1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * MD5 and HMAC-MD5 library functions
4 *
5 * md5_block_generic() is derived from cryptoapi implementation, originally
6 * based on the public domain implementation written by Colin Plumb in 1993.
7 *
8 * Copyright (c) Cryptoapi developers.
9 * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
10 * Copyright 2025 Google LLC
11 */
12
13#include <crypto/hmac.h>
14#include <crypto/md5.h>
15#include <linux/export.h>
16#include <linux/kernel.h>
17#include <linux/module.h>
18#include <linux/string.h>
19#include <linux/unaligned.h>
20#include <linux/wordpart.h>
21
22static const struct md5_block_state md5_iv = {
23 .h = { MD5_H0, MD5_H1, MD5_H2, MD5_H3 },
24};
25
26#define F1(x, y, z) (z ^ (x & (y ^ z)))
27#define F2(x, y, z) F1(z, x, y)
28#define F3(x, y, z) (x ^ y ^ z)
29#define F4(x, y, z) (y ^ (x | ~z))
30
31#define MD5STEP(f, w, x, y, z, in, s) \
32 (w += f(x, y, z) + in, w = (w << s | w >> (32 - s)) + x)
33
34static void md5_block_generic(struct md5_block_state *state,
35 const u8 data[MD5_BLOCK_SIZE])
36{
37 u32 in[MD5_BLOCK_WORDS];
38 u32 a, b, c, d;
39
40 memcpy(in, data, MD5_BLOCK_SIZE);
41 le32_to_cpu_array(buf: in, ARRAY_SIZE(in));
42
43 a = state->h[0];
44 b = state->h[1];
45 c = state->h[2];
46 d = state->h[3];
47
48 MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
49 MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
50 MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
51 MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
52 MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
53 MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
54 MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
55 MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
56 MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
57 MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
58 MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
59 MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
60 MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
61 MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
62 MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
63 MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
64
65 MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
66 MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
67 MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
68 MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
69 MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
70 MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
71 MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
72 MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
73 MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
74 MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
75 MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
76 MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
77 MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
78 MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
79 MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
80 MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
81
82 MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
83 MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
84 MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
85 MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
86 MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
87 MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
88 MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
89 MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
90 MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
91 MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
92 MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
93 MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
94 MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
95 MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
96 MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
97 MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
98
99 MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
100 MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
101 MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
102 MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
103 MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
104 MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
105 MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
106 MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
107 MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
108 MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
109 MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
110 MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
111 MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
112 MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
113 MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
114 MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
115
116 state->h[0] += a;
117 state->h[1] += b;
118 state->h[2] += c;
119 state->h[3] += d;
120}
121
122static void __maybe_unused md5_blocks_generic(struct md5_block_state *state,
123 const u8 *data, size_t nblocks)
124{
125 do {
126 md5_block_generic(state, data);
127 data += MD5_BLOCK_SIZE;
128 } while (--nblocks);
129}
130
131#ifdef CONFIG_CRYPTO_LIB_MD5_ARCH
132#include "md5.h" /* $(SRCARCH)/md5.h */
133#else
134#define md5_blocks md5_blocks_generic
135#endif
136
137void md5_init(struct md5_ctx *ctx)
138{
139 ctx->state = md5_iv;
140 ctx->bytecount = 0;
141}
142EXPORT_SYMBOL_GPL(md5_init);
143
144void md5_update(struct md5_ctx *ctx, const u8 *data, size_t len)
145{
146 size_t partial = ctx->bytecount % MD5_BLOCK_SIZE;
147
148 ctx->bytecount += len;
149
150 if (partial + len >= MD5_BLOCK_SIZE) {
151 size_t nblocks;
152
153 if (partial) {
154 size_t l = MD5_BLOCK_SIZE - partial;
155
156 memcpy(&ctx->buf[partial], data, l);
157 data += l;
158 len -= l;
159
160 md5_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
161 }
162
163 nblocks = len / MD5_BLOCK_SIZE;
164 len %= MD5_BLOCK_SIZE;
165
166 if (nblocks) {
167 md5_blocks(state: &ctx->state, data, nblocks);
168 data += nblocks * MD5_BLOCK_SIZE;
169 }
170 partial = 0;
171 }
172 if (len)
173 memcpy(&ctx->buf[partial], data, len);
174}
175EXPORT_SYMBOL_GPL(md5_update);
176
177static void __md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
178{
179 u64 bitcount = ctx->bytecount << 3;
180 size_t partial = ctx->bytecount % MD5_BLOCK_SIZE;
181
182 ctx->buf[partial++] = 0x80;
183 if (partial > MD5_BLOCK_SIZE - 8) {
184 memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - partial);
185 md5_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
186 partial = 0;
187 }
188 memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - 8 - partial);
189 *(__le64 *)&ctx->buf[MD5_BLOCK_SIZE - 8] = cpu_to_le64(bitcount);
190 md5_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
191
192 cpu_to_le32_array(buf: ctx->state.h, ARRAY_SIZE(ctx->state.h));
193 memcpy(out, ctx->state.h, MD5_DIGEST_SIZE);
194}
195
196void md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
197{
198 __md5_final(ctx, out);
199 memzero_explicit(s: ctx, count: sizeof(*ctx));
200}
201EXPORT_SYMBOL_GPL(md5_final);
202
203void md5(const u8 *data, size_t len, u8 out[MD5_DIGEST_SIZE])
204{
205 struct md5_ctx ctx;
206
207 md5_init(&ctx);
208 md5_update(&ctx, data, len);
209 md5_final(&ctx, out);
210}
211EXPORT_SYMBOL_GPL(md5);
212
213static void __hmac_md5_preparekey(struct md5_block_state *istate,
214 struct md5_block_state *ostate,
215 const u8 *raw_key, size_t raw_key_len)
216{
217 union {
218 u8 b[MD5_BLOCK_SIZE];
219 unsigned long w[MD5_BLOCK_SIZE / sizeof(unsigned long)];
220 } derived_key = { 0 };
221
222 if (unlikely(raw_key_len > MD5_BLOCK_SIZE))
223 md5(raw_key, raw_key_len, derived_key.b);
224 else
225 memcpy(derived_key.b, raw_key, raw_key_len);
226
227 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
228 derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
229 *istate = md5_iv;
230 md5_blocks(state: istate, data: derived_key.b, nblocks: 1);
231
232 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
233 derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
234 HMAC_IPAD_VALUE);
235 *ostate = md5_iv;
236 md5_blocks(state: ostate, data: derived_key.b, nblocks: 1);
237
238 memzero_explicit(s: &derived_key, count: sizeof(derived_key));
239}
240
241void hmac_md5_preparekey(struct hmac_md5_key *key,
242 const u8 *raw_key, size_t raw_key_len)
243{
244 __hmac_md5_preparekey(istate: &key->istate, ostate: &key->ostate, raw_key, raw_key_len);
245}
246EXPORT_SYMBOL_GPL(hmac_md5_preparekey);
247
248void hmac_md5_init(struct hmac_md5_ctx *ctx, const struct hmac_md5_key *key)
249{
250 ctx->hash_ctx.state = key->istate;
251 ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE;
252 ctx->ostate = key->ostate;
253}
254EXPORT_SYMBOL_GPL(hmac_md5_init);
255
256void hmac_md5_init_usingrawkey(struct hmac_md5_ctx *ctx,
257 const u8 *raw_key, size_t raw_key_len)
258{
259 __hmac_md5_preparekey(istate: &ctx->hash_ctx.state, ostate: &ctx->ostate,
260 raw_key, raw_key_len);
261 ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE;
262}
263EXPORT_SYMBOL_GPL(hmac_md5_init_usingrawkey);
264
265void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE])
266{
267 /* Generate the padded input for the outer hash in ctx->hash_ctx.buf. */
268 __md5_final(ctx: &ctx->hash_ctx, out: ctx->hash_ctx.buf);
269 memset(&ctx->hash_ctx.buf[MD5_DIGEST_SIZE], 0,
270 MD5_BLOCK_SIZE - MD5_DIGEST_SIZE);
271 ctx->hash_ctx.buf[MD5_DIGEST_SIZE] = 0x80;
272 *(__le64 *)&ctx->hash_ctx.buf[MD5_BLOCK_SIZE - 8] =
273 cpu_to_le64(8 * (MD5_BLOCK_SIZE + MD5_DIGEST_SIZE));
274
275 /* Compute the outer hash, which gives the HMAC value. */
276 md5_blocks(state: &ctx->ostate, data: ctx->hash_ctx.buf, nblocks: 1);
277 cpu_to_le32_array(buf: ctx->ostate.h, ARRAY_SIZE(ctx->ostate.h));
278 memcpy(out, ctx->ostate.h, MD5_DIGEST_SIZE);
279
280 memzero_explicit(s: ctx, count: sizeof(*ctx));
281}
282EXPORT_SYMBOL_GPL(hmac_md5_final);
283
284void hmac_md5(const struct hmac_md5_key *key,
285 const u8 *data, size_t data_len, u8 out[MD5_DIGEST_SIZE])
286{
287 struct hmac_md5_ctx ctx;
288
289 hmac_md5_init(&ctx, key);
290 hmac_md5_update(ctx: &ctx, data, data_len);
291 hmac_md5_final(&ctx, out);
292}
293EXPORT_SYMBOL_GPL(hmac_md5);
294
295void hmac_md5_usingrawkey(const u8 *raw_key, size_t raw_key_len,
296 const u8 *data, size_t data_len,
297 u8 out[MD5_DIGEST_SIZE])
298{
299 struct hmac_md5_ctx ctx;
300
301 hmac_md5_init_usingrawkey(&ctx, raw_key, raw_key_len);
302 hmac_md5_update(ctx: &ctx, data, data_len);
303 hmac_md5_final(&ctx, out);
304}
305EXPORT_SYMBOL_GPL(hmac_md5_usingrawkey);
306
307#ifdef md5_mod_init_arch
308static int __init md5_mod_init(void)
309{
310 md5_mod_init_arch();
311 return 0;
312}
313subsys_initcall(md5_mod_init);
314
315static void __exit md5_mod_exit(void)
316{
317}
318module_exit(md5_mod_exit);
319#endif
320
321MODULE_DESCRIPTION("MD5 and HMAC-MD5 library functions");
322MODULE_LICENSE("GPL");
323

source code of linux/lib/crypto/md5.c