EVP_CipherUpdate() setting AAD for AES-256-OCB returns incorrect `outlen`

[jorangreef]

In OpenSSL 1.1.1a, setting AAD for AES-256-OCB mode using EVP_CipherUpdate() returns a surprising outlen. I would have expected outlen to match aad_size but it seems to be truncated down to the nearest multiple of blocks, unlike ciphers such as GCM or ChaCha20-Poly1305.

int outlen = 0;
EVP_CipherUpdate(ctx, NULL, &outlen, aad, aad_size);
if (outlen != aad_size) {
  printf("outlen=%i aad_size=%i\n", outlen, aad_size);
}
assert(outlen == aad_size);

[mattcaswell]

Looking at the documentation it seems quite undefined what outlen actually means in the case of AAD. The docs just say that out should be NULL and then in will be taken as the AAD.

Note that ChaCha20 is a stream cipher so the "block" size is 1. With something like AES128-GCM even though the underlying primitive has a block size of 16, the GCM mode effectively turns it into something like a stream cipher such that the effective block size is also 1. EVP_CIPHER_block_size() for both of these AEAD ciphers returns 1. On the other hand AES128-OCB is a true block cipher and EVP_CIPHER_block_size() returns 16 for this cipher.

In terms of AAD, GCM and ChaCha-Poly1305 can handle data 1 byte at a time, whereas OCB has to handle it one block at a time hence the discrepancy in the value of outlen.

[jorangreef]

Thanks Matt, I was just concerned that OCB is returning the floor of the number of blocks, rather than the ceil. This gave me pause.

Is it safe to pass unpadded AAD data to OCB in a single CipherUpdate call?

I saw in the source that openssl/test/evp_test.c sometimes checks frag and calls CipherUpdate over multiple calls. I couldn't figure out what this was about.

[mattcaswell]

Is it safe to pass unpadded AAD data to OCB in a single CipherUpdate call?

Yes

I saw in the source that openssl/test/evp_test.c sometimes checks frag and calls CipherUpdate over multiple calls. I couldn't figure out what this was about.

It's just there for testing what happens if you supply data broken up into multiple calls to CipherUpdate rather than doing it all in one go.

[jorangreef]

Looking at the documentation it seems quite undefined what outlen actually means in the case of AAD. The docs just say that out should be NULL and then in will be taken as the AAD.

Can this be clarified in the docs to avoid someone else making the same mistake in future?

It would be great to know what should be expected of outlen for all ciphers, if only to help with assertions (that's how I came across this).

[mattcaswell]

Yes - we should clarify this. I'll leave this issue open for now as a reminder.

[erbsland-dev]

@mattcaswell I can write a PR to add the required documentation. You seem to have a good understanding of this topic. Do you have any recommendations on what to highlight?

[erbsland-dev]

I would add a note like this to the documentation:

diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index f89fc9ae05..5da7c4dfc0 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -1338,6 +1338,15 @@ EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
 parameter I<out> set to B<NULL>. In this case, on success, the parameter
 I<outl> is set to the number of bytes authenticated.
 
+Please note that the number of authenticated bytes returned by
+EVP_CipherUpdate() depends on the cipher used. Stream ciphers, such as ChaCha20
+or ciphers in GCM mode, can handle 1 byte at a time, resulting in an effective
+"block" size of 1. Conversely, ciphers in OCB mode must process data one block
+at a time, and the block size is returned.
+
+Regardless of the returned size, it is safe to pass unpadded data to an
+EVP_CipherUpdate() call in a single operation.
+
 When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
 indicates whether the operation was successful. If it does not indicate success,
 the authentication operation has failed and any output data B<MUST NOT> be used