[thirdparty/openssl.git] / providers / implementations / ciphers / cipher_rc4_hmac_md5_hw.c

/*
 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* RC4_HMAC_MD5 cipher implementation */

#include "cipher_rc4_hmac_md5.h"

#define NO_PAYLOAD_LENGTH ((size_t)-1)

#if defined(RC4_ASM)                                                           \
    && defined(MD5_ASM)                                                        \
    && (defined(__x86_64)                                                      \
        || defined(__x86_64__)                                                 \
        || defined(_M_AMD64)                                                   \
        || defined(_M_X64))
# define STITCHED_CALL
# define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */
#else
# define rc4_off 0
# define md5_off 0
#endif

static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX *bctx,
                                          const uint8_t *key, size_t keylen)
{
    PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;

    RC4_set_key(&ctx->ks.ks, keylen, key);
    MD5_Init(&ctx->head);       /* handy when benchmarking */
    ctx->tail = ctx->head;
    ctx->md = ctx->head;
    ctx->payload_length = NO_PAYLOAD_LENGTH;
    return 1;
}

static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX *bctx,
                                         unsigned char *out,
                                         const unsigned char *in, size_t len)
{
    PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
    RC4_KEY *ks = &ctx->ks.ks;

#if defined(STITCHED_CALL)
    size_t rc4_off = MOD - 1 - (ks->x & (MOD - 1));
    size_t md5_off = MD5_CBLOCK - ctx->md.num, blocks;
    unsigned int l;
#endif
    size_t plen = ctx->payload_length;

    if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
        return 0;

    if (ctx->base.enc) {
        if (plen == NO_PAYLOAD_LENGTH)
            plen = len;
#if defined(STITCHED_CALL)
        /* cipher has to "fall behind" */
        if (rc4_off > md5_off)
            md5_off += MD5_CBLOCK;

        if (plen > md5_off
                && (blocks = (plen - md5_off) / MD5_CBLOCK)
                && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
            MD5_Update(&ctx->md, in, md5_off);
            RC4(ks, rc4_off, in, out);

            rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
                        &ctx->md, in + md5_off, blocks);
            blocks *= MD5_CBLOCK;
            rc4_off += blocks;
            md5_off += blocks;
            ctx->md.Nh += blocks >> 29;
            ctx->md.Nl += blocks <<= 3;
            if (ctx->md.Nl < (unsigned int)blocks)
                ctx->md.Nh++;
        } else {
            rc4_off = 0;
            md5_off = 0;
        }
#endif
        MD5_Update(&ctx->md, in + md5_off, plen - md5_off);

        if (plen != len) {      /* "TLS" mode of operation */
            if (in != out)
                memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);

            /* calculate HMAC and append it to payload */
            MD5_Final(out + plen, &ctx->md);
            ctx->md = ctx->tail;
            MD5_Update(&ctx->md, out + plen, MD5_DIGEST_LENGTH);
            MD5_Final(out + plen, &ctx->md);
            /* encrypt HMAC at once */
            RC4(ks, len - rc4_off, out + rc4_off, out + rc4_off);
        } else {
            RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
        }
    } else {
        unsigned char mac[MD5_DIGEST_LENGTH];

#if defined(STITCHED_CALL)
        /* digest has to "fall behind" */
        if (md5_off > rc4_off)
            rc4_off += 2 * MD5_CBLOCK;
        else
            rc4_off += MD5_CBLOCK;

        if (len > rc4_off
                && (blocks = (len - rc4_off) / MD5_CBLOCK)
                && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
            RC4(ks, rc4_off, in, out);
            MD5_Update(&ctx->md, out, md5_off);

            rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
                        &ctx->md, out + md5_off, blocks);
            blocks *= MD5_CBLOCK;
            rc4_off += blocks;
            md5_off += blocks;
            l = (ctx->md.Nl + (blocks << 3)) & 0xffffffffU;
            if (l < ctx->md.Nl)
                ctx->md.Nh++;
            ctx->md.Nl = l;
            ctx->md.Nh += blocks >> 29;
        } else {
            md5_off = 0;
            rc4_off = 0;
        }
#endif
        /* decrypt HMAC at once */
        RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
        if (plen != NO_PAYLOAD_LENGTH) {
            /* "TLS" mode of operation */
            MD5_Update(&ctx->md, out + md5_off, plen - md5_off);

            /* calculate HMAC and verify it */
            MD5_Final(mac, &ctx->md);
            ctx->md = ctx->tail;
            MD5_Update(&ctx->md, mac, MD5_DIGEST_LENGTH);
            MD5_Final(mac, &ctx->md);

            if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
                return 0;
        } else {
            MD5_Update(&ctx->md, out + md5_off, len - md5_off);
        }
    }

    ctx->payload_length = NO_PAYLOAD_LENGTH;

    return 1;
}

static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX *bctx,
                                           unsigned char *aad, size_t aad_len)
{
    PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
    unsigned int len;

    if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
        return 0;

    len = aad[aad_len - 2] << 8 | aad[aad_len - 1];

    if (!bctx->enc) {
        if (len < MD5_DIGEST_LENGTH)
            return 0;
        len -= MD5_DIGEST_LENGTH;
        aad[aad_len - 2] = len >> 8;
        aad[aad_len - 1] = len;
    }
    ctx->payload_length = len;
    ctx->md = ctx->head;
    MD5_Update(&ctx->md, aad, aad_len);

    return MD5_DIGEST_LENGTH;
}

static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX *bctx,
                                               const unsigned char *key,
                                               size_t len)
{
    PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
    unsigned int i;
    unsigned char hmac_key[64];

    memset(hmac_key, 0, sizeof(hmac_key));

    if (len > (int)sizeof(hmac_key)) {
        MD5_Init(&ctx->head);
        MD5_Update(&ctx->head, key, len);
        MD5_Final(hmac_key, &ctx->head);
    } else {
        memcpy(hmac_key, key, len);
    }

    for (i = 0; i < sizeof(hmac_key); i++)
        hmac_key[i] ^= 0x36; /* ipad */
    MD5_Init(&ctx->head);
    MD5_Update(&ctx->head, hmac_key, sizeof(hmac_key));

    for (i = 0; i < sizeof(hmac_key); i++)
        hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
    MD5_Init(&ctx->tail);
    MD5_Update(&ctx->tail, hmac_key, sizeof(hmac_key));

    OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
}

static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw = {
    {
      cipher_hw_rc4_hmac_md5_initkey,
      cipher_hw_rc4_hmac_md5_cipher
    },
    cipher_hw_rc4_hmac_md5_tls_init,
    cipher_hw_rc4_hmac_md5_init_mackey
};
const PROV_CIPHER_HW *PROV_CIPHER_HW_rc4_hmac_md5(size_t keybits)
{
    return (PROV_CIPHER_HW *)&rc4_hmac_md5_hw;
}
Commit	Line	Data
8fece335 SL	1	/*
	2	* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/* RC4_HMAC_MD5 cipher implementation */
	11
	12	#include "cipher_rc4_hmac_md5.h"
	13
	14	#define NO_PAYLOAD_LENGTH ((size_t)-1)
	15
	16	#if defined(RC4_ASM) \
	17	&& defined(MD5_ASM) \
	18	&& (defined(__x86_64) \
	19	\|\| defined(__x86_64__) \
	20	\|\| defined(_M_AMD64) \
	21	\|\| defined(_M_X64))
	22	# define STITCHED_CALL
	23	# define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */
	24	#else
	25	# define rc4_off 0
	26	# define md5_off 0
	27	#endif
	28
	29	static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX *bctx,
	30	const uint8_t *key, size_t keylen)
	31	{
	32	PROV_RC4_HMAC_MD5_CTX ctx = (PROV_RC4_HMAC_MD5_CTX )bctx;
	33
	34	RC4_set_key(&ctx->ks.ks, keylen, key);
	35	MD5_Init(&ctx->head); /* handy when benchmarking */
	36	ctx->tail = ctx->head;
	37	ctx->md = ctx->head;
	38	ctx->payload_length = NO_PAYLOAD_LENGTH;
	39	return 1;
	40	}
	41
	42	static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX *bctx,
	43	unsigned char *out,
	44	const unsigned char *in, size_t len)
	45	{
	46	PROV_RC4_HMAC_MD5_CTX ctx = (PROV_RC4_HMAC_MD5_CTX )bctx;
	47	RC4_KEY *ks = &ctx->ks.ks;
	48
	49	#if defined(STITCHED_CALL)
	50	size_t rc4_off = MOD - 1 - (ks->x & (MOD - 1));
	51	size_t md5_off = MD5_CBLOCK - ctx->md.num, blocks;
	52	unsigned int l;
	53	#endif
	54	size_t plen = ctx->payload_length;
	55
	56	if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
	57	return 0;
	58
	59	if (ctx->base.enc) {
	60	if (plen == NO_PAYLOAD_LENGTH)
	61	plen = len;
	62	#if defined(STITCHED_CALL)
	63	/* cipher has to "fall behind" */
	64	if (rc4_off > md5_off)
65	md5_off += MD5_CBLOCK;
66
67	if (plen > md5_off
68	&& (blocks = (plen - md5_off) / MD5_CBLOCK)
69	&& (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
70	MD5_Update(&ctx->md, in, md5_off);
71	RC4(ks, rc4_off, in, out);
72
73	rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
74	&ctx->md, in + md5_off, blocks);
75	blocks *= MD5_CBLOCK;
76	rc4_off += blocks;
77	md5_off += blocks;
78	ctx->md.Nh += blocks >> 29;
79	ctx->md.Nl += blocks <<= 3;
80	if (ctx->md.Nl < (unsigned int)blocks)
81	ctx->md.Nh++;
82	} else {
83	rc4_off = 0;
84	md5_off = 0;
85	}
86	#endif
87	MD5_Update(&ctx->md, in + md5_off, plen - md5_off);
88
89	if (plen != len) { /* "TLS" mode of operation */
90	if (in != out)
91	memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);
92
93	/* calculate HMAC and append it to payload */
94	MD5_Final(out + plen, &ctx->md);
95	ctx->md = ctx->tail;
96	MD5_Update(&ctx->md, out + plen, MD5_DIGEST_LENGTH);
97	MD5_Final(out + plen, &ctx->md);
98	/* encrypt HMAC at once */
99	RC4(ks, len - rc4_off, out + rc4_off, out + rc4_off);
100	} else {
101	RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
102	}
103	} else {
104	unsigned char mac[MD5_DIGEST_LENGTH];
105
106	#if defined(STITCHED_CALL)
107	/* digest has to "fall behind" */
108	if (md5_off > rc4_off)
109	rc4_off += 2 * MD5_CBLOCK;
110	else
111	rc4_off += MD5_CBLOCK;
112
113	if (len > rc4_off
114	&& (blocks = (len - rc4_off) / MD5_CBLOCK)
115	&& (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
116	RC4(ks, rc4_off, in, out);
117	MD5_Update(&ctx->md, out, md5_off);
118
119	rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
120	&ctx->md, out + md5_off, blocks);
121	blocks *= MD5_CBLOCK;
122	rc4_off += blocks;
123	md5_off += blocks;
124	l = (ctx->md.Nl + (blocks << 3)) & 0xffffffffU;
125	if (l < ctx->md.Nl)
126	ctx->md.Nh++;
127	ctx->md.Nl = l;
128	ctx->md.Nh += blocks >> 29;
129	} else {
130	md5_off = 0;
131	rc4_off = 0;
132	}
133	#endif
134	/* decrypt HMAC at once */
135	RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
136	if (plen != NO_PAYLOAD_LENGTH) {
137	/* "TLS" mode of operation */
138	MD5_Update(&ctx->md, out + md5_off, plen - md5_off);
139
140	/* calculate HMAC and verify it */
141	MD5_Final(mac, &ctx->md);
142	ctx->md = ctx->tail;
143	MD5_Update(&ctx->md, mac, MD5_DIGEST_LENGTH);
144	MD5_Final(mac, &ctx->md);
145
146	if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
147	return 0;
148	} else {
149	MD5_Update(&ctx->md, out + md5_off, len - md5_off);
150	}
151	}
152
153	ctx->payload_length = NO_PAYLOAD_LENGTH;
154
155	return 1;
156	}
157
158	static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX *bctx,
159	unsigned char *aad, size_t aad_len)
160	{
161	PROV_RC4_HMAC_MD5_CTX ctx = (PROV_RC4_HMAC_MD5_CTX )bctx;
162	unsigned int len;
163
164	if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
165	return 0;
166
167	len = aad[aad_len - 2] << 8 \| aad[aad_len - 1];
168
169	if (!bctx->enc) {
170	if (len < MD5_DIGEST_LENGTH)
171	return 0;
172	len -= MD5_DIGEST_LENGTH;
173	aad[aad_len - 2] = len >> 8;
174	aad[aad_len - 1] = len;
175	}
176	ctx->payload_length = len;
177	ctx->md = ctx->head;
178	MD5_Update(&ctx->md, aad, aad_len);
179
180	return MD5_DIGEST_LENGTH;
181	}
182
183	static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX *bctx,
184	const unsigned char *key,
185	size_t len)
186	{
187	PROV_RC4_HMAC_MD5_CTX ctx = (PROV_RC4_HMAC_MD5_CTX )bctx;
188	unsigned int i;
189	unsigned char hmac_key[64];
190
191	memset(hmac_key, 0, sizeof(hmac_key));
192
193	if (len > (int)sizeof(hmac_key)) {
194	MD5_Init(&ctx->head);
195	MD5_Update(&ctx->head, key, len);
196	MD5_Final(hmac_key, &ctx->head);
197	} else {
198	memcpy(hmac_key, key, len);
199	}
200
201	for (i = 0; i < sizeof(hmac_key); i++)
202	hmac_key[i] ^= 0x36; /* ipad */
203	MD5_Init(&ctx->head);
204	MD5_Update(&ctx->head, hmac_key, sizeof(hmac_key));
205
206	for (i = 0; i < sizeof(hmac_key); i++)
207	hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
208	MD5_Init(&ctx->tail);
209	MD5_Update(&ctx->tail, hmac_key, sizeof(hmac_key));
210
211	OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
212	}
213
214	static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw = {
215	{
216	cipher_hw_rc4_hmac_md5_initkey,
217	cipher_hw_rc4_hmac_md5_cipher
218	},
219	cipher_hw_rc4_hmac_md5_tls_init,
220	cipher_hw_rc4_hmac_md5_init_mackey
221	};
222	const PROV_CIPHER_HW *PROV_CIPHER_HW_rc4_hmac_md5(size_t keybits)
223	{
224	return (PROV_CIPHER_HW *)&rc4_hmac_md5_hw;
225	}