1 /*
2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.provider;
27
28 import java.util.Objects;
29
30 import static sun.security.provider.ByteArrayAccess.*;
31 import jdk.internal.HotSpotIntrinsicCandidate;
32
33 /**
34 * This class implements the Secure Hash Algorithm (SHA) developed by
35 * the National Institute of Standards and Technology along with the
36 * National Security Agency. This is the updated version of SHA
37 * fip-180 as superseded by fip-180-1.
38 *
39 * <p>It implement JavaSecurity MessageDigest, and can be used by in
40 * the Java Security framework, as a pluggable implementation, as a
41 * filter for the digest stream classes.
42 *
43 * @author Roger Riggs
44 * @author Benjamin Renaud
45 * @author Andreas Sterbenz
46 */
47 public final class SHA extends DigestBase {
48
49 // Buffer of int's and count of characters accumulated
50 // 64 bytes are included in each hash block so the low order
51 // bits of count are used to know how to pack the bytes into ints
52 // and to know when to compute the block and start the next one.
53 private int[] W;
54
55 // state of this
56 private int[] state;
57
58 /**
59 * Creates a new SHA object.
60 */
61 public SHA() {
62 super("SHA-1", 20, 64);
63 state = new int[5];
64 W = new int[80];
65 implReset();
66 }
67
68 /*
69 * Clones this object.
70 */
71 public Object clone() throws CloneNotSupportedException {
72 SHA copy = (SHA) super.clone();
73 copy.state = copy.state.clone();
74 copy.W = new int[80];
75 return copy;
76 }
77
78 /**
79 * Resets the buffers and hash value to start a new hash.
80 */
81 void implReset() {
82 state[0] = 0x67452301;
83 state[1] = 0xefcdab89;
84 state[2] = 0x98badcfe;
85 state[3] = 0x10325476;
86 state[4] = 0xc3d2e1f0;
87 }
88
89 /**
90 * Computes the final hash and copies the 20 bytes to the output array.
91 */
92 void implDigest(byte[] out, int ofs) {
93 long bitsProcessed = bytesProcessed << 3;
94
95 int index = (int)bytesProcessed & 0x3f;
96 int padLen = (index < 56) ? (56 - index) : (120 - index);
97 engineUpdate(padding, 0, padLen);
98
99 i2bBig4((int)(bitsProcessed >>> 32), buffer, 56);
100 i2bBig4((int)bitsProcessed, buffer, 60);
101 implCompress(buffer, 0);
102
103 i2bBig(state, 0, out, ofs, 20);
104 }
105
106 // Constants for each round
107 private final static int round1_kt = 0x5a827999;
108 private final static int round2_kt = 0x6ed9eba1;
109 private final static int round3_kt = 0x8f1bbcdc;
110 private final static int round4_kt = 0xca62c1d6;
111
112 /**
113 * Compute a the hash for the current block.
114 *
115 * This is in the same vein as Peter Gutmann's algorithm listed in
116 * the back of Applied Cryptography, Compact implementation of
117 * "old" NIST Secure Hash Algorithm.
118 */
119 void implCompress(byte[] buf, int ofs) {
120 implCompressCheck(buf, ofs);
121 implCompress0(buf, ofs);
122 }
123
124 private void implCompressCheck(byte[] buf, int ofs) {
125 Objects.requireNonNull(buf);
126
127 // The checks performed by the method 'b2iBig64'
128 // are sufficient for the case when the method
129 // 'implCompressImpl' is replaced with a compiler
130 // intrinsic.
131 b2iBig64(buf, ofs, W);
132 }
133
134 // The method 'implCompressImpl seems not to use its parameters.
135 // The method can, however, be replaced with a compiler intrinsic
136 // that operates directly on the array 'buf' (starting from
137 // offset 'ofs') and not on array 'W', therefore 'buf' and 'ofs'
138 // must be passed as parameter to the method.
139 @HotSpotIntrinsicCandidate
140 private void implCompress0(byte[] buf, int ofs) {
141 // The first 16 ints have the byte stream, compute the rest of
142 // the buffer
143 for (int t = 16; t <= 79; t++) {
144 int temp = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
145 W[t] = (temp << 1) | (temp >>> 31);
146 }
147
148 int a = state[0];
149 int b = state[1];
150 int c = state[2];
151 int d = state[3];
152 int e = state[4];
153
154 // Round 1
155 for (int i = 0; i < 20; i++) {
156 int temp = ((a<<5) | (a>>>(32-5))) +
157 ((b&c)|((~b)&d))+ e + W[i] + round1_kt;
158 e = d;
159 d = c;
160 c = ((b<<30) | (b>>>(32-30)));
161 b = a;
162 a = temp;
163 }
164
165 // Round 2
166 for (int i = 20; i < 40; i++) {
167 int temp = ((a<<5) | (a>>>(32-5))) +
168 (b ^ c ^ d) + e + W[i] + round2_kt;
169 e = d;
170 d = c;
171 c = ((b<<30) | (b>>>(32-30)));
172 b = a;
173 a = temp;
174 }
175
176 // Round 3
177 for (int i = 40; i < 60; i++) {
178 int temp = ((a<<5) | (a>>>(32-5))) +
179 ((b&c)|(b&d)|(c&d)) + e + W[i] + round3_kt;
180 e = d;
181 d = c;
182 c = ((b<<30) | (b>>>(32-30)));
183 b = a;
184 a = temp;
185 }
186
187 // Round 4
188 for (int i = 60; i < 80; i++) {
189 int temp = ((a<<5) | (a>>>(32-5))) +
190 (b ^ c ^ d) + e + W[i] + round4_kt;
191 e = d;
192 d = c;
193 c = ((b<<30) | (b>>>(32-30)));
194 b = a;
195 a = temp;
196 }
197 state[0] += a;
198 state[1] += b;
199 state[2] += c;
200 state[3] += d;
201 state[4] += e;
202 }
203
204 }