1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/cipher.h>
58 #include <openssl/nid.h>
59 
60 #include "../internal.h"
61 
62 
63 #define c2l(c, l)                         \
64   do {                                    \
65     (l) = ((uint32_t)(*((c)++)));         \
66     (l) |= ((uint32_t)(*((c)++))) << 8L;  \
67     (l) |= ((uint32_t)(*((c)++))) << 16L; \
68     (l) |= ((uint32_t)(*((c)++))) << 24L; \
69   } while (0)
70 
71 #define c2ln(c, l1, l2, n)                     \
72   do {                                         \
73     (c) += (n);                                \
74     (l1) = (l2) = 0;                           \
75     switch (n) {                               \
76       case 8:                                  \
77         (l2) = ((uint32_t)(*(--(c)))) << 24L;  \
78         OPENSSL_FALLTHROUGH;                   \
79       case 7:                                  \
80         (l2) |= ((uint32_t)(*(--(c)))) << 16L; \
81         OPENSSL_FALLTHROUGH;                   \
82       case 6:                                  \
83         (l2) |= ((uint32_t)(*(--(c)))) << 8L;  \
84         OPENSSL_FALLTHROUGH;                   \
85       case 5:                                  \
86         (l2) |= ((uint32_t)(*(--(c))));        \
87         OPENSSL_FALLTHROUGH;                   \
88       case 4:                                  \
89         (l1) = ((uint32_t)(*(--(c)))) << 24L;  \
90         OPENSSL_FALLTHROUGH;                   \
91       case 3:                                  \
92         (l1) |= ((uint32_t)(*(--(c)))) << 16L; \
93         OPENSSL_FALLTHROUGH;                   \
94       case 2:                                  \
95         (l1) |= ((uint32_t)(*(--(c)))) << 8L;  \
96         OPENSSL_FALLTHROUGH;                   \
97       case 1:                                  \
98         (l1) |= ((uint32_t)(*(--(c))));        \
99     }                                          \
100   } while (0)
101 
102 #define l2c(l, c)                              \
103   do {                                         \
104     *((c)++) = (uint8_t)(((l)) & 0xff);        \
105     *((c)++) = (uint8_t)(((l) >> 8L) & 0xff);  \
106     *((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \
107     *((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \
108   } while (0)
109 
110 #define l2cn(l1, l2, c, n)                          \
111   do {                                              \
112     (c) += (n);                                     \
113     switch (n) {                                    \
114       case 8:                                       \
115         *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
116         OPENSSL_FALLTHROUGH;                        \
117       case 7:                                       \
118         *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
119         OPENSSL_FALLTHROUGH;                        \
120       case 6:                                       \
121         *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff);  \
122         OPENSSL_FALLTHROUGH;                        \
123       case 5:                                       \
124         *(--(c)) = (uint8_t)(((l2)) & 0xff);        \
125         OPENSSL_FALLTHROUGH;                        \
126       case 4:                                       \
127         *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
128         OPENSSL_FALLTHROUGH;                        \
129       case 3:                                       \
130         *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
131         OPENSSL_FALLTHROUGH;                        \
132       case 2:                                       \
133         *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff);  \
134         OPENSSL_FALLTHROUGH;                        \
135       case 1:                                       \
136         *(--(c)) = (uint8_t)(((l1)) & 0xff);        \
137     }                                               \
138   } while (0)
139 
140 typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;
141 
RC2_encrypt(uint32_t * d,RC2_KEY * key)142 static void RC2_encrypt(uint32_t *d, RC2_KEY *key) {
143   int i, n;
144   uint16_t *p0, *p1;
145   uint16_t x0, x1, x2, x3, t;
146   uint32_t l;
147 
148   l = d[0];
149   x0 = (uint16_t)l & 0xffff;
150   x1 = (uint16_t)(l >> 16L);
151   l = d[1];
152   x2 = (uint16_t)l & 0xffff;
153   x3 = (uint16_t)(l >> 16L);
154 
155   n = 3;
156   i = 5;
157 
158   p0 = p1 = &key->data[0];
159   for (;;) {
160     t = (x0 + (x1 & ~x3) + (x2 & x3) + *(p0++)) & 0xffff;
161     x0 = (t << 1) | (t >> 15);
162     t = (x1 + (x2 & ~x0) + (x3 & x0) + *(p0++)) & 0xffff;
163     x1 = (t << 2) | (t >> 14);
164     t = (x2 + (x3 & ~x1) + (x0 & x1) + *(p0++)) & 0xffff;
165     x2 = (t << 3) | (t >> 13);
166     t = (x3 + (x0 & ~x2) + (x1 & x2) + *(p0++)) & 0xffff;
167     x3 = (t << 5) | (t >> 11);
168 
169     if (--i == 0) {
170       if (--n == 0) {
171         break;
172       }
173       i = (n == 2) ? 6 : 5;
174 
175       x0 += p1[x3 & 0x3f];
176       x1 += p1[x0 & 0x3f];
177       x2 += p1[x1 & 0x3f];
178       x3 += p1[x2 & 0x3f];
179     }
180   }
181 
182   d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
183   d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
184 }
185 
RC2_decrypt(uint32_t * d,RC2_KEY * key)186 static void RC2_decrypt(uint32_t *d, RC2_KEY *key) {
187   int i, n;
188   uint16_t *p0, *p1;
189   uint16_t x0, x1, x2, x3, t;
190   uint32_t l;
191 
192   l = d[0];
193   x0 = (uint16_t)l & 0xffff;
194   x1 = (uint16_t)(l >> 16L);
195   l = d[1];
196   x2 = (uint16_t)l & 0xffff;
197   x3 = (uint16_t)(l >> 16L);
198 
199   n = 3;
200   i = 5;
201 
202   p0 = &key->data[63];
203   p1 = &key->data[0];
204   for (;;) {
205     t = ((x3 << 11) | (x3 >> 5)) & 0xffff;
206     x3 = (t - (x0 & ~x2) - (x1 & x2) - *(p0--)) & 0xffff;
207     t = ((x2 << 13) | (x2 >> 3)) & 0xffff;
208     x2 = (t - (x3 & ~x1) - (x0 & x1) - *(p0--)) & 0xffff;
209     t = ((x1 << 14) | (x1 >> 2)) & 0xffff;
210     x1 = (t - (x2 & ~x0) - (x3 & x0) - *(p0--)) & 0xffff;
211     t = ((x0 << 15) | (x0 >> 1)) & 0xffff;
212     x0 = (t - (x1 & ~x3) - (x2 & x3) - *(p0--)) & 0xffff;
213 
214     if (--i == 0) {
215       if (--n == 0) {
216         break;
217       }
218       i = (n == 2) ? 6 : 5;
219 
220       x3 = (x3 - p1[x2 & 0x3f]) & 0xffff;
221       x2 = (x2 - p1[x1 & 0x3f]) & 0xffff;
222       x1 = (x1 - p1[x0 & 0x3f]) & 0xffff;
223       x0 = (x0 - p1[x3 & 0x3f]) & 0xffff;
224     }
225   }
226 
227   d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
228   d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
229 }
230 
RC2_cbc_encrypt(const uint8_t * in,uint8_t * out,size_t length,RC2_KEY * ks,uint8_t * iv,int encrypt)231 static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
232                             RC2_KEY *ks, uint8_t *iv, int encrypt) {
233   uint32_t tin0, tin1;
234   uint32_t tout0, tout1, xor0, xor1;
235   long l = length;
236   uint32_t tin[2];
237 
238   if (encrypt) {
239     c2l(iv, tout0);
240     c2l(iv, tout1);
241     iv -= 8;
242     for (l -= 8; l >= 0; l -= 8) {
243       c2l(in, tin0);
244       c2l(in, tin1);
245       tin0 ^= tout0;
246       tin1 ^= tout1;
247       tin[0] = tin0;
248       tin[1] = tin1;
249       RC2_encrypt(tin, ks);
250       tout0 = tin[0];
251       l2c(tout0, out);
252       tout1 = tin[1];
253       l2c(tout1, out);
254     }
255     if (l != -8) {
256       c2ln(in, tin0, tin1, l + 8);
257       tin0 ^= tout0;
258       tin1 ^= tout1;
259       tin[0] = tin0;
260       tin[1] = tin1;
261       RC2_encrypt(tin, ks);
262       tout0 = tin[0];
263       l2c(tout0, out);
264       tout1 = tin[1];
265       l2c(tout1, out);
266     }
267     l2c(tout0, iv);
268     l2c(tout1, iv);
269   } else {
270     c2l(iv, xor0);
271     c2l(iv, xor1);
272     iv -= 8;
273     for (l -= 8; l >= 0; l -= 8) {
274       c2l(in, tin0);
275       tin[0] = tin0;
276       c2l(in, tin1);
277       tin[1] = tin1;
278       RC2_decrypt(tin, ks);
279       tout0 = tin[0] ^ xor0;
280       tout1 = tin[1] ^ xor1;
281       l2c(tout0, out);
282       l2c(tout1, out);
283       xor0 = tin0;
284       xor1 = tin1;
285     }
286     if (l != -8) {
287       c2l(in, tin0);
288       tin[0] = tin0;
289       c2l(in, tin1);
290       tin[1] = tin1;
291       RC2_decrypt(tin, ks);
292       tout0 = tin[0] ^ xor0;
293       tout1 = tin[1] ^ xor1;
294       l2cn(tout0, tout1, out, l + 8);
295       xor0 = tin0;
296       xor1 = tin1;
297     }
298     l2c(xor0, iv);
299     l2c(xor1, iv);
300   }
301   tin[0] = tin[1] = 0;
302 }
303 
304 static const uint8_t key_table[256] = {
305     0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79,
306     0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
307     0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5,
308     0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
309     0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22,
310     0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
311     0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f,
312     0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
313     0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b,
314     0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
315     0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde,
316     0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
317     0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e,
318     0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
319     0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85,
320     0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
321     0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10,
322     0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
323     0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b,
324     0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
325     0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68,
326     0xfe, 0x7f, 0xc1, 0xad,
327 };
328 
RC2_set_key(RC2_KEY * key,int len,const uint8_t * data,int bits)329 static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
330   int i, j;
331   uint8_t *k;
332   uint16_t *ki;
333   unsigned int c, d;
334 
335   k = (uint8_t *)&key->data[0];
336   *k = 0;  // for if there is a zero length key
337 
338   if (len > 128) {
339     len = 128;
340   }
341   if (bits <= 0) {
342     bits = 1024;
343   }
344   if (bits > 1024) {
345     bits = 1024;
346   }
347 
348   for (i = 0; i < len; i++) {
349     k[i] = data[i];
350   }
351 
352   // expand table
353   d = k[len - 1];
354   j = 0;
355   for (i = len; i < 128; i++, j++) {
356     d = key_table[(k[j] + d) & 0xff];
357     k[i] = d;
358   }
359 
360   // hmm.... key reduction to 'bits' bits
361 
362   j = (bits + 7) >> 3;
363   i = 128 - j;
364   c = (0xff >> (-bits & 0x07));
365 
366   d = key_table[k[i] & c];
367   k[i] = d;
368   while (i--) {
369     d = key_table[k[i + j] ^ d];
370     k[i] = d;
371   }
372 
373   // copy from bytes into uint16_t's
374   ki = &(key->data[63]);
375   for (i = 127; i >= 0; i -= 2) {
376     *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
377   }
378 }
379 
380 typedef struct {
381   int key_bits;  // effective key bits
382   RC2_KEY ks;    // key schedule
383 } EVP_RC2_KEY;
384 
rc2_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)385 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
386                         const uint8_t *iv, int enc) {
387   EVP_RC2_KEY *rc2_key = (EVP_RC2_KEY *)ctx->cipher_data;
388   RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key,
389               rc2_key->key_bits);
390   return 1;
391 }
392 
rc2_cbc_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t inl)393 static int rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
394                           size_t inl) {
395   EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;
396   static const size_t kChunkSize = 0x10000;
397 
398   while (inl >= kChunkSize) {
399     RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt);
400     inl -= kChunkSize;
401     in += kChunkSize;
402     out += kChunkSize;
403   }
404   if (inl) {
405     RC2_cbc_encrypt(in, out, inl, &key->ks, ctx->iv, ctx->encrypt);
406   }
407   return 1;
408 }
409 
rc2_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)410 static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
411   EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;
412 
413   switch (type) {
414     case EVP_CTRL_INIT:
415       key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
416       return 1;
417     case EVP_CTRL_SET_RC2_KEY_BITS:
418       // Should be overridden by later call to |EVP_CTRL_INIT|, but
419       // people call it, so it may as well work.
420       key->key_bits = arg;
421       return 1;
422 
423     default:
424       return -1;
425   }
426 }
427 
428 static const EVP_CIPHER rc2_40_cbc = {
429     NID_rc2_40_cbc,
430     8 /* block size */,
431     5 /* 40 bit */,
432     8 /* iv len */,
433     sizeof(EVP_RC2_KEY),
434     EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
435     NULL /* app_data */,
436     rc2_init_key,
437     rc2_cbc_cipher,
438     NULL,
439     rc2_ctrl,
440 };
441 
EVP_rc2_40_cbc(void)442 const EVP_CIPHER *EVP_rc2_40_cbc(void) {
443   return &rc2_40_cbc;
444 }
445 
446 static const EVP_CIPHER rc2_cbc = {
447     NID_rc2_cbc,
448     8 /* block size */,
449     16 /* 128 bit */,
450     8 /* iv len */,
451     sizeof(EVP_RC2_KEY),
452     EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
453     NULL /* app_data */,
454     rc2_init_key,
455     rc2_cbc_cipher,
456     NULL,
457     rc2_ctrl,
458 };
459 
EVP_rc2_cbc(void)460 const EVP_CIPHER *EVP_rc2_cbc(void) {
461   return &rc2_cbc;
462 }
463