1 /* 2 * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider; 27 28 import jdk.internal.HotSpotIntrinsicCandidate; 29 import static sun.security.provider.ByteArrayAccess.*; 30 import java.nio.*; 31 import java.util.*; 32 import java.security.*; 33 34 /** 35 * This class implements the Secure Hash Algorithm SHA-3 developed by 36 * the National Institute of Standards and Technology along with the 37 * National Security Agency as defined in FIPS PUB 202. 38 * 39 * <p>It implements java.security.MessageDigestSpi, and can be used 40 * through Java Cryptography Architecture (JCA), as a pluggable 41 * MessageDigest implementation. 42 * 43 * @since 9 44 * @author Valerie Peng 45 */ 46 abstract class SHA3 extends DigestBase { 47 48 private static final int WIDTH = 200; // in bytes, e.g. 1600 bits 49 private static final int DM = 5; // dimension of lanes 50 51 private static final int NR = 24; // number of rounds 52 53 // precomputed round constants needed by the step mapping Iota 54 private static final long[] RC_CONSTANTS = { 55 0x01L, 0x8082L, 0x800000000000808aL, 56 0x8000000080008000L, 0x808bL, 0x80000001L, 57 0x8000000080008081L, 0x8000000000008009L, 0x8aL, 58 0x88L, 0x80008009L, 0x8000000aL, 59 0x8000808bL, 0x800000000000008bL, 0x8000000000008089L, 60 0x8000000000008003L, 0x8000000000008002L, 0x8000000000000080L, 61 0x800aL, 0x800000008000000aL, 0x8000000080008081L, 62 0x8000000000008080L, 0x80000001L, 0x8000000080008008L, 63 }; 64 65 private final byte suffix; 66 private byte[] state = new byte[WIDTH]; 67 private long[] lanes = new long[DM*DM]; 68 69 /** 70 * Creates a new SHA-3 object. 71 */ 72 SHA3(String name, int digestLength, byte suffix, int c) { 73 super(name, digestLength, (WIDTH - c)); 74 this.suffix = suffix; 75 } 76 77 private void implCompressCheck(byte[] b, int ofs) { 78 Objects.requireNonNull(b); 79 } 80 81 /** 82 * Core compression function. Processes blockSize bytes at a time 83 * and updates the state of this object. 84 */ 85 void implCompress(byte[] b, int ofs) { 86 implCompressCheck(b, ofs); 87 implCompress0(b, ofs); 88 } 89 90 @HotSpotIntrinsicCandidate 91 private void implCompress0(byte[] b, int ofs) { 92 for (int i = 0; i < buffer.length; i++) { 93 state[i] ^= b[ofs++]; 94 } 95 keccak(); 96 } 97 98 /** 99 * Return the digest. Subclasses do not need to reset() themselves, 100 * DigestBase calls implReset() when necessary. 101 */ 102 void implDigest(byte[] out, int ofs) { 103 int numOfPadding = 104 setPaddingBytes(suffix, buffer, (int)(bytesProcessed % buffer.length)); 105 if (numOfPadding < 1) { 106 throw new ProviderException("Incorrect pad size: " + numOfPadding); 107 } 108 implCompress(buffer, 0); 109 System.arraycopy(state, 0, out, ofs, engineGetDigestLength()); 110 } 111 112 /** 113 * Resets the internal state to start a new hash. 114 */ 115 void implReset() { 116 Arrays.fill(state, (byte)0); 117 Arrays.fill(lanes, 0L); 118 } 119 120 /** 121 * Utility function for padding the specified data based on the 122 * pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required 123 * for SHA-3 hash (section 6.1). 124 */ 125 private static int setPaddingBytes(byte suffix, byte[] in, int len) { 126 if (len != in.length) { 127 // erase leftover values 128 Arrays.fill(in, len, in.length, (byte)0); 129 // directly store the padding bytes into the input 130 // as the specified buffer is allocated w/ size = rateR 131 in[len] |= suffix; 132 in[in.length - 1] |= (byte) 0x80; 133 } 134 return (in.length - len); 135 } 136 137 /** 138 * Utility function for transforming the specified byte array 's' 139 * into array of lanes 'm' as defined in section 3.1.2. 140 */ 141 private static void bytes2Lanes(byte[] s, long[] m) { 142 int sOfs = 0; 143 // Conversion traverses along x-axis before y-axis 144 for (int y = 0; y < DM; y++, sOfs += 40) { 145 b2lLittle(s, sOfs, m, DM*y, 40); 146 } 147 } 148 149 /** 150 * Utility function for transforming the specified array of 151 * lanes 'm' into a byte array 's' as defined in section 3.1.3. 152 */ 153 private static void lanes2Bytes(long[] m, byte[] s) { 154 int sOfs = 0; 155 // Conversion traverses along x-axis before y-axis 156 for (int y = 0; y < DM; y++, sOfs += 40) { 157 l2bLittle(m, DM*y, s, sOfs, 40); 158 } 159 } 160 161 /** 162 * Step mapping Theta as defined in section 3.2.1 . 163 */ 164 private static long[] smTheta(long[] a) { 165 long c0 = a[0]^a[5]^a[10]^a[15]^a[20]; 166 long c1 = a[1]^a[6]^a[11]^a[16]^a[21]; 167 long c2 = a[2]^a[7]^a[12]^a[17]^a[22]; 168 long c3 = a[3]^a[8]^a[13]^a[18]^a[23]; 169 long c4 = a[4]^a[9]^a[14]^a[19]^a[24]; 170 long d0 = c4 ^ Long.rotateLeft(c1, 1); 171 long d1 = c0 ^ Long.rotateLeft(c2, 1); 172 long d2 = c1 ^ Long.rotateLeft(c3, 1); 173 long d3 = c2 ^ Long.rotateLeft(c4, 1); 174 long d4 = c3 ^ Long.rotateLeft(c0, 1); 175 for (int y = 0; y < a.length; y += DM) { 176 a[y] ^= d0; 177 a[y+1] ^= d1; 178 a[y+2] ^= d2; 179 a[y+3] ^= d3; 180 a[y+4] ^= d4; 181 } 182 return a; 183 } 184 185 /** 186 * Merged Step mapping Rho (section 3.2.2) and Pi (section 3.2.3). 187 * for performance. Optimization is achieved by precalculating 188 * shift constants for the following loop 189 * int xNext, yNext; 190 * for (int t = 0, x = 1, y = 0; t <= 23; t++, x = xNext, y = yNext) { 191 * int numberOfShift = ((t + 1)*(t + 2)/2) % 64; 192 * a[y][x] = Long.rotateLeft(a[y][x], numberOfShift); 193 * xNext = y; 194 * yNext = (2 * x + 3 * y) % DM; 195 * } 196 * and with inplace permutation. 197 */ 198 private static long[] smPiRho(long[] a) { 199 long tmp = Long.rotateLeft(a[10], 3); 200 a[10] = Long.rotateLeft(a[1], 1); 201 a[1] = Long.rotateLeft(a[6], 44); 202 a[6] = Long.rotateLeft(a[9], 20); 203 a[9] = Long.rotateLeft(a[22], 61); 204 a[22] = Long.rotateLeft(a[14], 39); 205 a[14] = Long.rotateLeft(a[20], 18); 206 a[20] = Long.rotateLeft(a[2], 62); 207 a[2] = Long.rotateLeft(a[12], 43); 208 a[12] = Long.rotateLeft(a[13], 25); 209 a[13] = Long.rotateLeft(a[19], 8); 210 a[19] = Long.rotateLeft(a[23], 56); 211 a[23] = Long.rotateLeft(a[15], 41); 212 a[15] = Long.rotateLeft(a[4], 27); 213 a[4] = Long.rotateLeft(a[24], 14); 214 a[24] = Long.rotateLeft(a[21], 2); 215 a[21] = Long.rotateLeft(a[8], 55); 216 a[8] = Long.rotateLeft(a[16], 45); 217 a[16] = Long.rotateLeft(a[5], 36); 218 a[5] = Long.rotateLeft(a[3], 28); 219 a[3] = Long.rotateLeft(a[18], 21); 220 a[18] = Long.rotateLeft(a[17], 15); 221 a[17] = Long.rotateLeft(a[11], 10); 222 a[11] = Long.rotateLeft(a[7], 6); 223 a[7] = tmp; 224 return a; 225 } 226 227 /** 228 * Step mapping Chi as defined in section 3.2.4. 229 */ 230 private static long[] smChi(long[] a) { 231 for (int y = 0; y < a.length; y+=DM) { 232 long ay0 = a[y]; 233 long ay1 = a[y+1]; 234 long ay2 = a[y+2]; 235 long ay3 = a[y+3]; 236 long ay4 = a[y+4]; 237 a[y] = ay0 ^ ((~ay1) & ay2); 238 a[y+1] = ay1 ^ ((~ay2) & ay3); 239 a[y+2] = ay2 ^ ((~ay3) & ay4); 240 a[y+3] = ay3 ^ ((~ay4) & ay0); 241 a[y+4] = ay4 ^ ((~ay0) & ay1); 242 } 243 return a; 244 } 245 246 /** 247 * Step mapping Iota as defined in section 3.2.5. 248 */ 249 private static long[] smIota(long[] a, int rndIndex) { 250 a[0] ^= RC_CONSTANTS[rndIndex]; 251 return a; 252 } 253 254 /** 255 * The function Keccak as defined in section 5.2 with 256 * rate r = 1600 and capacity c = (digest length x 2). 257 */ 258 private void keccak() { 259 // convert the 200-byte state into 25 lanes 260 bytes2Lanes(state, lanes); 261 // process the lanes through step mappings 262 for (int ir = 0; ir < NR; ir++) { 263 smIota(smChi(smPiRho(smTheta(lanes))), ir); 264 } 265 // convert the resulting 25 lanes back into 200-byte state 266 lanes2Bytes(lanes, state); 267 } 268 269 public Object clone() throws CloneNotSupportedException { 270 SHA3 copy = (SHA3) super.clone(); 271 copy.state = copy.state.clone(); 272 copy.lanes = new long[DM*DM]; 273 return copy; 274 } 275 276 /** 277 * SHA3-224 implementation class. 278 */ 279 public static final class SHA224 extends SHA3 { 280 public SHA224() { 281 super("SHA3-224", 28, (byte)0x06, 56); 282 } 283 } 284 285 /** 286 * SHA3-256 implementation class. 287 */ 288 public static final class SHA256 extends SHA3 { 289 public SHA256() { 290 super("SHA3-256", 32, (byte)0x06, 64); 291 } 292 } 293 294 /** 295 * SHAs-384 implementation class. 296 */ 297 public static final class SHA384 extends SHA3 { 298 public SHA384() { 299 super("SHA3-384", 48, (byte)0x06, 96); 300 } 301 } 302 303 /** 304 * SHA3-512 implementation class. 305 */ 306 public static final class SHA512 extends SHA3 { 307 public SHA512() { 308 super("SHA3-512", 64, (byte)0x06, 128); 309 } 310 } 311 }