summaryrefslogtreecommitdiff
path: root/libjava/classpath/gnu/javax/crypto/mac/TMMH16.java
blob: 3427317ab5e624051c29c339b49fa20729d5b459 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
/* TMMH16.java --
   Copyright (C) 2001, 2002, 2006 Free Software Foundation, Inc.

This file is a part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU Classpath; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version.  */


package gnu.javax.crypto.mac;

import gnu.java.security.Registry;
import gnu.java.security.prng.IRandom;
import gnu.java.security.prng.LimitReachedException;

import java.security.InvalidKeyException;
import java.util.Map;

/**
 * <i>TMMH</i> is a <i>universal</i> hash function suitable for message
 * authentication in the Wegman-Carter paradigm, as in the Stream Cipher
 * Security Transform. It is simple, quick, and especially appropriate for
 * Digital Signal Processors and other processors with a fast multiply
 * operation, though a straightforward implementation requires storage equal in
 * length to the largest message to be hashed.
 * <p>
 * <i>TMMH</i> is a simple hash function which maps a key and a message to a
 * hash value. There are two versions of TMMH: TMMH/16 and TMMH/32. <i>TMMH</i>
 * can be used as a message authentication code, as described in Section 5 (see
 * References).
 * <p>
 * The key, message, and hash value are all octet strings, and the lengths of
 * these quantities are denoted as <code>KEY_LENGTH</code>,
 * <code>MESSAGE_LENGTH</code>, and <code>TAG_LENGTH</code>, respectively.
 * The values of <code>KEY_LENGTH</code> and <code>TAG_LENGTH</code>
 * <bold>MUST</bold> be fixed for any particular fixed value of the key, and
 * must obey the alignment restrictions described below.
 * <p>
 * The parameter <code>MAX_HASH_LENGTH</code>, which denotes the maximum
 * value which <code>MESSAGE_LENGTH</code> may take, is equal to
 * <code>KEY_LENGTH - TAG_LENGTH</code>.
 * <p>
 * References:
 * <ol>
 * <li><a
 * href="http://www.ietf.org/internet-drafts/draft-mcgrew-saag-tmmh-01.txt"> The
 * Truncated Multi-Modular Hash Function (TMMH)</a>, David A. McGrew.</li>
 * </ol>
 */
public class TMMH16
    extends BaseMac
    implements Cloneable
{
  public static final String TAG_LENGTH = "gnu.crypto.mac.tmmh.tag.length";
  public static final String KEYSTREAM = "gnu.crypto.mac.tmmh.keystream";
  public static final String PREFIX = "gnu.crypto.mac.tmmh.prefix";
  private static final int P = (1 << 16) + 1; // the TMMH/16 prime
  /** caches the result of the correctness test, once executed. */
  private static Boolean valid;
  private int tagWords = 0; // the tagLength expressed in words
  private IRandom keystream = null; // the keystream generator
  private byte[] prefix; // mask to use when operating as an authentication f.
  private long keyWords; // key words counter
  private long msgLength; // in bytes
  private long msgWords; // should be = msgLength * WORD_LENGTH
  private int[] context; // the tmmh running context; length == TAG_WORDS
  private int[] K0; // the first TAG_WORDS words of the keystream
  private int[] Ki; // the sliding TAG_WORDS words of the keystream
  private int Mi; // current message word being constructed

  /** Trivial 0-arguments constructor. */
  public TMMH16()
  {
    super(Registry.TMMH16);
  }

  public int macSize()
  {
    return tagWords * 2;
  }

  public void init(Map attributes) throws InvalidKeyException,
      IllegalStateException
  {
    int wantTagLength = 0;
    Integer tagLength = (Integer) attributes.get(TAG_LENGTH); // get tag length
    if (tagLength == null)
      {
        if (tagWords == 0) // was never set
          throw new IllegalArgumentException(TAG_LENGTH);
        // else re-use
      }
    else // check if positive and is divisible by WORD_LENGTH
      {
        wantTagLength = tagLength.intValue();
        if (wantTagLength < 2 || (wantTagLength % 2 != 0))
          throw new IllegalArgumentException(TAG_LENGTH);
        else if (wantTagLength > (512 / 8)) // 512-bits is our maximum
          throw new IllegalArgumentException(TAG_LENGTH);

        tagWords = wantTagLength / 2; // init local vars
        K0 = new int[tagWords];
        Ki = new int[tagWords];
        context = new int[tagWords];
      }

    prefix = (byte[]) attributes.get(PREFIX);
    if (prefix == null) // default to all-zeroes
      prefix = new byte[tagWords * 2];
    else // ensure it's as long as it should
      {
        if (prefix.length != tagWords * 2)
          throw new IllegalArgumentException(PREFIX);
      }

    IRandom prng = (IRandom) attributes.get(KEYSTREAM); // get keystream
    if (prng == null)
      {
        if (keystream == null)
          throw new IllegalArgumentException(KEYSTREAM);
        // else reuse
      }
    else
      keystream = prng;

    reset(); // reset context variables
    for (int i = 0; i < tagWords; i++) // init starting key words
      Ki[i] = K0[i] = getNextKeyWord(keystream);
  }

  // The words of the key are denoted as K[1], K[2], ..., K[KEY_WORDS], and the
  // words of the message (after zero padding, if needed) are denoted as M[1],
  // M[2], ..., M[MSG_WORDS], where MSG_WORDS is the smallest number such that
  // 2 * MSG_WORDS is at least MESSAGE_LENGTH, and KEY_WORDS is KEY_LENGTH / 2.
  //
  // If MESSAGE_LENGTH is greater than MAX_HASH_LENGTH, then the value of
  // TMMH/16 is undefined. Implementations MUST indicate an error if asked to
  // hash a message with such a length. Otherwise, the hash value is defined
  // to be the length TAG_WORDS sequence of words in which the j-th word in the
  // sequence is defined as
  //
  // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
  // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
  //
  // where j ranges from 1 to TAG_WORDS.
  public void update(byte b)
  {
    this.update(b, keystream);
  }

  public void update(byte[] b, int offset, int len)
  {
    for (int i = 0; i < len; i++)
      this.update(b[offset + i], keystream);
  }

  // For TMMH/16, KEY_LENGTH and TAG_LENGTH MUST be a multiple of two. The key,
  // message, and hash value are treated as a sequence of unsigned sixteen bit
  // integers in network byte order. (In this section, we call such an integer
  // a word.) If MESSAGE_LENGTH is odd, then a zero byte is appended to the
  // message to align it on a word boundary, though this process does not
  // change the value of MESSAGE_LENGTH.
  //
  // ... Otherwise, the hash value is defined to be the length TAG_WORDS
  // sequence of words in which the j-th word in the sequence is defined as
  //
  // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
  // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
  //
  // where j ranges from 1 to TAG_WORDS.
  //
  // Here, TAG_WORDS is equal to TAG_LENGTH / 2, and p is equal to 2^16 + 1.
  // The symbol * denotes multiplication and the symbol +32 denotes addition
  // modulo 2^32.
  public byte[] digest()
  {
    return this.digest(keystream);
  }

  public void reset()
  {
    msgLength = msgWords = keyWords = 0L;
    Mi = 0;
    for (int i = 0; i < tagWords; i++)
      context[i] = 0;
  }

  public boolean selfTest()
  {
    if (valid == null)
      {
        // TODO: compute and test equality with one known vector
        valid = Boolean.TRUE;
      }
    return valid.booleanValue();
  }

  public Object clone() throws CloneNotSupportedException
  {
    TMMH16 result = (TMMH16) super.clone();
    if (this.keystream != null)
      result.keystream = (IRandom) this.keystream.clone();
    if (this.prefix != null)
      result.prefix = (byte[]) this.prefix.clone();
    if (this.context != null)
      result.context = (int[]) this.context.clone();
    if (this.K0 != null)
      result.K0 = (int[]) this.K0.clone();
    if (this.Ki != null)
      result.Ki = (int[]) this.Ki.clone();
    return result;
  }

  /**
   * Similar to the same method with one argument, but uses the designated
   * random number generator to compute needed keying material.
   *
   * @param b the byte to process.
   * @param prng the source of randomness to use.
   */
  public void update(byte b, IRandom prng)
  {
    Mi <<= 8; // update message buffer
    Mi |= b & 0xFF;
    msgLength++; // update message length (bytes)
    if (msgLength % 2 == 0) // got a full word
      {
        msgWords++; // update message words counter
        System.arraycopy(Ki, 1, Ki, 0, tagWords - 1); // 1. shift Ki up by 1
        Ki[tagWords - 1] = getNextKeyWord(prng); // 2. fill last box of Ki
        long t; // temp var to allow working in modulo 2^32
        for (int i = 0; i < tagWords; i++) // 3. update context
          {
            t = context[i] & 0xFFFFFFFFL;
            t += Ki[i] * Mi;
            context[i] = (int) t;
          }
        Mi = 0; // reset message buffer
      }
  }

  /**
   * Similar to the same method with three arguments, but uses the designated
   * random number generator to compute needed keying material.
   *
   * @param b the byte array to process.
   * @param offset the starting offset in <code>b</code> to start considering
   *          the bytes to process.
   * @param len the number of bytes in <code>b</code> starting from
   *          <code>offset</code> to process.
   * @param prng the source of randomness to use.
   */
  public void update(byte[] b, int offset, int len, IRandom prng)
  {
    for (int i = 0; i < len; i++)
      this.update(b[offset + i], prng);
  }

  /**
   * Similar to the same method with no arguments, but uses the designated
   * random number generator to compute needed keying material.
   *
   * @param prng the source of randomness to use.
   * @return the final result of the algorithm.
   */
  public byte[] digest(IRandom prng)
  {
    doFinalRound(prng);
    byte[] result = new byte[tagWords * 2];
    for (int i = 0, j = 0; i < tagWords; i++)
      {
        result[j] = (byte)((context[i] >>> 8) ^ prefix[j]);
        j++;
        result[j] = (byte)(context[i] ^ prefix[j]);
        j++;
      }
    reset();
    return result;
  }

  private int getNextKeyWord(IRandom prng)
  {
    int result = 0;
    try
      {
        result = (prng.nextByte() & 0xFF) << 8 | (prng.nextByte() & 0xFF);
      }
    catch (LimitReachedException x)
      {
        throw new RuntimeException(String.valueOf(x));
      }
    keyWords++; // update key words counter
    return result;
  }

  private void doFinalRound(IRandom prng)
  {
    long limit = msgLength; // formula works on real message length
    while (msgLength % 2 != 0)
      update((byte) 0x00, prng);
    long t;
    for (int i = 0; i < tagWords; i++)
      {
        t = context[i] & 0xFFFFFFFFL;
        t += K0[i] * limit;
        t %= P;
        context[i] = (int) t;
      }
  }
}