1/* 2 * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * MD5 and RC4 low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include "internal/cryptlib.h" 17#include <openssl/opensslconf.h> 18 19#include <stdio.h> 20#include <string.h> 21 22#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5) 23 24# include <openssl/crypto.h> 25# include <openssl/evp.h> 26# include <openssl/objects.h> 27# include <openssl/rc4.h> 28# include <openssl/md5.h> 29# include "crypto/evp.h" 30 31typedef struct { 32 RC4_KEY ks; 33 MD5_CTX head, tail, md; 34 size_t payload_length; 35} EVP_RC4_HMAC_MD5; 36 37# define NO_PAYLOAD_LENGTH ((size_t)-1) 38 39void rc4_md5_enc(RC4_KEY *key, const void *in0, void *out, 40 MD5_CTX *ctx, const void *inp, size_t blocks); 41 42# define data(ctx) ((EVP_RC4_HMAC_MD5 *)EVP_CIPHER_CTX_get_cipher_data(ctx)) 43 44static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx, 45 const unsigned char *inkey, 46 const unsigned char *iv, int enc) 47{ 48 EVP_RC4_HMAC_MD5 *key = data(ctx); 49 const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); 50 51 if (keylen <= 0) 52 return 0; 53 54 RC4_set_key(&key->ks, keylen, inkey); 55 56 MD5_Init(&key->head); /* handy when benchmarking */ 57 key->tail = key->head; 58 key->md = key->head; 59 60 key->payload_length = NO_PAYLOAD_LENGTH; 61 62 return 1; 63} 64 65# if defined(RC4_ASM) && defined(MD5_ASM) && ( \ 66 defined(__x86_64) || defined(__x86_64__) || \ 67 defined(_M_AMD64) || defined(_M_X64) ) 68# define STITCHED_CALL 69# endif 70 71# if !defined(STITCHED_CALL) 72# define rc4_off 0 73# define md5_off 0 74# endif 75 76static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 77 const unsigned char *in, size_t len) 78{ 79 EVP_RC4_HMAC_MD5 *key = data(ctx); 80# if defined(STITCHED_CALL) 81 size_t rc4_off = 32 - 1 - (key->ks.x & (32 - 1)), /* 32 is $MOD from 82 * rc4_md5-x86_64.pl */ 83 md5_off = MD5_CBLOCK - key->md.num, blocks; 84 unsigned int l; 85# endif 86 size_t plen = key->payload_length; 87 88 if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH)) 89 return 0; 90 91 if (EVP_CIPHER_CTX_is_encrypting(ctx)) { 92 if (plen == NO_PAYLOAD_LENGTH) 93 plen = len; 94# if defined(STITCHED_CALL) 95 /* cipher has to "fall behind" */ 96 if (rc4_off > md5_off) 97 md5_off += MD5_CBLOCK; 98 99 if (plen > md5_off && (blocks = (plen - md5_off) / MD5_CBLOCK) && 100 (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) { 101 MD5_Update(&key->md, in, md5_off); 102 RC4(&key->ks, rc4_off, in, out); 103 104 rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off, 105 &key->md, in + md5_off, blocks); 106 blocks *= MD5_CBLOCK; 107 rc4_off += blocks; 108 md5_off += blocks; 109 key->md.Nh += blocks >> 29; 110 key->md.Nl += blocks <<= 3; 111 if (key->md.Nl < (unsigned int)blocks) 112 key->md.Nh++; 113 } else { 114 rc4_off = 0; 115 md5_off = 0; 116 } 117# endif 118 MD5_Update(&key->md, in + md5_off, plen - md5_off); 119 120 if (plen != len) { /* "TLS" mode of operation */ 121 if (in != out) 122 memcpy(out + rc4_off, in + rc4_off, plen - rc4_off); 123 124 /* calculate HMAC and append it to payload */ 125 MD5_Final(out + plen, &key->md); 126 key->md = key->tail; 127 MD5_Update(&key->md, out + plen, MD5_DIGEST_LENGTH); 128 MD5_Final(out + plen, &key->md); 129 /* encrypt HMAC at once */ 130 RC4(&key->ks, len - rc4_off, out + rc4_off, out + rc4_off); 131 } else { 132 RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off); 133 } 134 } else { 135 unsigned char mac[MD5_DIGEST_LENGTH]; 136# if defined(STITCHED_CALL) 137 /* digest has to "fall behind" */ 138 if (md5_off > rc4_off) 139 rc4_off += 2 * MD5_CBLOCK; 140 else 141 rc4_off += MD5_CBLOCK; 142 143 if (len > rc4_off && (blocks = (len - rc4_off) / MD5_CBLOCK) && 144 (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) { 145 RC4(&key->ks, rc4_off, in, out); 146 MD5_Update(&key->md, out, md5_off); 147 148 rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off, 149 &key->md, out + md5_off, blocks); 150 blocks *= MD5_CBLOCK; 151 rc4_off += blocks; 152 md5_off += blocks; 153 l = (key->md.Nl + (blocks << 3)) & 0xffffffffU; 154 if (l < key->md.Nl) 155 key->md.Nh++; 156 key->md.Nl = l; 157 key->md.Nh += blocks >> 29; 158 } else { 159 md5_off = 0; 160 rc4_off = 0; 161 } 162# endif 163 /* decrypt HMAC at once */ 164 RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off); 165 if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ 166 MD5_Update(&key->md, out + md5_off, plen - md5_off); 167 168 /* calculate HMAC and verify it */ 169 MD5_Final(mac, &key->md); 170 key->md = key->tail; 171 MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH); 172 MD5_Final(mac, &key->md); 173 174 if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) 175 return 0; 176 } else { 177 MD5_Update(&key->md, out + md5_off, len - md5_off); 178 } 179 } 180 181 key->payload_length = NO_PAYLOAD_LENGTH; 182 183 return 1; 184} 185 186static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, 187 void *ptr) 188{ 189 EVP_RC4_HMAC_MD5 *key = data(ctx); 190 191 switch (type) { 192 case EVP_CTRL_AEAD_SET_MAC_KEY: 193 { 194 unsigned int i; 195 unsigned char hmac_key[64]; 196 197 memset(hmac_key, 0, sizeof(hmac_key)); 198 199 if (arg > (int)sizeof(hmac_key)) { 200 MD5_Init(&key->head); 201 MD5_Update(&key->head, ptr, arg); 202 MD5_Final(hmac_key, &key->head); 203 } else { 204 memcpy(hmac_key, ptr, arg); 205 } 206 207 for (i = 0; i < sizeof(hmac_key); i++) 208 hmac_key[i] ^= 0x36; /* ipad */ 209 MD5_Init(&key->head); 210 MD5_Update(&key->head, hmac_key, sizeof(hmac_key)); 211 212 for (i = 0; i < sizeof(hmac_key); i++) 213 hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */ 214 MD5_Init(&key->tail); 215 MD5_Update(&key->tail, hmac_key, sizeof(hmac_key)); 216 217 OPENSSL_cleanse(hmac_key, sizeof(hmac_key)); 218 219 return 1; 220 } 221 case EVP_CTRL_AEAD_TLS1_AAD: 222 { 223 unsigned char *p = ptr; 224 unsigned int len; 225 226 if (arg != EVP_AEAD_TLS1_AAD_LEN) 227 return -1; 228 229 len = p[arg - 2] << 8 | p[arg - 1]; 230 231 if (!EVP_CIPHER_CTX_is_encrypting(ctx)) { 232 if (len < MD5_DIGEST_LENGTH) 233 return -1; 234 len -= MD5_DIGEST_LENGTH; 235 p[arg - 2] = len >> 8; 236 p[arg - 1] = len; 237 } 238 key->payload_length = len; 239 key->md = key->head; 240 MD5_Update(&key->md, p, arg); 241 242 return MD5_DIGEST_LENGTH; 243 } 244 default: 245 return -1; 246 } 247} 248 249static EVP_CIPHER r4_hmac_md5_cipher = { 250# ifdef NID_rc4_hmac_md5 251 NID_rc4_hmac_md5, 252# else 253 NID_undef, 254# endif 255 1, EVP_RC4_KEY_SIZE, 0, 256 EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH | 257 EVP_CIPH_FLAG_AEAD_CIPHER, 258 EVP_ORIG_GLOBAL, 259 rc4_hmac_md5_init_key, 260 rc4_hmac_md5_cipher, 261 NULL, 262 sizeof(EVP_RC4_HMAC_MD5), 263 NULL, 264 NULL, 265 rc4_hmac_md5_ctrl, 266 NULL 267}; 268 269const EVP_CIPHER *EVP_rc4_hmac_md5(void) 270{ 271 return &r4_hmac_md5_cipher; 272} 273#endif 274