gitweb.dragonflybsd.org Git - dragonfly.git/blame_incremental - crypto/openssl/crypto/evp/e_rc4_hmac

... / ...

Commit	Line	Data
	1	/* ====================================================================
	2	* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	*
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	*
	11	* 2. Redistributions in binary form must reproduce the above copyright
	12	* notice, this list of conditions and the following disclaimer in
	13	* the documentation and/or other materials provided with the
	14	* distribution.
	15	*
	16	* 3. All advertising materials mentioning features or use of this
	17	* software must display the following acknowledgment:
	18	* "This product includes software developed by the OpenSSL Project
	19	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	20	*
	21	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	22	* endorse or promote products derived from this software without
	23	* prior written permission. For written permission, please contact
	24	* licensing@OpenSSL.org.
	25	*
	26	* 5. Products derived from this software may not be called "OpenSSL"
	27	* nor may "OpenSSL" appear in their names without prior written
	28	* permission of the OpenSSL Project.
	29	*
	30	* 6. Redistributions of any form whatsoever must retain the following
	31	* acknowledgment:
	32	* "This product includes software developed by the OpenSSL Project
	33	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	34	*
	35	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	36	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	37	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	38	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	39	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	40	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	41	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	42	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	43	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	44	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	45	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	46	* OF THE POSSIBILITY OF SUCH DAMAGE.
	47	* ====================================================================
	48	*/
	49
	50	#include <openssl/opensslconf.h>
	51
	52	#include <stdio.h>
	53	#include <string.h>
	54
	55	#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5)
	56
	57	#include <openssl/evp.h>
	58	#include <openssl/objects.h>
	59	#include <openssl/rc4.h>
	60	#include <openssl/md5.h>
	61
	62	#ifndef EVP_CIPH_FLAG_AEAD_CIPHER
	63	#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
	64	#define EVP_CTRL_AEAD_TLS1_AAD 0x16
	65	#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
	66	#endif
	67
	68	/* FIXME: surely this is available elsewhere? */
	69	#define EVP_RC4_KEY_SIZE 16
	70
	71	typedef struct
	72	{
	73	RC4_KEY ks;
	74	MD5_CTX head,tail,md;
	75	size_t payload_length;
	76	} EVP_RC4_HMAC_MD5;
	77
	78	void rc4_md5_enc (RC4_KEY key, const void in0, void *out,
	79	MD5_CTX ctx,const void inp,size_t blocks);
	80
	81	#define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data)
	82
	83	static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
	84	const unsigned char *inkey,
	85	const unsigned char *iv, int enc)
	86	{
	87	EVP_RC4_HMAC_MD5 *key = data(ctx);
	88
	89	RC4_set_key(&key->ks,EVP_CIPHER_CTX_key_length(ctx),
	90	inkey);
	91
	92	MD5_Init(&key->head); /* handy when benchmarking */
	93	key->tail = key->head;
	94	key->md = key->head;
	95
	96	key->payload_length = 0;
	97
	98	return 1;
	99	}
	100
	101	#if !defined(OPENSSL_NO_ASM) && ( \
	102	defined(__x86_64) \|\| defined(__x86_64__) \|\| \
	103	defined(_M_AMD64) \|\| defined(_M_X64) \|\| \
	104	defined(__INTEL__) ) && \
	105	!(defined(__APPLE__) && defined(__MACH__))
	106	#define STITCHED_CALL
	107	#endif
	108
	109	#if !defined(STITCHED_CALL)
	110	#define rc4_off 0
	111	#define md5_off 0
	112	#endif
	113
	114	static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	115	const unsigned char *in, size_t len)
	116	{
	117	EVP_RC4_HMAC_MD5 *key = data(ctx);
	118	#if defined(STITCHED_CALL)
	119	size_t rc4_off = 32-1-(key->ks.x&(32-1)), /* 32 is $MOD from rc4_md5-x86_64.pl */
	120	md5_off = MD5_CBLOCK-key->md.num,
	121	blocks;
	122	unsigned int l;
	123	#endif
	124	size_t plen = key->payload_length;
	125
	126	if (plen && len!=(plen+MD5_DIGEST_LENGTH)) return 0;
	127
	128	if (ctx->encrypt) {
	129	if (plen==0) plen = len;
	130	#if defined(STITCHED_CALL)
	131	/* cipher has to "fall behind" */
	132	if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
	133
	134	if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
	135	MD5_Update(&key->md,in,md5_off);
	136	RC4(&key->ks,rc4_off,in,out);
	137
	138	rc4_md5_enc(&key->ks,in+rc4_off,out+rc4_off,
	139	&key->md,in+md5_off,blocks);
	140	blocks *= MD5_CBLOCK;
	141	rc4_off += blocks;
	142	md5_off += blocks;
	143	key->md.Nh += blocks>>29;
	144	key->md.Nl += blocks<<=3;
	145	if (key->md.Nl<(unsigned int)blocks) key->md.Nh++;
	146	} else {
	147	rc4_off = 0;
	148	md5_off = 0;
	149	}
	150	#endif
	151	MD5_Update(&key->md,in+md5_off,plen-md5_off);
	152
	153	if (plen!=len) { /* "TLS" mode of operation */
	154	if (in!=out)
	155	memcpy(out+rc4_off,in+rc4_off,plen-rc4_off);
	156
	157	/* calculate HMAC and append it to payload */
	158	MD5_Final(out+plen,&key->md);
	159	key->md = key->tail;
	160	MD5_Update(&key->md,out+plen,MD5_DIGEST_LENGTH);
	161	MD5_Final(out+plen,&key->md);
	162	/* encrypt HMAC at once */
	163	RC4(&key->ks,len-rc4_off,out+rc4_off,out+rc4_off);
	164	} else {
	165	RC4(&key->ks,len-rc4_off,in+rc4_off,out+rc4_off);
	166	}
	167	} else {
	168	unsigned char mac[MD5_DIGEST_LENGTH];
	169	#if defined(STITCHED_CALL)
	170	/* digest has to "fall behind" */
	171	if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
	172	else rc4_off += MD5_CBLOCK;
	173
	174	if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
	175	RC4(&key->ks,rc4_off,in,out);
	176	MD5_Update(&key->md,out,md5_off);
	177
	178	rc4_md5_enc(&key->ks,in+rc4_off,out+rc4_off,
	179	&key->md,out+md5_off,blocks);
	180	blocks *= MD5_CBLOCK;
	181	rc4_off += blocks;
	182	md5_off += blocks;
	183	l = (key->md.Nl+(blocks<<3))&0xffffffffU;
	184	if (l<key->md.Nl) key->md.Nh++;
	185	key->md.Nl = l;
	186	key->md.Nh += blocks>>29;
	187	} else {
	188	md5_off=0;
	189	rc4_off=0;
	190	}
	191	#endif
	192	/* decrypt HMAC at once */
	193	RC4(&key->ks,len-rc4_off,in+rc4_off,out+rc4_off);
	194	if (plen) { /* "TLS" mode of operation */
	195	MD5_Update(&key->md,out+md5_off,plen-md5_off);
	196
	197	/* calculate HMAC and verify it */
	198	MD5_Final(mac,&key->md);
	199	key->md = key->tail;
	200	MD5_Update(&key->md,mac,MD5_DIGEST_LENGTH);
	201	MD5_Final(mac,&key->md);
	202
	203	if (memcmp(out+plen,mac,MD5_DIGEST_LENGTH))
	204	return 0;
	205	} else {
	206	MD5_Update(&key->md,out+md5_off,len-md5_off);
	207	}
	208	}
	209
	210	key->payload_length = 0;
	211
	212	return 1;
	213	}
	214
	215	static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX ctx, int type, int arg, void ptr)
	216	{
	217	EVP_RC4_HMAC_MD5 *key = data(ctx);
	218
	219	switch (type)
	220	{
	221	case EVP_CTRL_AEAD_SET_MAC_KEY:
	222	{
	223	unsigned int i;
	224	unsigned char hmac_key[64];
	225
	226	memset (hmac_key,0,sizeof(hmac_key));
	227
	228	if (arg > (int)sizeof(hmac_key)) {
	229	MD5_Init(&key->head);
	230	MD5_Update(&key->head,ptr,arg);
	231	MD5_Final(hmac_key,&key->head);
	232	} else {
	233	memcpy(hmac_key,ptr,arg);
	234	}
	235
	236	for (i=0;i<sizeof(hmac_key);i++)
	237	hmac_key[i] ^= 0x36; /* ipad */
	238	MD5_Init(&key->head);
	239	MD5_Update(&key->head,hmac_key,sizeof(hmac_key));
	240
	241	for (i=0;i<sizeof(hmac_key);i++)
	242	hmac_key[i] ^= 0x36^0x5c; /* opad */
	243	MD5_Init(&key->tail);
	244	MD5_Update(&key->tail,hmac_key,sizeof(hmac_key));
	245
	246	return 1;
	247	}
	248	case EVP_CTRL_AEAD_TLS1_AAD:
	249	{
	250	unsigned char *p=ptr;
	251	unsigned int len=p[arg-2]<<8\|p[arg-1];
	252
	253	if (!ctx->encrypt)
	254	{
	255	len -= MD5_DIGEST_LENGTH;
	256	p[arg-2] = len>>8;
	257	p[arg-1] = len;
	258	}
	259	key->payload_length=len;
	260	key->md = key->head;
	261	MD5_Update(&key->md,p,arg);
	262
	263	return MD5_DIGEST_LENGTH;
	264	}
	265	default:
	266	return -1;
	267	}
	268	}
	269
	270	static EVP_CIPHER r4_hmac_md5_cipher=
	271	{
	272	#ifdef NID_rc4_hmac_md5
	273	NID_rc4_hmac_md5,
	274	#else
	275	NID_undef,
	276	#endif
	277	1,EVP_RC4_KEY_SIZE,0,
	278	EVP_CIPH_STREAM_CIPHER\|EVP_CIPH_VARIABLE_LENGTH\|EVP_CIPH_FLAG_AEAD_CIPHER,
	279	rc4_hmac_md5_init_key,
	280	rc4_hmac_md5_cipher,
	281	NULL,
	282	sizeof(EVP_RC4_HMAC_MD5),
	283	NULL,
	284	NULL,
	285	rc4_hmac_md5_ctrl,
	286	NULL
	287	};
	288
	289	const EVP_CIPHER *EVP_rc4_hmac_md5(void)
	290	{
	291	return(&r4_hmac_md5_cipher);
	292	}
	293	#endif