NASA-AMMOS · BrianSipos · Aug 22, 2025 · Aug 22, 2025 · Aug 22, 2025 · Aug 27, 2025
@@ -124,6 +124,10 @@ typedef struct BSL_AuthCtx_s
      * @note Private value
      */
     size_t block_size;
+    /** Storage for input blocks.
+     * After init this is sized to #block_size.
+     */
+    BSL_Data_t in_buf;
 } BSL_AuthCtx_t;
 
 /**
@@ -141,6 +145,14 @@ typedef struct BSL_Cipher_s
     void *keyhandle;
     /// block size of cipher context
     size_t block_size;
+    /** Storage for input blocks.
+     * After init this is sized to #block_size.
+     */
+    BSL_Data_t in_buf;
+    /** Storage for output blocks.
+     * After init this is sized to #block_size.
+     */
+    BSL_Data_t out_buf;
 } BSL_Cipher_t;
 
 /**
@@ -242,12 +254,12 @@ int BSL_Crypto_UnwrapKey(void *kek_handle, BSL_Data_t *wrapped_key, void **cek_h
 
 /**
  * Initialize crypto context resources and set as encoding or decoding
- * @param cipher_ctx pointer to context to initialize
+ * @param[out] cipher_ctx pointer to context to initialize
  * @param aes_var AES GCM variant to use
  * @param enc enum for BSL_CRYPTO_ENCRYPT or BSL_CRYPTO_DECRYPT
- * @param init_vec pointer to initialization vector (IV) data
- * @param iv_len length of IV data
- * @param key_handle key handle to use
+ * @param[in] init_vec pointer to initialization vector (IV) data
+ * @param[in] iv_len length of IV data
+ * @param[in] key_handle key handle to use
  * @return 0 if successful
  */
 int BSL_Cipher_Init(BSL_Cipher_t *cipher_ctx, BSL_CipherMode_e enc, BSL_CryptoCipherAESVariant_e aes_var,
@@ -275,11 +287,6 @@ int BSL_Crypto_RemoveRegistryKey(const char *keyid);
  */
 int BSL_Cipher_AddAAD(BSL_Cipher_t *cipher_ctx, const void *aad, int aad_len);
 
-/**
- * @todo Doxygen
- */
-int BSL_Cipher_AddData(BSL_Cipher_t *cipher_ctx, BSL_Data_t plaintext, BSL_Data_t ciphertext);
-
 /**
  * Add data to encrypt or decrypt to the context sequentially
  * @param cipher_ctx pointer to context to add data to
@@ -289,6 +296,9 @@ int BSL_Cipher_AddData(BSL_Cipher_t *cipher_ctx, BSL_Data_t plaintext, BSL_Data_
  */
 int BSL_Cipher_AddSeq(BSL_Cipher_t *cipher_ctx, BSL_SeqReader_t *reader, BSL_SeqWriter_t *writer);
 
+/// @overload
+int BSL_Cipher_AddData(BSL_Cipher_t *cipher_ctx, const BSL_Data_t *input, BSL_Data_t *output);
+
 /**
  * Get the tag of the crypto operation
  * @param cipher_ctx pointer to context to get tag from
@@ -314,6 +324,7 @@ int BSL_Cipher_SetTag(BSL_Cipher_t *cipher_ctx, const void *tag);
  * @return 0 if successful
  */
 int BSL_Cipher_FinalizeSeq(BSL_Cipher_t *cipher_ctx, BSL_SeqWriter_t *writer);
+/// @overload
 int BSL_Cipher_FinalizeData(BSL_Cipher_t *cipher_ctx, BSL_Data_t *extra);
 
 /**

@@ -377,6 +377,9 @@ int BSL_AuthCtx_Init(BSL_AuthCtx_t *hmac_ctx, void *keyhandle, BSL_CryptoCipherS
         BSL_LOG_ERR("invalid block size zero, assuming %zu", hmac_ctx->block_size);
     }
 
+    res = BSL_Data_InitBuffer(&hmac_ctx->in_buf, hmac_ctx->block_size);
+    CHK_PROPERTY(!res);
+
     key_info->stats.stats[BSL_CRYPTO_KEYSTATS_TIMES_USED]++;
 
     return 0;
@@ -426,6 +429,7 @@ int BSL_AuthCtx_Finalize(BSL_AuthCtx_t *hmac_ctx, void **hmac, size_t *hmac_len)
 
 int BSL_AuthCtx_Deinit(BSL_AuthCtx_t *hmac_ctx)
 {
+    BSL_Data_Deinit(&hmac_ctx->in_buf);
     EVP_MD_CTX_free(hmac_ctx->libhandle);
     memset(hmac_ctx, 0, sizeof(BSL_AuthCtx_t));
     return 0;
@@ -477,6 +481,12 @@ int BSL_Cipher_Init(BSL_Cipher_t *cipher_ctx, BSL_CipherMode_e enc, BSL_CryptoCi
     res = EVP_CipherInit_ex(cipher_ctx->libhandle, NULL, NULL, key->raw.ptr, init_vec, -1);
     CHK_PROPERTY(res == 1);
 
+    res = BSL_Data_InitBuffer(&cipher_ctx->in_buf, cipher_ctx->block_size);
+    CHK_PROPERTY(!res);
+
+    res = BSL_Data_InitBuffer(&cipher_ctx->out_buf, cipher_ctx->block_size);
+    CHK_PROPERTY(!res);
+
     key->stats.stats[BSL_CRYPTO_KEYSTATS_TIMES_USED]++;
 
     return 0;
@@ -495,17 +505,17 @@ int BSL_Cipher_AddAAD(BSL_Cipher_t *cipher_ctx, const void *aad, int aad_len)
     return 0;
 }
 
-int BSL_Cipher_AddData(BSL_Cipher_t *cipher_ctx, BSL_Data_t plaintext, BSL_Data_t ciphertext)
+int BSL_Cipher_AddData(BSL_Cipher_t *cipher_ctx, const BSL_Data_t *input, BSL_Data_t *output)
 {
     ASSERT_ARG_NONNULL(cipher_ctx);
-    int cipherlen = (int)ciphertext.len;
-    if (EVP_CipherUpdate(cipher_ctx->libhandle, ciphertext.ptr, &cipherlen, plaintext.ptr, (int)plaintext.len) != 1)
+    int cipherlen = (int)output->len;
+    if (EVP_CipherUpdate(cipher_ctx->libhandle, output->ptr, &cipherlen, input->ptr, (int)input->len) != 1)
     {
         return -1;
     }
 
     BSL_CryptoKey_t *key = (BSL_CryptoKey_t *)cipher_ctx->keyhandle;
-    key->stats.stats[BSL_CRYPTO_KEYSTATS_BYTES_PROCESSED] += plaintext.len;
+    key->stats.stats[BSL_CRYPTO_KEYSTATS_BYTES_PROCESSED] += input->len;
 
     return cipherlen;
 }
@@ -576,7 +586,7 @@ int BSL_Cipher_FinalizeData(BSL_Cipher_t *cipher_ctx, BSL_Data_t *extra)
     CHK_PROPERTY(res == 1);
     BSL_LOG_DEBUG("extra->len = %zu | got len = %d", extra->len, len);
     memset(extra->ptr, 0, extra->len);
-    BSL_LOG_INFO("Completed EVP_CipherFinal_ex");
+    BSL_LOG_DEBUG("Completed EVP_CipherFinal_ex");
     if (len > 0)
     {
         memcpy(extra->ptr, buf, sizeof(buf));
@@ -590,11 +600,8 @@ int BSL_Cipher_FinalizeSeq(BSL_Cipher_t *cipher_ctx, BSL_SeqWriter_t *writer)
     CHK_ARG_NONNULL(cipher_ctx);
     CHK_ARG_NONNULL(writer);
 
-    // finalize can add 1 cipher block
-    uint8_t buf[cipher_ctx->block_size];
-
     int evp_len = 0;
-    int res     = EVP_CipherFinal_ex(cipher_ctx->libhandle, buf, &evp_len);
+    int res     = EVP_CipherFinal_ex(cipher_ctx->libhandle, cipher_ctx->out_buf.ptr, &evp_len);
     if (res != 1)
     {
         BSL_LOG_ERR("EVP_CipherFinal_ex error %s", ERR_error_string(ERR_get_error(), NULL));
@@ -604,7 +611,7 @@ int BSL_Cipher_FinalizeSeq(BSL_Cipher_t *cipher_ctx, BSL_SeqWriter_t *writer)
     if (evp_len > 0)
     {
         size_t bsl_len = evp_len;
-        BSL_SeqWriter_Put(writer, buf, bsl_len);
+        BSL_SeqWriter_Put(writer, cipher_ctx->out_buf.ptr, bsl_len);
     }
 
     return 0;
@@ -613,6 +620,8 @@ int BSL_Cipher_FinalizeSeq(BSL_Cipher_t *cipher_ctx, BSL_SeqWriter_t *writer)
 int BSL_Cipher_Deinit(BSL_Cipher_t *cipher_ctx)
 {
     CHK_ARG_NONNULL(cipher_ctx);
+    BSL_Data_Deinit(&cipher_ctx->out_buf);
+    BSL_Data_Deinit(&cipher_ctx->in_buf);
     EVP_CIPHER_CTX_free(cipher_ctx->libhandle);
     memset(cipher_ctx, 0, sizeof(*cipher_ctx));
     return BSL_SUCCESS;