Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/com/sun/crypto/provider/GHASH.java
38922 views
/*1* Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.2* Copyright (c) 2015 Red Hat, Inc.3* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.4*5* This code is free software; you can redistribute it and/or modify it6* under the terms of the GNU General Public License version 2 only, as7* published by the Free Software Foundation. Oracle designates this8* particular file as subject to the "Classpath" exception as provided9* by Oracle in the LICENSE file that accompanied this code.10*11* This code is distributed in the hope that it will be useful, but WITHOUT12* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or13* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License14* version 2 for more details (a copy is included in the LICENSE file that15* accompanied this code).16*17* You should have received a copy of the GNU General Public License version18* 2 along with this work; if not, write to the Free Software Foundation,19* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.20*21* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA22* or visit www.oracle.com if you need additional information or have any23* questions.24*/25/*26* (C) Copyright IBM Corp. 201327*/2829package com.sun.crypto.provider;3031import java.security.ProviderException;3233/**34* This class represents the GHASH function defined in NIST 800-38D35* under section 6.4. It needs to be constructed w/ a hash subkey, i.e.36* block H. Given input of 128-bit blocks, it will process and output37* a 128-bit block.38*39* <p>This function is used in the implementation of GCM mode.40*41* @since 1.842*/43final class GHASH {4445private static long getLong(byte[] buffer, int offset) {46long result = 0;47int end = offset + 8;48for (int i = offset; i < end; ++i) {49result = (result << 8) + (buffer[i] & 0xFF);50}51return result;52}5354private static void putLong(byte[] buffer, int offset, long value) {55int end = offset + 8;56for (int i = end - 1; i >= offset; --i) {57buffer[i] = (byte) value;58value >>= 8;59}60}6162private static final int AES_BLOCK_SIZE = 16;6364// Multiplies state[0], state[1] by subkeyH[0], subkeyH[1].65private static void blockMult(long[] st, long[] subH) {66long Z0 = 0;67long Z1 = 0;68long V0 = subH[0];69long V1 = subH[1];70long X;7172// Separate loops for processing state[0] and state[1].73X = st[0];74for (int i = 0; i < 64; i++) {75// Zi+1 = Zi if bit i of x is 076long mask = X >> 63;77Z0 ^= V0 & mask;78Z1 ^= V1 & mask;7980// Save mask for conditional reduction below.81mask = (V1 << 63) >> 63;8283// V = rightshift(V)84long carry = V0 & 1;85V0 = V0 >>> 1;86V1 = (V1 >>> 1) | (carry << 63);8788// Conditional reduction modulo P128.89V0 ^= 0xe100000000000000L & mask;90X <<= 1;91}9293X = st[1];94for (int i = 64; i < 127; i++) {95// Zi+1 = Zi if bit i of x is 096long mask = X >> 63;97Z0 ^= V0 & mask;98Z1 ^= V1 & mask;99100// Save mask for conditional reduction below.101mask = (V1 << 63) >> 63;102103// V = rightshift(V)104long carry = V0 & 1;105V0 = V0 >>> 1;106V1 = (V1 >>> 1) | (carry << 63);107108// Conditional reduction.109V0 ^= 0xe100000000000000L & mask;110X <<= 1;111}112113// calculate Z128114long mask = X >> 63;115Z0 ^= V0 & mask;116Z1 ^= V1 & mask;117118// Save result.119st[0] = Z0;120st[1] = Z1;121122}123124/* subkeyH and state are stored in long[] for GHASH intrinsic use */125126// hash subkey H; should not change after the object has been constructed127private final long[] subkeyH;128129// buffer for storing hash130private final long[] state;131132// variables for save/restore calls133private long stateSave0, stateSave1;134135/**136* Initializes the cipher in the specified mode with the given key137* and iv.138*139* @param subkeyH the hash subkey140*141* @exception ProviderException if the given key is inappropriate for142* initializing this digest143*/144GHASH(byte[] subkeyH) throws ProviderException {145if ((subkeyH == null) || subkeyH.length != AES_BLOCK_SIZE) {146throw new ProviderException("Internal error");147}148state = new long[2];149this.subkeyH = new long[2];150this.subkeyH[0] = getLong(subkeyH, 0);151this.subkeyH[1] = getLong(subkeyH, 8);152}153154/**155* Resets the GHASH object to its original state, i.e. blank w/156* the same subkey H. Used after digest() is called and to re-use157* this object for different data w/ the same H.158*/159void reset() {160state[0] = 0;161state[1] = 0;162}163164/**165* Save the current snapshot of this GHASH object.166*/167void save() {168stateSave0 = state[0];169stateSave1 = state[1];170}171172/**173* Restores this object using the saved snapshot.174*/175void restore() {176state[0] = stateSave0;177state[1] = stateSave1;178}179180private static void processBlock(byte[] data, int ofs, long[] st, long[] subH) {181st[0] ^= getLong(data, ofs);182st[1] ^= getLong(data, ofs + 8);183blockMult(st, subH);184}185186void update(byte[] in) {187update(in, 0, in.length);188}189190void update(byte[] in, int inOfs, int inLen) {191if (inLen == 0) {192return;193}194ghashRangeCheck(in, inOfs, inLen, state, subkeyH);195processBlocks(in, inOfs, inLen/AES_BLOCK_SIZE, state, subkeyH);196}197198private static void ghashRangeCheck(byte[] in, int inOfs, int inLen, long[] st, long[] subH) {199if (inLen < 0) {200throw new RuntimeException("invalid input length: " + inLen);201}202if (inOfs < 0) {203throw new RuntimeException("invalid offset: " + inOfs);204}205if (inLen > in.length - inOfs) {206throw new RuntimeException("input length out of bound: " +207inLen + " > " + (in.length - inOfs));208}209if (inLen % AES_BLOCK_SIZE != 0) {210throw new RuntimeException("input length/block size mismatch: " +211inLen);212}213214// These two checks are for C2 checking215if (st.length != 2) {216throw new RuntimeException("internal state has invalid length: " +217st.length);218}219if (subH.length != 2) {220throw new RuntimeException("internal subkeyH has invalid length: " +221subH.length);222}223}224/*225* This is an intrinsified method. The method's argument list must match226* the hotspot signature. This method and methods called by it, cannot227* throw exceptions or allocate arrays as it will breaking intrinsics228*/229private static void processBlocks(byte[] data, int inOfs, int blocks, long[] st, long[] subH) {230int offset = inOfs;231while (blocks > 0) {232processBlock(data, offset, st, subH);233blocks--;234offset += AES_BLOCK_SIZE;235}236}237238byte[] digest() {239byte[] result = new byte[AES_BLOCK_SIZE];240putLong(result, 0, state[0]);241putLong(result, 8, state[1]);242reset();243return result;244}245}246247248