xref: /aosp_15_r20/external/boringssl/src/crypto/fipsmodule/md5/md5.c (revision 8fb009dc861624b67b6cdb62ea21f0f22d0c584b) 
1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young ([email protected]).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson ([email protected]).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young ([email protected])"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson ([email protected])"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/md5.h>
58 
59 #include <string.h>
60 
61 #include <openssl/mem.h>
62 
63 #include "../../internal.h"
64 #include "../digest/md32_common.h"
65 #include "internal.h"
66 
67 
MD5(const uint8_t * data,size_t len,uint8_t out[MD5_DIGEST_LENGTH])68 uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]) {
69   MD5_CTX ctx;
70   MD5_Init(&ctx);
71   MD5_Update(&ctx, data, len);
72   MD5_Final(out, &ctx);
73 
74   return out;
75 }
76 
MD5_Init(MD5_CTX * md5)77 int MD5_Init(MD5_CTX *md5) {
78   OPENSSL_memset(md5, 0, sizeof(MD5_CTX));
79   md5->h[0] = 0x67452301UL;
80   md5->h[1] = 0xefcdab89UL;
81   md5->h[2] = 0x98badcfeUL;
82   md5->h[3] = 0x10325476UL;
83   return 1;
84 }
85 
86 #if defined(MD5_ASM)
87 #define md5_block_data_order md5_block_asm_data_order
88 #else
89 static void md5_block_data_order(uint32_t *state, const uint8_t *data,
90                                  size_t num);
91 #endif
92 
MD5_Transform(MD5_CTX * c,const uint8_t data[MD5_CBLOCK])93 void MD5_Transform(MD5_CTX *c, const uint8_t data[MD5_CBLOCK]) {
94   md5_block_data_order(c->h, data, 1);
95 }
96 
MD5_Update(MD5_CTX * c,const void * data,size_t len)97 int MD5_Update(MD5_CTX *c, const void *data, size_t len) {
98   crypto_md32_update(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,
99                      &c->Nh, &c->Nl, data, len);
100   return 1;
101 }
102 
MD5_Final(uint8_t out[MD5_DIGEST_LENGTH],MD5_CTX * c)103 int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) {
104   crypto_md32_final(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,
105                     c->Nh, c->Nl, /*is_big_endian=*/0);
106 
107   CRYPTO_store_u32_le(out, c->h[0]);
108   CRYPTO_store_u32_le(out + 4, c->h[1]);
109   CRYPTO_store_u32_le(out + 8, c->h[2]);
110   CRYPTO_store_u32_le(out + 12, c->h[3]);
111   return 1;
112 }
113 
114 // As pointed out by Wei Dai <[email protected]>, the above can be
115 // simplified to the code below.  Wei attributes these optimizations
116 // to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
117 #define F(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
118 #define G(b, c, d) ((((b) ^ (c)) & (d)) ^ (c))
119 #define H(b, c, d) ((b) ^ (c) ^ (d))
120 #define I(b, c, d) (((~(d)) | (b)) ^ (c))
121 
122 #define R0(a, b, c, d, k, s, t)            \
123   do {                                     \
124     (a) += ((k) + (t) + F((b), (c), (d))); \
125     (a) = CRYPTO_rotl_u32(a, s);           \
126     (a) += (b);                            \
127   } while (0)
128 
129 #define R1(a, b, c, d, k, s, t)            \
130   do {                                     \
131     (a) += ((k) + (t) + G((b), (c), (d))); \
132     (a) = CRYPTO_rotl_u32(a, s);           \
133     (a) += (b);                            \
134   } while (0)
135 
136 #define R2(a, b, c, d, k, s, t)            \
137   do {                                     \
138     (a) += ((k) + (t) + H((b), (c), (d))); \
139     (a) = CRYPTO_rotl_u32(a, s);           \
140     (a) += (b);                            \
141   } while (0)
142 
143 #define R3(a, b, c, d, k, s, t)            \
144   do {                                     \
145     (a) += ((k) + (t) + I((b), (c), (d))); \
146     (a) = CRYPTO_rotl_u32(a, s);           \
147     (a) += (b);                            \
148   } while (0)
149 
150 #ifndef MD5_ASM
151 #ifdef X
152 #undef X
153 #endif
md5_block_data_order(uint32_t * state,const uint8_t * data,size_t num)154 static void md5_block_data_order(uint32_t *state, const uint8_t *data,
155                                  size_t num) {
156   uint32_t A, B, C, D;
157   uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,
158       XX13, XX14, XX15;
159 #define X(i) XX##i
160 
161   A = state[0];
162   B = state[1];
163   C = state[2];
164   D = state[3];
165 
166   for (; num--;) {
167     X(0) = CRYPTO_load_u32_le(data);
168     data += 4;
169     X(1) = CRYPTO_load_u32_le(data);
170     data += 4;
171     // Round 0
172     R0(A, B, C, D, X(0), 7, 0xd76aa478L);
173     X(2) = CRYPTO_load_u32_le(data);
174     data += 4;
175     R0(D, A, B, C, X(1), 12, 0xe8c7b756L);
176     X(3) = CRYPTO_load_u32_le(data);
177     data += 4;
178     R0(C, D, A, B, X(2), 17, 0x242070dbL);
179     X(4) = CRYPTO_load_u32_le(data);
180     data += 4;
181     R0(B, C, D, A, X(3), 22, 0xc1bdceeeL);
182     X(5) = CRYPTO_load_u32_le(data);
183     data += 4;
184     R0(A, B, C, D, X(4), 7, 0xf57c0fafL);
185     X(6) = CRYPTO_load_u32_le(data);
186     data += 4;
187     R0(D, A, B, C, X(5), 12, 0x4787c62aL);
188     X(7) = CRYPTO_load_u32_le(data);
189     data += 4;
190     R0(C, D, A, B, X(6), 17, 0xa8304613L);
191     X(8) = CRYPTO_load_u32_le(data);
192     data += 4;
193     R0(B, C, D, A, X(7), 22, 0xfd469501L);
194     X(9) = CRYPTO_load_u32_le(data);
195     data += 4;
196     R0(A, B, C, D, X(8), 7, 0x698098d8L);
197     X(10) = CRYPTO_load_u32_le(data);
198     data += 4;
199     R0(D, A, B, C, X(9), 12, 0x8b44f7afL);
200     X(11) = CRYPTO_load_u32_le(data);
201     data += 4;
202     R0(C, D, A, B, X(10), 17, 0xffff5bb1L);
203     X(12) = CRYPTO_load_u32_le(data);
204     data += 4;
205     R0(B, C, D, A, X(11), 22, 0x895cd7beL);
206     X(13) = CRYPTO_load_u32_le(data);
207     data += 4;
208     R0(A, B, C, D, X(12), 7, 0x6b901122L);
209     X(14) = CRYPTO_load_u32_le(data);
210     data += 4;
211     R0(D, A, B, C, X(13), 12, 0xfd987193L);
212     X(15) = CRYPTO_load_u32_le(data);
213     data += 4;
214     R0(C, D, A, B, X(14), 17, 0xa679438eL);
215     R0(B, C, D, A, X(15), 22, 0x49b40821L);
216     // Round 1
217     R1(A, B, C, D, X(1), 5, 0xf61e2562L);
218     R1(D, A, B, C, X(6), 9, 0xc040b340L);
219     R1(C, D, A, B, X(11), 14, 0x265e5a51L);
220     R1(B, C, D, A, X(0), 20, 0xe9b6c7aaL);
221     R1(A, B, C, D, X(5), 5, 0xd62f105dL);
222     R1(D, A, B, C, X(10), 9, 0x02441453L);
223     R1(C, D, A, B, X(15), 14, 0xd8a1e681L);
224     R1(B, C, D, A, X(4), 20, 0xe7d3fbc8L);
225     R1(A, B, C, D, X(9), 5, 0x21e1cde6L);
226     R1(D, A, B, C, X(14), 9, 0xc33707d6L);
227     R1(C, D, A, B, X(3), 14, 0xf4d50d87L);
228     R1(B, C, D, A, X(8), 20, 0x455a14edL);
229     R1(A, B, C, D, X(13), 5, 0xa9e3e905L);
230     R1(D, A, B, C, X(2), 9, 0xfcefa3f8L);
231     R1(C, D, A, B, X(7), 14, 0x676f02d9L);
232     R1(B, C, D, A, X(12), 20, 0x8d2a4c8aL);
233     // Round 2
234     R2(A, B, C, D, X(5), 4, 0xfffa3942L);
235     R2(D, A, B, C, X(8), 11, 0x8771f681L);
236     R2(C, D, A, B, X(11), 16, 0x6d9d6122L);
237     R2(B, C, D, A, X(14), 23, 0xfde5380cL);
238     R2(A, B, C, D, X(1), 4, 0xa4beea44L);
239     R2(D, A, B, C, X(4), 11, 0x4bdecfa9L);
240     R2(C, D, A, B, X(7), 16, 0xf6bb4b60L);
241     R2(B, C, D, A, X(10), 23, 0xbebfbc70L);
242     R2(A, B, C, D, X(13), 4, 0x289b7ec6L);
243     R2(D, A, B, C, X(0), 11, 0xeaa127faL);
244     R2(C, D, A, B, X(3), 16, 0xd4ef3085L);
245     R2(B, C, D, A, X(6), 23, 0x04881d05L);
246     R2(A, B, C, D, X(9), 4, 0xd9d4d039L);
247     R2(D, A, B, C, X(12), 11, 0xe6db99e5L);
248     R2(C, D, A, B, X(15), 16, 0x1fa27cf8L);
249     R2(B, C, D, A, X(2), 23, 0xc4ac5665L);
250     // Round 3
251     R3(A, B, C, D, X(0), 6, 0xf4292244L);
252     R3(D, A, B, C, X(7), 10, 0x432aff97L);
253     R3(C, D, A, B, X(14), 15, 0xab9423a7L);
254     R3(B, C, D, A, X(5), 21, 0xfc93a039L);
255     R3(A, B, C, D, X(12), 6, 0x655b59c3L);
256     R3(D, A, B, C, X(3), 10, 0x8f0ccc92L);
257     R3(C, D, A, B, X(10), 15, 0xffeff47dL);
258     R3(B, C, D, A, X(1), 21, 0x85845dd1L);
259     R3(A, B, C, D, X(8), 6, 0x6fa87e4fL);
260     R3(D, A, B, C, X(15), 10, 0xfe2ce6e0L);
261     R3(C, D, A, B, X(6), 15, 0xa3014314L);
262     R3(B, C, D, A, X(13), 21, 0x4e0811a1L);
263     R3(A, B, C, D, X(4), 6, 0xf7537e82L);
264     R3(D, A, B, C, X(11), 10, 0xbd3af235L);
265     R3(C, D, A, B, X(2), 15, 0x2ad7d2bbL);
266     R3(B, C, D, A, X(9), 21, 0xeb86d391L);
267 
268     A = state[0] += A;
269     B = state[1] += B;
270     C = state[2] += C;
271     D = state[3] += D;
272   }
273 }
274 #undef X
275 #endif
276 
277 #undef F
278 #undef G
279 #undef H
280 #undef I
281 #undef R0
282 #undef R1
283 #undef R2
284 #undef R3
285