1/*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include "cipher_aes_ocb.h"
11#include "prov/providercommonerr.h"
12#include "prov/ciphercommon_aead.h"
13#include "prov/implementations.h"
14
15#define AES_OCB_FLAGS AEAD_FLAGS
16
17#define OCB_DEFAULT_TAG_LEN 16
18#define OCB_DEFAULT_IV_LEN 12
19#define OCB_MIN_IV_LEN 1
20#define OCB_MAX_IV_LEN 15
21
22PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
23 const unsigned char *in, unsigned char *out,
24 size_t nextblock));
25/* forward declarations */
26static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
27static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
28static OSSL_OP_cipher_update_fn aes_ocb_block_update;
29static OSSL_OP_cipher_final_fn aes_ocb_block_final;
30static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
31static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
32static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
33static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
34static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
35
36/*
37 * The following methods could be moved into PROV_AES_OCB_HW if
38 * multiple hardware implementations are ever needed.
39 */
40static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
41 const unsigned char *iv,
42 size_t ivlen, size_t taglen)
43{
44 return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
45}
46
47static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
48 const unsigned char *aad,
49 size_t alen)
50{
51 return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
52}
53
54static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
55 unsigned char *tag, size_t tlen)
56{
57 return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
58}
59
60static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
61{
62 return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
63}
64
65static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
66{
67 CRYPTO_ocb128_cleanup(&ctx->ocb);
68}
69
70static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
71 const unsigned char *in,
72 unsigned char *out, size_t len)
73{
74 if (ctx->base.enc) {
75 if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
76 return 0;
77 } else {
78 if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
79 return 0;
80 }
81 return 1;
82}
83
84static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
85 PROV_AES_OCB_CTX *src)
86{
87 return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
88 &dst->ksenc.ks, &dst->ksdec.ks);
89}
90
91/*-
92 * Provider dispatch functions
93 */
94static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
95 const unsigned char *iv, size_t ivlen, int enc)
96{
97 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
98
99 ctx->base.enc = enc;
100
101 if (iv != NULL) {
102 if (ivlen != ctx->base.ivlen) {
103 /* IV len must be 1 to 15 */
104 if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
105 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
106 return 0;
107 }
108 ctx->base.ivlen = ivlen;
109 }
110 if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
111 return 0;
112 ctx->iv_state = IV_STATE_BUFFERED;
113 }
114 if (key != NULL) {
115 if (keylen != ctx->base.keylen) {
116 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
117 return 0;
118 }
119 return ctx->base.hw->init(&ctx->base, key, keylen);
120 }
121 return 1;
122}
123
124static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
125 const unsigned char *iv, size_t ivlen)
126{
127 return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
128}
129
130static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
131 const unsigned char *iv, size_t ivlen)
132{
133 return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
134}
135
136/*
137 * Because of the way OCB works, both the AAD and data are buffered in the
138 * same way. Only the last block can be a partial block.
139 */
140static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
141 unsigned char *buf, size_t *bufsz,
142 unsigned char *out, size_t *outl,
143 size_t outsize, const unsigned char *in,
144 size_t inl, OSSL_ocb_cipher_fn ciph)
145{
146 size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
147 size_t outlint = 0;
148
149 if (*bufsz == AES_BLOCK_SIZE) {
150 if (outsize < AES_BLOCK_SIZE) {
151 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
152 return 0;
153 }
154 if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
155 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
156 return 0;
157 }
158 *bufsz = 0;
159 outlint = AES_BLOCK_SIZE;
160 out += AES_BLOCK_SIZE;
161 }
162 if (nextblocks > 0) {
163 outlint += nextblocks;
164 if (outsize < outlint) {
165 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
166 return 0;
167 }
168 if (!ciph(ctx, in, out, nextblocks)) {
169 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
170 return 0;
171 }
172 in += nextblocks;
173 inl -= nextblocks;
174 }
175 if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
176 /* PROVerr already called */
177 return 0;
178 }
179
180 *outl = outlint;
181 return inl == 0;
182}
183
184/* A wrapper function that has the same signature as cipher */
185static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
186 unsigned char *out, size_t len)
187{
188 return aes_generic_ocb_setaad(ctx, in, len);
189}
190
191static int update_iv(PROV_AES_OCB_CTX *ctx)
192{
193 if (ctx->iv_state == IV_STATE_FINISHED
194 || ctx->iv_state == IV_STATE_UNINITIALISED)
195 return 0;
196 if (ctx->iv_state == IV_STATE_BUFFERED) {
197 if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
198 ctx->taglen))
199 return 0;
200 ctx->iv_state = IV_STATE_COPIED;
201 }
202 return 1;
203}
204
205static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
206 size_t outsize, const unsigned char *in,
207 size_t inl)
208{
209 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
210 unsigned char *buf;
211 size_t *buflen;
212 OSSL_ocb_cipher_fn fn;
213
214 if (!ctx->key_set || !update_iv(ctx))
215 return 0;
216
217 if (inl == 0) {
218 *outl = 0;
219 return 1;
220 }
221
222 /* Are we dealing with AAD or normal data here? */
223 if (out == NULL) {
224 buf = ctx->aad_buf;
225 buflen = &ctx->aad_buf_len;
226 fn = cipher_updateaad;
227 } else {
228 buf = ctx->data_buf;
229 buflen = &ctx->data_buf_len;
230 fn = aes_generic_ocb_cipher;
231 }
232 return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
233 in, inl, fn);
234}
235
236static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
237 size_t outsize)
238{
239 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
240
241 /* If no block_update has run then the iv still needs to be set */
242 if (!ctx->key_set || !update_iv(ctx))
243 return 0;
244
245 /*
246 * Empty the buffer of any partial block that we might have been provided,
247 * both for data and AAD
248 */
249 *outl = 0;
250 if (ctx->data_buf_len > 0) {
251 if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
252 return 0;
253 *outl = ctx->data_buf_len;
254 ctx->data_buf_len = 0;
255 }
256 if (ctx->aad_buf_len > 0) {
257 if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
258 return 0;
259 ctx->aad_buf_len = 0;
260 }
261 if (ctx->base.enc) {
262 /* If encrypting then just get the tag */
263 if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
264 return 0;
265 } else {
266 /* If decrypting then verify */
267 if (ctx->taglen == 0)
268 return 0;
269 if (!aes_generic_ocb_final(ctx))
270 return 0;
271 }
272 /* Don't reuse the IV */
273 ctx->iv_state = IV_STATE_FINISHED;
274 return 1;
275}
276
277static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
278 size_t ivbits, unsigned int mode, uint64_t flags)
279{
280 PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
281
282 if (ctx != NULL) {
283 cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
284 PROV_CIPHER_HW_aes_ocb(kbits), NULL);
285 ctx->taglen = OCB_DEFAULT_TAG_LEN;
286 }
287 return ctx;
288}
289
290static void aes_ocb_freectx(void *vctx)
291{
292 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
293
294 if (ctx != NULL) {
295 aes_generic_ocb_cleanup(ctx);
296 OPENSSL_clear_free(ctx, sizeof(*ctx));
297 }
298}
299
300static void *aes_ocb_dupctx(void *vctx)
301{
302 PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
303 PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
304
305 if (ret == NULL) {
306 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
307 return NULL;
308 }
309 *ret = *in;
310 if (!aes_generic_ocb_copy_ctx(ret, in)) {
311 OPENSSL_free(ret);
312 ret = NULL;
313 }
314 return ret;
315}
316
317static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
318{
319 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
320 const OSSL_PARAM *p;
321 size_t sz;
322
323 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
324 if (p != NULL) {
325 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
326 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
327 return 0;
328 }
329 if (p->data == NULL) {
330 /* Tag len must be 0 to 16 */
331 if (p->data_size > OCB_MAX_TAG_LEN)
332 return 0;
333 ctx->taglen = p->data_size;
334 } else {
335 if (p->data_size != ctx->taglen || ctx->base.enc)
336 return 0;
337 memcpy(ctx->tag, p->data, p->data_size);
338 }
339 }
340 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
341 if (p != NULL) {
342 if (!OSSL_PARAM_get_size_t(p, &sz)) {
343 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
344 return 0;
345 }
346 /* IV len must be 1 to 15 */
347 if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
348 return 0;
349 ctx->base.ivlen = sz;
350 }
351 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
352 if (p != NULL) {
353 size_t keylen;
354
355 if (!OSSL_PARAM_get_size_t(p, &keylen)) {
356 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
357 return 0;
358 }
359 if (ctx->base.keylen != keylen) {
360 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
361 return 0;
362 }
363 }
364 return 1;
365}
366
367static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
368{
369 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
370 OSSL_PARAM *p;
371
372 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
373 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
374 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
375 return 0;
376 }
377 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
378 if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
379 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
380 return 0;
381 }
382 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
383 if (p != NULL) {
384 if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
385 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
386 return 0;
387 }
388 }
389
390 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
391 if (p != NULL) {
392 if (ctx->base.ivlen != p->data_size) {
393 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
394 return 0;
395 }
396 if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
397 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
398 return 0;
399 }
400 }
401 p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
402 if (p != NULL) {
403 if (p->data_type != OSSL_PARAM_OCTET_STRING) {
404 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
405 return 0;
406 }
407 if (!ctx->base.enc || p->data_size != ctx->taglen) {
408 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
409 return 0;
410 }
411 memcpy(p->data, ctx->tag, ctx->taglen);
412 }
413 return 1;
414}
415
416static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
417 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
418 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
419 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
420 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
421 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
422 OSSL_PARAM_END
423};
424static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
425{
426 return cipher_ocb_known_gettable_ctx_params;
427}
428
429static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
430 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
431 OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
432 OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
433 OSSL_PARAM_END
434};
435static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
436{
437 return cipher_ocb_known_settable_ctx_params;
438}
439
440static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
441 size_t outsize, const unsigned char *in, size_t inl)
442{
443 PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
444
445 if (outsize < inl) {
446 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
447 return 0;
448 }
449
450 if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
451 ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
452 return 0;
453 }
454
455 *outl = inl;
456 return 1;
457}
458
459#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
460static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
461static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
462{ \
463 return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
464 flags, kbits, blkbits, ivbits); \
465} \
466static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
467static void *aes_##kbits##_##mode##_newctx(void *provctx) \
468{ \
469 return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
470 EVP_CIPH_##UCMODE##_MODE, flags); \
471} \
472const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
473 { OSSL_FUNC_CIPHER_NEWCTX, \
474 (void (*)(void))aes_##kbits##_##mode##_newctx }, \
475 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
476 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
477 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
478 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
479 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
480 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
481 { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
482 { OSSL_FUNC_CIPHER_GET_PARAMS, \
483 (void (*)(void))aes_##kbits##_##mode##_get_params }, \
484 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
485 (void (*)(void))aes_##mode##_get_ctx_params }, \
486 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
487 (void (*)(void))aes_##mode##_set_ctx_params }, \
488 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
489 (void (*)(void))cipher_generic_gettable_params }, \
490 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
491 (void (*)(void))cipher_ocb_gettable_ctx_params }, \
492 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
493 (void (*)(void))cipher_ocb_settable_ctx_params }, \
494 { 0, NULL } \
495}
496
497IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
498IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
499IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
500
501