Add aes_ocb cipher to providers

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9320)

crypto/evp/evp_enc.c

@@ -165,6 +165,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         case NID_aes_128_ctr:
         case NID_aes_128_xts:
         case NID_aes_256_xts:
+        case NID_aes_256_ocb:
+        case NID_aes_192_ocb:
+        case NID_aes_128_ocb:
         case NID_aes_256_gcm:
         case NID_aes_192_gcm:
         case NID_aes_128_gcm:

providers/common/ciphers/cipher_locl.h

@@ -25,9 +25,5 @@ const OSSL_PARAM * name##_gettable_ctx_params(void)                            \
     return name##_known_gettable_ctx_params;                                   \
 }
 
-size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
-                 const unsigned char **in, size_t *inlen);
-int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
-                 const unsigned char **in, size_t *inlen);
 void padblock(unsigned char *buf, size_t *buflen, size_t blocksize);
 int unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize);

providers/common/include/internal/ciphers/ciphercommon.h

@@ -224,3 +224,9 @@ static int cipher_hw_##NAME##_##MODE##_cipher(PROV_CIPHER_CTX *ctx,            \
     ctx->num = num;                                                            \
     return 1;                                                                  \
 }
+
+size_t fillblock(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+int trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
+                 const unsigned char **in, size_t *inlen);
+

providers/common/include/internal/provider_algs.h

@@ -58,6 +58,11 @@ extern const OSSL_DISPATCH aes192ctr_functions[];
 extern const OSSL_DISPATCH aes128ctr_functions[];
 extern const OSSL_DISPATCH aes256xts_functions[];
 extern const OSSL_DISPATCH aes128xts_functions[];
+#ifndef OPENSSL_NO_OCB
+extern const OSSL_DISPATCH aes256ocb_functions[];
+extern const OSSL_DISPATCH aes192ocb_functions[];
+extern const OSSL_DISPATCH aes128ocb_functions[];
+#endif /* OPENSSL_NO_OCB */
 extern const OSSL_DISPATCH aes256gcm_functions[];
 extern const OSSL_DISPATCH aes192gcm_functions[];
 extern const OSSL_DISPATCH aes128gcm_functions[];

providers/default/ciphers/build.info

@@ -44,4 +44,9 @@ IF[{- !$disabled{sm4} -}]
       cipher_sm4.c cipher_sm4_hw.c
 ENDIF
 
+IF[{- !$disabled{ocb} -}]
+  SOURCE[../../../libcrypto]=\
+       cipher_aes_ocb.c cipher_aes_ocb_hw.c
+ENDIF
+
 INCLUDE[../../../libcrypto]=. ../../../crypto

providers/default/ciphers/cipher_aes_ocb.c

@@ -0,0 +1,491 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_aes_ocb.h"
+#include "internal/providercommonerr.h"
+#include "internal/ciphers/cipher_aead.h"
+#include "internal/provider_algs.h"
+
+#define AES_OCB_FLAGS AEAD_FLAGS
+
+#define OCB_DEFAULT_TAG_LEN 16
+#define OCB_DEFAULT_IV_LEN  12
+#define OCB_MIN_IV_LEN      1
+#define OCB_MAX_IV_LEN      15
+
+PROV_CIPHER_FUNC(int, ocb_cipher, (PROV_AES_OCB_CTX *ctx,
+                                   const unsigned char *in, unsigned char *out,
+                                   size_t nextblock));
+/* forward declarations */
+static OSSL_OP_cipher_encrypt_init_fn aes_ocb_einit;
+static OSSL_OP_cipher_decrypt_init_fn aes_ocb_dinit;
+static OSSL_OP_cipher_update_fn aes_ocb_block_update;
+static OSSL_OP_cipher_final_fn aes_ocb_block_final;
+static OSSL_OP_cipher_cipher_fn aes_ocb_cipher;
+static OSSL_OP_cipher_freectx_fn aes_ocb_freectx;
+static OSSL_OP_cipher_dupctx_fn aes_ocb_dupctx;
+static OSSL_OP_cipher_get_ctx_params_fn aes_ocb_get_ctx_params;
+static OSSL_OP_cipher_set_ctx_params_fn aes_ocb_set_ctx_params;
+
+/*
+ * The following methods could be moved into PROV_AES_OCB_HW if
+ * multiple hardware implementations are ever needed.
+ */
+static ossl_inline int aes_generic_ocb_setiv(PROV_AES_OCB_CTX *ctx,
+                                             const unsigned char *iv,
+                                             size_t ivlen, size_t taglen)
+{
+    return (CRYPTO_ocb128_setiv(&ctx->ocb, iv, ivlen, taglen) == 1);
+}
+
+static ossl_inline int aes_generic_ocb_setaad(PROV_AES_OCB_CTX *ctx,
+                                              const unsigned char *aad,
+                                              size_t alen)
+{
+    return CRYPTO_ocb128_aad(&ctx->ocb, aad, alen) == 1;
+}
+
+static ossl_inline int aes_generic_ocb_gettag(PROV_AES_OCB_CTX *ctx,
+                                              unsigned char *tag, size_t tlen)
+{
+    return CRYPTO_ocb128_tag(&ctx->ocb, tag, tlen) > 0;
+}
+
+static ossl_inline int aes_generic_ocb_final(PROV_AES_OCB_CTX *ctx)
+{
+    return (CRYPTO_ocb128_finish(&ctx->ocb, ctx->tag, ctx->taglen) == 0);
+}
+
+static ossl_inline void aes_generic_ocb_cleanup(PROV_AES_OCB_CTX *ctx)
+{
+    CRYPTO_ocb128_cleanup(&ctx->ocb);
+}
+
+static ossl_inline int aes_generic_ocb_cipher(PROV_AES_OCB_CTX *ctx,
+                                              const unsigned char *in,
+                                              unsigned char *out, size_t len)
+{
+    if (ctx->base.enc) {
+        if (!CRYPTO_ocb128_encrypt(&ctx->ocb, in, out, len))
+            return 0;
+    } else {
+        if (!CRYPTO_ocb128_decrypt(&ctx->ocb, in, out, len))
+            return 0;
+    }
+    return 1;
+}
+
+static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
+                                                PROV_AES_OCB_CTX *src)
+{
+    return (!CRYPTO_ocb128_copy_ctx(&dst->ocb, &src->ocb,
+                                    &src->ksenc.ks, &src->ksdec.ks));
+}
+
+/*-
+ * Provider dispatch functions
+ */
+static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
+                        const unsigned char *iv, size_t ivlen, int enc)
+{
+   PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+   ctx->base.enc = enc;
+
+   if (iv != NULL) {
+       if (ivlen != ctx->base.ivlen) {
+           /* IV len must be 1 to 15 */
+           if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
+               ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+               return 0;
+           }
+           ctx->base.ivlen = ivlen;
+       }
+       memcpy(ctx->base.iv, iv, ivlen);
+       ctx->iv_state = IV_STATE_BUFFERED;
+   }
+   if (key != NULL) {
+       if (keylen != ctx->base.keylen) {
+           ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+           return 0;
+       }
+       return ctx->base.hw->init(&ctx->base, key, keylen);
+   }
+   return 1;
+}
+
+static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
+                         const unsigned char *iv, size_t ivlen)
+{
+    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
+}
+
+static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
+                         const unsigned char *iv, size_t ivlen)
+{
+    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
+}
+
+/*
+ * Because of the way OCB works, both the AAD and data are buffered in the
+ * same way. Only the last block can be a partial block.
+ */
+static int aes_ocb_block_update_internal(PROV_AES_OCB_CTX *ctx,
+                                         unsigned char *buf, size_t *bufsz,
+                                         unsigned char *out, size_t *outl,
+                                         size_t outsize, const unsigned char *in,
+                                         size_t inl, OSSL_ocb_cipher_fn ciph)
+{
+    size_t nextblocks = fillblock(buf, bufsz, AES_BLOCK_SIZE, &in, &inl);
+    size_t outlint = 0;
+
+    if (*bufsz == AES_BLOCK_SIZE) {
+        if (outsize < AES_BLOCK_SIZE) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
+        if (!ciph(ctx, buf, out, AES_BLOCK_SIZE)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+            return 0;
+        }
+        *bufsz = 0;
+        outlint = AES_BLOCK_SIZE;
+        out += AES_BLOCK_SIZE;
+    }
+    if (nextblocks > 0) {
+        outlint += nextblocks;
+        if (outsize < outlint) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
+        if (!ciph(ctx, in, out, nextblocks)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+            return 0;
+        }
+        in += nextblocks;
+        inl -= nextblocks;
+    }
+    if (!trailingdata(buf, bufsz, AES_BLOCK_SIZE, &in, &inl)) {
+        /* PROVerr already called */
+        return 0;
+    }
+
+    *outl = outlint;
+    return inl == 0;
+}
+
+/* A wrapper function that has the same signature as cipher */
+static int cipher_updateaad(PROV_AES_OCB_CTX *ctx, const unsigned char *in,
+                            unsigned char *out, size_t len)
+{
+    return aes_generic_ocb_setaad(ctx, in, len);
+}
+
+static int update_iv(PROV_AES_OCB_CTX *ctx)
+{
+    if (ctx->iv_state == IV_STATE_FINISHED
+        || ctx->iv_state == IV_STATE_UNINITIALISED)
+        return 0;
+    if (ctx->iv_state == IV_STATE_BUFFERED) {
+        if (!aes_generic_ocb_setiv(ctx, ctx->base.iv, ctx->base.ivlen,
+                                   ctx->taglen))
+            return 0;
+        ctx->iv_state = IV_STATE_COPIED;
+    }
+    return 1;
+}
+
+static int aes_ocb_block_update(void *vctx, unsigned char *out, size_t *outl,
+                                size_t outsize, const unsigned char *in,
+                                size_t inl)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+    unsigned char *buf;
+    size_t *buflen;
+    OSSL_ocb_cipher_fn fn;
+
+    if (!ctx->key_set || !update_iv(ctx))
+        return 0;
+
+    /* Are we dealing with AAD or normal data here? */
+    if (out == NULL) {
+        buf = ctx->aad_buf;
+        buflen = &ctx->aad_buf_len;
+        fn = cipher_updateaad;
+    } else {
+        buf = ctx->data_buf;
+        buflen = &ctx->data_buf_len;
+        fn = aes_generic_ocb_cipher;
+    }
+    return aes_ocb_block_update_internal(ctx, buf, buflen, out, outl, outsize,
+                                         in, inl, fn);
+}
+
+static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
+                               size_t outsize)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    /* If no block_update has run then the iv still needs to be set */
+    if (!ctx->key_set || !update_iv(ctx))
+        return 0;
+
+    /*
+     * Empty the buffer of any partial block that we might have been provided,
+     * both for data and AAD
+     */
+    *outl = 0;
+    if (ctx->data_buf_len > 0) {
+        if (!aes_generic_ocb_cipher(ctx, ctx->data_buf, out, ctx->data_buf_len))
+            return 0;
+        *outl = ctx->data_buf_len;
+        ctx->data_buf_len = 0;
+    }
+    if (ctx->aad_buf_len > 0) {
+        if (!aes_generic_ocb_setaad(ctx, ctx->aad_buf, ctx->aad_buf_len))
+            return 0;
+        ctx->aad_buf_len = 0;
+    }
+    if (ctx->base.enc) {
+        /* If encrypting then just get the tag */
+        if (!aes_generic_ocb_gettag(ctx, ctx->tag, ctx->taglen))
+            return 0;
+    } else {
+        /* If decrypting then verify */
+        if (ctx->taglen == 0)
+            return 0;
+        if (!aes_generic_ocb_final(ctx))
+            return 0;
+    }
+    /* Don't reuse the IV */
+    ctx->iv_state = IV_STATE_FINISHED;
+    return 1;
+}
+
+static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
+                            size_t ivbits, unsigned int mode, uint64_t flags)
+{
+    PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx != NULL) {
+        cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
+                               PROV_CIPHER_HW_aes_ocb(kbits), NULL);
+        ctx->taglen = OCB_DEFAULT_TAG_LEN;
+    }
+    return ctx;
+}
+
+static void aes_ocb_freectx(void *vctx)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    aes_generic_ocb_cleanup(ctx);
+    OPENSSL_cleanse(ctx->base.iv, sizeof(ctx->base.iv));
+    OPENSSL_clear_free(ctx,  sizeof(*ctx));
+}
+
+static void *aes_ocb_dupctx(void *vctx)
+{
+    PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
+    PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+
+    if (ret == NULL) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    *ret = *in;
+    if (!aes_generic_ocb_copy_ctx(ret, in))
+        OPENSSL_free(ret);
+    return ret;
+}
+
+static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+    const OSSL_PARAM *p;
+    size_t sz;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (p->data == NULL) {
+            /* Tag len must be 0 to 16 */
+            if (p->data_size > OCB_MAX_TAG_LEN)
+                return 0;
+            ctx->taglen = p->data_size;
+        } else {
+            if (p->data_size != ctx->taglen || ctx->base.enc)
+                return 0;
+            memcpy(ctx->tag, p->data, p->data_size);
+        }
+     }
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
+    if (p != NULL) {
+        if (!OSSL_PARAM_get_size_t(p, &sz)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        /* IV len must be 1 to 15 */
+        if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
+            return 0;
+        ctx->base.ivlen = sz;
+    }
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL) {
+        size_t keylen;
+
+        if (!OSSL_PARAM_get_size_t(p, &keylen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (ctx->base.keylen != keylen) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+    OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.ivlen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN);
+    if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->base.keylen)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+        return 0;
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN);
+    if (p != NULL) {
+        if (!OSSL_PARAM_set_size_t(p, ctx->taglen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+    }
+
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV);
+    if (p != NULL) {
+        if (ctx->base.ivlen != p->data_size) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+            return 0;
+        }
+        if (!OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+            return 0;
+        }
+    }
+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG);
+    if (p != NULL) {
+        if (p->data_type != OSSL_PARAM_OCTET_STRING) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (!ctx->base.enc || p->data_size != ctx->taglen) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAGLEN);
+            return 0;
+        }
+        memcpy(p->data, ctx->tag, ctx->taglen);
+    }
+    return 1;
+}
+
+static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = {
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM *cipher_ocb_gettable_ctx_params(void)
+{
+    return cipher_ocb_known_gettable_ctx_params;
+}
+
+static const OSSL_PARAM cipher_ocb_known_settable_ctx_params[] = {
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
+    OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, NULL),
+    OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+    OSSL_PARAM_END
+};
+static const OSSL_PARAM *cipher_ocb_settable_ctx_params(void)
+{
+    return cipher_ocb_known_settable_ctx_params;
+}
+
+static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
+                          size_t outsize, const unsigned char *in, size_t inl)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    if (outsize < inl) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+        return 0;
+    }
+
+    *outl = inl;
+    return 1;
+}
+
+#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits)          \
+static OSSL_OP_cipher_get_params_fn aes_##kbits##_##mode##_get_params;         \
+static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[])              \
+{                                                                              \
+    return cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,         \
+                                     flags, kbits, blkbits, ivbits);           \
+}                                                                              \
+static OSSL_OP_cipher_newctx_fn aes_##kbits##_##mode##_newctx;                 \
+static void *aes_##kbits##_##mode##_newctx(void *provctx)                      \
+{                                                                              \
+    return aes_##mode##_newctx(provctx, kbits, blkbits, ivbits,                \
+                               EVP_CIPH_##UCMODE##_MODE, flags);               \
+}                                                                              \
+const OSSL_DISPATCH aes##kbits##mode##_functions[] = {                         \
+    { OSSL_FUNC_CIPHER_NEWCTX,                                                 \
+        (void (*)(void))aes_##kbits##_##mode##_newctx },                       \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_##mode##_einit },     \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_##mode##_dinit },     \
+    { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_block_update },    \
+    { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_block_final },      \
+    { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))aes_ocb_cipher },               \
+    { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx },        \
+    { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx },          \
+    { OSSL_FUNC_CIPHER_GET_PARAMS,                                             \
+        (void (*)(void))aes_##kbits##_##mode##_get_params },                   \
+    { OSSL_FUNC_CIPHER_GET_CTX_PARAMS,                                         \
+        (void (*)(void))aes_##mode##_get_ctx_params },                         \
+    { OSSL_FUNC_CIPHER_SET_CTX_PARAMS,                                         \
+        (void (*)(void))aes_##mode##_set_ctx_params },                         \
+    { OSSL_FUNC_CIPHER_GETTABLE_PARAMS,                                        \
+        (void (*)(void))cipher_generic_gettable_params },                      \
+    { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS,                                    \
+        (void (*)(void))cipher_ocb_gettable_ctx_params },                      \
+    { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS,                                    \
+        (void (*)(void))cipher_ocb_settable_ctx_params },                      \
+    { 0, NULL }                                                                \
+}
+
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
+

providers/default/ciphers/cipher_aes_ocb.h

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/aes.h>
+#include "internal/ciphers/ciphercommon.h"
+
+#define OCB_MAX_TAG_LEN     AES_BLOCK_SIZE
+#define OCB_MAX_DATA_LEN    AES_BLOCK_SIZE
+#define OCB_MAX_AAD_LEN     AES_BLOCK_SIZE
+
+typedef struct prov_aes_ocb_ctx_st {
+    PROV_CIPHER_CTX base;       /* Must be first */
+    union {
+        OSSL_UNION_ALIGN;
+        AES_KEY ks;
+    } ksenc;                    /* AES key schedule to use for encryption/aad */
+    union {
+        OSSL_UNION_ALIGN;
+        AES_KEY ks;
+    } ksdec;                    /* AES key schedule to use for decryption */
+    OCB128_CONTEXT ocb;
+    unsigned int iv_state;      /* set to one of IV_STATE_XXX */
+    unsigned int key_set : 1;
+    size_t taglen;
+    size_t data_buf_len;
+    size_t aad_buf_len;
+    unsigned char tag[OCB_MAX_TAG_LEN];
+    unsigned char data_buf[OCB_MAX_DATA_LEN]; /* Store partial data blocks */
+    unsigned char aad_buf[OCB_MAX_AAD_LEN];   /* Store partial AAD blocks */
+} PROV_AES_OCB_CTX;
+
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ocb(size_t keybits);

providers/default/ciphers/cipher_aes_ocb_hw.c

@@ -0,0 +1,115 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cipher_aes_ocb.h"
+
+#define OCB_SET_KEY_FN(fn_set_enc_key, fn_set_dec_key,                         \
+                       fn_block_enc, fn_block_dec,                             \
+                       fn_stream_enc, fn_stream_dec)                           \
+fn_set_enc_key(key, keylen * 8, &ctx->ksenc.ks);                               \
+fn_set_dec_key(key, keylen * 8, &ctx->ksdec.ks);                               \
+if (!CRYPTO_ocb128_init(&ctx->ocb, &ctx->ksenc.ks, &ctx->ksdec.ks,             \
+                        (block128_f)fn_block_enc, (block128_f)fn_block_dec,    \
+                        ctx->base.enc ? (ocb128_f)fn_stream_enc :              \
+                                        (ocb128_f)fn_stream_dec))              \
+    return 0;                                                                  \
+ctx->key_set = 1
+
+
+static int cipher_hw_aes_ocb_generic_initkey(PROV_CIPHER_CTX *vctx,
+                                             const unsigned char *key,
+                                             size_t keylen)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+/*
+ * We set both the encrypt and decrypt key here because decrypt
+ * needs both. (i.e- AAD uses encrypt).
+ */
+# ifdef HWAES_CAPABLE
+    if (HWAES_CAPABLE) {
+        OCB_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_set_decrypt_key,
+                       HWAES_encrypt, HWAES_decrypt,
+                       HWAES_ocb_encrypt, HWAES_ocb_decrypt);
+    }
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE) {
+        OCB_SET_KEY_FN(vpaes_set_encrypt_key, vpaes_set_decrypt_key,
+                       vpaes_encrypt, vpaes_decrypt, NULL, NULL);
+    } else
+# endif
+    {
+        OCB_SET_KEY_FN(AES_set_encrypt_key, AES_set_decrypt_key,
+                       AES_encrypt, AES_decrypt, NULL, NULL);
+    }
+    return 1;
+}
+
+# if defined(AESNI_CAPABLE)
+
+static int cipher_hw_aes_ocb_aesni_initkey(PROV_CIPHER_CTX *vctx,
+                                           const unsigned char *key,
+                                           size_t keylen)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    OCB_SET_KEY_FN(aesni_set_encrypt_key, aesni_set_decrypt_key,
+                   aesni_encrypt, aesni_decrypt,
+                   aesni_ocb_encrypt, aesni_ocb_decrypt);
+    return 1;
+}
+
+# define PROV_CIPHER_HW_declare()                                              \
+static const PROV_CIPHER_HW aesni_ocb = {                                      \
+    cipher_hw_aes_ocb_aesni_initkey,                                           \
+    NULL                                                                       \
+};
+# define PROV_CIPHER_HW_select()                                               \
+    if (AESNI_CAPABLE)                                                         \
+        return &aesni_ocb;
+
+#elif defined(SPARC_AES_CAPABLE)
+
+static int cipher_hw_aes_ocb_t4_initkey(PROV_CIPHER_CTX *vctx,
+                                        const unsigned char *key,
+                                        size_t keylen)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    OCB_SET_KEY_FN(aes_t4_set_encrypt_key, aes_t4_set_decrypt_key,
+                   aes_t4_encrypt, aes_t4_decrypt, NULL, NULL);
+    return 1;
+}
+
+# define PROV_CIPHER_HW_declare()                                              \
+static const PROV_CIPHER_HW aes_t4_ocb = {                                     \
+    cipher_hw_aes_ocb_t4_initkey,                                              \
+    NULL                                                                       \
+};
+# define PROV_CIPHER_HW_select()                                               \
+    if (SPARC_AES_CAPABLE)                                                     \
+        return &aes_t4_ocb;
+#else
+# define PROV_CIPHER_HW_declare()
+# define PROV_CIPHER_HW_select()
+# endif
+
+static const PROV_CIPHER_HW aes_generic_ocb = {
+    cipher_hw_aes_ocb_generic_initkey,
+    NULL
+};
+PROV_CIPHER_HW_declare()
+const PROV_CIPHER_HW *PROV_CIPHER_HW_aes_ocb(size_t keybits)
+{
+    PROV_CIPHER_HW_select()
+    return &aes_generic_ocb;
+}
+
+

providers/default/defltprov.c

@@ -116,6 +116,11 @@ static const OSSL_ALGORITHM deflt_ciphers[] = {
     { "AES-128-CTR", "default=yes", aes128ctr_functions },
     { "AES-256-XTS", "default=yes", aes256xts_functions },
     { "AES-128-XTS", "default=yes", aes128xts_functions },
+#ifndef OPENSSL_NO_OCB
+    { "AES-256-OCB", "default=yes", aes256ocb_functions },
+    { "AES-192-OCB", "default=yes", aes192ocb_functions },
+    { "AES-128-OCB", "default=yes", aes128ocb_functions },
+#endif /* OPENSSL_NO_OCB */
 /* TODO(3.0) Add aliases when they are supported */
     { "id-aes256-GCM", "default=yes", aes256gcm_functions },
     { "id-aes192-GCM", "default=yes", aes192gcm_functions },

test/recipes/30-test_evp_data/evpciph.txt

@@ -1052,6 +1052,7 @@ Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3d
 
 #AES OCB Test vectors
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1060,6 +1061,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 0001020304050607
@@ -1068,6 +1070,7 @@ Plaintext = 0001020304050607
 Ciphertext = 92B657130A74B85A
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 0001020304050607
@@ -1076,6 +1079,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1084,6 +1088,7 @@ Plaintext = 0001020304050607
 Ciphertext = 92B657130A74B85A
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F
@@ -1092,6 +1097,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F
@@ -1100,6 +1106,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1108,6 +1115,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F1011121314151617
@@ -1116,6 +1124,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F1011121314151617
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122FCFCEE7A2A8D4D48
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F1011121314151617
@@ -1124,6 +1133,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1132,6 +1142,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F1011121314151617
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122FCFCEE7A2A8D4D48
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
@@ -1140,6 +1151,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A657149D53773463CB
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
@@ -1148,6 +1160,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1156,6 +1169,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A657149D53773463CB
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1164,6 +1178,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A657149D53773463CB68C65778B058A635
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1172,6 +1187,7 @@ Plaintext =
 Ciphertext =
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD =
@@ -1181,6 +1197,7 @@ Ciphertext = BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A657149D53773463CB68C
 
 #AES OCB Non standard test vectors - generated from reference implementation
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1189,6 +1206,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09a4fd29de949d9a9aa9924248422097ad4883b4713e6c214ff6567ada08a96766fc4e2ee3e3a5a1
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B0C0D0E
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1197,6 +1215,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 5e2fa7367ffbdb3938845cfd415fcc71ec79634eb31451609d27505f5e2978f43c44213d8fa441ee
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1205,6 +1224,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C822D6
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1213,6 +1233,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F714FF
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1221,6 +1242,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB8294170634D
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1229,6 +1251,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7050FAA
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
@@ -1237,6 +1260,7 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
 Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486
 
 Cipher = aes-128-ocb
+Availablein = default
 Key = 000102030405060708090A0B0C0D0E0F
 IV = 000102030405060708090A0B
 AAD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627