1 /* 2 * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider; 27 28 import static sun.security.provider.ByteArrayAccess.*; 29 import java.nio.*; 30 import java.util.*; 31 import java.security.*; 32 33 /** 34 * This class implements the Secure Hash Algorithm SHA-3 developed by 35 * the National Institute of Standards and Technology along with the 36 * National Security Agency as defined in FIPS PUB 202. 37 * 38 * <p>It implements java.security.MessageDigestSpi, and can be used 39 * through Java Cryptography Architecture (JCA), as a pluggable 40 * MessageDigest implementation. 41 * 42 * @since 9 43 * @author Valerie Peng 44 */ 45 abstract class SHA3 extends DigestBase { 46 47 private static final int WIDTH = 200; // in bytes, e.g. 1600 bits 48 private static final int DM = 5; // dimension of lanes 49 50 private static final int NR = 24; // number of rounds 51 52 // precomputed round constants needed by the step mapping Iota 53 private static final long[] RC_CONSTANTS = { 54 0x01L, 0x8082L, 0x800000000000808aL, 55 0x8000000080008000L, 0x808bL, 0x80000001L, 56 0x8000000080008081L, 0x8000000000008009L, 0x8aL, 57 0x88L, 0x80008009L, 0x8000000aL, 58 0x8000808bL, 0x800000000000008bL, 0x8000000000008089L, 59 0x8000000000008003L, 0x8000000000008002L, 0x8000000000000080L, 60 0x800aL, 0x800000008000000aL, 0x8000000080008081L, 61 0x8000000000008080L, 0x80000001L, 0x8000000080008008L, 62 }; 63 64 private byte[] state = new byte[WIDTH]; 65 private final long[] lanes = new long[DM*DM]; 66 67 /** 68 * Creates a new SHA-3 object. 69 */ SHA3(String name, int digestLength)70 SHA3(String name, int digestLength) { 71 super(name, digestLength, (WIDTH - (2 * digestLength))); 72 } 73 74 /** 75 * Core compression function. Processes blockSize bytes at a time 76 * and updates the state of this object. 77 */ implCompress(byte[] b, int ofs)78 void implCompress(byte[] b, int ofs) { 79 for (int i = 0; i < buffer.length; i++) { 80 state[i] ^= b[ofs++]; 81 } 82 keccak(); 83 } 84 85 /** 86 * Return the digest. Subclasses do not need to reset() themselves, 87 * DigestBase calls implReset() when necessary. 88 */ implDigest(byte[] out, int ofs)89 void implDigest(byte[] out, int ofs) { 90 int numOfPadding = 91 setPaddingBytes(buffer, (int)(bytesProcessed % buffer.length)); 92 if (numOfPadding < 1) { 93 throw new ProviderException("Incorrect pad size: " + numOfPadding); 94 } 95 for (int i = 0; i < buffer.length; i++) { 96 state[i] ^= buffer[i]; 97 } 98 keccak(); 99 System.arraycopy(state, 0, out, ofs, engineGetDigestLength()); 100 } 101 102 /** 103 * Resets the internal state to start a new hash. 104 */ implReset()105 void implReset() { 106 Arrays.fill(state, (byte)0); 107 Arrays.fill(lanes, 0L); 108 } 109 110 /** 111 * Utility function for padding the specified data based on the 112 * pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required 113 * for SHA-3 hash (section 6.1). 114 */ setPaddingBytes(byte[] in, int len)115 private static int setPaddingBytes(byte[] in, int len) { 116 if (len != in.length) { 117 // erase leftover values 118 Arrays.fill(in, len, in.length, (byte)0); 119 // directly store the padding bytes into the input 120 // as the specified buffer is allocated w/ size = rateR 121 in[len] |= (byte) 0x06; 122 in[in.length - 1] |= (byte) 0x80; 123 } 124 return (in.length - len); 125 } 126 127 /** 128 * Utility function for transforming the specified byte array 's' 129 * into array of lanes 'm' as defined in section 3.1.2. 130 */ bytes2Lanes(byte[] s, long[] m)131 private static void bytes2Lanes(byte[] s, long[] m) { 132 int sOfs = 0; 133 // Conversion traverses along x-axis before y-axis 134 for (int y = 0; y < DM; y++, sOfs += 40) { 135 b2lLittle(s, sOfs, m, DM*y, 40); 136 } 137 } 138 139 /** 140 * Utility function for transforming the specified array of 141 * lanes 'm' into a byte array 's' as defined in section 3.1.3. 142 */ lanes2Bytes(long[] m, byte[] s)143 private static void lanes2Bytes(long[] m, byte[] s) { 144 int sOfs = 0; 145 // Conversion traverses along x-axis before y-axis 146 for (int y = 0; y < DM; y++, sOfs += 40) { 147 l2bLittle(m, DM*y, s, sOfs, 40); 148 } 149 } 150 151 /** 152 * Step mapping Theta as defined in section 3.2.1 . 153 */ smTheta(long[] a)154 private static long[] smTheta(long[] a) { 155 long c0 = a[0]^a[5]^a[10]^a[15]^a[20]; 156 long c1 = a[1]^a[6]^a[11]^a[16]^a[21]; 157 long c2 = a[2]^a[7]^a[12]^a[17]^a[22]; 158 long c3 = a[3]^a[8]^a[13]^a[18]^a[23]; 159 long c4 = a[4]^a[9]^a[14]^a[19]^a[24]; 160 long d0 = c4 ^ Long.rotateLeft(c1, 1); 161 long d1 = c0 ^ Long.rotateLeft(c2, 1); 162 long d2 = c1 ^ Long.rotateLeft(c3, 1); 163 long d3 = c2 ^ Long.rotateLeft(c4, 1); 164 long d4 = c3 ^ Long.rotateLeft(c0, 1); 165 for (int y = 0; y < a.length; y += DM) { 166 a[y] ^= d0; 167 a[y+1] ^= d1; 168 a[y+2] ^= d2; 169 a[y+3] ^= d3; 170 a[y+4] ^= d4; 171 } 172 return a; 173 } 174 175 /** 176 * Merged Step mapping Rho (section 3.2.2) and Pi (section 3.2.3). 177 * for performance. Optimization is achieved by precalculating 178 * shift constants for the following loop 179 * int xNext, yNext; 180 * for (int t = 0, x = 1, y = 0; t <= 23; t++, x = xNext, y = yNext) { 181 * int numberOfShift = ((t + 1)*(t + 2)/2) % 64; 182 * a[y][x] = Long.rotateLeft(a[y][x], numberOfShift); 183 * xNext = y; 184 * yNext = (2 * x + 3 * y) % DM; 185 * } 186 * and with inplace permutation. 187 */ smPiRho(long[] a)188 private static long[] smPiRho(long[] a) { 189 long tmp = Long.rotateLeft(a[10], 3); 190 a[10] = Long.rotateLeft(a[1], 1); 191 a[1] = Long.rotateLeft(a[6], 44); 192 a[6] = Long.rotateLeft(a[9], 20); 193 a[9] = Long.rotateLeft(a[22], 61); 194 a[22] = Long.rotateLeft(a[14], 39); 195 a[14] = Long.rotateLeft(a[20], 18); 196 a[20] = Long.rotateLeft(a[2], 62); 197 a[2] = Long.rotateLeft(a[12], 43); 198 a[12] = Long.rotateLeft(a[13], 25); 199 a[13] = Long.rotateLeft(a[19], 8); 200 a[19] = Long.rotateLeft(a[23], 56); 201 a[23] = Long.rotateLeft(a[15], 41); 202 a[15] = Long.rotateLeft(a[4], 27); 203 a[4] = Long.rotateLeft(a[24], 14); 204 a[24] = Long.rotateLeft(a[21], 2); 205 a[21] = Long.rotateLeft(a[8], 55); 206 a[8] = Long.rotateLeft(a[16], 45); 207 a[16] = Long.rotateLeft(a[5], 36); 208 a[5] = Long.rotateLeft(a[3], 28); 209 a[3] = Long.rotateLeft(a[18], 21); 210 a[18] = Long.rotateLeft(a[17], 15); 211 a[17] = Long.rotateLeft(a[11], 10); 212 a[11] = Long.rotateLeft(a[7], 6); 213 a[7] = tmp; 214 return a; 215 } 216 217 /** 218 * Step mapping Chi as defined in section 3.2.4. 219 */ smChi(long[] a)220 private static long[] smChi(long[] a) { 221 for (int y = 0; y < a.length; y+=DM) { 222 long ay0 = a[y]; 223 long ay1 = a[y+1]; 224 long ay2 = a[y+2]; 225 long ay3 = a[y+3]; 226 long ay4 = a[y+4]; 227 a[y] = ay0 ^ ((~ay1) & ay2); 228 a[y+1] = ay1 ^ ((~ay2) & ay3); 229 a[y+2] = ay2 ^ ((~ay3) & ay4); 230 a[y+3] = ay3 ^ ((~ay4) & ay0); 231 a[y+4] = ay4 ^ ((~ay0) & ay1); 232 } 233 return a; 234 } 235 236 /** 237 * Step mapping Iota as defined in section 3.2.5. 238 */ smIota(long[] a, int rndIndex)239 private static long[] smIota(long[] a, int rndIndex) { 240 a[0] ^= RC_CONSTANTS[rndIndex]; 241 return a; 242 } 243 244 /** 245 * The function Keccak as defined in section 5.2 with 246 * rate r = 1600 and capacity c = (digest length x 2). 247 */ keccak()248 private void keccak() { 249 // convert the 200-byte state into 25 lanes 250 bytes2Lanes(state, lanes); 251 // process the lanes through step mappings 252 for (int ir = 0; ir < NR; ir++) { 253 smIota(smChi(smPiRho(smTheta(lanes))), ir); 254 } 255 // convert the resulting 25 lanes back into 200-byte state 256 lanes2Bytes(lanes, state); 257 } 258 clone()259 public Object clone() throws CloneNotSupportedException { 260 SHA3 copy = (SHA3) super.clone(); 261 copy.state = copy.state.clone(); 262 return copy; 263 } 264 265 /** 266 * SHA3-224 implementation class. 267 */ 268 public static final class SHA224 extends SHA3 { SHA224()269 public SHA224() { 270 super("SHA3-224", 28); 271 } 272 } 273 274 /** 275 * SHA3-256 implementation class. 276 */ 277 public static final class SHA256 extends SHA3 { SHA256()278 public SHA256() { 279 super("SHA3-256", 32); 280 } 281 } 282 283 /** 284 * SHAs-384 implementation class. 285 */ 286 public static final class SHA384 extends SHA3 { SHA384()287 public SHA384() { 288 super("SHA3-384", 48); 289 } 290 } 291 292 /** 293 * SHA3-512 implementation class. 294 */ 295 public static final class SHA512 extends SHA3 { SHA512()296 public SHA512() { 297 super("SHA3-512", 64); 298 } 299 } 300 } 301