openssl/providers/implementations/ciphers/cipher_aes_ocb.c
Matt Caswell c72fa2554f Deprecate the low level AES functions
Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)
2020-01-06 15:09:57 +00:00

508 lines
18 KiB
C

/*
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/*
* AES low level APIs are deprecated for public use, but still ok for internal
* use where we're using them to implement the higher level EVP interface, as is
* the case here.
*/
#include "internal/deprecated.h"
#include "cipher_aes_ocb.h"
#include "prov/providercommonerr.h"
#include "prov/ciphercommon_aead.h"
#include "prov/implementations.h"
#define AES_OCB_FLAGS AEAD_FLAGS
#define OCB_DEFAULT_TAG_LEN 16
#define OCB_DEFAULT_IV_LEN 12
#define OCB_MIN_IV_LEN 1
#define OCB_MAX_IV_LEN 15
PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
const unsigned char *in, unsigned char *out,
size_t nextblock));
/* forward declarations */
static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
static OSSL_OP_cipher_update_fn aes_ocb_block_update;
static OSSL_OP_cipher_final_fn aes_ocb_block_final;
static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
/*
* The following methods could be moved into PROV_AES_OCB_HW if
* multiple hardware implementations are ever needed.
*/
static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
const unsigned char *iv,
size_t ivlen, size_t taglen)
{
return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
}
static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
const unsigned char *aad,
size_t alen)
{
return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
}
static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
unsigned char *tag, size_t tlen)
{
return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
}
static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
{
return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
}
static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
{
CRYPTO_ocb128_cleanup(&ctx->ocb);
}
static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
const unsigned char *in,
unsigned char *out, size_t len)
{
if (ctx->base.enc) {
if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
return 0;
} else {
if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
return 0;
}
return 1;
}
static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
PROV_AES_OCB_CTX *src)
{
return CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
&dst->ksenc.ks, &dst->ksdec.ks);
}
/*-
* Provider dispatch functions
*/
static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen, int enc)
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
ctx->base.enc = enc;
if (iv != NULL) {
if (ivlen != ctx->base.ivlen) {
/* IV len must be 1 to 15 */
if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
return 0;
}
ctx->base.ivlen = ivlen;
}
if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
return 0;
ctx->iv_state = IV_STATE_BUFFERED;
}
if (key != NULL) {
if (keylen != ctx->base.keylen) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
return ctx->base.hw->init(&ctx->base, key, keylen);
}
return 1;
}
static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen)
{
return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
}
static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen)
{
return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
}
/*
* Because of the way OCB works, both the AAD and data are buffered in the
* same way. Only the last block can be a partial block.
*/
static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
unsigned char *buf, size_t *bufsz,
unsigned char *out, size_t *outl,
size_t outsize, const unsigned char *in,
size_t inl, OSSL_ocb_cipher_fn ciph)
{
size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
size_t outlint = 0;
if (*bufsz == AES_BLOCK_SIZE) {
if (outsize < AES_BLOCK_SIZE) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
}
if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
return 0;
}
*bufsz = 0;
outlint = AES_BLOCK_SIZE;
out += AES_BLOCK_SIZE;
}
if (nextblocks > 0) {
outlint += nextblocks;
if (outsize < outlint) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
}
if (!ciph(ctx, in, out, nextblocks)) {
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
return 0;
}
in += nextblocks;
inl -= nextblocks;
}
if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
/* PROVerr already called */
return 0;
}
*outl = outlint;
return inl == 0;
}
/* A wrapper function that has the same signature as cipher */
static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
return aes_generic_ocb_setaad(ctx, in, len);
}
static int update_iv(PROV_AES_OCB_CTX *ctx)
{
if (ctx->iv_state == IV_STATE_FINISHED
|| ctx->iv_state == IV_STATE_UNINITIALISED)
return 0;
if (ctx->iv_state == IV_STATE_BUFFERED) {
if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
ctx->taglen))
return 0;
ctx->iv_state = IV_STATE_COPIED;
}
return 1;
}
static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
size_t outsize, const unsigned char *in,
size_t inl)
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
unsigned char *buf;
size_t *buflen;
OSSL_ocb_cipher_fn fn;
if (!ctx->key_set || !update_iv(ctx))
return 0;
if (inl == 0) {
*outl = 0;
return 1;
}
/* Are we dealing with AAD or normal data here? */
if (out == NULL) {
buf = ctx->aad_buf;
buflen = &ctx->aad_buf_len;
fn = cipher_updateaad;
} else {
buf = ctx->data_buf;
buflen = &ctx->data_buf_len;
fn = aes_generic_ocb_cipher;
}
return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
in, inl, fn);
}
static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
/* If no block_update has run then the iv still needs to be set */
if (!ctx->key_set || !update_iv(ctx))
return 0;
/*
* Empty the buffer of any partial block that we might have been provided,
* both for data and AAD
*/
*outl = 0;
if (ctx->data_buf_len > 0) {
if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
return 0;
*outl = ctx->data_buf_len;
ctx->data_buf_len = 0;
}
if (ctx->aad_buf_len > 0) {
if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
return 0;
ctx->aad_buf_len = 0;
}
if (ctx->base.enc) {
/* If encrypting then just get the tag */
if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
return 0;
} else {
/* If decrypting then verify */
if (ctx->taglen == 0)
return 0;
if (!aes_generic_ocb_final(ctx))
return 0;
}
/* Don't reuse the IV */
ctx->iv_state = IV_STATE_FINISHED;
return 1;
}
static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
size_t ivbits, unsigned int mode, uint64_t flags)
{
PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL) {
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
PROV_CIPHER_HW_aes_ocb(kbits), NULL);
ctx->taglen = OCB_DEFAULT_TAG_LEN;
}
return ctx;
}
static void aes_ocb_freectx(void *vctx)
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
if (ctx != NULL) {
aes_generic_ocb_cleanup(ctx);
OPENSSL_clear_free(ctx, sizeof(*ctx));
}
}
static void *aes_ocb_dupctx(void *vctx)
{
PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
}
*ret = *in;
if (!aes_generic_ocb_copy_ctx(ret, in)) {
OPENSSL_free(ret);
ret = NULL;
}
return ret;
}
static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
const OSSL_PARAM *p;
size_t sz;
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
if (p != NULL) {
if (p->data_type != OSSL_PARAM_OCTET_STRING) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
if (p->data == NULL) {
/* Tag len must be 0 to 16 */
if (p->data_size > OCB_MAX_TAG_LEN)
return 0;
ctx->taglen = p->data_size;
} else {
if (p->data_size != ctx->taglen || ctx->base.enc)
return 0;
memcpy(ctx->tag, p->data, p->data_size);
}
}
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
if (p != NULL) {
if (!OSSL_PARAM_get_size_t(p, &sz)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
/* IV len must be 1 to 15 */
if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
return 0;
ctx->base.ivlen = sz;
}
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
if (p != NULL) {
size_t keylen;
if (!OSSL_PARAM_get_size_t(p, &keylen)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
if (ctx->base.keylen != keylen) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
}
return 1;
}
static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
OSSL_PARAM *p;
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
if (p != NULL) {
if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
}
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
if (p != NULL) {
if (ctx->base.ivlen != p->data_size) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
return 0;
}
if (!OSSL_PARAM_set_octet_string(p, ctx->base.oiv, ctx->base.ivlen)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
}
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
if (p != NULL) {
if (p->data_type != OSSL_PARAM_OCTET_STRING) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
if (!ctx->base.enc || p->data_size != ctx->taglen) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
return 0;
}
memcpy(p->data, ctx->tag, ctx->taglen);
}
return 1;
}
static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
{
return cipher_ocb_known_gettable_ctx_params;
}
static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
{
return cipher_ocb_known_settable_ctx_params;
}
static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
size_t outsize, const unsigned char *in, size_t inl)
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
}
if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
return 0;
}
*outl = inl;
return 1;
}
#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits) \
static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params; \
static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[]) \
{ \
return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
flags, kbits, blkbits, ivbits); \
} \
static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx; \
static void *aes_##kbits##_##mode##_newctx(void *provctx) \
{ \
return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits, \
EVP_CIPH_##UCMODE##_MODE, flags); \
} \
const OSSL_DISPATCH aes##kbits##mode##_functions[] = { \
{ OSSL_FUNC_CIPHER_NEWCTX, \
(void (*)(void))aes_##kbits##_##mode##_newctx }, \
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit }, \
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit }, \
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update }, \
{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final }, \
{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher }, \
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
{ OSSL_FUNC_CIPHER_GET_PARAMS, \
(void (*)(void))aes_##kbits##_##mode##_get_params }, \
{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
(void (*)(void))aes_##mode##_get_ctx_params }, \
{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
(void (*)(void))aes_##mode##_set_ctx_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
(void (*)(void))cipher_generic_gettable_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
(void (*)(void))cipher_ocb_gettable_ctx_params }, \
{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
(void (*)(void))cipher_ocb_settable_ctx_params }, \
{ 0, NULL } \
}
IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);