCK_SIZE
, &in
, &inl
);
171 nextblocks
= inl
& ~(AES_BLOCK_SIZE
-1);
173 if (*bufsz
== AES_BLOCK_SIZE
) {
174 if (outsize
< AES_BLOCK_SIZE
) {
175 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
178 if (!ciph(ctx
, buf
, out
, AES_BLOCK_SIZE
)) {
179 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
183 outlint
= AES_BLOCK_SIZE
;
185 out
+= AES_BLOCK_SIZE
;
187 if (nextblocks
> 0) {
188 outlint
+= nextblocks
;
189 if (outsize
< outlint
) {
190 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
193 if (!ciph(ctx
, in
, out
, nextblocks
)) {
194 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
201 && !ossl_cipher_trailingdata(buf
, bufsz
, AES_BLOCK_SIZE
, &in
, &inl
)) {
202 /* PROVerr already called */
210 /* A wrapper function that has the same signature as cipher */
211 static int cipher_updateaad(PROV_AES_OCB_CTX
*ctx
, const unsigned char *in
,
212 unsigned char *out
, size_t len
)
214 return aes_generic_ocb_setaad(ctx
, in
, len
);
217 static int update_iv(PROV_AES_OCB_CTX
*ctx
)
219 if (ctx
->iv_state
== IV_STATE_FINISHED
220 || ctx
->iv_state
== IV_STATE_UNINITIALISED
)
222 if (ctx
->iv_state
== IV_STATE_BUFFERED
) {
223 if (!aes_generic_ocb_setiv(ctx
, ctx
->base
.iv
, ctx
->base
.ivlen
,
226 ctx
->iv_state
= IV_STATE_COPIED
;
231 static int aes_ocb_block_update(void *vctx
, unsigned char *out
, size_t *outl
,
232 size_t outsize
, const unsigned char *in
,
235 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
238 OSSL_ocb_cipher_fn fn
;
240 if (!ctx
->key_set
|| !update_iv(ctx
))
248 /* Are we dealing with AAD or normal data here? */
251 buflen
= &ctx
->aad_buf_len
;
252 fn
= cipher_updateaad
;
255 buflen
= &ctx
->data_buf_len
;
256 fn
= aes_generic_ocb_cipher
;
258 return aes_ocb_block_update_internal(ctx
, buf
, buflen
, out
, outl
, outsize
,
262 static int aes_ocb_block_final(void *vctx
, unsigned char *out
, size_t *outl
,
265 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
267 if (!ossl_prov_is_running())
270 /* If no block_update has run then the iv still needs to be set */
271 if (!ctx
->key_set
|| !update_iv(ctx
))
275 * Empty the buffer of any partial block that we might have been provided,
276 * both for data and AAD
279 if (ctx
->data_buf_len
> 0) {
280 if (!aes_generic_ocb_cipher(ctx
, ctx
->data_buf
, out
, ctx
->data_buf_len
))
282 *outl
= ctx
->data_buf_len
;
283 ctx
->data_buf_len
= 0;
285 if (ctx
->aad_buf_len
> 0) {
286 if (!aes_generic_ocb_setaad(ctx
, ctx
->aad_buf
, ctx
->aad_buf_len
))
288 ctx
->aad_buf_len
= 0;
291 /* If encrypting then just get the tag */
292 if (!aes_generic_ocb_gettag(ctx
, ctx
->tag
, ctx
->taglen
))
295 /* If decrypting then verify */
296 if (ctx
->taglen
== 0)
298 if (!aes_generic_ocb_final(ctx
))
301 /* Don't reuse the IV */
302 ctx
->iv_state
= IV_STATE_FINISHED
;
306 static void *aes_ocb_newctx(void *provctx
, size_t kbits
, size_t blkbits
,
307 size_t ivbits
, unsigned int mode
, uint64_t flags
)
309 PROV_AES_OCB_CTX
*ctx
;
311 if (!ossl_prov_is_running())
314 ctx
= OPENSSL_zalloc(sizeof(*ctx
));
316 ossl_cipher_generic_initkey(ctx
, kbits
, blkbits
, ivbits
, mode
, flags
,
317 ossl_prov_cipher_hw_aes_ocb(kbits
), NULL
);
318 ctx
->taglen
= OCB_DEFAULT_TAG_LEN
;
323 static void aes_ocb_freectx(void *vctx
)
325 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
328 aes_generic_ocb_cleanup(ctx
);
329 ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX
*)vctx
);
330 OPENSSL_clear_free(ctx
, sizeof(*ctx
));
334 static void *aes_ocb_dupctx(void *vctx
)
336 PROV_AES_OCB_CTX
*in
= (PROV_AES_OCB_CTX
*)vctx
;
337 PROV_AES_OCB_CTX
*ret
;
339 if (!ossl_prov_is_running())
342 ret
= OPENSSL_malloc(sizeof(*ret
));
346 if (!aes_generic_ocb_copy_ctx(ret
, in
)) {
353 static int aes_ocb_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
355 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
362 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_AEAD_TAG
);
364 if (p
->data_type
!= OSSL_PARAM_OCTET_STRING
) {
365 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
368 if (p
->data
== NULL
) {
369 /* Tag len must be 0 to 16 */
370 if (p
->data_size
> OCB_MAX_TAG_LEN
)
372 ctx
->taglen
= p
->data_size
;
374 if (p
->data_size
!= ctx
->taglen
|| ctx
->base
.enc
)
376 memcpy(ctx
->tag
, p
->data
, p
->data_size
);
379 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_AEAD_IVLEN
);
381 if (!OSSL_PARAM_get_size_t(p
, &sz
)) {
382 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
385 /* IV len must be 1 to 15 */
386 if (sz
< OCB_MIN_IV_LEN
|| sz
> OCB_MAX_IV_LEN
)
388 ctx
->base
.ivlen
= sz
;
390 p
= OSSL_PARAM_locate_const(params
, OSSL_CIPHER_PARAM_KEYLEN
);
394 if (!OSSL_PARAM_get_size_t(p
, &keylen
)) {
395 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
398 if (ctx
->base
.keylen
!= keylen
) {
399 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
406 static int aes_ocb_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
408 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
411 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_IVLEN
);
412 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, ctx
->base
.ivlen
)) {
413 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
416 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_KEYLEN
);
417 if (p
!= NULL
&& !OSSL_PARAM_set_size_t(p
, ctx
->base
.keylen
)) {
418 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
421 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_AEAD_TAGLEN
);
423 if (!OSSL_PARAM_set_size_t(p
, ctx
->taglen
)) {
424 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
429 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_IV
);
431 if (ctx
->base
.ivlen
> p
->data_size
) {
432 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_IV_LENGTH
);
435 if (!OSSL_PARAM_set_octet_string(p
, ctx
->base
.oiv
, ctx
->base
.ivlen
)
436 && !OSSL_PARAM_set_octet_ptr(p
, &ctx
->base
.oiv
, ctx
->base
.ivlen
)) {
437 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
441 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_UPDATED_IV
);
443 if (ctx
->base
.ivlen
> p
->data_size
) {
444 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_IV_LENGTH
);
447 if (!OSSL_PARAM_set_octet_string(p
, ctx
->base
.iv
, ctx
->base
.ivlen
)
448 && !OSSL_PARAM_set_octet_ptr(p
, &ctx
->base
.iv
, ctx
->base
.ivlen
)) {
449 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_SET_PARAMETER
);
453 p
= OSSL_PARAM_locate(params
, OSSL_CIPHER_PARAM_AEAD_TAG
);
455 if (p
->data_type
!= OSSL_PARAM_OCTET_STRING
) {
456 ERR_raise(ERR_LIB_PROV
, PROV_R_FAILED_TO_GET_PARAMETER
);
459 if (!ctx
->base
.enc
|| p
->data_size
!= ctx
->taglen
) {
460 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_TAG_LENGTH
);
463 memcpy(p
->data
, ctx
->tag
, ctx
->taglen
);
468 static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params
[] = {
469 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN
, NULL
),
470 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN
, NULL
),
471 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN
, NULL
),
472 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV
, NULL
, 0),
473 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV
, NULL
, 0),
474 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG
, NULL
, 0),
477 static const OSSL_PARAM
*cipher_ocb_gettable_ctx_params(ossl_unused
void *cctx
,
478 ossl_unused
void *p_ctx
)
480 return cipher_ocb_known_gettable_ctx_params
;
483 static const OSSL_PARAM cipher_ocb_known_settable_ctx_params
[] = {
484 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN
, NULL
),
485 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN
, NULL
),
486 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG
, NULL
, 0),
489 static const OSSL_PARAM
*cipher_ocb_settable_ctx_params(ossl_unused
void *cctx
,
490 ossl_unused
void *p_ctx
)
492 return cipher_ocb_known_settable_ctx_params
;
495 static int aes_ocb_cipher(void *vctx
, unsigned char *out
, size_t *outl
,
496 size_t outsize
, const unsigned char *in
, size_t inl
)
498 PROV_AES_OCB_CTX
*ctx
= (PROV_AES_OCB_CTX
*)vctx
;
500 if (!ossl_prov_is_running())
504 ERR_raise(ERR_LIB_PROV
, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
508 if (!aes_generic_ocb_cipher(ctx
, in
, out
, inl
)) {
509 ERR_raise(ERR_LIB_PROV
, PROV_R_CIPHER_OPERATION_FAILED
);
517 #define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
518 static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
519 static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
521 return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
522 flags, kbits, blkbits, ivbits); \
524 static OSSL_FUNC_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
525 static void *aes_##kbits##_##mode##_newctx(void *provctx) \
527 return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
528 EVP_CIPH_##UCMODE##_MODE, flags); \
530 const OSSL_DISPATCH ossl_##aes##kbits##mode##_functions[] = { \
531 { OSSL_FUNC_CIPHER_NEWCTX, \
532 (void (*)(void))aes_##kbits##_##mode##_newctx }, \
533 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
534 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
535 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
536 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
537 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
538 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
539 { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
540 { OSSL_FUNC_CIPHER_GET_PARAMS, \
541 (void (*)(void))aes_##kbits##_##mode##_get_params }, \
542 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
543 (void (*)(void))aes_##mode##_get_ctx_params }, \
544 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
545 (void (*)(void))aes_##mode##_set_ctx_params }, \
546 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
547 (void (*)(void))ossl_cipher_generic_gettable_params }, \
548 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
549 (void (*)(void))cipher_ocb_gettable_ctx_params }, \
550 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
551 (void (*)(void))cipher_ocb_settable_ctx_params }, \
555 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 256, 128, OCB_DEFAULT_IV_LEN
* 8);
556 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 192, 128, OCB_DEFAULT_IV_LEN
* 8);
557 IMPLEMENT_cipher(ocb
, OCB
, AES_OCB_FLAGS
, 128, 128, OCB_DEFAULT_IV_LEN
* 8);