1/*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/* RC4_HMAC_MD5 cipher implementation */
11
12#include "cipher_rc4_hmac_md5.h"
13
14#define NO_PAYLOAD_LENGTH ((size_t)-1)
15
16#if defined(RC4_ASM) \
17 && defined(MD5_ASM) \
18 && (defined(__x86_64) \
19 || defined(__x86_64__) \
20 || defined(_M_AMD64) \
21 || defined(_M_X64))
22# define STITCHED_CALL
23# define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */
24#else
25# define rc4_off 0
26# define md5_off 0
27#endif
28
29static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX *bctx,
30 const uint8_t *key, size_t keylen)
31{
32 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
33
34 RC4_set_key(&ctx->ks.ks, keylen, key);
35 MD5_Init(&ctx->head); /* handy when benchmarking */
36 ctx->tail = ctx->head;
37 ctx->md = ctx->head;
38 ctx->payload_length = NO_PAYLOAD_LENGTH;
39 return 1;
40}
41
42static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX *bctx,
43 unsigned char *out,
44 const unsigned char *in, size_t len)
45{
46 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
47 RC4_KEY *ks = &ctx->ks.ks;
48
49#if defined(STITCHED_CALL)
50 size_t rc4_off = MOD - 1 - (ks->x & (MOD - 1));
51 size_t md5_off = MD5_CBLOCK - ctx->md.num, blocks;
52 unsigned int l;
53#endif
54 size_t plen = ctx->payload_length;
55
56 if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
57 return 0;
58
59 if (ctx->base.enc) {
60 if (plen == NO_PAYLOAD_LENGTH)
61 plen = len;
62#if defined(STITCHED_CALL)
63 /* cipher has to "fall behind" */
64 if (rc4_off > md5_off)
65 md5_off += MD5_CBLOCK;
66
67 if (plen > md5_off
68 && (blocks = (plen - md5_off) / MD5_CBLOCK)
69 && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
70 MD5_Update(&ctx->md, in, md5_off);
71 RC4(ks, rc4_off, in, out);
72
73 rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
74 &ctx->md, in + md5_off, blocks);
75 blocks *= MD5_CBLOCK;
76 rc4_off += blocks;
77 md5_off += blocks;
78 ctx->md.Nh += blocks >> 29;
79 ctx->md.Nl += blocks <<= 3;
80 if (ctx->md.Nl < (unsigned int)blocks)
81 ctx->md.Nh++;
82 } else {
83 rc4_off = 0;
84 md5_off = 0;
85 }
86#endif
87 MD5_Update(&ctx->md, in + md5_off, plen - md5_off);
88
89 if (plen != len) { /* "TLS" mode of operation */
90 if (in != out)
91 memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);
92
93 /* calculate HMAC and append it to payload */
94 MD5_Final(out + plen, &ctx->md);
95 ctx->md = ctx->tail;
96 MD5_Update(&ctx->md, out + plen, MD5_DIGEST_LENGTH);
97 MD5_Final(out + plen, &ctx->md);
98 /* encrypt HMAC at once */
99 RC4(ks, len - rc4_off, out + rc4_off, out + rc4_off);
100 } else {
101 RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
102 }
103 } else {
104 unsigned char mac[MD5_DIGEST_LENGTH];
105
106#if defined(STITCHED_CALL)
107 /* digest has to "fall behind" */
108 if (md5_off > rc4_off)
109 rc4_off += 2 * MD5_CBLOCK;
110 else
111 rc4_off += MD5_CBLOCK;
112
113 if (len > rc4_off
114 && (blocks = (len - rc4_off) / MD5_CBLOCK)
115 && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
116 RC4(ks, rc4_off, in, out);
117 MD5_Update(&ctx->md, out, md5_off);
118
119 rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
120 &ctx->md, out + md5_off, blocks);
121 blocks *= MD5_CBLOCK;
122 rc4_off += blocks;
123 md5_off += blocks;
124 l = (ctx->md.Nl + (blocks << 3)) & 0xffffffffU;
125 if (l < ctx->md.Nl)
126 ctx->md.Nh++;
127 ctx->md.Nl = l;
128 ctx->md.Nh += blocks >> 29;
129 } else {
130 md5_off = 0;
131 rc4_off = 0;
132 }
133#endif
134 /* decrypt HMAC at once */
135 RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
136 if (plen != NO_PAYLOAD_LENGTH) {
137 /* "TLS" mode of operation */
138 MD5_Update(&ctx->md, out + md5_off, plen - md5_off);
139
140 /* calculate HMAC and verify it */
141 MD5_Final(mac, &ctx->md);
142 ctx->md = ctx->tail;
143 MD5_Update(&ctx->md, mac, MD5_DIGEST_LENGTH);
144 MD5_Final(mac, &ctx->md);
145
146 if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
147 return 0;
148 } else {
149 MD5_Update(&ctx->md, out + md5_off, len - md5_off);
150 }
151 }
152
153 ctx->payload_length = NO_PAYLOAD_LENGTH;
154
155 return 1;
156}
157
158static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX *bctx,
159 unsigned char *aad, size_t aad_len)
160{
161 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
162 unsigned int len;
163
164 if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
165 return 0;
166
167 len = aad[aad_len - 2] << 8 | aad[aad_len - 1];
168
169 if (!bctx->enc) {
170 if (len < MD5_DIGEST_LENGTH)
171 return 0;
172 len -= MD5_DIGEST_LENGTH;
173 aad[aad_len - 2] = len >> 8;
174 aad[aad_len - 1] = len;
175 }
176 ctx->payload_length = len;
177 ctx->md = ctx->head;
178 MD5_Update(&ctx->md, aad, aad_len);
179
180 return MD5_DIGEST_LENGTH;
181}
182
183static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX *bctx,
184 const unsigned char *key,
185 size_t len)
186{
187 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
188 unsigned int i;
189 unsigned char hmac_key[64];
190
191 memset(hmac_key, 0, sizeof(hmac_key));
192
193 if (len > (int)sizeof(hmac_key)) {
194 MD5_Init(&ctx->head);
195 MD5_Update(&ctx->head, key, len);
196 MD5_Final(hmac_key, &ctx->head);
197 } else {
198 memcpy(hmac_key, key, len);
199 }
200
201 for (i = 0; i < sizeof(hmac_key); i++)
202 hmac_key[i] ^= 0x36; /* ipad */
203 MD5_Init(&ctx->head);
204 MD5_Update(&ctx->head, hmac_key, sizeof(hmac_key));
205
206 for (i = 0; i < sizeof(hmac_key); i++)
207 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
208 MD5_Init(&ctx->tail);
209 MD5_Update(&ctx->tail, hmac_key, sizeof(hmac_key));
210
211 OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
212}
213
214static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw = {
215 {
216 cipher_hw_rc4_hmac_md5_initkey,
217 cipher_hw_rc4_hmac_md5_cipher
218 },
219 cipher_hw_rc4_hmac_md5_tls_init,
220 cipher_hw_rc4_hmac_md5_init_mackey
221};
222const PROV_CIPHER_HW *PROV_CIPHER_HW_rc4_hmac_md5(size_t keybits)
223{
224 return (PROV_CIPHER_HW *)&rc4_hmac_md5_hw;
225}
226