/src/boringssl/crypto/cipher_extra/e_rc2.c

Source (jump to first uncovered line)
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.] */

#include <openssl/cipher.h>
#include <openssl/nid.h>

#include "../fipsmodule/cipher/internal.h"
#include "../internal.h"


#define c2l(c, l)                         \
  do {                                    \
    (l) = ((uint32_t)(*((c)++)));         \
    (l) |= ((uint32_t)(*((c)++))) << 8L;  \
    (l) |= ((uint32_t)(*((c)++))) << 16L; \
    (l) |= ((uint32_t)(*((c)++))) << 24L; \
  } while (0)

#define c2ln(c, l1, l2, n)                     \
  do {                                         \
    (c) += (n);                                \
    (l1) = (l2) = 0;                           \
    switch (n) {                               \
      case 8:                                  \
        (l2) = ((uint32_t)(*(--(c)))) << 24L;  \
        OPENSSL_FALLTHROUGH;                   \
      case 7:                                  \
        (l2) |= ((uint32_t)(*(--(c)))) << 16L; \
        OPENSSL_FALLTHROUGH;                   \
      case 6:                                  \
        (l2) |= ((uint32_t)(*(--(c)))) << 8L;  \
        OPENSSL_FALLTHROUGH;                   \
      case 5:                                  \
        (l2) |= ((uint32_t)(*(--(c))));        \
        OPENSSL_FALLTHROUGH;                   \
      case 4:                                  \
        (l1) = ((uint32_t)(*(--(c)))) << 24L;  \
        OPENSSL_FALLTHROUGH;                   \
      case 3:                                  \
        (l1) |= ((uint32_t)(*(--(c)))) << 16L; \
        OPENSSL_FALLTHROUGH;                   \
      case 2:                                  \
        (l1) |= ((uint32_t)(*(--(c)))) << 8L;  \
        OPENSSL_FALLTHROUGH;                   \
      case 1:                                  \
        (l1) |= ((uint32_t)(*(--(c))));        \
    }                                          \
  } while (0)

#define l2c(l, c)                              \
  do {                                         \
    *((c)++) = (uint8_t)(((l)) & 0xff);        \
    *((c)++) = (uint8_t)(((l) >> 8L) & 0xff);  \
    *((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \
    *((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \
  } while (0)

#define l2cn(l1, l2, c, n)                          \
  do {                                              \
    (c) += (n);                                     \
    switch (n) {                                    \
      case 8:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
        OPENSSL_FALLTHROUGH;                        \
      case 7:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
        OPENSSL_FALLTHROUGH;                        \
      case 6:                                       \
        *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff);  \
        OPENSSL_FALLTHROUGH;                        \
      case 5:                                       \
        *(--(c)) = (uint8_t)(((l2)) & 0xff);        \
        OPENSSL_FALLTHROUGH;                        \
      case 4:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
        OPENSSL_FALLTHROUGH;                        \
      case 3:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
        OPENSSL_FALLTHROUGH;                        \
      case 2:                                       \
        *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff);  \
        OPENSSL_FALLTHROUGH;                        \
      case 1:                                       \
        *(--(c)) = (uint8_t)(((l1)) & 0xff);        \
    }                                               \
  } while (0)

typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;

static void RC2_encrypt(uint32_t *d, RC2_KEY *key) {
  int i, n;
  uint16_t *p0, *p1;
  uint16_t x0, x1, x2, x3, t;
  uint32_t l;

  l = d[0];
  x0 = (uint16_t)l & 0xffff;
  x1 = (uint16_t)(l >> 16L);
  l = d[1];
  x2 = (uint16_t)l & 0xffff;
  x3 = (uint16_t)(l >> 16L);

  n = 3;
  i = 5;

  p0 = p1 = &key->data[0];
  for (;;) {
    t = (x0 + (x1 & ~x3) + (x2 & x3) + *(p0++)) & 0xffff;
    x0 = (t << 1) | (t >> 15);
    t = (x1 + (x2 & ~x0) + (x3 & x0) + *(p0++)) & 0xffff;
    x1 = (t << 2) | (t >> 14);
    t = (x2 + (x3 & ~x1) + (x0 & x1) + *(p0++)) & 0xffff;
    x2 = (t << 3) | (t >> 13);
    t = (x3 + (x0 & ~x2) + (x1 & x2) + *(p0++)) & 0xffff;
    x3 = (t << 5) | (t >> 11);

    if (--i == 0) {
      if (--n == 0) {
        break;
      }
      i = (n == 2) ? 6 : 5;

      x0 += p1[x3 & 0x3f];
      x1 += p1[x0 & 0x3f];
      x2 += p1[x1 & 0x3f];
      x3 += p1[x2 & 0x3f];
    }
  }

  d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
  d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
}

static void RC2_decrypt(uint32_t *d, RC2_KEY *key) {
  int i, n;
  uint16_t *p0, *p1;
  uint16_t x0, x1, x2, x3, t;
  uint32_t l;

  l = d[0];
  x0 = (uint16_t)l & 0xffff;
  x1 = (uint16_t)(l >> 16L);
  l = d[1];
  x2 = (uint16_t)l & 0xffff;
  x3 = (uint16_t)(l >> 16L);

  n = 3;
  i = 5;

  p0 = &key->data[63];
  p1 = &key->data[0];
  for (;;) {
    t = ((x3 << 11) | (x3 >> 5)) & 0xffff;
    x3 = (t - (x0 & ~x2) - (x1 & x2) - *(p0--)) & 0xffff;
    t = ((x2 << 13) | (x2 >> 3)) & 0xffff;
    x2 = (t - (x3 & ~x1) - (x0 & x1) - *(p0--)) & 0xffff;
    t = ((x1 << 14) | (x1 >> 2)) & 0xffff;
    x1 = (t - (x2 & ~x0) - (x3 & x0) - *(p0--)) & 0xffff;
    t = ((x0 << 15) | (x0 >> 1)) & 0xffff;
    x0 = (t - (x1 & ~x3) - (x2 & x3) - *(p0--)) & 0xffff;

    if (--i == 0) {
      if (--n == 0) {
        break;
      }
      i = (n == 2) ? 6 : 5;

      x3 = (x3 - p1[x2 & 0x3f]) & 0xffff;
      x2 = (x2 - p1[x1 & 0x3f]) & 0xffff;
      x1 = (x1 - p1[x0 & 0x3f]) & 0xffff;
      x0 = (x0 - p1[x3 & 0x3f]) & 0xffff;
    }
  }

  d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
  d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
}

static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
                            RC2_KEY *ks, uint8_t *iv, int encrypt) {
  uint32_t tin0, tin1;
  uint32_t tout0, tout1, xor0, xor1;
  long l = length;
  uint32_t tin[2];

  if (encrypt) {
    c2l(iv, tout0);
    c2l(iv, tout1);
    iv -= 8;
    for (l -= 8; l >= 0; l -= 8) {
      c2l(in, tin0);
      c2l(in, tin1);
      tin0 ^= tout0;
      tin1 ^= tout1;
      tin[0] = tin0;
      tin[1] = tin1;
      RC2_encrypt(tin, ks);
      tout0 = tin[0];
      l2c(tout0, out);
      tout1 = tin[1];
      l2c(tout1, out);
    }
    if (l != -8) {
      c2ln(in, tin0, tin1, l + 8);
      tin0 ^= tout0;
      tin1 ^= tout1;
      tin[0] = tin0;
      tin[1] = tin1;
      RC2_encrypt(tin, ks);
      tout0 = tin[0];
      l2c(tout0, out);
      tout1 = tin[1];
      l2c(tout1, out);
    }
    l2c(tout0, iv);
    l2c(tout1, iv);
  } else {
    c2l(iv, xor0);
    c2l(iv, xor1);
    iv -= 8;
    for (l -= 8; l >= 0; l -= 8) {
      c2l(in, tin0);
      tin[0] = tin0;
      c2l(in, tin1);
      tin[1] = tin1;
      RC2_decrypt(tin, ks);
      tout0 = tin[0] ^ xor0;
      tout1 = tin[1] ^ xor1;
      l2c(tout0, out);
      l2c(tout1, out);
      xor0 = tin0;
      xor1 = tin1;
    }
    if (l != -8) {
      c2l(in, tin0);
      tin[0] = tin0;
      c2l(in, tin1);
      tin[1] = tin1;
      RC2_decrypt(tin, ks);
      tout0 = tin[0] ^ xor0;
      tout1 = tin[1] ^ xor1;
      l2cn(tout0, tout1, out, l + 8);
      xor0 = tin0;
      xor1 = tin1;
    }
    l2c(xor0, iv);
    l2c(xor1, iv);
  }
  tin[0] = tin[1] = 0;
}

static const uint8_t key_table[256] = {
    0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79,
    0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
    0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5,
    0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
    0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22,
    0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
    0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f,
    0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
    0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b,
    0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
    0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde,
    0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
    0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e,
    0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
    0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85,
    0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
    0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10,
    0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
    0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b,
    0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
    0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68,
    0xfe, 0x7f, 0xc1, 0xad,
};

static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
  int i, j;
  uint8_t *k;
  uint16_t *ki;
  unsigned int c, d;

  k = (uint8_t *)&key->data[0];
  *k = 0;  // for if there is a zero length key

  if (len > 128) {
    len = 128;
  }
  if (bits <= 0) {
    bits = 1024;
  }
  if (bits > 1024) {
    bits = 1024;
  }

  for (i = 0; i < len; i++) {
    k[i] = data[i];
  }

  // expand table
  d = k[len - 1];
  j = 0;
  for (i = len; i < 128; i++, j++) {
    d = key_table[(k[j] + d) & 0xff];
    k[i] = d;
  }

  // hmm.... key reduction to 'bits' bits

  j = (bits + 7) >> 3;
  i = 128 - j;
  c = (0xff >> (-bits & 0x07));

  d = key_table[k[i] & c];
  k[i] = d;
  while (i--) {
    d = key_table[k[i + j] ^ d];
    k[i] = d;
  }

  // copy from bytes into uint16_t's
  ki = &(key->data[63]);
  for (i = 127; i >= 0; i -= 2) {
    *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
  }
}

typedef struct {
  int key_bits;  // effective key bits
  RC2_KEY ks;    // key schedule
} EVP_RC2_KEY;

static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
                        const uint8_t *iv, int enc) {
  EVP_RC2_KEY *rc2_key = (EVP_RC2_KEY *)ctx->cipher_data;
  RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key,
              rc2_key->key_bits);
  return 1;
}

static int rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
                          size_t inl) {
  EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;
  static const size_t kChunkSize = 0x10000;

  while (inl >= kChunkSize) {
    RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt);
    inl -= kChunkSize;
    in += kChunkSize;
    out += kChunkSize;
  }
  if (inl) {
    RC2_cbc_encrypt(in, out, inl, &key->ks, ctx->iv, ctx->encrypt);
  }
  return 1;
}

static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
  EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;

  switch (type) {
    case EVP_CTRL_INIT:
      key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
      return 1;
    case EVP_CTRL_SET_RC2_KEY_BITS:
      // Should be overridden by later call to |EVP_CTRL_INIT|, but
      // people call it, so it may as well work.
      key->key_bits = arg;
      return 1;

    default:
      return -1;
  }
}

static const EVP_CIPHER rc2_40_cbc = {
    .nid = NID_rc2_40_cbc,
    .block_size = 8,
    .key_len = 5 /* 40 bit */,
    .iv_len = 8,
    .ctx_size = sizeof(EVP_RC2_KEY),
    .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
    .init = rc2_init_key,
    .cipher = rc2_cbc_cipher,
    .ctrl = rc2_ctrl,
};

const EVP_CIPHER *EVP_rc2_40_cbc(void) { return &rc2_40_cbc; }

static const EVP_CIPHER rc2_cbc = {
    .nid = NID_rc2_cbc,
    .block_size = 8,
    .key_len = 16 /* 128 bit */,
    .iv_len = 8,
    .ctx_size = sizeof(EVP_RC2_KEY),
    .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
    .init = rc2_init_key,
    .cipher = rc2_cbc_cipher,
    .ctrl = rc2_ctrl,
};

const EVP_CIPHER *EVP_rc2_cbc(void) { return &rc2_cbc; }

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2		* All rights reserved.
3		*
4		* This package is an SSL implementation written
5		* by Eric Young (eay@cryptsoft.com).
6		* The implementation was written so as to conform with Netscapes SSL.
7		*
8		* This library is free for commercial and non-commercial use as long as
9		* the following conditions are aheared to. The following conditions
10		* apply to all code found in this distribution, be it the RC4, RSA,
11		* lhash, DES, etc., code; not just the SSL code. The SSL documentation
12		* included with this distribution is covered by the same copyright terms
13		* except that the holder is Tim Hudson (tjh@cryptsoft.com).
14		*
15		* Copyright remains Eric Young's, and as such any Copyright notices in
16		* the code are not to be removed.
17		* If this package is used in a product, Eric Young should be given attribution
18		* as the author of the parts of the library used.
19		* This can be in the form of a textual message at program startup or
20		* in documentation (online or textual) provided with the package.
21		*
22		* Redistribution and use in source and binary forms, with or without
23		* modification, are permitted provided that the following conditions
24		* are met:
25		* 1. Redistributions of source code must retain the copyright
26		* notice, this list of conditions and the following disclaimer.
27		* 2. Redistributions in binary form must reproduce the above copyright
28		* notice, this list of conditions and the following disclaimer in the
29		* documentation and/or other materials provided with the distribution.
30		* 3. All advertising materials mentioning features or use of this software
31		* must display the following acknowledgement:
32		* "This product includes cryptographic software written by
33		* Eric Young (eay@cryptsoft.com)"
34		* The word 'cryptographic' can be left out if the rouines from the library
35		* being used are not cryptographic related :-).
36		* 4. If you include any Windows specific code (or a derivative thereof) from
37		* the apps directory (application code) you must include an acknowledgement:
38		* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39		*
40		* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43		* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50		* SUCH DAMAGE.
51		*
52		* The licence and distribution terms for any publically available version or
53		* derivative of this code cannot be changed. i.e. this code cannot simply be
54		* copied and put under another distribution licence
55		* [including the GNU Public Licence.] */
56
57		#include <openssl/cipher.h>
58		#include <openssl/nid.h>
59
60		#include "../fipsmodule/cipher/internal.h"
61		#include "../internal.h"
62
63
64		#define c2l(c, l) \
65	2.78k	do { \
66	2.78k	(l) = ((uint32_t)(*((c)++))); \
67	2.78k	(l) \|= ((uint32_t)(*((c)++))) << 8L; \
68	2.78k	(l) \|= ((uint32_t)(*((c)++))) << 16L; \
69	2.78k	(l) \|= ((uint32_t)(*((c)++))) << 24L; \
70	2.78k	} while (0)
71
72		#define c2ln(c, l1, l2, n) \
73	0	do { \
74	0	(c) += (n); \
75	0	(l1) = (l2) = 0; \
76	0	switch (n) { \
77	0	case 8: \
78	0	(l2) = ((uint32_t)(*(--(c)))) << 24L; \
79	0	OPENSSL_FALLTHROUGH; \
80	0	case 7: \
81	0	(l2) \|= ((uint32_t)(*(--(c)))) << 16L; \
82	0	OPENSSL_FALLTHROUGH; \
83	0	case 6: \
84	0	(l2) \|= ((uint32_t)(*(--(c)))) << 8L; \
85	0	OPENSSL_FALLTHROUGH; \
86	0	case 5: \
87	0	(l2) \|= ((uint32_t)(*(--(c)))); \
88	0	OPENSSL_FALLTHROUGH; \
89	0	case 4: \
90	0	(l1) = ((uint32_t)(*(--(c)))) << 24L; \
91	0	OPENSSL_FALLTHROUGH; \
92	0	case 3: \
93	0	(l1) \|= ((uint32_t)(*(--(c)))) << 16L; \
94	0	OPENSSL_FALLTHROUGH; \
95	0	case 2: \
96	0	(l1) \|= ((uint32_t)(*(--(c)))) << 8L; \
97	0	OPENSSL_FALLTHROUGH; \
98	0	case 1: \
99	0	(l1) \|= ((uint32_t)(*(--(c)))); \
100	0	} \
101	0	} while (0)
102
103		#define l2c(l, c) \
104	2.78k	do { \
105	2.78k	*((c)++) = (uint8_t)(((l)) & 0xff); \
106	2.78k	*((c)++) = (uint8_t)(((l) >> 8L) & 0xff); \
107	2.78k	*((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \
108	2.78k	*((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \
109	2.78k	} while (0)
110
111		#define l2cn(l1, l2, c, n) \
112	0	do { \
113	0	(c) += (n); \
114	0	switch (n) { \
115	0	case 8: \
116	0	*(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
117	0	OPENSSL_FALLTHROUGH; \
118	0	case 7: \
119	0	*(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
120	0	OPENSSL_FALLTHROUGH; \
121	0	case 6: \
122	0	*(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff); \
123	0	OPENSSL_FALLTHROUGH; \
124	0	case 5: \
125	0	*(--(c)) = (uint8_t)(((l2)) & 0xff); \
126	0	OPENSSL_FALLTHROUGH; \
127	0	case 4: \
128	0	*(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
129	0	OPENSSL_FALLTHROUGH; \
130	0	case 3: \
131	0	*(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
132	0	OPENSSL_FALLTHROUGH; \
133	0	case 2: \
134	0	*(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff); \
135	0	OPENSSL_FALLTHROUGH; \
136	0	case 1: \
137	0	*(--(c)) = (uint8_t)(((l1)) & 0xff); \
138	0	} \
139	0	} while (0)
140
141		typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;
142
143	117	static void RC2_encrypt(uint32_t d, RC2_KEY key) {
144	117	int i, n;
145	117	uint16_t p0, p1;
146	117	uint16_t x0, x1, x2, x3, t;
147	117	uint32_t l;
148
149	117	l = d[0];
150	117	x0 = (uint16_t)l & 0xffff;
151	117	x1 = (uint16_t)(l >> 16L);
152	117	l = d[1];
153	117	x2 = (uint16_t)l & 0xffff;
154	117	x3 = (uint16_t)(l >> 16L);
155
156	117	n = 3;
157	117	i = 5;
158
159	117	p0 = p1 = &key->data[0];
160	1.87k	for (;;) {
161	1.87k	t = (x0 + (x1 & ~x3) + (x2 & x3) + *(p0++)) & 0xffff;
162	1.87k	x0 = (t << 1) \| (t >> 15);
163	1.87k	t = (x1 + (x2 & ~x0) + (x3 & x0) + *(p0++)) & 0xffff;
164	1.87k	x1 = (t << 2) \| (t >> 14);
165	1.87k	t = (x2 + (x3 & ~x1) + (x0 & x1) + *(p0++)) & 0xffff;
166	1.87k	x2 = (t << 3) \| (t >> 13);
167	1.87k	t = (x3 + (x0 & ~x2) + (x1 & x2) + *(p0++)) & 0xffff;
168	1.87k	x3 = (t << 5) \| (t >> 11);
169
170	1.87k	if (--i == 0) {
171	351	if (--n == 0) {
172	117	break;
173	117	}
174	234	i = (n == 2) ? 6 : 5;
175
176	234	x0 += p1[x3 & 0x3f];
177	234	x1 += p1[x0 & 0x3f];
178	234	x2 += p1[x1 & 0x3f];
179	234	x3 += p1[x2 & 0x3f];
180	234	}
181	1.87k	}
182
183	117	d[0] = (uint32_t)(x0 & 0xffff) \| ((uint32_t)(x1 & 0xffff) << 16L);
184	117	d[1] = (uint32_t)(x2 & 0xffff) \| ((uint32_t)(x3 & 0xffff) << 16L);
185	117	}
186
187	1.01k	static void RC2_decrypt(uint32_t d, RC2_KEY key) {
188	1.01k	int i, n;
189	1.01k	uint16_t p0, p1;
190	1.01k	uint16_t x0, x1, x2, x3, t;
191	1.01k	uint32_t l;
192
193	1.01k	l = d[0];
194	1.01k	x0 = (uint16_t)l & 0xffff;
195	1.01k	x1 = (uint16_t)(l >> 16L);
196	1.01k	l = d[1];
197	1.01k	x2 = (uint16_t)l & 0xffff;
198	1.01k	x3 = (uint16_t)(l >> 16L);
199
200	1.01k	n = 3;
201	1.01k	i = 5;
202
203	1.01k	p0 = &key->data[63];
204	1.01k	p1 = &key->data[0];
205	16.2k	for (;;) {
206	16.2k	t = ((x3 << 11) \| (x3 >> 5)) & 0xffff;
207	16.2k	x3 = (t - (x0 & ~x2) - (x1 & x2) - *(p0--)) & 0xffff;
208	16.2k	t = ((x2 << 13) \| (x2 >> 3)) & 0xffff;
209	16.2k	x2 = (t - (x3 & ~x1) - (x0 & x1) - *(p0--)) & 0xffff;
210	16.2k	t = ((x1 << 14) \| (x1 >> 2)) & 0xffff;
211	16.2k	x1 = (t - (x2 & ~x0) - (x3 & x0) - *(p0--)) & 0xffff;
212	16.2k	t = ((x0 << 15) \| (x0 >> 1)) & 0xffff;
213	16.2k	x0 = (t - (x1 & ~x3) - (x2 & x3) - *(p0--)) & 0xffff;
214
215	16.2k	if (--i == 0) {
216	3.05k	if (--n == 0) {
217	1.01k	break;
218	1.01k	}
219	2.03k	i = (n == 2) ? 6 : 5;
220
221	2.03k	x3 = (x3 - p1[x2 & 0x3f]) & 0xffff;
222	2.03k	x2 = (x2 - p1[x1 & 0x3f]) & 0xffff;
223	2.03k	x1 = (x1 - p1[x0 & 0x3f]) & 0xffff;
224	2.03k	x0 = (x0 - p1[x3 & 0x3f]) & 0xffff;
225	2.03k	}
226	16.2k	}
227
228	1.01k	d[0] = (uint32_t)(x0 & 0xffff) \| ((uint32_t)(x1 & 0xffff) << 16L);
229	1.01k	d[1] = (uint32_t)(x2 & 0xffff) \| ((uint32_t)(x3 & 0xffff) << 16L);
230	1.01k	}
231
232		static void RC2_cbc_encrypt(const uint8_t in, uint8_t out, size_t length,
233	258	RC2_KEY ks, uint8_t iv, int encrypt) {
234	258	uint32_t tin0, tin1;
235	258	uint32_t tout0, tout1, xor0, xor1;
236	258	long l = length;
237	258	uint32_t tin[2];
238
239	258	if (encrypt) {
240	115	c2l(iv, tout0);
241	115	c2l(iv, tout1);
242	115	iv -= 8;
243	232	for (l -= 8; l >= 0; l -= 8) {
244	117	c2l(in, tin0);
245	117	c2l(in, tin1);
246	117	tin0 ^= tout0;
247	117	tin1 ^= tout1;
248	117	tin[0] = tin0;
249	117	tin[1] = tin1;
250	117	RC2_encrypt(tin, ks);
251	117	tout0 = tin[0];
252	117	l2c(tout0, out);
253	117	tout1 = tin[1];
254	117	l2c(tout1, out);
255	117	}
256	115	if (l != -8) {
257	0	c2ln(in, tin0, tin1, l + 8);
258	0	tin0 ^= tout0;
259	0	tin1 ^= tout1;
260	0	tin[0] = tin0;
261	0	tin[1] = tin1;
262	0	RC2_encrypt(tin, ks);
263	0	tout0 = tin[0];
264	0	l2c(tout0, out);
265	0	tout1 = tin[1];
266	0	l2c(tout1, out);
267	0	}
268	115	l2c(tout0, iv);
269	115	l2c(tout1, iv);
270	143	} else {
271	143	c2l(iv, xor0);
272	143	c2l(iv, xor1);
273	143	iv -= 8;
274	1.16k	for (l -= 8; l >= 0; l -= 8) {
275	1.01k	c2l(in, tin0);
276	1.01k	tin[0] = tin0;
277	1.01k	c2l(in, tin1);
278	1.01k	tin[1] = tin1;
279	1.01k	RC2_decrypt(tin, ks);
280	1.01k	tout0 = tin[0] ^ xor0;
281	1.01k	tout1 = tin[1] ^ xor1;
282	1.01k	l2c(tout0, out);
283	1.01k	l2c(tout1, out);
284	1.01k	xor0 = tin0;
285	1.01k	xor1 = tin1;
286	1.01k	}
287	143	if (l != -8) {
288	0	c2l(in, tin0);
289	0	tin[0] = tin0;
290	0	c2l(in, tin1);
291	0	tin[1] = tin1;
292	0	RC2_decrypt(tin, ks);
293	0	tout0 = tin[0] ^ xor0;
294	0	tout1 = tin[1] ^ xor1;
295	0	l2cn(tout0, tout1, out, l + 8);
296	0	xor0 = tin0;
297	0	xor1 = tin1;
298	0	}
299	143	l2c(xor0, iv);
300	143	l2c(xor1, iv);
301	143	}
302	258	tin[0] = tin[1] = 0;
303	258	}
304
305		static const uint8_t key_table[256] = {
306		0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79,
307		0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
308		0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5,
309		0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
310		0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22,
311		0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
312		0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f,
313		0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
314		0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b,
315		0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
316		0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde,
317		0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
318		0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e,
319		0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
320		0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85,
321		0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
322		0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10,
323		0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
324		0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b,
325		0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
326		0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68,
327		0xfe, 0x7f, 0xc1, 0xad,
328		};
329
330	138	static void RC2_set_key(RC2_KEY key, int len, const uint8_t data, int bits) {
331	138	int i, j;
332	138	uint8_t *k;
333	138	uint16_t *ki;
334	138	unsigned int c, d;
335
336	138	k = (uint8_t *)&key->data[0];
337	138	*k = 0; // for if there is a zero length key
338
339	138	if (len > 128) {
340	0	len = 128;
341	0	}
342	138	if (bits <= 0) {
343	0	bits = 1024;
344	0	}
345	138	if (bits > 1024) {
346	0	bits = 1024;
347	0	}
348
349	3.84k	for (i = 0; i < len; i++) {
350	3.70k	k[i] = data[i];
351	3.70k	}
352
353		// expand table
354	138	d = k[len - 1];
355	138	j = 0;
356	14.0k	for (i = len; i < 128; i++, j++) {
357	13.9k	d = key_table[(k[j] + d) & 0xff];
358	13.9k	k[i] = d;
359	13.9k	}
360
361		// hmm.... key reduction to 'bits' bits
362
363	138	j = (bits + 7) >> 3;
364	138	i = 128 - j;
365	138	c = (0xff >> (-bits & 0x07));
366
367	138	d = key_table[k[i] & c];
368	138	k[i] = d;
369	16.4k	while (i--) {
370	16.3k	d = key_table[k[i + j] ^ d];
371	16.3k	k[i] = d;
372	16.3k	}
373
374		// copy from bytes into uint16_t's
375	138	ki = &(key->data[63]);
376	8.97k	for (i = 127; i >= 0; i -= 2) {
377	8.83k	*(ki--) = ((k[i] << 8) \| k[i - 1]) & 0xffff;
378	8.83k	}
379	138	}
380
381		typedef struct {
382		int key_bits; // effective key bits
383		RC2_KEY ks; // key schedule
384		} EVP_RC2_KEY;
385
386		static int rc2_init_key(EVP_CIPHER_CTX ctx, const uint8_t key,
387	138	const uint8_t *iv, int enc) {
388	138	EVP_RC2_KEY rc2_key = (EVP_RC2_KEY )ctx->cipher_data;
389	138	RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key,
390	138	rc2_key->key_bits);
391	138	return 1;
392	138	}
393
394		static int rc2_cbc_cipher(EVP_CIPHER_CTX ctx, uint8_t out, const uint8_t *in,
395	258	size_t inl) {
396	258	EVP_RC2_KEY key = (EVP_RC2_KEY )ctx->cipher_data;
397	258	static const size_t kChunkSize = 0x10000;
398
399	258	while (inl >= kChunkSize) {
400	0	RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt);
401	0	inl -= kChunkSize;
402	0	in += kChunkSize;
403	0	out += kChunkSize;
404	0	}
405	258	if (inl) {
406	258	RC2_cbc_encrypt(in, out, inl, &key->ks, ctx->iv, ctx->encrypt);
407	258	}
408	258	return 1;
409	258	}
410
411	138	static int rc2_ctrl(EVP_CIPHER_CTX ctx, int type, int arg, void ptr) {
412	138	EVP_RC2_KEY key = (EVP_RC2_KEY )ctx->cipher_data;
413
414	138	switch (type) {
415	138	case EVP_CTRL_INIT:
416	138	key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
417	138	return 1;
418	0	case EVP_CTRL_SET_RC2_KEY_BITS:
419		// Should be overridden by later call to \|EVP_CTRL_INIT\|, but
420		// people call it, so it may as well work.
421	0	key->key_bits = arg;
422	0	return 1;
423
424	0	default:
425	0	return -1;
426	138	}
427	138	}
428
429		static const EVP_CIPHER rc2_40_cbc = {
430		.nid = NID_rc2_40_cbc,
431		.block_size = 8,
432		.key_len = 5 /* 40 bit */,
433		.iv_len = 8,
434		.ctx_size = sizeof(EVP_RC2_KEY),
435		.flags = EVP_CIPH_CBC_MODE \| EVP_CIPH_VARIABLE_LENGTH \| EVP_CIPH_CTRL_INIT,
436		.init = rc2_init_key,
437		.cipher = rc2_cbc_cipher,
438		.ctrl = rc2_ctrl,
439		};
440
441	175	const EVP_CIPHER *EVP_rc2_40_cbc(void) { return &rc2_40_cbc; }
442
443		static const EVP_CIPHER rc2_cbc = {
444		.nid = NID_rc2_cbc,
445		.block_size = 8,
446		.key_len = 16 /* 128 bit */,
447		.iv_len = 8,
448		.ctx_size = sizeof(EVP_RC2_KEY),
449		.flags = EVP_CIPH_CBC_MODE \| EVP_CIPH_VARIABLE_LENGTH \| EVP_CIPH_CTRL_INIT,
450		.init = rc2_init_key,
451		.cipher = rc2_cbc_cipher,
452		.ctrl = rc2_ctrl,
453		};
454
455	128	const EVP_CIPHER *EVP_rc2_cbc(void) { return &rc2_cbc; }