| 1 | /* |
|---|---|
| 2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | /* RC4_HMAC_MD5 cipher implementation */ |
| 11 | |
| 12 | #include "cipher_rc4_hmac_md5.h" |
| 13 | |
| 14 | #define NO_PAYLOAD_LENGTH ((size_t)-1) |
| 15 | |
| 16 | #if defined(RC4_ASM) \ |
| 17 | && defined(MD5_ASM) \ |
| 18 | && (defined(__x86_64) \ |
| 19 | || defined(__x86_64__) \ |
| 20 | || defined(_M_AMD64) \ |
| 21 | || defined(_M_X64)) |
| 22 | # define STITCHED_CALL |
| 23 | # define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */ |
| 24 | #else |
| 25 | # define rc4_off 0 |
| 26 | # define md5_off 0 |
| 27 | #endif |
| 28 | |
| 29 | static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX *bctx, |
| 30 | const uint8_t *key, size_t keylen) |
| 31 | { |
| 32 | PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx; |
| 33 | |
| 34 | RC4_set_key(&ctx->ks.ks, keylen, key); |
| 35 | MD5_Init(&ctx->head); /* handy when benchmarking */ |
| 36 | ctx->tail = ctx->head; |
| 37 | ctx->md = ctx->head; |
| 38 | ctx->payload_length = NO_PAYLOAD_LENGTH; |
| 39 | return 1; |
| 40 | } |
| 41 | |
| 42 | static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX *bctx, |
| 43 | unsigned char *out, |
| 44 | const unsigned char *in, size_t len) |
| 45 | { |
| 46 | PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx; |
| 47 | RC4_KEY *ks = &ctx->ks.ks; |
| 48 | |
| 49 | #if defined(STITCHED_CALL) |
| 50 | size_t rc4_off = MOD - 1 - (ks->x & (MOD - 1)); |
| 51 | size_t md5_off = MD5_CBLOCK - ctx->md.num, blocks; |
| 52 | unsigned int l; |
| 53 | #endif |
| 54 | size_t plen = ctx->payload_length; |
| 55 | |
| 56 | if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH)) |
| 57 | return 0; |
| 58 | |
| 59 | if (ctx->base.enc) { |
| 60 | if (plen == NO_PAYLOAD_LENGTH) |
| 61 | plen = len; |
| 62 | #if defined(STITCHED_CALL) |
| 63 | /* cipher has to "fall behind" */ |
| 64 | if (rc4_off > md5_off) |
| 65 | md5_off += MD5_CBLOCK; |
| 66 | |
| 67 | if (plen > md5_off |
| 68 | && (blocks = (plen - md5_off) / MD5_CBLOCK) |
| 69 | && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) { |
| 70 | MD5_Update(&ctx->md, in, md5_off); |
| 71 | RC4(ks, rc4_off, in, out); |
| 72 | |
| 73 | rc4_md5_enc(ks, in + rc4_off, out + rc4_off, |
| 74 | &ctx->md, in + md5_off, blocks); |
| 75 | blocks *= MD5_CBLOCK; |
| 76 | rc4_off += blocks; |
| 77 | md5_off += blocks; |
| 78 | ctx->md.Nh += blocks >> 29; |
| 79 | ctx->md.Nl += blocks <<= 3; |
| 80 | if (ctx->md.Nl < (unsigned int)blocks) |
| 81 | ctx->md.Nh++; |
| 82 | } else { |
| 83 | rc4_off = 0; |
| 84 | md5_off = 0; |
| 85 | } |
| 86 | #endif |
| 87 | MD5_Update(&ctx->md, in + md5_off, plen - md5_off); |
| 88 | |
| 89 | if (plen != len) { /* "TLS" mode of operation */ |
| 90 | if (in != out) |
| 91 | memcpy(out + rc4_off, in + rc4_off, plen - rc4_off); |
| 92 | |
| 93 | /* calculate HMAC and append it to payload */ |
| 94 | MD5_Final(out + plen, &ctx->md); |
| 95 | ctx->md = ctx->tail; |
| 96 | MD5_Update(&ctx->md, out + plen, MD5_DIGEST_LENGTH); |
| 97 | MD5_Final(out + plen, &ctx->md); |
| 98 | /* encrypt HMAC at once */ |
| 99 | RC4(ks, len - rc4_off, out + rc4_off, out + rc4_off); |
| 100 | } else { |
| 101 | RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off); |
| 102 | } |
| 103 | } else { |
| 104 | unsigned char mac[MD5_DIGEST_LENGTH]; |
| 105 | |
| 106 | #if defined(STITCHED_CALL) |
| 107 | /* digest has to "fall behind" */ |
| 108 | if (md5_off > rc4_off) |
| 109 | rc4_off += 2 * MD5_CBLOCK; |
| 110 | else |
| 111 | rc4_off += MD5_CBLOCK; |
| 112 | |
| 113 | if (len > rc4_off |
| 114 | && (blocks = (len - rc4_off) / MD5_CBLOCK) |
| 115 | && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) { |
| 116 | RC4(ks, rc4_off, in, out); |
| 117 | MD5_Update(&ctx->md, out, md5_off); |
| 118 | |
| 119 | rc4_md5_enc(ks, in + rc4_off, out + rc4_off, |
| 120 | &ctx->md, out + md5_off, blocks); |
| 121 | blocks *= MD5_CBLOCK; |
| 122 | rc4_off += blocks; |
| 123 | md5_off += blocks; |
| 124 | l = (ctx->md.Nl + (blocks << 3)) & 0xffffffffU; |
| 125 | if (l < ctx->md.Nl) |
| 126 | ctx->md.Nh++; |
| 127 | ctx->md.Nl = l; |
| 128 | ctx->md.Nh += blocks >> 29; |
| 129 | } else { |
| 130 | md5_off = 0; |
| 131 | rc4_off = 0; |
| 132 | } |
| 133 | #endif |
| 134 | /* decrypt HMAC at once */ |
| 135 | RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off); |
| 136 | if (plen != NO_PAYLOAD_LENGTH) { |
| 137 | /* "TLS" mode of operation */ |
| 138 | MD5_Update(&ctx->md, out + md5_off, plen - md5_off); |
| 139 | |
| 140 | /* calculate HMAC and verify it */ |
| 141 | MD5_Final(mac, &ctx->md); |
| 142 | ctx->md = ctx->tail; |
| 143 | MD5_Update(&ctx->md, mac, MD5_DIGEST_LENGTH); |
| 144 | MD5_Final(mac, &ctx->md); |
| 145 | |
| 146 | if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) |
| 147 | return 0; |
| 148 | } else { |
| 149 | MD5_Update(&ctx->md, out + md5_off, len - md5_off); |
| 150 | } |
| 151 | } |
| 152 | |
| 153 | ctx->payload_length = NO_PAYLOAD_LENGTH; |
| 154 | |
| 155 | return 1; |
| 156 | } |
| 157 | |
| 158 | static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX *bctx, |
| 159 | unsigned char *aad, size_t aad_len) |
| 160 | { |
| 161 | PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx; |
| 162 | unsigned int len; |
| 163 | |
| 164 | if (aad_len != EVP_AEAD_TLS1_AAD_LEN) |
| 165 | return 0; |
| 166 | |
| 167 | len = aad[aad_len - 2] << 8 | aad[aad_len - 1]; |
| 168 | |
| 169 | if (!bctx->enc) { |
| 170 | if (len < MD5_DIGEST_LENGTH) |
| 171 | return 0; |
| 172 | len -= MD5_DIGEST_LENGTH; |
| 173 | aad[aad_len - 2] = len >> 8; |
| 174 | aad[aad_len - 1] = len; |
| 175 | } |
| 176 | ctx->payload_length = len; |
| 177 | ctx->md = ctx->head; |
| 178 | MD5_Update(&ctx->md, aad, aad_len); |
| 179 | |
| 180 | return MD5_DIGEST_LENGTH; |
| 181 | } |
| 182 | |
| 183 | static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX *bctx, |
| 184 | const unsigned char *key, |
| 185 | size_t len) |
| 186 | { |
| 187 | PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx; |
| 188 | unsigned int i; |
| 189 | unsigned char hmac_key[64]; |
| 190 | |
| 191 | memset(hmac_key, 0, sizeof(hmac_key)); |
| 192 | |
| 193 | if (len > (int)sizeof(hmac_key)) { |
| 194 | MD5_Init(&ctx->head); |
| 195 | MD5_Update(&ctx->head, key, len); |
| 196 | MD5_Final(hmac_key, &ctx->head); |
| 197 | } else { |
| 198 | memcpy(hmac_key, key, len); |
| 199 | } |
| 200 | |
| 201 | for (i = 0; i < sizeof(hmac_key); i++) |
| 202 | hmac_key[i] ^= 0x36; /* ipad */ |
| 203 | MD5_Init(&ctx->head); |
| 204 | MD5_Update(&ctx->head, hmac_key, sizeof(hmac_key)); |
| 205 | |
| 206 | for (i = 0; i < sizeof(hmac_key); i++) |
| 207 | hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ |
| 208 | MD5_Init(&ctx->tail); |
| 209 | MD5_Update(&ctx->tail, hmac_key, sizeof(hmac_key)); |
| 210 | |
| 211 | OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); |
| 212 | } |
| 213 | |
| 214 | static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw = { |
| 215 | { |
| 216 | cipher_hw_rc4_hmac_md5_initkey, |
| 217 | cipher_hw_rc4_hmac_md5_cipher |
| 218 | }, |
| 219 | cipher_hw_rc4_hmac_md5_tls_init, |
| 220 | cipher_hw_rc4_hmac_md5_init_mackey |
| 221 | }; |
| 222 | const PROV_CIPHER_HW *PROV_CIPHER_HW_rc4_hmac_md5(size_t keybits) |
| 223 | { |
| 224 | return (PROV_CIPHER_HW *)&rc4_hmac_md5_hw; |
| 225 | } |
| 226 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.