/src/openssl/crypto/evp/e_rc4_hmac_md5.c

Source
/*
 * Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * MD5 and RC4 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include "internal/cryptlib.h"
#include <openssl/opensslconf.h>

#include <stdio.h>
#include <string.h>

#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5)

#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rc4.h>
#include <openssl/md5.h>
#include "crypto/evp.h"

typedef struct {
    RC4_KEY ks;
    MD5_CTX head, tail, md;
    size_t payload_length;
} EVP_RC4_HMAC_MD5;

#define NO_PAYLOAD_LENGTH ((size_t)-1)

void rc4_md5_enc(RC4_KEY *key, const void *in0, void *out,
    MD5_CTX *ctx, const void *inp, size_t blocks);

#define data(ctx) ((EVP_RC4_HMAC_MD5 *)EVP_CIPHER_CTX_get_cipher_data(ctx))

static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
    const unsigned char *inkey,
    const unsigned char *iv, int enc)
{
    EVP_RC4_HMAC_MD5 *key = data(ctx);
    const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);

    if (keylen <= 0)
        return 0;

    RC4_set_key(&key->ks, keylen, inkey);

    MD5_Init(&key->head); /* handy when benchmarking */
    key->tail = key->head;
    key->md = key->head;

    key->payload_length = NO_PAYLOAD_LENGTH;

    return 1;
}

#if defined(RC4_ASM) && defined(MD5_ASM) && (defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64))
#define STITCHED_CALL
#endif

#if !defined(STITCHED_CALL)
#define rc4_off 0
#define md5_off 0
#endif

static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
{
    EVP_RC4_HMAC_MD5 *key = data(ctx);
#if defined(STITCHED_CALL)
    size_t rc4_off = 32 - 1 - (key->ks.x & (32 - 1)), /* 32 is $MOD from
                                                       * rc4_md5-x86_64.pl */
        md5_off = MD5_CBLOCK - key->md.num, blocks;
    unsigned int l;
#endif
    size_t plen = key->payload_length;

    if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
        return 0;

    if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
        if (plen == NO_PAYLOAD_LENGTH)
            plen = len;
#if defined(STITCHED_CALL)
        /* cipher has to "fall behind" */
        if (rc4_off > md5_off)
            md5_off += MD5_CBLOCK;

        if (plen > md5_off && (blocks = (plen - md5_off) / MD5_CBLOCK) && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
            MD5_Update(&key->md, in, md5_off);
            RC4(&key->ks, rc4_off, in, out);

            rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off,
                &key->md, in + md5_off, blocks);
            blocks *= MD5_CBLOCK;
            rc4_off += blocks;
            md5_off += blocks;
            key->md.Nh += (unsigned int)(blocks >> 29);
            key->md.Nl += (unsigned int)(blocks <<= 3);
            if (key->md.Nl < (unsigned int)blocks)
                key->md.Nh++;
        } else {
            rc4_off = 0;
            md5_off = 0;
        }
#endif
        MD5_Update(&key->md, in + md5_off, plen - md5_off);

        if (plen != len) { /* "TLS" mode of operation */
            if (in != out)
                memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);

            /* calculate HMAC and append it to payload */
            MD5_Final(out + plen, &key->md);
            key->md = key->tail;
            MD5_Update(&key->md, out + plen, MD5_DIGEST_LENGTH);
            MD5_Final(out + plen, &key->md);
            /* encrypt HMAC at once */
            RC4(&key->ks, len - rc4_off, out + rc4_off, out + rc4_off);
        } else {
            RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off);
        }
    } else {
        unsigned char mac[MD5_DIGEST_LENGTH];
#if defined(STITCHED_CALL)
        /* digest has to "fall behind" */
        if (md5_off > rc4_off)
            rc4_off += 2 * MD5_CBLOCK;
        else
            rc4_off += MD5_CBLOCK;

        if (len > rc4_off && (blocks = (len - rc4_off) / MD5_CBLOCK) && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
            RC4(&key->ks, rc4_off, in, out);
            MD5_Update(&key->md, out, md5_off);

            rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off,
                &key->md, out + md5_off, blocks);
            blocks *= MD5_CBLOCK;
            rc4_off += blocks;
            md5_off += blocks;
            l = (key->md.Nl + (blocks << 3)) & 0xffffffffU;
            if (l < key->md.Nl)
                key->md.Nh++;
            key->md.Nl = l;
            key->md.Nh += (unsigned int)(blocks >> 29);
        } else {
            md5_off = 0;
            rc4_off = 0;
        }
#endif
        /* decrypt HMAC at once */
        RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off);
        if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
            MD5_Update(&key->md, out + md5_off, plen - md5_off);

            /* calculate HMAC and verify it */
            MD5_Final(mac, &key->md);
            key->md = key->tail;
            MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH);
            MD5_Final(mac, &key->md);

            if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
                return 0;
        } else {
            MD5_Update(&key->md, out + md5_off, len - md5_off);
        }
    }

    key->payload_length = NO_PAYLOAD_LENGTH;

    return 1;
}

static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
    void *ptr)
{
    EVP_RC4_HMAC_MD5 *key = data(ctx);

    switch (type) {
    case EVP_CTRL_AEAD_SET_MAC_KEY: {
        unsigned int i;
        unsigned char hmac_key[64];

        memset(hmac_key, 0, sizeof(hmac_key));

        if (arg > (int)sizeof(hmac_key)) {
            MD5_Init(&key->head);
            MD5_Update(&key->head, ptr, arg);
            MD5_Final(hmac_key, &key->head);
        } else {
            memcpy(hmac_key, ptr, arg);
        }

        for (i = 0; i < sizeof(hmac_key); i++)
            hmac_key[i] ^= 0x36; /* ipad */
        MD5_Init(&key->head);
        MD5_Update(&key->head, hmac_key, sizeof(hmac_key));

        for (i = 0; i < sizeof(hmac_key); i++)
            hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
        MD5_Init(&key->tail);
        MD5_Update(&key->tail, hmac_key, sizeof(hmac_key));

        OPENSSL_cleanse(hmac_key, sizeof(hmac_key));

        return 1;
    }
    case EVP_CTRL_AEAD_TLS1_AAD: {
        unsigned char *p = ptr;
        unsigned int len;

        if (arg != EVP_AEAD_TLS1_AAD_LEN)
            return -1;

        len = p[arg - 2] << 8 | p[arg - 1];

        if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
            if (len < MD5_DIGEST_LENGTH)
                return -1;
            len -= MD5_DIGEST_LENGTH;
            p[arg - 2] = len >> 8;
            p[arg - 1] = len;
        }
        key->payload_length = len;
        key->md = key->head;
        MD5_Update(&key->md, p, arg);

        return MD5_DIGEST_LENGTH;
    }
    default:
        return -1;
    }
}

static const EVP_CIPHER r4_hmac_md5_cipher = {
#ifdef NID_rc4_hmac_md5
    NID_rc4_hmac_md5,
#else
    NID_undef,
#endif
    1, EVP_RC4_KEY_SIZE, 0,
    EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_FLAG_AEAD_CIPHER,
    EVP_ORIG_GLOBAL,
    rc4_hmac_md5_init_key,
    rc4_hmac_md5_cipher,
    NULL,
    sizeof(EVP_RC4_HMAC_MD5),
    NULL,
    NULL,
    rc4_hmac_md5_ctrl,
    NULL
};

const EVP_CIPHER *EVP_rc4_hmac_md5(void)
{
    return &r4_hmac_md5_cipher;
}
#endif

Coverage Report

Created: 2025-12-10 06:24

Line	Count	Source
1		/*
2		* Copyright 2011-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* MD5 and RC4 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include "internal/cryptlib.h"
17		#include <openssl/opensslconf.h>
18
19		#include <stdio.h>
20		#include <string.h>
21
22		#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5)
23
24		#include <openssl/crypto.h>
25		#include <openssl/evp.h>
26		#include <openssl/objects.h>
27		#include <openssl/rc4.h>
28		#include <openssl/md5.h>
29		#include "crypto/evp.h"
30
31		typedef struct {
32		RC4_KEY ks;
33		MD5_CTX head, tail, md;
34		size_t payload_length;
35		} EVP_RC4_HMAC_MD5;
36
37	0	#define NO_PAYLOAD_LENGTH ((size_t)-1)
38
39		void rc4_md5_enc(RC4_KEY key, const void in0, void *out,
40		MD5_CTX ctx, const void inp, size_t blocks);
41
42	0	#define data(ctx) ((EVP_RC4_HMAC_MD5 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
43
44		static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
45		const unsigned char *inkey,
46		const unsigned char *iv, int enc)
47	0	{
48	0	EVP_RC4_HMAC_MD5 *key = data(ctx);
49	0	const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
50
51	0	if (keylen <= 0)
52	0	return 0;
53
54	0	RC4_set_key(&key->ks, keylen, inkey);
55
56	0	MD5_Init(&key->head); /* handy when benchmarking */
57	0	key->tail = key->head;
58	0	key->md = key->head;
59
60	0	key->payload_length = NO_PAYLOAD_LENGTH;
61
62	0	return 1;
63	0	}
64
65		#if defined(RC4_ASM) && defined(MD5_ASM) && (defined(__x86_64) \|\| defined(__x86_64__) \|\| defined(_M_AMD64) \|\| defined(_M_X64))
66		#define STITCHED_CALL
67		#endif
68
69		#if !defined(STITCHED_CALL)
70	0	#define rc4_off 0
71	0	#define md5_off 0
72		#endif
73
74		static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
75		const unsigned char *in, size_t len)
76	0	{
77	0	EVP_RC4_HMAC_MD5 *key = data(ctx);
78		#if defined(STITCHED_CALL)
79		size_t rc4_off = 32 - 1 - (key->ks.x & (32 - 1)), /* 32 is $MOD from
80		* rc4_md5-x86_64.pl */
81		md5_off = MD5_CBLOCK - key->md.num, blocks;
82		unsigned int l;
83		#endif
84	0	size_t plen = key->payload_length;
85
86	0	if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
87	0	return 0;
88
89	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
90	0	if (plen == NO_PAYLOAD_LENGTH)
91	0	plen = len;
92		#if defined(STITCHED_CALL)
93		/* cipher has to "fall behind" */
94		if (rc4_off > md5_off)
95		md5_off += MD5_CBLOCK;
96
97		if (plen > md5_off && (blocks = (plen - md5_off) / MD5_CBLOCK) && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
98		MD5_Update(&key->md, in, md5_off);
99		RC4(&key->ks, rc4_off, in, out);
100
101		rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off,
102		&key->md, in + md5_off, blocks);
103		blocks *= MD5_CBLOCK;
104		rc4_off += blocks;
105		md5_off += blocks;
106		key->md.Nh += (unsigned int)(blocks >> 29);
107		key->md.Nl += (unsigned int)(blocks <<= 3);
108		if (key->md.Nl < (unsigned int)blocks)
109		key->md.Nh++;
110		} else {
111		rc4_off = 0;
112		md5_off = 0;
113		}
114		#endif
115	0	MD5_Update(&key->md, in + md5_off, plen - md5_off);
116
117	0	if (plen != len) { /* "TLS" mode of operation */
118	0	if (in != out)
119	0	memcpy(out + rc4_off, in + rc4_off, plen - rc4_off);
120
121		/* calculate HMAC and append it to payload */
122	0	MD5_Final(out + plen, &key->md);
123	0	key->md = key->tail;
124	0	MD5_Update(&key->md, out + plen, MD5_DIGEST_LENGTH);
125	0	MD5_Final(out + plen, &key->md);
126		/* encrypt HMAC at once */
127	0	RC4(&key->ks, len - rc4_off, out + rc4_off, out + rc4_off);
128	0	} else {
129	0	RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off);
130	0	}
131	0	} else {
132	0	unsigned char mac[MD5_DIGEST_LENGTH];
133		#if defined(STITCHED_CALL)
134		/* digest has to "fall behind" */
135		if (md5_off > rc4_off)
136		rc4_off += 2 * MD5_CBLOCK;
137		else
138		rc4_off += MD5_CBLOCK;
139
140		if (len > rc4_off && (blocks = (len - rc4_off) / MD5_CBLOCK) && (OPENSSL_ia32cap_P[0] & (1 << 20)) == 0) {
141		RC4(&key->ks, rc4_off, in, out);
142		MD5_Update(&key->md, out, md5_off);
143
144		rc4_md5_enc(&key->ks, in + rc4_off, out + rc4_off,
145		&key->md, out + md5_off, blocks);
146		blocks *= MD5_CBLOCK;
147		rc4_off += blocks;
148		md5_off += blocks;
149		l = (key->md.Nl + (blocks << 3)) & 0xffffffffU;
150		if (l < key->md.Nl)
151		key->md.Nh++;
152		key->md.Nl = l;
153		key->md.Nh += (unsigned int)(blocks >> 29);
154		} else {
155		md5_off = 0;
156		rc4_off = 0;
157		}
158		#endif
159		/* decrypt HMAC at once */
160	0	RC4(&key->ks, len - rc4_off, in + rc4_off, out + rc4_off);
161	0	if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
162	0	MD5_Update(&key->md, out + md5_off, plen - md5_off);
163
164		/* calculate HMAC and verify it */
165	0	MD5_Final(mac, &key->md);
166	0	key->md = key->tail;
167	0	MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH);
168	0	MD5_Final(mac, &key->md);
169
170	0	if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
171	0	return 0;
172	0	} else {
173	0	MD5_Update(&key->md, out + md5_off, len - md5_off);
174	0	}
175	0	}
176
177	0	key->payload_length = NO_PAYLOAD_LENGTH;
178
179	0	return 1;
180	0	}
181
182		static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
183		void *ptr)
184	0	{
185	0	EVP_RC4_HMAC_MD5 *key = data(ctx);
186
187	0	switch (type) {
188	0	case EVP_CTRL_AEAD_SET_MAC_KEY: {
189	0	unsigned int i;
190	0	unsigned char hmac_key[64];
191
192	0	memset(hmac_key, 0, sizeof(hmac_key));
193
194	0	if (arg > (int)sizeof(hmac_key)) {
195	0	MD5_Init(&key->head);
196	0	MD5_Update(&key->head, ptr, arg);
197	0	MD5_Final(hmac_key, &key->head);
198	0	} else {
199	0	memcpy(hmac_key, ptr, arg);
200	0	}
201
202	0	for (i = 0; i < sizeof(hmac_key); i++)
203	0	hmac_key[i] ^= 0x36; /* ipad */
204	0	MD5_Init(&key->head);
205	0	MD5_Update(&key->head, hmac_key, sizeof(hmac_key));
206
207	0	for (i = 0; i < sizeof(hmac_key); i++)
208	0	hmac_key[i] ^= 0x36 ^ 0x5c; /* opad */
209	0	MD5_Init(&key->tail);
210	0	MD5_Update(&key->tail, hmac_key, sizeof(hmac_key));
211
212	0	OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
213
214	0	return 1;
215	0	}
216	0	case EVP_CTRL_AEAD_TLS1_AAD: {
217	0	unsigned char *p = ptr;
218	0	unsigned int len;
219
220	0	if (arg != EVP_AEAD_TLS1_AAD_LEN)
221	0	return -1;
222
223	0	len = p[arg - 2] << 8 \| p[arg - 1];
224
225	0	if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
226	0	if (len < MD5_DIGEST_LENGTH)
227	0	return -1;
228	0	len -= MD5_DIGEST_LENGTH;
229	0	p[arg - 2] = len >> 8;
230	0	p[arg - 1] = len;
231	0	}
232	0	key->payload_length = len;
233	0	key->md = key->head;
234	0	MD5_Update(&key->md, p, arg);
235
236	0	return MD5_DIGEST_LENGTH;
237	0	}
238	0	default:
239	0	return -1;
240	0	}
241	0	}
242
243		static const EVP_CIPHER r4_hmac_md5_cipher = {
244		#ifdef NID_rc4_hmac_md5
245		NID_rc4_hmac_md5,
246		#else
247		NID_undef,
248		#endif
249		1, EVP_RC4_KEY_SIZE, 0,
250		EVP_CIPH_STREAM_CIPHER \| EVP_CIPH_VARIABLE_LENGTH \| EVP_CIPH_FLAG_AEAD_CIPHER,
251		EVP_ORIG_GLOBAL,
252		rc4_hmac_md5_init_key,
253		rc4_hmac_md5_cipher,
254		NULL,
255		sizeof(EVP_RC4_HMAC_MD5),
256		NULL,
257		NULL,
258		rc4_hmac_md5_ctrl,
259		NULL
260		};
261
262		const EVP_CIPHER *EVP_rc4_hmac_md5(void)
263	3	{
264	3	return &r4_hmac_md5_cipher;
265	3	}
266		#endif