xref: /linux/lib/crypto/md5.c (revision 056a5087d87ead77dedbe9cf5bde53b7cd4b4651) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * MD5 and HMAC-MD5 library functions
4  *
5  * md5_block() is derived from cryptoapi implementation, originally based on the
6  * public domain implementation written by Colin Plumb in 1993.
7  *
8  * Copyright (c) Cryptoapi developers.
9  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
10  * Copyright 2025 Google LLC
11  */
12 
13 #include <crypto/hmac.h>
14 #include <crypto/md5.h>
15 #include <linux/export.h>
16 #include <linux/kernel.h>
17 #include <linux/module.h>
18 #include <linux/string.h>
19 #include <linux/unaligned.h>
20 #include <linux/wordpart.h>
21 
22 static const struct md5_block_state md5_iv = {
23 	.h = { MD5_H0, MD5_H1, MD5_H2, MD5_H3 },
24 };
25 
26 #define F1(x, y, z) (z ^ (x & (y ^ z)))
27 #define F2(x, y, z) F1(z, x, y)
28 #define F3(x, y, z) (x ^ y ^ z)
29 #define F4(x, y, z) (y ^ (x | ~z))
30 
31 #define MD5STEP(f, w, x, y, z, in, s) \
32 	(w += f(x, y, z) + in, w = rol32(w, s) + x)
33 
34 static void md5_block(struct md5_block_state *state,
35 		      const u8 data[MD5_BLOCK_SIZE])
36 {
37 	u32 in[MD5_BLOCK_WORDS];
38 	u32 a, b, c, d;
39 
40 	memcpy(in, data, MD5_BLOCK_SIZE);
41 	le32_to_cpu_array(in, ARRAY_SIZE(in));
42 
43 	a = state->h[0];
44 	b = state->h[1];
45 	c = state->h[2];
46 	d = state->h[3];
47 
48 	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
49 	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
50 	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
51 	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
52 	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
53 	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
54 	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
55 	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
56 	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
57 	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
58 	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
59 	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
60 	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
61 	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
62 	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
63 	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
64 
65 	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
66 	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
67 	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
68 	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
69 	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
70 	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
71 	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
72 	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
73 	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
74 	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
75 	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
76 	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
77 	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
78 	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
79 	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
80 	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
81 
82 	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
83 	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
84 	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
85 	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
86 	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
87 	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
88 	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
89 	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
90 	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
91 	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
92 	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
93 	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
94 	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
95 	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
96 	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
97 	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
98 
99 	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
100 	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
101 	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
102 	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
103 	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
104 	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
105 	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
106 	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
107 	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
108 	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
109 	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
110 	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
111 	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
112 	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
113 	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
114 	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
115 
116 	state->h[0] += a;
117 	state->h[1] += b;
118 	state->h[2] += c;
119 	state->h[3] += d;
120 }
121 
122 static void md5_blocks(struct md5_block_state *state,
123 		       const u8 *data, size_t nblocks)
124 {
125 	do {
126 		md5_block(state, data);
127 		data += MD5_BLOCK_SIZE;
128 	} while (--nblocks);
129 }
130 
131 void md5_init(struct md5_ctx *ctx)
132 {
133 	ctx->state = md5_iv;
134 	ctx->bytecount = 0;
135 }
136 EXPORT_SYMBOL_GPL(md5_init);
137 
138 void md5_update(struct md5_ctx *ctx, const u8 *data, size_t len)
139 {
140 	size_t partial = ctx->bytecount % MD5_BLOCK_SIZE;
141 
142 	ctx->bytecount += len;
143 
144 	if (partial + len >= MD5_BLOCK_SIZE) {
145 		size_t nblocks;
146 
147 		if (partial) {
148 			size_t l = MD5_BLOCK_SIZE - partial;
149 
150 			memcpy(&ctx->buf[partial], data, l);
151 			data += l;
152 			len -= l;
153 
154 			md5_blocks(&ctx->state, ctx->buf, 1);
155 		}
156 
157 		nblocks = len / MD5_BLOCK_SIZE;
158 		len %= MD5_BLOCK_SIZE;
159 
160 		if (nblocks) {
161 			md5_blocks(&ctx->state, data, nblocks);
162 			data += nblocks * MD5_BLOCK_SIZE;
163 		}
164 		partial = 0;
165 	}
166 	if (len)
167 		memcpy(&ctx->buf[partial], data, len);
168 }
169 EXPORT_SYMBOL_GPL(md5_update);
170 
171 static void __md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
172 {
173 	u64 bitcount = ctx->bytecount << 3;
174 	size_t partial = ctx->bytecount % MD5_BLOCK_SIZE;
175 
176 	ctx->buf[partial++] = 0x80;
177 	if (partial > MD5_BLOCK_SIZE - 8) {
178 		memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - partial);
179 		md5_blocks(&ctx->state, ctx->buf, 1);
180 		partial = 0;
181 	}
182 	memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - 8 - partial);
183 	*(__le64 *)&ctx->buf[MD5_BLOCK_SIZE - 8] = cpu_to_le64(bitcount);
184 	md5_blocks(&ctx->state, ctx->buf, 1);
185 
186 	cpu_to_le32_array(ctx->state.h, ARRAY_SIZE(ctx->state.h));
187 	memcpy(out, ctx->state.h, MD5_DIGEST_SIZE);
188 }
189 
190 void md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
191 {
192 	__md5_final(ctx, out);
193 	memzero_explicit(ctx, sizeof(*ctx));
194 }
195 EXPORT_SYMBOL_GPL(md5_final);
196 
197 void md5(const u8 *data, size_t len, u8 out[MD5_DIGEST_SIZE])
198 {
199 	struct md5_ctx ctx;
200 
201 	md5_init(&ctx);
202 	md5_update(&ctx, data, len);
203 	md5_final(&ctx, out);
204 }
205 EXPORT_SYMBOL_GPL(md5);
206 
207 static void __hmac_md5_preparekey(struct md5_block_state *istate,
208 				  struct md5_block_state *ostate,
209 				  const u8 *raw_key, size_t raw_key_len)
210 {
211 	union {
212 		u8 b[MD5_BLOCK_SIZE];
213 		unsigned long w[MD5_BLOCK_SIZE / sizeof(unsigned long)];
214 	} derived_key = { 0 };
215 
216 	if (unlikely(raw_key_len > MD5_BLOCK_SIZE))
217 		md5(raw_key, raw_key_len, derived_key.b);
218 	else
219 		memcpy(derived_key.b, raw_key, raw_key_len);
220 
221 	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
222 		derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
223 	*istate = md5_iv;
224 	md5_blocks(istate, derived_key.b, 1);
225 
226 	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
227 		derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
228 						HMAC_IPAD_VALUE);
229 	*ostate = md5_iv;
230 	md5_blocks(ostate, derived_key.b, 1);
231 
232 	memzero_explicit(&derived_key, sizeof(derived_key));
233 }
234 
235 void hmac_md5_preparekey(struct hmac_md5_key *key,
236 			 const u8 *raw_key, size_t raw_key_len)
237 {
238 	__hmac_md5_preparekey(&key->istate, &key->ostate, raw_key, raw_key_len);
239 }
240 EXPORT_SYMBOL_GPL(hmac_md5_preparekey);
241 
242 void hmac_md5_init(struct hmac_md5_ctx *ctx, const struct hmac_md5_key *key)
243 {
244 	ctx->hash_ctx.state = key->istate;
245 	ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE;
246 	ctx->ostate = key->ostate;
247 }
248 EXPORT_SYMBOL_GPL(hmac_md5_init);
249 
250 void hmac_md5_init_usingrawkey(struct hmac_md5_ctx *ctx,
251 			       const u8 *raw_key, size_t raw_key_len)
252 {
253 	__hmac_md5_preparekey(&ctx->hash_ctx.state, &ctx->ostate,
254 			      raw_key, raw_key_len);
255 	ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE;
256 }
257 EXPORT_SYMBOL_GPL(hmac_md5_init_usingrawkey);
258 
259 void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
260 {
261 	/* Generate the padded input for the outer hash in ctx->hash_ctx.buf. */
262 	__md5_final(&ctx->hash_ctx, ctx->hash_ctx.buf);
263 	memset(&ctx->hash_ctx.buf[MD5_DIGEST_SIZE], 0,
264 	       MD5_BLOCK_SIZE - MD5_DIGEST_SIZE);
265 	ctx->hash_ctx.buf[MD5_DIGEST_SIZE] = 0x80;
266 	*(__le64 *)&ctx->hash_ctx.buf[MD5_BLOCK_SIZE - 8] =
267 		cpu_to_le64(8 * (MD5_BLOCK_SIZE + MD5_DIGEST_SIZE));
268 
269 	/* Compute the outer hash, which gives the HMAC value. */
270 	md5_blocks(&ctx->ostate, ctx->hash_ctx.buf, 1);
271 	cpu_to_le32_array(ctx->ostate.h, ARRAY_SIZE(ctx->ostate.h));
272 	memcpy(out, ctx->ostate.h, MD5_DIGEST_SIZE);
273 
274 	memzero_explicit(ctx, sizeof(*ctx));
275 }
276 EXPORT_SYMBOL_GPL(hmac_md5_final);
277 
278 void hmac_md5(const struct hmac_md5_key *key,
279 	      const u8 *data, size_t data_len, u8 out[MD5_DIGEST_SIZE])
280 {
281 	struct hmac_md5_ctx ctx;
282 
283 	hmac_md5_init(&ctx, key);
284 	hmac_md5_update(&ctx, data, data_len);
285 	hmac_md5_final(&ctx, out);
286 }
287 EXPORT_SYMBOL_GPL(hmac_md5);
288 
289 void hmac_md5_usingrawkey(const u8 *raw_key, size_t raw_key_len,
290 			  const u8 *data, size_t data_len,
291 			  u8 out[MD5_DIGEST_SIZE])
292 {
293 	struct hmac_md5_ctx ctx;
294 
295 	hmac_md5_init_usingrawkey(&ctx, raw_key, raw_key_len);
296 	hmac_md5_update(&ctx, data, data_len);
297 	hmac_md5_final(&ctx, out);
298 }
299 EXPORT_SYMBOL_GPL(hmac_md5_usingrawkey);
300 
301 #ifdef md5_mod_init_arch
302 static int __init md5_mod_init(void)
303 {
304 	md5_mod_init_arch();
305 	return 0;
306 }
307 subsys_initcall(md5_mod_init);
308 
309 static void __exit md5_mod_exit(void)
310 {
311 }
312 module_exit(md5_mod_exit);
313 #endif
314 
315 MODULE_DESCRIPTION("MD5 and HMAC-MD5 library functions");
316 MODULE_LICENSE("GPL");
317