2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* RC4_HMAC_MD5 cipher implementation */
13 * MD5 and RC4 low level APIs are deprecated for public use, but still ok for
16 #include "internal/deprecated.h"
18 #include "cipher_rc4_hmac_md5.h"
20 #define NO_PAYLOAD_LENGTH ((size_t)-1)
22 #if defined(RC4_ASM) \
24 && (defined(__x86_64) \
25 || defined(__x86_64__) \
26 || defined(_M_AMD64) \
28 # define STITCHED_CALL
29 # define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */
35 static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX
*bctx
,
36 const uint8_t *key
, size_t keylen
)
38 PROV_RC4_HMAC_MD5_CTX
*ctx
= (PROV_RC4_HMAC_MD5_CTX
*)bctx
;
40 RC4_set_key(&ctx
->ks
.ks
, keylen
, key
);
41 MD5_Init(&ctx
->head
); /* handy when benchmarking */
42 ctx
->tail
= ctx
->head
;
44 ctx
->payload_length
= NO_PAYLOAD_LENGTH
;
48 static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX
*bctx
,
50 const unsigned char *in
, size_t len
)
52 PROV_RC4_HMAC_MD5_CTX
*ctx
= (PROV_RC4_HMAC_MD5_CTX
*)bctx
;
53 RC4_KEY
*ks
= &ctx
->ks
.ks
;
55 #if defined(STITCHED_CALL)
56 size_t rc4_off
= MOD
- 1 - (ks
->x
& (MOD
- 1));
57 size_t md5_off
= MD5_CBLOCK
- ctx
->md
.num
, blocks
;
60 size_t plen
= ctx
->payload_length
;
62 if (plen
!= NO_PAYLOAD_LENGTH
&& len
!= (plen
+ MD5_DIGEST_LENGTH
))
66 if (plen
== NO_PAYLOAD_LENGTH
)
68 #if defined(STITCHED_CALL)
69 /* cipher has to "fall behind" */
70 if (rc4_off
> md5_off
)
71 md5_off
+= MD5_CBLOCK
;
74 && (blocks
= (plen
- md5_off
) / MD5_CBLOCK
)
75 && (OPENSSL_ia32cap_P
[0] & (1 << 20)) == 0) {
76 MD5_Update(&ctx
->md
, in
, md5_off
);
77 RC4(ks
, rc4_off
, in
, out
);
79 rc4_md5_enc(ks
, in
+ rc4_off
, out
+ rc4_off
,
80 &ctx
->md
, in
+ md5_off
, blocks
);
84 ctx
->md
.Nh
+= blocks
>> 29;
85 ctx
->md
.Nl
+= blocks
<<= 3;
86 if (ctx
->md
.Nl
< (unsigned int)blocks
)
93 MD5_Update(&ctx
->md
, in
+ md5_off
, plen
- md5_off
);
95 if (plen
!= len
) { /* "TLS" mode of operation */
97 memcpy(out
+ rc4_off
, in
+ rc4_off
, plen
- rc4_off
);
99 /* calculate HMAC and append it to payload */
100 MD5_Final(out
+ plen
, &ctx
->md
);
102 MD5_Update(&ctx
->md
, out
+ plen
, MD5_DIGEST_LENGTH
);
103 MD5_Final(out
+ plen
, &ctx
->md
);
104 /* encrypt HMAC at once */
105 RC4(ks
, len
- rc4_off
, out
+ rc4_off
, out
+ rc4_off
);
107 RC4(ks
, len
- rc4_off
, in
+ rc4_off
, out
+ rc4_off
);
110 unsigned char mac
[MD5_DIGEST_LENGTH
];
112 #if defined(STITCHED_CALL)
113 /* digest has to "fall behind" */
114 if (md5_off
> rc4_off
)
115 rc4_off
+= 2 * MD5_CBLOCK
;
117 rc4_off
+= MD5_CBLOCK
;
120 && (blocks
= (len
- rc4_off
) / MD5_CBLOCK
)
121 && (OPENSSL_ia32cap_P
[0] & (1 << 20)) == 0) {
122 RC4(ks
, rc4_off
, in
, out
);
123 MD5_Update(&ctx
->md
, out
, md5_off
);
125 rc4_md5_enc(ks
, in
+ rc4_off
, out
+ rc4_off
,
126 &ctx
->md
, out
+ md5_off
, blocks
);
127 blocks
*= MD5_CBLOCK
;
130 l
= (ctx
->md
.Nl
+ (blocks
<< 3)) & 0xffffffffU
;
134 ctx
->md
.Nh
+= blocks
>> 29;
140 /* decrypt HMAC at once */
141 RC4(ks
, len
- rc4_off
, in
+ rc4_off
, out
+ rc4_off
);
142 if (plen
!= NO_PAYLOAD_LENGTH
) {
143 /* "TLS" mode of operation */
144 MD5_Update(&ctx
->md
, out
+ md5_off
, plen
- md5_off
);
146 /* calculate HMAC and verify it */
147 MD5_Final(mac
, &ctx
->md
);
149 MD5_Update(&ctx
->md
, mac
, MD5_DIGEST_LENGTH
);
150 MD5_Final(mac
, &ctx
->md
);
152 if (CRYPTO_memcmp(out
+ plen
, mac
, MD5_DIGEST_LENGTH
))
155 MD5_Update(&ctx
->md
, out
+ md5_off
, len
- md5_off
);
159 ctx
->payload_length
= NO_PAYLOAD_LENGTH
;
164 static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX
*bctx
,
165 unsigned char *aad
, size_t aad_len
)
167 PROV_RC4_HMAC_MD5_CTX
*ctx
= (PROV_RC4_HMAC_MD5_CTX
*)bctx
;
170 if (aad_len
!= EVP_AEAD_TLS1_AAD_LEN
)
173 len
= aad
[aad_len
- 2] << 8 | aad
[aad_len
- 1];
176 if (len
< MD5_DIGEST_LENGTH
)
178 len
-= MD5_DIGEST_LENGTH
;
179 aad
[aad_len
- 2] = len
>> 8;
180 aad
[aad_len
- 1] = len
;
182 ctx
->payload_length
= len
;
184 MD5_Update(&ctx
->md
, aad
, aad_len
);
186 return MD5_DIGEST_LENGTH
;
189 static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX
*bctx
,
190 const unsigned char *key
,
193 PROV_RC4_HMAC_MD5_CTX
*ctx
= (PROV_RC4_HMAC_MD5_CTX
*)bctx
;
195 unsigned char hmac_key
[64];
197 memset(hmac_key
, 0, sizeof(hmac_key
));
199 if (len
> (int)sizeof(hmac_key
)) {
200 MD5_Init(&ctx
->head
);
201 MD5_Update(&ctx
->head
, key
, len
);
202 MD5_Final(hmac_key
, &ctx
->head
);
204 memcpy(hmac_key
, key
, len
);
207 for (i
= 0; i
< sizeof(hmac_key
); i
++)
208 hmac_key
[i
] ^= 0x36; /* ipad */
209 MD5_Init(&ctx
->head
);
210 MD5_Update(&ctx
->head
, hmac_key
, sizeof(hmac_key
));
212 for (i
= 0; i
< sizeof(hmac_key
); i
++)
213 hmac_key
[i
] ^= 0x36 ^ 0x5c; /* opad */
214 MD5_Init(&ctx
->tail
);
215 MD5_Update(&ctx
->tail
, hmac_key
, sizeof(hmac_key
));
217 OPENSSL_cleanse(hmac_key
, sizeof(hmac_key
));
220 static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw
= {
222 cipher_hw_rc4_hmac_md5_initkey
,
223 cipher_hw_rc4_hmac_md5_cipher
225 cipher_hw_rc4_hmac_md5_tls_init
,
226 cipher_hw_rc4_hmac_md5_init_mackey
228 const PROV_CIPHER_HW
*PROV_CIPHER_HW_rc4_hmac_md5(size_t keybits
)
230 return (PROV_CIPHER_HW
*)&rc4_hmac_md5_hw
;