1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/cipher.h>
58 #include <openssl/nid.h>
59
60 #include "internal.h"
61
62
63 #define c2l(c, l) \
64 do { \
65 (l) = ((uint32_t)(*((c)++))); \
66 (l) |= ((uint32_t)(*((c)++))) << 8L; \
67 (l) |= ((uint32_t)(*((c)++))) << 16L; \
68 (l) |= ((uint32_t)(*((c)++))) << 24L; \
69 } while (0)
70
71 #define c2ln(c, l1, l2, n) \
72 do { \
73 (c) += (n); \
74 (l1) = (l2) = 0; \
75 switch (n) { \
76 case 8: \
77 (l2) = ((uint32_t)(*(--(c)))) << 24L; \
78 case 7: \
79 (l2) |= ((uint32_t)(*(--(c)))) << 16L; \
80 case 6: \
81 (l2) |= ((uint32_t)(*(--(c)))) << 8L; \
82 case 5: \
83 (l2) |= ((uint32_t)(*(--(c)))); \
84 case 4: \
85 (l1) = ((uint32_t)(*(--(c)))) << 24L; \
86 case 3: \
87 (l1) |= ((uint32_t)(*(--(c)))) << 16L; \
88 case 2: \
89 (l1) |= ((uint32_t)(*(--(c)))) << 8L; \
90 case 1: \
91 (l1) |= ((uint32_t)(*(--(c)))); \
92 } \
93 } while (0)
94
95 #define l2c(l, c) \
96 do { \
97 *((c)++) = (uint8_t)(((l)) & 0xff); \
98 *((c)++) = (uint8_t)(((l) >> 8L) & 0xff); \
99 *((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \
100 *((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \
101 } while (0)
102
103 #define l2cn(l1, l2, c, n) \
104 do { \
105 (c) += (n); \
106 switch (n) { \
107 case 8: \
108 *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
109 case 7: \
110 *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
111 case 6: \
112 *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff); \
113 case 5: \
114 *(--(c)) = (uint8_t)(((l2)) & 0xff); \
115 case 4: \
116 *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
117 case 3: \
118 *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
119 case 2: \
120 *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff); \
121 case 1: \
122 *(--(c)) = (uint8_t)(((l1)) & 0xff); \
123 } \
124 } while (0)
125
126 typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;
127
RC2_encrypt(uint32_t * d,RC2_KEY * key)128 static void RC2_encrypt(uint32_t *d, RC2_KEY *key) {
129 int i, n;
130 uint16_t *p0, *p1;
131 uint16_t x0, x1, x2, x3, t;
132 uint32_t l;
133
134 l = d[0];
135 x0 = (uint16_t)l & 0xffff;
136 x1 = (uint16_t)(l >> 16L);
137 l = d[1];
138 x2 = (uint16_t)l & 0xffff;
139 x3 = (uint16_t)(l >> 16L);
140
141 n = 3;
142 i = 5;
143
144 p0 = p1 = &key->data[0];
145 for (;;) {
146 t = (x0 + (x1 & ~x3) + (x2 & x3) + *(p0++)) & 0xffff;
147 x0 = (t << 1) | (t >> 15);
148 t = (x1 + (x2 & ~x0) + (x3 & x0) + *(p0++)) & 0xffff;
149 x1 = (t << 2) | (t >> 14);
150 t = (x2 + (x3 & ~x1) + (x0 & x1) + *(p0++)) & 0xffff;
151 x2 = (t << 3) | (t >> 13);
152 t = (x3 + (x0 & ~x2) + (x1 & x2) + *(p0++)) & 0xffff;
153 x3 = (t << 5) | (t >> 11);
154
155 if (--i == 0) {
156 if (--n == 0) {
157 break;
158 }
159 i = (n == 2) ? 6 : 5;
160
161 x0 += p1[x3 & 0x3f];
162 x1 += p1[x0 & 0x3f];
163 x2 += p1[x1 & 0x3f];
164 x3 += p1[x2 & 0x3f];
165 }
166 }
167
168 d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
169 d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
170 }
171
RC2_decrypt(uint32_t * d,RC2_KEY * key)172 static void RC2_decrypt(uint32_t *d, RC2_KEY *key) {
173 int i, n;
174 uint16_t *p0, *p1;
175 uint16_t x0, x1, x2, x3, t;
176 uint32_t l;
177
178 l = d[0];
179 x0 = (uint16_t)l & 0xffff;
180 x1 = (uint16_t)(l >> 16L);
181 l = d[1];
182 x2 = (uint16_t)l & 0xffff;
183 x3 = (uint16_t)(l >> 16L);
184
185 n = 3;
186 i = 5;
187
188 p0 = &key->data[63];
189 p1 = &key->data[0];
190 for (;;) {
191 t = ((x3 << 11) | (x3 >> 5)) & 0xffff;
192 x3 = (t - (x0 & ~x2) - (x1 & x2) - *(p0--)) & 0xffff;
193 t = ((x2 << 13) | (x2 >> 3)) & 0xffff;
194 x2 = (t - (x3 & ~x1) - (x0 & x1) - *(p0--)) & 0xffff;
195 t = ((x1 << 14) | (x1 >> 2)) & 0xffff;
196 x1 = (t - (x2 & ~x0) - (x3 & x0) - *(p0--)) & 0xffff;
197 t = ((x0 << 15) | (x0 >> 1)) & 0xffff;
198 x0 = (t - (x1 & ~x3) - (x2 & x3) - *(p0--)) & 0xffff;
199
200 if (--i == 0) {
201 if (--n == 0) {
202 break;
203 }
204 i = (n == 2) ? 6 : 5;
205
206 x3 = (x3 - p1[x2 & 0x3f]) & 0xffff;
207 x2 = (x2 - p1[x1 & 0x3f]) & 0xffff;
208 x1 = (x1 - p1[x0 & 0x3f]) & 0xffff;
209 x0 = (x0 - p1[x3 & 0x3f]) & 0xffff;
210 }
211 }
212
213 d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);
214 d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);
215 }
216
RC2_cbc_encrypt(const uint8_t * in,uint8_t * out,size_t length,RC2_KEY * ks,uint8_t * iv,int encrypt)217 static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
218 RC2_KEY *ks, uint8_t *iv, int encrypt) {
219 uint32_t tin0, tin1;
220 uint32_t tout0, tout1, xor0, xor1;
221 long l = length;
222 uint32_t tin[2];
223
224 if (encrypt) {
225 c2l(iv, tout0);
226 c2l(iv, tout1);
227 iv -= 8;
228 for (l -= 8; l >= 0; l -= 8) {
229 c2l(in, tin0);
230 c2l(in, tin1);
231 tin0 ^= tout0;
232 tin1 ^= tout1;
233 tin[0] = tin0;
234 tin[1] = tin1;
235 RC2_encrypt(tin, ks);
236 tout0 = tin[0];
237 l2c(tout0, out);
238 tout1 = tin[1];
239 l2c(tout1, out);
240 }
241 if (l != -8) {
242 c2ln(in, tin0, tin1, l + 8);
243 tin0 ^= tout0;
244 tin1 ^= tout1;
245 tin[0] = tin0;
246 tin[1] = tin1;
247 RC2_encrypt(tin, ks);
248 tout0 = tin[0];
249 l2c(tout0, out);
250 tout1 = tin[1];
251 l2c(tout1, out);
252 }
253 l2c(tout0, iv);
254 l2c(tout1, iv);
255 } else {
256 c2l(iv, xor0);
257 c2l(iv, xor1);
258 iv -= 8;
259 for (l -= 8; l >= 0; l -= 8) {
260 c2l(in, tin0);
261 tin[0] = tin0;
262 c2l(in, tin1);
263 tin[1] = tin1;
264 RC2_decrypt(tin, ks);
265 tout0 = tin[0] ^ xor0;
266 tout1 = tin[1] ^ xor1;
267 l2c(tout0, out);
268 l2c(tout1, out);
269 xor0 = tin0;
270 xor1 = tin1;
271 }
272 if (l != -8) {
273 c2l(in, tin0);
274 tin[0] = tin0;
275 c2l(in, tin1);
276 tin[1] = tin1;
277 RC2_decrypt(tin, ks);
278 tout0 = tin[0] ^ xor0;
279 tout1 = tin[1] ^ xor1;
280 l2cn(tout0, tout1, out, l + 8);
281 xor0 = tin0;
282 xor1 = tin1;
283 }
284 l2c(xor0, iv);
285 l2c(xor1, iv);
286 }
287 tin[0] = tin[1] = 0;
288 }
289
290 static const uint8_t key_table[256] = {
291 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79,
292 0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
293 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5,
294 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
295 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22,
296 0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
297 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f,
298 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
299 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b,
300 0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
301 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde,
302 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
303 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e,
304 0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
305 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85,
306 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
307 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10,
308 0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
309 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b,
310 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
311 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68,
312 0xfe, 0x7f, 0xc1, 0xad,
313 };
314
RC2_set_key(RC2_KEY * key,int len,const uint8_t * data,int bits)315 static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {
316 int i, j;
317 uint8_t *k;
318 uint16_t *ki;
319 unsigned int c, d;
320
321 k = (uint8_t *)&key->data[0];
322 *k = 0; /* for if there is a zero length key */
323
324 if (len > 128) {
325 len = 128;
326 }
327 if (bits <= 0) {
328 bits = 1024;
329 }
330 if (bits > 1024) {
331 bits = 1024;
332 }
333
334 for (i = 0; i < len; i++) {
335 k[i] = data[i];
336 }
337
338 /* expand table */
339 d = k[len - 1];
340 j = 0;
341 for (i = len; i < 128; i++, j++) {
342 d = key_table[(k[j] + d) & 0xff];
343 k[i] = d;
344 }
345
346 /* hmm.... key reduction to 'bits' bits */
347
348 j = (bits + 7) >> 3;
349 i = 128 - j;
350 c = (0xff >> (-bits & 0x07));
351
352 d = key_table[k[i] & c];
353 k[i] = d;
354 while (i--) {
355 d = key_table[k[i + j] ^ d];
356 k[i] = d;
357 }
358
359 /* copy from bytes into uint16_t's */
360 ki = &(key->data[63]);
361 for (i = 127; i >= 0; i -= 2) {
362 *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
363 }
364 }
365
366 typedef struct {
367 int key_bits; /* effective key bits */
368 RC2_KEY ks; /* key schedule */
369 } EVP_RC2_KEY;
370
rc2_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)371 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
372 const uint8_t *iv, int enc) {
373 EVP_RC2_KEY *rc2_key = (EVP_RC2_KEY *)ctx->cipher_data;
374 RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key,
375 rc2_key->key_bits);
376 return 1;
377 }
378
rc2_cbc_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t inl)379 static int rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
380 size_t inl) {
381 EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;
382 static const size_t kChunkSize = 0x10000;
383
384 while (inl >= kChunkSize) {
385 RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt);
386 inl -= kChunkSize;
387 in += kChunkSize;
388 out += kChunkSize;
389 }
390 if (inl) {
391 RC2_cbc_encrypt(in, out, inl, &key->ks, ctx->iv, ctx->encrypt);
392 }
393 return 1;
394 }
395
rc2_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)396 static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
397 EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;
398
399 switch (type) {
400 case EVP_CTRL_INIT:
401 key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
402 return 1;
403 case EVP_CTRL_SET_RC2_KEY_BITS:
404 /* Should be overridden by later call to |EVP_CTRL_INIT|, but
405 * people call it, so it may as well work. */
406 key->key_bits = arg;
407 return 1;
408
409 default:
410 return -1;
411 }
412 }
413
414 static const EVP_CIPHER rc2_40_cbc = {
415 NID_rc2_40_cbc,
416 8 /* block size */,
417 5 /* 40 bit */,
418 8 /* iv len */,
419 sizeof(EVP_RC2_KEY),
420 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
421 NULL /* app_data */,
422 rc2_init_key,
423 rc2_cbc_cipher,
424 NULL,
425 rc2_ctrl,
426 };
427
EVP_rc2_40_cbc(void)428 const EVP_CIPHER *EVP_rc2_40_cbc(void) {
429 return &rc2_40_cbc;
430 }
431
432 static const EVP_CIPHER rc2_cbc = {
433 NID_rc2_cbc,
434 8 /* block size */,
435 16 /* 128 bit */,
436 8 /* iv len */,
437 sizeof(EVP_RC2_KEY),
438 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
439 NULL /* app_data */,
440 rc2_init_key,
441 rc2_cbc_cipher,
442 NULL,
443 rc2_ctrl,
444 };
445
EVP_rc2_cbc(void)446 const EVP_CIPHER *EVP_rc2_cbc(void) {
447 return &rc2_cbc;
448 }
449