1 /*
   2  * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.provider;
  27 
  28 import jdk.internal.HotSpotIntrinsicCandidate;
  29 import static sun.security.provider.ByteArrayAccess.*;
  30 import java.nio.*;
  31 import java.util.*;
  32 import java.security.*;
  33 
  34 /**
  35  * This class implements the Secure Hash Algorithm SHA-3 developed by
  36  * the National Institute of Standards and Technology along with the
  37  * National Security Agency as defined in FIPS PUB 202.
  38  *
  39  * <p>It implements java.security.MessageDigestSpi, and can be used
  40  * through Java Cryptography Architecture (JCA), as a pluggable
  41  * MessageDigest implementation.
  42  *
  43  * @since       9
  44  * @author      Valerie Peng
  45  */
  46 abstract class SHA3 extends DigestBase {
  47 
  48     private static final int WIDTH = 200; // in bytes, e.g. 1600 bits
  49     private static final int DM = 5; // dimension of lanes
  50 
  51     private static final int NR = 24; // number of rounds
  52 
  53     // precomputed round constants needed by the step mapping Iota
  54     private static final long[] RC_CONSTANTS = {
  55         0x01L, 0x8082L, 0x800000000000808aL,
  56         0x8000000080008000L, 0x808bL, 0x80000001L,
  57         0x8000000080008081L, 0x8000000000008009L, 0x8aL,
  58         0x88L, 0x80008009L, 0x8000000aL,
  59         0x8000808bL, 0x800000000000008bL, 0x8000000000008089L,
  60         0x8000000000008003L, 0x8000000000008002L, 0x8000000000000080L,
  61         0x800aL, 0x800000008000000aL, 0x8000000080008081L,
  62         0x8000000000008080L, 0x80000001L, 0x8000000080008008L,
  63     };
  64 
  65     private final byte suffix;
  66     private byte[] state = new byte[WIDTH];
  67     private long[] lanes = new long[DM*DM];
  68 
  69     /**
  70      * Creates a new SHA-3 object.
  71      */
  72     SHA3(String name, int digestLength, byte suffix, int c) {
  73         super(name, digestLength, (WIDTH - c));
  74         this.suffix = suffix;
  75     }
  76 
  77     private void implCompressCheck(byte[] b, int ofs) {
  78         Objects.requireNonNull(b);
  79     }
  80 
  81     /**
  82      * Core compression function. Processes blockSize bytes at a time
  83      * and updates the state of this object.
  84      */
  85     void implCompress(byte[] b, int ofs) {
  86         implCompressCheck(b, ofs);
  87         implCompress0(b, ofs);
  88     }
  89 
  90     @HotSpotIntrinsicCandidate
  91     private void implCompress0(byte[] b, int ofs) {
  92        for (int i = 0; i < buffer.length; i++) {
  93            state[i] ^= b[ofs++];
  94        }
  95        keccak();
  96     }
  97 
  98     /**
  99      * Return the digest. Subclasses do not need to reset() themselves,
 100      * DigestBase calls implReset() when necessary.
 101      */
 102     void implDigest(byte[] out, int ofs) {
 103         int numOfPadding =
 104             setPaddingBytes(suffix, buffer, (int)(bytesProcessed % buffer.length));
 105         if (numOfPadding < 1) {
 106             throw new ProviderException("Incorrect pad size: " + numOfPadding);
 107         }
 108         implCompress(buffer, 0);
 109         System.arraycopy(state, 0, out, ofs, engineGetDigestLength());
 110     }
 111 
 112     /**
 113      * Resets the internal state to start a new hash.
 114      */
 115     void implReset() {
 116         Arrays.fill(state, (byte)0);
 117         Arrays.fill(lanes, 0L);
 118     }
 119 
 120     /**
 121      * Utility function for padding the specified data based on the
 122      * pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required
 123      * for SHA-3 hash (section 6.1).
 124      */
 125     private static int setPaddingBytes(byte suffix, byte[] in, int len) {
 126         if (len != in.length) {
 127             // erase leftover values
 128             Arrays.fill(in, len, in.length, (byte)0);
 129             // directly store the padding bytes into the input
 130             // as the specified buffer is allocated w/ size = rateR
 131             in[len] |= suffix;
 132             in[in.length - 1] |= (byte) 0x80;
 133         }
 134         return (in.length - len);
 135     }
 136 
 137     /**
 138      * Utility function for transforming the specified byte array 's'
 139      * into array of lanes 'm' as defined in section 3.1.2.
 140      */
 141     private static void bytes2Lanes(byte[] s, long[] m) {
 142         int sOfs = 0;
 143         // Conversion traverses along x-axis before y-axis
 144         for (int y = 0; y < DM; y++, sOfs += 40) {
 145             b2lLittle(s, sOfs, m, DM*y, 40);
 146         }
 147     }
 148 
 149     /**
 150      * Utility function for transforming the specified array of
 151      * lanes 'm' into a byte array 's' as defined in section 3.1.3.
 152      */
 153     private static void lanes2Bytes(long[] m, byte[] s) {
 154         int sOfs = 0;
 155         // Conversion traverses along x-axis before y-axis
 156         for (int y = 0; y < DM; y++, sOfs += 40) {
 157             l2bLittle(m, DM*y, s, sOfs, 40);
 158         }
 159     }
 160 
 161     /**
 162      * Step mapping Theta as defined in section 3.2.1 .
 163      */
 164     private static long[] smTheta(long[] a) {
 165         long c0 = a[0]^a[5]^a[10]^a[15]^a[20];
 166         long c1 = a[1]^a[6]^a[11]^a[16]^a[21];
 167         long c2 = a[2]^a[7]^a[12]^a[17]^a[22];
 168         long c3 = a[3]^a[8]^a[13]^a[18]^a[23];
 169         long c4 = a[4]^a[9]^a[14]^a[19]^a[24];
 170         long d0 = c4 ^ Long.rotateLeft(c1, 1);
 171         long d1 = c0 ^ Long.rotateLeft(c2, 1);
 172         long d2 = c1 ^ Long.rotateLeft(c3, 1);
 173         long d3 = c2 ^ Long.rotateLeft(c4, 1);
 174         long d4 = c3 ^ Long.rotateLeft(c0, 1);
 175         for (int y = 0; y < a.length; y += DM) {
 176             a[y] ^= d0;
 177             a[y+1] ^= d1;
 178             a[y+2] ^= d2;
 179             a[y+3] ^= d3;
 180             a[y+4] ^= d4;
 181         }
 182         return a;
 183     }
 184 
 185     /**
 186      * Merged Step mapping Rho (section 3.2.2) and Pi (section 3.2.3).
 187      * for performance. Optimization is achieved by precalculating
 188      * shift constants for the following loop
 189      *   int xNext, yNext;
 190      *   for (int t = 0, x = 1, y = 0; t <= 23; t++, x = xNext, y = yNext) {
 191      *        int numberOfShift = ((t + 1)*(t + 2)/2) % 64;
 192      *        a[y][x] = Long.rotateLeft(a[y][x], numberOfShift);
 193      *        xNext = y;
 194      *        yNext = (2 * x + 3 * y) % DM;
 195      *   }
 196      * and with inplace permutation.
 197      */
 198     private static long[] smPiRho(long[] a) {
 199         long tmp = Long.rotateLeft(a[10], 3);
 200         a[10] = Long.rotateLeft(a[1], 1);
 201         a[1] = Long.rotateLeft(a[6], 44);
 202         a[6] = Long.rotateLeft(a[9], 20);
 203         a[9] = Long.rotateLeft(a[22], 61);
 204         a[22] = Long.rotateLeft(a[14], 39);
 205         a[14] = Long.rotateLeft(a[20], 18);
 206         a[20] = Long.rotateLeft(a[2], 62);
 207         a[2] = Long.rotateLeft(a[12], 43);
 208         a[12] = Long.rotateLeft(a[13], 25);
 209         a[13] = Long.rotateLeft(a[19], 8);
 210         a[19] = Long.rotateLeft(a[23], 56);
 211         a[23] = Long.rotateLeft(a[15], 41);
 212         a[15] = Long.rotateLeft(a[4], 27);
 213         a[4] = Long.rotateLeft(a[24], 14);
 214         a[24] = Long.rotateLeft(a[21], 2);
 215         a[21] = Long.rotateLeft(a[8], 55);
 216         a[8] = Long.rotateLeft(a[16], 45);
 217         a[16] = Long.rotateLeft(a[5], 36);
 218         a[5] = Long.rotateLeft(a[3], 28);
 219         a[3] = Long.rotateLeft(a[18], 21);
 220         a[18] = Long.rotateLeft(a[17], 15);
 221         a[17] = Long.rotateLeft(a[11], 10);
 222         a[11] = Long.rotateLeft(a[7], 6);
 223         a[7] = tmp;
 224         return a;
 225     }
 226 
 227     /**
 228      * Step mapping Chi as defined in section 3.2.4.
 229      */
 230     private static long[] smChi(long[] a) {
 231         for (int y = 0; y < a.length; y+=DM) {
 232             long ay0 = a[y];
 233             long ay1 = a[y+1];
 234             long ay2 = a[y+2];
 235             long ay3 = a[y+3];
 236             long ay4 = a[y+4];
 237             a[y] = ay0 ^ ((~ay1) & ay2);
 238             a[y+1] = ay1 ^ ((~ay2) & ay3);
 239             a[y+2] = ay2 ^ ((~ay3) & ay4);
 240             a[y+3] = ay3 ^ ((~ay4) & ay0);
 241             a[y+4] = ay4 ^ ((~ay0) & ay1);
 242         }
 243         return a;
 244     }
 245 
 246     /**
 247      * Step mapping Iota as defined in section 3.2.5.
 248      */
 249     private static long[] smIota(long[] a, int rndIndex) {
 250         a[0] ^= RC_CONSTANTS[rndIndex];
 251         return a;
 252     }
 253 
 254     /**
 255      * The function Keccak as defined in section 5.2 with
 256      * rate r = 1600 and capacity c = (digest length x 2).
 257      */
 258     private void keccak() {
 259         // convert the 200-byte state into 25 lanes
 260         bytes2Lanes(state, lanes);
 261         // process the lanes through step mappings
 262         for (int ir = 0; ir < NR; ir++) {
 263             smIota(smChi(smPiRho(smTheta(lanes))), ir);
 264         }
 265         // convert the resulting 25 lanes back into 200-byte state
 266         lanes2Bytes(lanes, state);
 267     }
 268 
 269     public Object clone() throws CloneNotSupportedException {
 270         SHA3 copy = (SHA3) super.clone();
 271         copy.state = copy.state.clone();
 272         copy.lanes = new long[DM*DM];
 273         return copy;
 274     }
 275 
 276     /**
 277      * SHA3-224 implementation class.
 278      */
 279     public static final class SHA224 extends SHA3 {
 280         public SHA224() {
 281             super("SHA3-224", 28, (byte)0x06, 56);
 282         }
 283     }
 284 
 285     /**
 286      * SHA3-256 implementation class.
 287      */
 288     public static final class SHA256 extends SHA3 {
 289         public SHA256() {
 290             super("SHA3-256", 32, (byte)0x06, 64);
 291         }
 292     }
 293 
 294     /**
 295      * SHAs-384 implementation class.
 296      */
 297     public static final class SHA384 extends SHA3 {
 298         public SHA384() {
 299             super("SHA3-384", 48, (byte)0x06, 96);
 300         }
 301     }
 302 
 303     /**
 304      * SHA3-512 implementation class.
 305      */
 306     public static final class SHA512 extends SHA3 {
 307         public SHA512() {
 308             super("SHA3-512", 64, (byte)0x06, 128);
 309         }
 310     }
 311 }