/* |
|
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. |
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
* |
|
* This code is free software; you can redistribute it and/or modify it |
|
* under the terms of the GNU General Public License version 2 only, as |
|
* published by the Free Software Foundation. Oracle designates this |
|
* particular file as subject to the "Classpath" exception as provided |
|
* by Oracle in the LICENSE file that accompanied this code. |
|
* |
|
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
* version 2 for more details (a copy is included in the LICENSE file that |
|
* accompanied this code). |
|
* |
|
* You should have received a copy of the GNU General Public License version |
|
* 2 along with this work; if not, write to the Free Software Foundation, |
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
* |
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
* or visit www.oracle.com if you need additional information or have any |
|
* questions. |
|
*/ |
|
package sun.security.provider; |
|
import static sun.security.provider.ByteArrayAccess.*; |
|
import java.nio.*; |
|
import java.util.*; |
|
import java.security.*; |
|
/** |
|
* This class implements the Secure Hash Algorithm SHA-3 developed by |
|
* the National Institute of Standards and Technology along with the |
|
* National Security Agency as defined in FIPS PUB 202. |
|
* |
|
* <p>It implements java.security.MessageDigestSpi, and can be used |
|
* through Java Cryptography Architecture (JCA), as a pluggable |
|
* MessageDigest implementation. |
|
* |
|
* @since 9 |
|
* @author Valerie Peng |
|
*/ |
|
abstract class SHA3 extends DigestBase { |
|
private static final int WIDTH = 200; // in bytes, e.g. 1600 bits |
|
private static final int DM = 5; // dimension of lanes |
|
private static final int NR = 24; // number of rounds |
|
// precomputed round constants needed by the step mapping Iota |
|
private static final long[] RC_CONSTANTS = { |
|
0x01L, 0x8082L, 0x800000000000808aL, |
|
0x8000000080008000L, 0x808bL, 0x80000001L, |
|
0x8000000080008081L, 0x8000000000008009L, 0x8aL, |
|
0x88L, 0x80008009L, 0x8000000aL, |
|
0x8000808bL, 0x800000000000008bL, 0x8000000000008089L, |
|
0x8000000000008003L, 0x8000000000008002L, 0x8000000000000080L, |
|
0x800aL, 0x800000008000000aL, 0x8000000080008081L, |
|
0x8000000000008080L, 0x80000001L, 0x8000000080008008L, |
|
}; |
|
private byte[] state = new byte[WIDTH]; |
|
private final long[] lanes = new long[DM*DM]; |
|
/** |
|
* Creates a new SHA-3 object. |
|
*/ |
|
SHA3(String name, int digestLength) { |
|
super(name, digestLength, (WIDTH - (2 * digestLength))); |
|
} |
|
/** |
|
* Core compression function. Processes blockSize bytes at a time |
|
* and updates the state of this object. |
|
*/ |
|
void implCompress(byte[] b, int ofs) { |
|
for (int i = 0; i < buffer.length; i++) { |
|
state[i] ^= b[ofs++]; |
|
} |
|
keccak(); |
|
} |
|
/** |
|
* Return the digest. Subclasses do not need to reset() themselves, |
|
* DigestBase calls implReset() when necessary. |
|
*/ |
|
void implDigest(byte[] out, int ofs) { |
|
int numOfPadding = |
|
setPaddingBytes(buffer, (int)(bytesProcessed % buffer.length)); |
|
if (numOfPadding < 1) { |
|
throw new ProviderException("Incorrect pad size: " + numOfPadding); |
|
} |
|
for (int i = 0; i < buffer.length; i++) { |
|
state[i] ^= buffer[i]; |
|
} |
|
keccak(); |
|
System.arraycopy(state, 0, out, ofs, engineGetDigestLength()); |
|
} |
|
/** |
|
* Resets the internal state to start a new hash. |
|
*/ |
|
void implReset() { |
|
Arrays.fill(state, (byte)0); |
|
Arrays.fill(lanes, 0L); |
|
} |
|
/** |
|
* Utility function for padding the specified data based on the |
|
* pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required |
|
* for SHA-3 hash (section 6.1). |
|
*/ |
|
private static int setPaddingBytes(byte[] in, int len) { |
|
if (len != in.length) { |
|
// erase leftover values |
|
Arrays.fill(in, len, in.length, (byte)0); |
|
// directly store the padding bytes into the input |
|
// as the specified buffer is allocated w/ size = rateR |
|
in[len] |= (byte) 0x06; |
|
in[in.length - 1] |= (byte) 0x80; |
|
} |
|
return (in.length - len); |
|
} |
|
/** |
|
* Utility function for transforming the specified byte array 's' |
|
* into array of lanes 'm' as defined in section 3.1.2. |
|
*/ |
|
private static void bytes2Lanes(byte[] s, long[] m) { |
|
int sOfs = 0; |
|
// Conversion traverses along x-axis before y-axis |
|
for (int y = 0; y < DM; y++, sOfs += 40) { |
|
b2lLittle(s, sOfs, m, DM*y, 40); |
|
} |
|
} |
|
/** |
|
* Utility function for transforming the specified array of |
|
* lanes 'm' into a byte array 's' as defined in section 3.1.3. |
|
*/ |
|
private static void lanes2Bytes(long[] m, byte[] s) { |
|
int sOfs = 0; |
|
// Conversion traverses along x-axis before y-axis |
|
for (int y = 0; y < DM; y++, sOfs += 40) { |
|
l2bLittle(m, DM*y, s, sOfs, 40); |
|
} |
|
} |
|
/** |
|
* Step mapping Theta as defined in section 3.2.1 . |
|
*/ |
|
private static long[] smTheta(long[] a) { |
|
long c0 = a[0]^a[5]^a[10]^a[15]^a[20]; |
|
long c1 = a[1]^a[6]^a[11]^a[16]^a[21]; |
|
long c2 = a[2]^a[7]^a[12]^a[17]^a[22]; |
|
long c3 = a[3]^a[8]^a[13]^a[18]^a[23]; |
|
long c4 = a[4]^a[9]^a[14]^a[19]^a[24]; |
|
long d0 = c4 ^ Long.rotateLeft(c1, 1); |
|
long d1 = c0 ^ Long.rotateLeft(c2, 1); |
|
long d2 = c1 ^ Long.rotateLeft(c3, 1); |
|
long d3 = c2 ^ Long.rotateLeft(c4, 1); |
|
long d4 = c3 ^ Long.rotateLeft(c0, 1); |
|
for (int y = 0; y < a.length; y += DM) { |
|
a[y] ^= d0; |
|
a[y+1] ^= d1; |
|
a[y+2] ^= d2; |
|
a[y+3] ^= d3; |
|
a[y+4] ^= d4; |
|
} |
|
return a; |
|
} |
|
/** |
|
* Merged Step mapping Rho (section 3.2.2) and Pi (section 3.2.3). |
|
* for performance. Optimization is achieved by precalculating |
|
* shift constants for the following loop |
|
* int xNext, yNext; |
|
* for (int t = 0, x = 1, y = 0; t <= 23; t++, x = xNext, y = yNext) { |
|
* int numberOfShift = ((t + 1)*(t + 2)/2) % 64; |
|
* a[y][x] = Long.rotateLeft(a[y][x], numberOfShift); |
|
* xNext = y; |
|
* yNext = (2 * x + 3 * y) % DM; |
|
* } |
|
* and with inplace permutation. |
|
*/ |
|
private static long[] smPiRho(long[] a) { |
|
long tmp = Long.rotateLeft(a[10], 3); |
|
a[10] = Long.rotateLeft(a[1], 1); |
|
a[1] = Long.rotateLeft(a[6], 44); |
|
a[6] = Long.rotateLeft(a[9], 20); |
|
a[9] = Long.rotateLeft(a[22], 61); |
|
a[22] = Long.rotateLeft(a[14], 39); |
|
a[14] = Long.rotateLeft(a[20], 18); |
|
a[20] = Long.rotateLeft(a[2], 62); |
|
a[2] = Long.rotateLeft(a[12], 43); |
|
a[12] = Long.rotateLeft(a[13], 25); |
|
a[13] = Long.rotateLeft(a[19], 8); |
|
a[19] = Long.rotateLeft(a[23], 56); |
|
a[23] = Long.rotateLeft(a[15], 41); |
|
a[15] = Long.rotateLeft(a[4], 27); |
|
a[4] = Long.rotateLeft(a[24], 14); |
|
a[24] = Long.rotateLeft(a[21], 2); |
|
a[21] = Long.rotateLeft(a[8], 55); |
|
a[8] = Long.rotateLeft(a[16], 45); |
|
a[16] = Long.rotateLeft(a[5], 36); |
|
a[5] = Long.rotateLeft(a[3], 28); |
|
a[3] = Long.rotateLeft(a[18], 21); |
|
a[18] = Long.rotateLeft(a[17], 15); |
|
a[17] = Long.rotateLeft(a[11], 10); |
|
a[11] = Long.rotateLeft(a[7], 6); |
|
a[7] = tmp; |
|
return a; |
|
} |
|
/** |
|
* Step mapping Chi as defined in section 3.2.4. |
|
*/ |
|
private static long[] smChi(long[] a) { |
|
for (int y = 0; y < a.length; y+=DM) { |
|
long ay0 = a[y]; |
|
long ay1 = a[y+1]; |
|
long ay2 = a[y+2]; |
|
long ay3 = a[y+3]; |
|
long ay4 = a[y+4]; |
|
a[y] = ay0 ^ ((~ay1) & ay2); |
|
a[y+1] = ay1 ^ ((~ay2) & ay3); |
|
a[y+2] = ay2 ^ ((~ay3) & ay4); |
|
a[y+3] = ay3 ^ ((~ay4) & ay0); |
|
a[y+4] = ay4 ^ ((~ay0) & ay1); |
|
} |
|
return a; |
|
} |
|
/** |
|
* Step mapping Iota as defined in section 3.2.5. |
|
*/ |
|
private static long[] smIota(long[] a, int rndIndex) { |
|
a[0] ^= RC_CONSTANTS[rndIndex]; |
|
return a; |
|
} |
|
/** |
|
* The function Keccak as defined in section 5.2 with |
|
* rate r = 1600 and capacity c = (digest length x 2). |
|
*/ |
|
private void keccak() { |
|
// convert the 200-byte state into 25 lanes |
|
bytes2Lanes(state, lanes); |
|
// process the lanes through step mappings |
|
for (int ir = 0; ir < NR; ir++) { |
|
smIota(smChi(smPiRho(smTheta(lanes))), ir); |
|
} |
|
// convert the resulting 25 lanes back into 200-byte state |
|
lanes2Bytes(lanes, state); |
|
} |
|
public Object clone() throws CloneNotSupportedException { |
|
SHA3 copy = (SHA3) super.clone(); |
|
copy.state = copy.state.clone(); |
|
return copy; |
|
} |
|
/** |
|
* SHA3-224 implementation class. |
|
*/ |
|
public static final class SHA224 extends SHA3 { |
|
public SHA224() { |
|
super("SHA3-224", 28); |
|
} |
|
} |
|
/** |
|
* SHA3-256 implementation class. |
|
*/ |
|
public static final class SHA256 extends SHA3 { |
|
public SHA256() { |
|
super("SHA3-256", 32); |
|
} |
|
} |
|
/** |
|
* SHAs-384 implementation class. |
|
*/ |
|
public static final class SHA384 extends SHA3 { |
|
public SHA384() { |
|
super("SHA3-384", 48); |
|
} |
|
} |
|
/** |
|
* SHA3-512 implementation class. |
|
*/ |
|
public static final class SHA512 extends SHA3 { |
|
public SHA512() { |
|
super("SHA3-512", 64); |
|
} |
|
} |
|
} |