2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * AES low level APIs are deprecated for public use, but still ok for internal
12 * use where we're using them to implement the higher level EVP interface, as is
15 #include "internal/deprecated.h"
17 #include "cipher_aes_ocb.h"
18 #include "prov/providercommonerr.h"
19 #include "prov/ciphercommon_aead.h"
20 #include "prov/implementations.h"
22 #define AES_OCB_FLAGS AEAD_FLAGS
24 #define OCB_DEFAULT_TAG_LEN 16
25 #define OCB_DEFAULT_IV_LEN 12
26 #define OCB_MIN_IV_LEN 1
27 #define OCB_MAX_IV_LEN 15
29 PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
30 const unsigned char *in, unsigned char *out,
32 /* forward declarations */
33 static OSSL_FUNC_cipher_encrypt_init_fn aes_ocb_einit;
34 static OSSL_FUNC_cipher_decrypt_init_fn aes_ocb_dinit;
35 static OSSL_FUNC_cipher_update_fn aes_ocb_block_update;
36 static OSSL_FUNC_cipher_final_fn aes_ocb_block_final;
37 static OSSL_FUNC_cipher_cipher_fn aes_ocb_cipher;
38 static OSSL_FUNC_cipher_freectx_fn aes_ocb_freectx;
39 static OSSL_FUNC_cipher_dupctx_fn aes_ocb_dupctx;
40 static OSSL_FUNC_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
41 static OSSL_FUNC_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
42 static OSSL_FUNC_cipher_gettable_ctx_params_fn cipher_ocb_gettable_ctx_params;
43 static OSSL_FUNC_cipher_settable_ctx_params_fn cipher_ocb_settable_ctx_params;
46 * The following methods could be moved into PROV_AES_OCB_HW if
47 * multiple hardware implementations are ever needed.
49 static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
50 const unsigned char *iv,
51 size_t ivlen, size_t taglen)
53 return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
56 static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
57 const unsigned char *aad,
60 return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
63 static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
64 unsigned char *tag, size_t tlen)
66 return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
69 static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
71 return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
74 static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
76 CRYPTO_ocb128_cleanup(&ctx->ocb);
79 static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
80 const unsigned char *in,
81 unsigned char *out, size_t len)
84 if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
87 if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
93 static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
94 PROV_AES_OCB_CTX *src)
96 return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
97 &dst->ksenc.ks, &dst->ksdec.ks);
101 * Provider dispatch functions
103 static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
104 const unsigned char *iv, size_t ivlen, int enc)
106 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
108 ctx->aad_buf_len = 0;
109 ctx->data_buf_len = 0;
113 if (ivlen != ctx->base.ivlen) {
114 /* IV len must be 1 to 15 */
115 if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
116 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
119 ctx->base.ivlen = ivlen;
121 if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
123 ctx->iv_state = IV_STATE_BUFFERED;
126 if (keylen != ctx->base.keylen) {
127 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
130 return ctx->base.hw->init(&ctx->base, key, keylen);
135 static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
136 const unsigned char *iv, size_t ivlen)
138 return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
141 static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
142 const unsigned char *iv, size_t ivlen)
144 return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
148 * Because of the way OCB works, both the AAD and data are buffered in the
149 * same way. Only the last block can be a partial block.
151 static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
152 unsigned char *buf, size_t *bufsz,
153 unsigned char *out, size_t *outl,
154 size_t outsize, const unsigned char *in,
155 size_t inl, OSSL_ocb_cipher_fn ciph)
161 nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
163 nextblocks = inl & ~(AES_BLOCK_SIZE-1);
165 if (*bufsz == AES_BLOCK_SIZE) {
166 if (outsize < AES_BLOCK_SIZE) {
167 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
170 if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
171 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
175 outlint = AES_BLOCK_SIZE;
176 out += AES_BLOCK_SIZE;
178 if (nextblocks > 0) {
179 outlint += nextblocks;
180 if (outsize < outlint) {
181 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
184 if (!ciph(ctx, in, out, nextblocks)) {
185 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
191 if (inl != 0 && !trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
192 /* PROVerr already called */
200 /* A wrapper function that has the same signature as cipher */
201 static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
202 unsigned char *out, size_t len)
204 return aes_generic_ocb_setaad(ctx, in, len);
207 static int update_iv(PROV_AES_OCB_CTX *ctx)
209 if (ctx->iv_state == IV_STATE_FINISHED
210 || ctx->iv_state == IV_STATE_UNINITIALISED)
212 if (ctx->iv_state == IV_STATE_BUFFERED) {
213 if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
216 ctx->iv_state = IV_STATE_COPIED;
221 static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
222 size_t outsize, const unsigned char *in,
225 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
228 OSSL_ocb_cipher_fn fn;
230 if (!ctx->key_set || !update_iv(ctx))
238 /* Are we dealing with AAD or normal data here? */
241 buflen = &ctx->aad_buf_len;
242 fn = cipher_updateaad;
245 buflen = &ctx->data_buf_len;
246 fn = aes_generic_ocb_cipher;
248 return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
252 static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
255 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
257 /* If no block_update has run then the iv still needs to be set */
258 if (!ctx->key_set || !update_iv(ctx))
262 * Empty the buffer of any partial block that we might have been provided,
263 * both for data and AAD
266 if (ctx->data_buf_len > 0) {
267 if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
269 *outl = ctx->data_buf_len;
270 ctx->data_buf_len = 0;
272 if (ctx->aad_buf_len > 0) {
273 if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
275 ctx->aad_buf_len = 0;
278 /* If encrypting then just get the tag */
279 if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
282 /* If decrypting then verify */
283 if (ctx->taglen == 0)
285 if (!aes_generic_ocb_final(ctx))
288 /* Don't reuse the IV */
289 ctx->iv_state = IV_STATE_FINISHED;
293 static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
294 size_t ivbits, unsigned int mode, uint64_t flags)
296 PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
299 cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
300 PROV_CIPHER_HW_aes_ocb(kbits), NULL);
301 ctx->taglen = OCB_DEFAULT_TAG_LEN;
306 static void aes_ocb_freectx(void *vctx)
308 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
311 aes_generic_ocb_cleanup(ctx);
312 cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
313 OPENSSL_clear_free(ctx, sizeof(*ctx));
317 static void *aes_ocb_dupctx(void *vctx)
319 PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
320 PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
323 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
327 if (!aes_generic_ocb_copy_ctx(ret, in)) {
334 static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
336 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
340 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
342 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
343 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
346 if (p->data == NULL) {
347 /* Tag len must be 0 to 16 */
348 if (p->data_size > OCB_MAX_TAG_LEN)
350 ctx->taglen = p->data_size;
352 if (p->data_size != ctx->taglen || ctx->base.enc)
354 memcpy(ctx->tag, p->data, p->data_size);
357 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
359 if (!OSSL_PARAM_get_size_t(p, &sz)) {
360 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
363 /* IV len must be 1 to 15 */
364 if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
366 ctx->base.ivlen = sz;
368 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
372 if (!OSSL_PARAM_get_size_t(p, &keylen)) {
373 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
376 if (ctx->base.keylen != keylen) {
377 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
384 static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
386 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
389 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
390 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
391 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
394 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
395 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
396 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
399 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
401 if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
402 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
407 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
409 if (ctx->base.ivlen > p->data_size) {
410 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
413 if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)
414 && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.oiv, ctx->base.ivlen)) {
415 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
419 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
421 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
422 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
425 if (!ctx->base.enc || p->data_size != ctx->taglen) {
426 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
429 memcpy(p->data, ctx->tag, ctx->taglen);
434 static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
435 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
436 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
437 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
438 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
439 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
442 static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void *provctx)
444 return cipher_ocb_known_gettable_ctx_params;
447 static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
448 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
449 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
450 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
453 static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void *provctx)
455 return cipher_ocb_known_settable_ctx_params;
458 static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
459 size_t outsize, const unsigned char *in, size_t inl)
461 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
464 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
468 if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
469 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
477 #define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
478 static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
479 static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
481 return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
482 flags, kbits, blkbits, ivbits); \
484 static OSSL_FUNC_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
485 static void *aes_##kbits##_##mode##_newctx(void *provctx) \
487 return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
488 EVP_CIPH_##UCMODE##_MODE, flags); \
490 const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
491 { OSSL_FUNC_CIPHER_NEWCTX, \
492 (void (*)(void))aes_##kbits##_##mode##_newctx }, \
493 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
494 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
495 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
496 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
497 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
498 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
499 { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
500 { OSSL_FUNC_CIPHER_GET_PARAMS, \
501 (void (*)(void))aes_##kbits##_##mode##_get_params }, \
502 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
503 (void (*)(void))aes_##mode##_get_ctx_params }, \
504 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
505 (void (*)(void))aes_##mode##_set_ctx_params }, \
506 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
507 (void (*)(void))cipher_generic_gettable_params }, \
508 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
509 (void (*)(void))cipher_ocb_gettable_ctx_params }, \
510 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
511 (void (*)(void))cipher_ocb_settable_ctx_params }, \
515 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
516 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
517 IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);