cipher_aes_ocb.c source code [ClickHouse/contrib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c]

1	/*
2	* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include "cipher_aes_ocb.h"
11	#include "prov/providercommonerr.h"
12	#include "prov/ciphercommon_aead.h"
13	#include "prov/implementations.h"
14
15	#define AES_OCB_FLAGS AEAD_FLAGS
16
17	#define OCB_DEFAULT_TAG_LEN 16
18	#define OCB_DEFAULT_IV_LEN 12
19	#define OCB_MIN_IV_LEN 1
20	#define OCB_MAX_IV_LEN 15
21
22	PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
23	const unsigned char in, unsigned* char *out,
24	size_t nextblock));
25	/ forward declarations /
26	static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
27	static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
28	static OSSL_OP_cipher_update_fn aes_ocb_block_update;
29	static OSSL_OP_cipher_final_fn aes_ocb_block_final;
30	static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
31	static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
32	static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
33	static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
34	static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
35
36	/*
37	* The following methods could be moved into PROV_AES_OCB_HW if
38	* multiple hardware implementations are ever needed.
39	*/
40	static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
41	const unsigned char *iv,
42	size_t ivlen, size_t taglen)
43	{
44	return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == `1`);
45	}
46
47	static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
48	const unsigned char *aad,
49	size_t alen)
50	{
51	return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == `1`;
52	}
53
54	static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
55	unsigned char *tag, size_t tlen)
56	{
57	return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > `0`;
58	}
59
60	static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
61	{
62	return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == `0`);
63	}
64
65	static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
66	{
67	CRYPTO_ocb128_cleanup(&ctx->ocb);
68	}
69
70	static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
71	const unsigned char *in,
72	unsigned char *out, size_t len)
73	{
74	if (ctx->base.enc) {
75	if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
76	return `0`;
77	} else {
78	if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
79	return `0`;
80	}
81	return `1`;
82	}
83
84	static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
85	PROV_AES_OCB_CTX *src)
86	{
87	return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
88	&dst->ksenc.ks, &dst->ksdec.ks);
89	}
90
91	/-*
92	* Provider dispatch functions
93	*/
94	static int aes_ocb_init(void vctx, const* unsigned char *key, size_t keylen,
95	const unsigned char iv, size_t ivlen, int* enc)
96	{
97	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
98
99	ctx->base.enc = enc;
100
101	if (iv != NULL) {
102	if (ivlen != ctx->base.ivlen) {
103	/ IV len must be 1 to 15 /
104	if (ivlen < OCB_MIN_IV_LEN \|\| ivlen > OCB_MAX_IV_LEN) {
105	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
106	return `0`;
107	}
108	ctx->base.ivlen = ivlen;
109	}
110	if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
111	return `0`;
112	ctx->iv_state = IV_STATE_BUFFERED;
113	}
114	if (key != NULL) {
115	if (keylen != ctx->base.keylen) {
116	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
117	return `0`;
118	}
119	return ctx->base.hw->init(&ctx->base, key, keylen);
120	}
121	return `1`;
122	}
123
124	static int aes_ocb_einit(void vctx, const* unsigned char *key, size_t keylen,
125	const unsigned char *iv, size_t ivlen)
126	{
127	return aes_ocb_init(vctx, key, keylen, iv, ivlen, `1`);
128	}
129
130	static int aes_ocb_dinit(void vctx, const* unsigned char *key, size_t keylen,
131	const unsigned char *iv, size_t ivlen)
132	{
133	return aes_ocb_init(vctx, key, keylen, iv, ivlen, `0`);
134	}
135
136	/*
137	* Because of the way OCB works, both the AAD and data are buffered in the
138	* same way. Only the last block can be a partial block.
139	*/
140	static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
141	unsigned char buf, size_t bufsz,
142	unsigned char out, size_t outl,
143	size_t outsize, const unsigned char *in,
144	size_t inl, OSSL_ocb_cipher_fn ciph)
145	{
146	size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
147	size_t outlint = `0`;
148
149	if (*bufsz == AES_BLOCK_SIZE) {
150	if (outsize < AES_BLOCK_SIZE) {
151	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
152	return `0`;
153	}
154	if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
155	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
156	return `0`;
157	}
158	*bufsz = `0`;
159	outlint = AES_BLOCK_SIZE;
160	out += AES_BLOCK_SIZE;
161	}
162	if (nextblocks > `0`) {
163	outlint += nextblocks;
164	if (outsize < outlint) {
165	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
166	return `0`;
167	}
168	if (!ciph(ctx, in, out, nextblocks)) {
169	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
170	return `0`;
171	}
172	in += nextblocks;
173	inl -= nextblocks;
174	}
175	if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
176	/ PROVerr already called /
177	return `0`;
178	}
179
180	*outl = outlint;
181	return inl == `0`;
182	}
183
184	/ A wrapper function that has the same signature as cipher /
185	static int cipher_updateaad(PROV_AES_OCB_CTX ctx, const* unsigned char *in,
186	unsigned char *out, size_t len)
187	{
188	return aes_generic_ocb_setaad(ctx, in, len);
189	}
190
191	static int update_iv(PROV_AES_OCB_CTX *ctx)
192	{
193	if (ctx->iv_state == IV_STATE_FINISHED
194	\|\| ctx->iv_state == IV_STATE_UNINITIALISED)
195	return `0`;
196	if (ctx->iv_state == IV_STATE_BUFFERED) {
197	if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
198	ctx->taglen))
199	return `0`;
200	ctx->iv_state = IV_STATE_COPIED;
201	}
202	return `1`;
203	}
204
205	static int aes_ocb_block_update(void vctx, unsigned* char out, size_t outl,
206	size_t outsize, const unsigned char *in,
207	size_t inl)
208	{
209	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
210	unsigned char *buf;
211	size_t *buflen;
212	OSSL_ocb_cipher_fn fn;
213
214	if (!ctx->key_set \|\| !update_iv(ctx))
215	return `0`;
216
217	if (inl == `0`) {
218	*outl = `0`;
219	return `1`;
220	}
221
222	/ Are we dealing with AAD or normal data here? /
223	if (out == NULL) {
224	buf = ctx->aad_buf;
225	buflen = &ctx->aad_buf_len;
226	fn = cipher_updateaad;
227	} else {
228	buf = ctx->data_buf;
229	buflen = &ctx->data_buf_len;
230	fn = aes_generic_ocb_cipher;
231	}
232	return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
233	in, inl, fn);
234	}
235
236	static int aes_ocb_block_final(void vctx, unsigned* char out, size_t outl,
237	size_t outsize)
238	{
239	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
240
241	/ If no block_update has run then the iv still needs to be set /
242	if (!ctx->key_set \|\| !update_iv(ctx))
243	return `0`;
244
245	/*
246	* Empty the buffer of any partial block that we might have been provided,
247	* both for data and AAD
248	*/
249	*outl = `0`;
250	if (ctx->data_buf_len > `0`) {
251	if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
252	return `0`;
253	*outl = ctx->data_buf_len;
254	ctx->data_buf_len = `0`;
255	}
256	if (ctx->aad_buf_len > `0`) {
257	if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
258	return `0`;
259	ctx->aad_buf_len = `0`;
260	}
261	if (ctx->base.enc) {
262	/ If encrypting then just get the tag /
263	if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
264	return `0`;
265	} else {
266	/ If decrypting then verify /
267	if (ctx->taglen == `0`)
268	return `0`;
269	if (!aes_generic_ocb_final(ctx))
270	return `0`;
271	}
272	/ Don't reuse the IV /
273	ctx->iv_state = IV_STATE_FINISHED;
274	return `1`;
275	}
276
277	static void aes_ocb_newctx(void* *provctx, size_t kbits, size_t blkbits,
278	size_t ivbits, unsigned int mode, uint64_t flags)
279	{
280	PROV_AES_OCB_CTX ctx = OPENSSL_zalloc(sizeof(ctx));
281
282	if (ctx != NULL) {
283	cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
284	PROV_CIPHER_HW_aes_ocb(kbits), NULL);
285	ctx->taglen = OCB_DEFAULT_TAG_LEN;
286	}
287	return ctx;
288	}
289
290	static void aes_ocb_freectx(void *vctx)
291	{
292	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
293
294	if (ctx != NULL) {
295	aes_generic_ocb_cleanup(ctx);
296	OPENSSL_clear_free(ctx, sizeof(*ctx));
297	}
298	}
299
300	static void aes_ocb_dupctx(void* *vctx)
301	{
302	PROV_AES_OCB_CTX in = (PROV_AES_OCB_CTX )vctx;
303	PROV_AES_OCB_CTX ret = OPENSSL_malloc(sizeof(ret));
304
305	if (ret == NULL) {
306	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
307	return NULL;
308	}
309	ret = in;
310	if (!aes_generic_ocb_copy_ctx(ret, in)) {
311	OPENSSL_free(ret);
312	ret = NULL;
313	}
314	return ret;
315	}
316
317	static int aes_ocb_set_ctx_params(void vctx, const* OSSL_PARAM params[])
318	{
319	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
320	const OSSL_PARAM *p;
321	size_t sz;
322
323	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
324	if (p != NULL) {
325	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
326	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
327	return `0`;
328	}
329	if (p->data == NULL) {
330	/ Tag len must be 0 to 16 /
331	if (p->data_size > OCB_MAX_TAG_LEN)
332	return `0`;
333	ctx->taglen = p->data_size;
334	} else {
335	if (p->data_size != ctx->taglen \|\| ctx->base.enc)
336	return `0`;
337	memcpy(ctx->tag, p->data, p->data_size);
338	}
339	}
340	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
341	if (p != NULL) {
342	if (!OSSL_PARAM_get_size_t(p, &sz)) {
343	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
344	return `0`;
345	}
346	/ IV len must be 1 to 15 /
347	if (sz < OCB_MIN_IV_LEN \|\| sz > OCB_MAX_IV_LEN)
348	return `0`;
349	ctx->base.ivlen = sz;
350	}
351	p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
352	if (p != NULL) {
353	size_t keylen;
354
355	if (!OSSL_PARAM_get_size_t(p, &keylen)) {
356	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
357	return `0`;
358	}
359	if (ctx->base.keylen != keylen) {
360	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
361	return `0`;
362	}
363	}
364	return `1`;
365	}
366
367	static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
368	{
369	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
370	OSSL_PARAM *p;
371
372	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
373	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
374	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
375	return `0`;
376	}
377	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
378	if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
379	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
380	return `0`;
381	}
382	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
383	if (p != NULL) {
384	if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
385	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
386	return `0`;
387	}
388	}
389
390	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
391	if (p != NULL) {
392	if (ctx->base.ivlen != p->data_size) {
393	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
394	return `0`;
395	}
396	if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
397	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
398	return `0`;
399	}
400	}
401	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
402	if (p != NULL) {
403	if (p->data_type != OSSL_PARAM_OCTET_STRING) {
404	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
405	return `0`;
406	}
407	if (!ctx->base.enc \|\| p->data_size != ctx->taglen) {
408	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
409	return `0`;
410	}
411	memcpy(p->data, ctx->tag, ctx->taglen);
412	}
413	return `1`;
414	}
415
416	static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
417	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
418	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
419	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
420	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, `0`),
421	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, `0`),
422	OSSL_PARAM_END
423	};
424	static const OSSL_PARAM cipher_ocb_gettable_ctx_params(void*)
425	{
426	return cipher_ocb_known_gettable_ctx_params;
427	}
428
429	static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
430	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
431	OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
432	OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, `0`),
433	OSSL_PARAM_END
434	};
435	static const OSSL_PARAM cipher_ocb_settable_ctx_params(void*)
436	{
437	return cipher_ocb_known_settable_ctx_params;
438	}
439
440	static int aes_ocb_cipher(void vctx, unsigned* char out, size_t outl,
441	size_t outsize, const unsigned char *in, size_t inl)
442	{
443	PROV_AES_OCB_CTX ctx = (PROV_AES_OCB_CTX )vctx;
444
445	if (outsize < inl) {
446	ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
447	return `0`;
448	}
449
450	if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
451	ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
452	return `0`;
453	}
454
455	*outl = inl;
456	return `1`;
457	}
458
459	#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
460	static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
461	static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
462	{ \
463	return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
464	flags, kbits, blkbits, ivbits); \
465	} \
466	static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
467	static void aes_##kbits##_##mode##_newctx(void provctx) \
468	{ \
469	return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
470	EVP_CIPH_##UCMODE##_MODE, flags); \
471	} \
472	const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
473	{ OSSL_FUNC_CIPHER_NEWCTX, \
474	(void (*)(void))aes_##kbits##_##mode##_newctx }, \
475	{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
476	{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
477	{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
478	{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
479	{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
480	{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
481	{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
482	{ OSSL_FUNC_CIPHER_GET_PARAMS, \
483	(void (*)(void))aes_##kbits##_##mode##_get_params }, \
484	{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
485	(void (*)(void))aes_##mode##_get_ctx_params }, \
486	{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
487	(void (*)(void))aes_##mode##_set_ctx_params }, \
488	{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
489	(void (*)(void))cipher_generic_gettable_params }, \
490	{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
491	(void (*)(void))cipher_ocb_gettable_ctx_params }, \
492	{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
493	(void (*)(void))cipher_ocb_settable_ctx_params }, \
494	{ 0, NULL } \
495	}
496
497	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, `256`, `128`, OCB_DEFAULT_IV_LEN * `8`);
498	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, `192`, `128`, OCB_DEFAULT_IV_LEN * `8`);
499	IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, `128`, `128`, OCB_DEFAULT_IV_LEN * `8`);
500
501

Browse the source code of ClickHouse/contrib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c