1 /* $OpenBSD: md4.c,v 1.18 2024/06/01 07:36:16 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include <stdint.h>
61 #include <stdlib.h>
62 #include <string.h>
63
64 #include <openssl/opensslconf.h>
65
66 #include <openssl/md4.h>
67
68 #include "crypto_internal.h"
69
70 /* Ensure that MD4_LONG and uint32_t are equivalent size. */
71 CTASSERT(sizeof(MD4_LONG) == sizeof(uint32_t));
72
73 static inline uint32_t
md4_f(uint32_t x,uint32_t y,uint32_t z)74 md4_f(uint32_t x, uint32_t y, uint32_t z)
75 {
76 return (x & y) | (~x & z);
77 }
78
79 static inline uint32_t
md4_g(uint32_t x,uint32_t y,uint32_t z)80 md4_g(uint32_t x, uint32_t y, uint32_t z)
81 {
82 return (x & y) | (x & z) | (y & z);
83 }
84
85 static inline uint32_t
md4_h(uint32_t x,uint32_t y,uint32_t z)86 md4_h(uint32_t x, uint32_t y, uint32_t z)
87 {
88 return x ^ y ^ z;
89 }
90
91 static inline void
md4_round1(uint32_t * a,uint32_t b,uint32_t c,uint32_t d,uint32_t x,uint32_t s)92 md4_round1(uint32_t *a, uint32_t b, uint32_t c, uint32_t d, uint32_t x,
93 uint32_t s)
94 {
95 *a = crypto_rol_u32(*a + md4_f(b, c, d) + x, s);
96 }
97
98 static inline void
md4_round2(uint32_t * a,uint32_t b,uint32_t c,uint32_t d,uint32_t x,uint32_t s)99 md4_round2(uint32_t *a, uint32_t b, uint32_t c, uint32_t d, uint32_t x,
100 uint32_t s)
101 {
102 *a = crypto_rol_u32(*a + md4_g(b, c, d) + x + 0x5a827999UL, s);
103 }
104
105 static inline void
md4_round3(uint32_t * a,uint32_t b,uint32_t c,uint32_t d,uint32_t x,uint32_t s)106 md4_round3(uint32_t *a, uint32_t b, uint32_t c, uint32_t d, uint32_t x,
107 uint32_t s)
108 {
109 *a = crypto_rol_u32(*a + md4_h(b, c, d) + x + 0x6ed9eba1UL, s);
110 }
111
112 static void
md4_block_data_order(MD4_CTX * c,const void * _in,size_t num)113 md4_block_data_order(MD4_CTX *c, const void *_in, size_t num)
114 {
115 const uint8_t *in = _in;
116 const MD4_LONG *in32;
117 unsigned int A, B, C, D;
118 unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
119 X8, X9, X10, X11, X12, X13, X14, X15;
120
121 while (num-- > 0) {
122 A = c->A;
123 B = c->B;
124 C = c->C;
125 D = c->D;
126
127 if ((uintptr_t)in % 4 == 0) {
128 /* Input is 32 bit aligned. */
129 in32 = (const MD4_LONG *)in;
130 X0 = le32toh(in32[0]);
131 X1 = le32toh(in32[1]);
132 X2 = le32toh(in32[2]);
133 X3 = le32toh(in32[3]);
134 X4 = le32toh(in32[4]);
135 X5 = le32toh(in32[5]);
136 X6 = le32toh(in32[6]);
137 X7 = le32toh(in32[7]);
138 X8 = le32toh(in32[8]);
139 X9 = le32toh(in32[9]);
140 X10 = le32toh(in32[10]);
141 X11 = le32toh(in32[11]);
142 X12 = le32toh(in32[12]);
143 X13 = le32toh(in32[13]);
144 X14 = le32toh(in32[14]);
145 X15 = le32toh(in32[15]);
146 } else {
147 /* Input is not 32 bit aligned. */
148 X0 = crypto_load_le32toh(&in[0 * 4]);
149 X1 = crypto_load_le32toh(&in[1 * 4]);
150 X2 = crypto_load_le32toh(&in[2 * 4]);
151 X3 = crypto_load_le32toh(&in[3 * 4]);
152 X4 = crypto_load_le32toh(&in[4 * 4]);
153 X5 = crypto_load_le32toh(&in[5 * 4]);
154 X6 = crypto_load_le32toh(&in[6 * 4]);
155 X7 = crypto_load_le32toh(&in[7 * 4]);
156 X8 = crypto_load_le32toh(&in[8 * 4]);
157 X9 = crypto_load_le32toh(&in[9 * 4]);
158 X10 = crypto_load_le32toh(&in[10 * 4]);
159 X11 = crypto_load_le32toh(&in[11 * 4]);
160 X12 = crypto_load_le32toh(&in[12 * 4]);
161 X13 = crypto_load_le32toh(&in[13 * 4]);
162 X14 = crypto_load_le32toh(&in[14 * 4]);
163 X15 = crypto_load_le32toh(&in[15 * 4]);
164 }
165 in += MD4_CBLOCK;
166
167 md4_round1(&A, B, C, D, X0, 3);
168 md4_round1(&D, A, B, C, X1, 7);
169 md4_round1(&C, D, A, B, X2, 11);
170 md4_round1(&B, C, D, A, X3, 19);
171 md4_round1(&A, B, C, D, X4, 3);
172 md4_round1(&D, A, B, C, X5, 7);
173 md4_round1(&C, D, A, B, X6, 11);
174 md4_round1(&B, C, D, A, X7, 19);
175 md4_round1(&A, B, C, D, X8, 3);
176 md4_round1(&D, A, B, C, X9, 7);
177 md4_round1(&C, D, A, B, X10, 11);
178 md4_round1(&B, C, D, A, X11, 19);
179 md4_round1(&A, B, C, D, X12, 3);
180 md4_round1(&D, A, B, C, X13, 7);
181 md4_round1(&C, D, A, B, X14, 11);
182 md4_round1(&B, C, D, A, X15, 19);
183
184 /* Round 1 */
185 md4_round2(&A, B, C, D, X0, 3);
186 md4_round2(&D, A, B, C, X4, 5);
187 md4_round2(&C, D, A, B, X8, 9);
188 md4_round2(&B, C, D, A, X12, 13);
189 md4_round2(&A, B, C, D, X1, 3);
190 md4_round2(&D, A, B, C, X5, 5);
191 md4_round2(&C, D, A, B, X9, 9);
192 md4_round2(&B, C, D, A, X13, 13);
193 md4_round2(&A, B, C, D, X2, 3);
194 md4_round2(&D, A, B, C, X6, 5);
195 md4_round2(&C, D, A, B, X10, 9);
196 md4_round2(&B, C, D, A, X14, 13);
197 md4_round2(&A, B, C, D, X3, 3);
198 md4_round2(&D, A, B, C, X7, 5);
199 md4_round2(&C, D, A, B, X11, 9);
200 md4_round2(&B, C, D, A, X15, 13);
201
202 /* Round 2 */
203 md4_round3(&A, B, C, D, X0, 3);
204 md4_round3(&D, A, B, C, X8, 9);
205 md4_round3(&C, D, A, B, X4, 11);
206 md4_round3(&B, C, D, A, X12, 15);
207 md4_round3(&A, B, C, D, X2, 3);
208 md4_round3(&D, A, B, C, X10, 9);
209 md4_round3(&C, D, A, B, X6, 11);
210 md4_round3(&B, C, D, A, X14, 15);
211 md4_round3(&A, B, C, D, X1, 3);
212 md4_round3(&D, A, B, C, X9, 9);
213 md4_round3(&C, D, A, B, X5, 11);
214 md4_round3(&B, C, D, A, X13, 15);
215 md4_round3(&A, B, C, D, X3, 3);
216 md4_round3(&D, A, B, C, X11, 9);
217 md4_round3(&C, D, A, B, X7, 11);
218 md4_round3(&B, C, D, A, X15, 15);
219
220 c->A += A;
221 c->B += B;
222 c->C += C;
223 c->D += D;
224 }
225 }
226
227 int
MD4_Init(MD4_CTX * c)228 MD4_Init(MD4_CTX *c)
229 {
230 memset(c, 0, sizeof(*c));
231
232 c->A = 0x67452301UL;
233 c->B = 0xefcdab89UL;
234 c->C = 0x98badcfeUL;
235 c->D = 0x10325476UL;
236
237 return 1;
238 }
239 LCRYPTO_ALIAS(MD4_Init);
240
241 int
MD4_Update(MD4_CTX * c,const void * data_,size_t len)242 MD4_Update(MD4_CTX *c, const void *data_, size_t len)
243 {
244 const unsigned char *data = data_;
245 unsigned char *p;
246 MD4_LONG l;
247 size_t n;
248
249 if (len == 0)
250 return 1;
251
252 l = (c->Nl + (((MD4_LONG)len) << 3))&0xffffffffUL;
253 /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
254 * Wei Dai <weidai@eskimo.com> for pointing it out. */
255 if (l < c->Nl) /* overflow */
256 c->Nh++;
257 c->Nh+=(MD4_LONG)(len>>29); /* might cause compiler warning on 16-bit */
258 c->Nl = l;
259
260 n = c->num;
261 if (n != 0) {
262 p = (unsigned char *)c->data;
263
264 if (len >= MD4_CBLOCK || len + n >= MD4_CBLOCK) {
265 memcpy (p + n, data, MD4_CBLOCK - n);
266 md4_block_data_order (c, p, 1);
267 n = MD4_CBLOCK - n;
268 data += n;
269 len -= n;
270 c->num = 0;
271 memset(p, 0, MD4_CBLOCK); /* keep it zeroed */
272 } else {
273 memcpy(p + n, data, len);
274 c->num += (unsigned int)len;
275 return 1;
276 }
277 }
278
279 n = len / MD4_CBLOCK;
280 if (n > 0) {
281 md4_block_data_order(c, data, n);
282 n *= MD4_CBLOCK;
283 data += n;
284 len -= n;
285 }
286
287 if (len != 0) {
288 p = (unsigned char *)c->data;
289 c->num = (unsigned int)len;
290 memcpy(p, data, len);
291 }
292 return 1;
293 }
294 LCRYPTO_ALIAS(MD4_Update);
295
296 void
MD4_Transform(MD4_CTX * c,const unsigned char * data)297 MD4_Transform(MD4_CTX *c, const unsigned char *data)
298 {
299 md4_block_data_order(c, data, 1);
300 }
301 LCRYPTO_ALIAS(MD4_Transform);
302
303 int
MD4_Final(unsigned char * md,MD4_CTX * c)304 MD4_Final(unsigned char *md, MD4_CTX *c)
305 {
306 unsigned char *p = (unsigned char *)c->data;
307 size_t n = c->num;
308
309 p[n] = 0x80; /* there is always room for one */
310 n++;
311
312 if (n > (MD4_CBLOCK - 8)) {
313 memset(p + n, 0, MD4_CBLOCK - n);
314 n = 0;
315 md4_block_data_order(c, p, 1);
316 }
317
318 memset(p + n, 0, MD4_CBLOCK - 8 - n);
319 c->data[MD4_LBLOCK - 2] = htole32(c->Nl);
320 c->data[MD4_LBLOCK - 1] = htole32(c->Nh);
321
322 md4_block_data_order(c, p, 1);
323 c->num = 0;
324 memset(p, 0, MD4_CBLOCK);
325
326 crypto_store_htole32(&md[0 * 4], c->A);
327 crypto_store_htole32(&md[1 * 4], c->B);
328 crypto_store_htole32(&md[2 * 4], c->C);
329 crypto_store_htole32(&md[3 * 4], c->D);
330
331 return 1;
332 }
333 LCRYPTO_ALIAS(MD4_Final);
334
335 unsigned char *
MD4(const unsigned char * d,size_t n,unsigned char * md)336 MD4(const unsigned char *d, size_t n, unsigned char *md)
337 {
338 MD4_CTX c;
339
340 if (!MD4_Init(&c))
341 return NULL;
342 MD4_Update(&c, d, n);
343 MD4_Final(md, &c);
344 explicit_bzero(&c, sizeof(c));
345 return (md);
346 }
347 LCRYPTO_ALIAS(MD4);
348