2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* RC4_HMAC_MD5 cipher implementation */
13 * MD5 and RC4 low level APIs are deprecated for public use, but still ok for
16 #include "internal/deprecated.h"
18 #include "cipher_rc4_hmac_md5.h"
20 #define NO_PAYLOAD_LENGTH ((size_t)-1)
22 #if defined(RC4_ASM) \
24 && (defined(__x86_64) \
25 || defined(__x86_64__) \
26 || defined(_M_AMD64) \
28 # define STITCHED_CALL
29 # define MOD 32 /* 32 is $MOD from rc4_md5-x86_64.pl */
35 static int cipher_hw_rc4_hmac_md5_initkey(PROV_CIPHER_CTX *bctx,
36 const uint8_t *key, size_t keylen)
38 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
40 RC4_set_key(&ctx->ks.ks, keylen, key);
41 MD5_Init(&ctx->head); /* handy when benchmarking */
42 ctx->tail = ctx->head;
44 ctx->payload_length = NO_PAYLOAD_LENGTH;
45 bctx->removetlsfixed = MD5_DIGEST_LENGTH;
49 static int cipher_hw_rc4_hmac_md5_cipher(PROV_CIPHER_CTX *bctx,
51 const unsigned char *in, size_t len)
53 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
54 RC4_KEY *ks = &ctx->ks.ks;
56 #if defined(STITCHED_CALL)
57 size_t rc4_off = MOD - 1 - (ks->x & (MOD - 1));
58 size_t md5_off = MD5_CBLOCK - ctx->md.num, blocks;
61 size_t plen = ctx->payload_length;
63 if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
67 if (plen == NO_PAYLOAD_LENGTH)
69 #if defined(STITCHED_CALL)
70 /* cipher has to "fall behind" */
71 if (rc4_off > md5_off)
72 md5_off += MD5_CBLOCK;
75 && (blocks = (plen - md5_off) / MD5_CBLOCK)
76 && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
77 MD5_Update(&ctx->md, in, md5_off);
78 RC4(ks, rc4_off, in, out);
80 rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
81 &ctx->md, in + md5_off, blocks);
85 ctx->md.Nh += blocks >> 29;
86 ctx->md.Nl += blocks <<= 3;
87 if (ctx->md.Nl < (unsigned int)blocks)
94 MD5_Update(&ctx->md, in + md5_off, plen - md5_off);
96 if (plen != len) { /* "TLS" mode of operation */
98 memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);
100 /* calculate HMAC and append it to payload */
101 MD5_Final(out + plen, &ctx->md);
103 MD5_Update(&ctx->md, out + plen, MD5_DIGEST_LENGTH);
104 MD5_Final(out + plen, &ctx->md);
105 /* encrypt HMAC at once */
106 RC4(ks, len - rc4_off, out + rc4_off, out + rc4_off);
108 RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
111 unsigned char mac[MD5_DIGEST_LENGTH];
113 #if defined(STITCHED_CALL)
114 /* digest has to "fall behind" */
115 if (md5_off > rc4_off)
116 rc4_off += 2 * MD5_CBLOCK;
118 rc4_off += MD5_CBLOCK;
121 && (blocks = (len - rc4_off) / MD5_CBLOCK)
122 && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
123 RC4(ks, rc4_off, in, out);
124 MD5_Update(&ctx->md, out, md5_off);
126 rc4_md5_enc(ks, in + rc4_off, out + rc4_off,
127 &ctx->md, out + md5_off, blocks);
128 blocks *= MD5_CBLOCK;
131 l = (ctx->md.Nl + (blocks << 3)) & 0xffffffffU;
135 ctx->md.Nh += blocks >> 29;
141 /* decrypt HMAC at once */
142 RC4(ks, len - rc4_off, in + rc4_off, out + rc4_off);
143 if (plen != NO_PAYLOAD_LENGTH) {
144 /* "TLS" mode of operation */
145 MD5_Update(&ctx->md, out + md5_off, plen - md5_off);
147 /* calculate HMAC and verify it */
148 MD5_Final(mac, &ctx->md);
150 MD5_Update(&ctx->md, mac, MD5_DIGEST_LENGTH);
151 MD5_Final(mac, &ctx->md);
153 if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
156 MD5_Update(&ctx->md, out + md5_off, len - md5_off);
160 ctx->payload_length = NO_PAYLOAD_LENGTH;
165 static int cipher_hw_rc4_hmac_md5_tls_init(PROV_CIPHER_CTX *bctx,
166 unsigned char *aad, size_t aad_len)
168 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
171 if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
174 len = aad[aad_len - 2] << 8 | aad[aad_len - 1];
177 if (len < MD5_DIGEST_LENGTH)
179 len -= MD5_DIGEST_LENGTH;
180 aad[aad_len - 2] = len >> 8;
181 aad[aad_len - 1] = len;
183 ctx->payload_length = len;
185 MD5_Update(&ctx->md, aad, aad_len);
187 return MD5_DIGEST_LENGTH;
190 static void cipher_hw_rc4_hmac_md5_init_mackey(PROV_CIPHER_CTX *bctx,
191 const unsigned char *key,
194 PROV_RC4_HMAC_MD5_CTX *ctx = (PROV_RC4_HMAC_MD5_CTX *)bctx;
196 unsigned char hmac_key[64];
198 memset(hmac_key, 0, sizeof(hmac_key));
200 if (len > (int)sizeof(hmac_key)) {
201 MD5_Init(&ctx->head);
202 MD5_Update(&ctx->head, key, len);
203 MD5_Final(hmac_key, &ctx->head);
205 memcpy(hmac_key, key, len);
208 for (i = 0; i < sizeof(hmac_key); i++)
209 hmac_key[i] ^= 0x36; /* ipad */
210 MD5_Init(&ctx->head);
211 MD5_Update(&ctx->head, hmac_key, sizeof(hmac_key));
213 for (i = 0; i < sizeof(hmac_key); i++)
214 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
215 MD5_Init(&ctx->tail);
216 MD5_Update(&ctx->tail, hmac_key, sizeof(hmac_key));
218 OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
221 static const PROV_CIPHER_HW_RC4_HMAC_MD5 rc4_hmac_md5_hw = {
223 cipher_hw_rc4_hmac_md5_initkey,
224 cipher_hw_rc4_hmac_md5_cipher
226 cipher_hw_rc4_hmac_md5_tls_init,
227 cipher_hw_rc4_hmac_md5_init_mackey
230 const PROV_CIPHER_HW *ossl_prov_cipher_hw_rc4_hmac_md5(size_t keybits)
232 return (PROV_CIPHER_HW *)&rc4_hmac_md5_hw;