diff --git a/src/java.base/share/classes/sun/security/ec/ed/EdDSAParameters.java b/src/java.base/share/classes/sun/security/ec/ed/EdDSAParameters.java index 6e06a890bbd..ef6720dc033 100644 --- a/src/java.base/share/classes/sun/security/ec/ed/EdDSAParameters.java +++ b/src/java.base/share/classes/sun/security/ec/ed/EdDSAParameters.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,7 +25,7 @@ package sun.security.ec.ed; import sun.security.ec.ParametersMap; -import sun.security.provider.SHAKE256; +import sun.security.provider.SHA3.SHAKE256; import sun.security.util.ObjectIdentifier; import sun.security.util.KnownOIDs; import sun.security.util.math.*; diff --git a/src/java.base/share/classes/sun/security/pkcs/PKCS7.java b/src/java.base/share/classes/sun/security/pkcs/PKCS7.java index 23925869b9f..324cc3e7cec 100644 --- a/src/java.base/share/classes/sun/security/pkcs/PKCS7.java +++ b/src/java.base/share/classes/sun/security/pkcs/PKCS7.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,7 +38,7 @@ import java.security.*; import java.util.function.Function; import sun.security.jca.JCAUtil; -import sun.security.provider.SHAKE256; +import sun.security.provider.SHA3.SHAKE256; import sun.security.timestamp.*; import sun.security.util.*; import sun.security.x509.*; diff --git a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java index ed075354a16..699e68d053c 100644 --- a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java +++ b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java @@ -32,7 +32,7 @@ import java.security.cert.*; import java.security.spec.PSSParameterSpec; import java.util.*; -import sun.security.provider.SHAKE256; +import sun.security.provider.SHA3.SHAKE256; import sun.security.timestamp.TimestampToken; import sun.security.util.*; import sun.security.x509.AlgorithmId; diff --git a/src/java.base/share/classes/sun/security/provider/SHA3.java b/src/java.base/share/classes/sun/security/provider/SHA3.java index eaccf2a88e9..75430c63916 100644 --- a/src/java.base/share/classes/sun/security/provider/SHA3.java +++ b/src/java.base/share/classes/sun/security/provider/SHA3.java @@ -34,6 +34,8 @@ import java.util.Objects; import jdk.internal.vm.annotation.IntrinsicCandidate; +import static java.lang.Math.min; + /** * This class implements the Secure Hash Algorithm SHA-3 developed by * the National Institute of Standards and Technology along with the @@ -46,7 +48,7 @@ import jdk.internal.vm.annotation.IntrinsicCandidate; * @since 9 * @author Valerie Peng */ -abstract class SHA3 extends DigestBase { +public abstract class SHA3 extends DigestBase { private static final int WIDTH = 200; // in bytes, e.g. 1600 bits private static final int DM = 5; // dimension of state matrix @@ -65,9 +67,24 @@ abstract class SHA3 extends DigestBase { 0x8000000000008080L, 0x80000001L, 0x8000000080008008L, }; + // The starting byte combining the 2 or 4-bit domain separator and + // leading bits of the 10*1 padding, see Table 6 in B.2 of FIPS PUB 202 + // for examples private final byte suffix; + + // the state matrix flattened into an array private long[] state = new long[DM*DM]; + // The byte offset in the state where the next squeeze() will start. + // -1 indicates that either we are in the absorbing phase (only + // update() calls were made so far) in an extendable-output function (XOF) + // or the class was initialized as a hash. + // The first squeeze() call (after a possibly empty sequence of update() + // calls) will set it to 0 at its start. + // When a squeeze() call uses up all available bytes from this state + // and so a new keccak() call is made, squeezeOffset is reset to 0. + protected int squeezeOffset = -1; + static final VarHandle asLittleEndian = MethodHandles.byteArrayViewVarHandle(long[].class, ByteOrder.LITTLE_ENDIAN).withInvokeExactBehavior(); @@ -75,7 +92,7 @@ abstract class SHA3 extends DigestBase { /** * Creates a new SHA-3 object. */ - SHA3(String name, int digestLength, byte suffix, int c) { + private SHA3(String name, int digestLength, byte suffix, int c) { super(name, digestLength, (WIDTH - c)); this.suffix = suffix; } @@ -103,54 +120,141 @@ abstract class SHA3 extends DigestBase { keccak(); } + void finishAbsorb() { + int numOfPadding = + setPaddingBytes(suffix, buffer, (int)(bytesProcessed % blockSize)); + if (numOfPadding < 1) { + throw new ProviderException("Incorrect pad size: " + numOfPadding); + } + implCompress(buffer, 0); + } + /** * Return the digest. Subclasses do not need to reset() themselves, * DigestBase calls implReset() when necessary. */ void implDigest(byte[] out, int ofs) { + // Moving this allocation to the block where it is used causes a little + // performance drop, that is why it is here. byte[] byteState = new byte[8]; - int numOfPadding = - setPaddingBytes(suffix, buffer, (int)(bytesProcessed % blockSize)); - if (numOfPadding < 1) { - throw new ProviderException("Incorrect pad size: " + numOfPadding); + if (engineGetDigestLength() == 0) { + // This is an XOF, so the digest() call is illegal. + throw new ProviderException("Calling digest() is not allowed in an XOF"); } - implCompress(buffer, 0); - int availableBytes = blockSize; // i.e. buffer.length + + finishAbsorb(); + + int availableBytes = blockSize; int numBytes = engineGetDigestLength(); + while (numBytes > availableBytes) { - for (int i = 0; i < availableBytes / 8 ; i++) { + for (int i = 0; i < availableBytes / 8; i++) { asLittleEndian.set(out, ofs, state[i]); ofs += 8; } numBytes -= availableBytes; keccak(); } - int numLongs = (numBytes + 7) / 8; + int numLongs = numBytes / 8; - for (int i = 0; i < numLongs - 1; i++) { + for (int i = 0; i < numLongs; i++) { asLittleEndian.set(out, ofs, state[i]); ofs += 8; } - if (numBytes == numLongs * 8) { - asLittleEndian.set(out, ofs, state[numLongs - 1]); - } else { - asLittleEndian.set(byteState, 0, state[numLongs - 1]); - System.arraycopy(byteState, 0, - out, ofs, numBytes - (numLongs - 1) * 8); + if (numBytes % 8 != 0) { + asLittleEndian.set(byteState, 0, state[numLongs]); + System.arraycopy(byteState, 0, out, ofs, numBytes % 8); } } + void implSqueeze(byte[] output, int offset, int numBytes) { + // Moving this allocation to the block where it is used causes a little + // performance drop, that is why it is here. + byte[] byteState = new byte[8]; + if (engineGetDigestLength() != 0) { + // This is not an XOF, so the squeeze() call is illegal. + throw new ProviderException("Squeezing is only allowed in XOF mode."); + } + + if (squeezeOffset == -1) { + finishAbsorb(); + squeezeOffset = 0; + } + + int availableBytes = blockSize - squeezeOffset; + + while (numBytes > availableBytes) { + int longOffset = squeezeOffset / 8; + int bytesToCopy = 0; + + if (longOffset * 8 < squeezeOffset) { + asLittleEndian.set(byteState, 0, state[longOffset]); + longOffset++; + bytesToCopy = longOffset * 8 - squeezeOffset; + System.arraycopy(byteState, 8 - bytesToCopy, + output, offset, bytesToCopy); + offset += bytesToCopy; + } + for (int i = longOffset; i < blockSize / 8; i++) { + asLittleEndian.set(output, offset, state[i]); + offset += 8; + } + keccak(); + squeezeOffset = 0; + numBytes -= availableBytes; + availableBytes = blockSize; + } + // now numBytes <= availableBytes + int longOffset = squeezeOffset / 8; + + if (longOffset * 8 < squeezeOffset) { + asLittleEndian.set(byteState, 0, state[longOffset]); + int bytesToCopy = min((longOffset + 1) * 8 - squeezeOffset, numBytes); + System.arraycopy(byteState, squeezeOffset - 8 * longOffset, + output, offset, bytesToCopy); + longOffset++; + numBytes -= bytesToCopy; + offset += bytesToCopy; + squeezeOffset += bytesToCopy; + + if (numBytes == 0) return; + } + + int numLongs = numBytes / 8; + + for (int i = longOffset; i < longOffset + numLongs; i++) { + asLittleEndian.set(output, offset, state[i]); + offset += 8; + numBytes -= 8; + squeezeOffset += 8; + } + + if (numBytes > 0) { + asLittleEndian.set(byteState, 0, state[squeezeOffset / 8]); + System.arraycopy(byteState, 0, output, offset, numBytes); + squeezeOffset += numBytes; + } + } + + byte[] implSqueeze(int numBytes) { + byte[] result = new byte[numBytes]; + implSqueeze(result, 0, numBytes); + return result; + } + /** * Resets the internal state to start a new hash. */ void implReset() { Arrays.fill(state, 0L); + squeezeOffset = -1; } /** * Utility function for padding the specified data based on the - * pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required - * for SHA-3 hash (section 6.1). + * pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" or 4-bit + * suffix "1111" required for SHA-3 hash functions (section 6.1) and + * extendable-output functions (section 6.1) respectively. */ private static int setPaddingBytes(byte suffix, byte[] in, int len) { if (len != in.length) { @@ -169,16 +273,20 @@ abstract class SHA3 extends DigestBase { * rate r = 1600 and capacity c. */ private void keccak() { + keccak(state); + } + + public static void keccak(long[] stateArr) { long a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12; long a13, a14, a15, a16, a17, a18, a19, a20, a21, a22, a23, a24; // move data into local variables - a0 = state[0]; a1 = state[1]; a2 = state[2]; a3 = state[3]; a4 = state[4]; - a5 = state[5]; a6 = state[6]; a7 = state[7]; a8 = state[8]; a9 = state[9]; - a10 = state[10]; a11 = state[11]; a12 = state[12]; a13 = state[13]; a14 = state[14]; - a15 = state[15]; a16 = state[16]; a17 = state[17]; a18 = state[18]; a19 = state[19]; - a20 = state[20]; a21 = state[21]; a22 = state[22]; a23 = state[23]; a24 = state[24]; + a0 = stateArr[0]; a1 = stateArr[1]; a2 = stateArr[2]; a3 = stateArr[3]; a4 = stateArr[4]; + a5 = stateArr[5]; a6 = stateArr[6]; a7 = stateArr[7]; a8 = stateArr[8]; a9 = stateArr[9]; + a10 = stateArr[10]; a11 = stateArr[11]; a12 = stateArr[12]; a13 = stateArr[13]; a14 = stateArr[14]; + a15 = stateArr[15]; a16 = stateArr[16]; a17 = stateArr[17]; a18 = stateArr[18]; a19 = stateArr[19]; + a20 = stateArr[20]; a21 = stateArr[21]; a22 = stateArr[22]; a23 = stateArr[23]; a24 = stateArr[24]; - // process the lanes through step mappings + // process the stateArr through step mappings for (int ir = 0; ir < NR; ir++) { // Step mapping Theta as defined in section 3.2.1. long c0 = a0^a5^a10^a15^a20; @@ -280,11 +388,11 @@ abstract class SHA3 extends DigestBase { a0 ^= RC_CONSTANTS[ir]; } - state[0] = a0; state[1] = a1; state[2] = a2; state[3] = a3; state[4] = a4; - state[5] = a5; state[6] = a6; state[7] = a7; state[8] = a8; state[9] = a9; - state[10] = a10; state[11] = a11; state[12] = a12; state[13] = a13; state[14] = a14; - state[15] = a15; state[16] = a16; state[17] = a17; state[18] = a18; state[19] = a19; - state[20] = a20; state[21] = a21; state[22] = a22; state[23] = a23; state[24] = a24; + stateArr[0] = a0; stateArr[1] = a1; stateArr[2] = a2; stateArr[3] = a3; stateArr[4] = a4; + stateArr[5] = a5; stateArr[6] = a6; stateArr[7] = a7; stateArr[8] = a8; stateArr[9] = a9; + stateArr[10] = a10; stateArr[11] = a11; stateArr[12] = a12; stateArr[13] = a13; stateArr[14] = a14; + stateArr[15] = a15; stateArr[16] = a16; stateArr[17] = a17; stateArr[18] = a18; stateArr[19] = a19; + stateArr[20] = a20; stateArr[21] = a21; stateArr[22] = a22; stateArr[23] = a23; stateArr[24] = a24; } public Object clone() throws CloneNotSupportedException { @@ -328,4 +436,85 @@ abstract class SHA3 extends DigestBase { super("SHA3-512", 64, (byte)0x06, 128); } } + + public abstract static class SHA3XOF extends SHA3 { + public SHA3XOF(String name, int digestLength, byte offset, int c) { + super(name, digestLength, offset, c); + } + public void update(byte in) { + if (squeezeOffset != -1) { + throw new ProviderException("update() after squeeze() is not allowed."); + } + engineUpdate(in); + } + public void update(byte[] in, int off, int len) { + if (squeezeOffset != -1) { + throw new ProviderException("update() after squeeze() is not allowed."); + } + engineUpdate(in, off, len); + } + + public void update(byte[] in) { + if (squeezeOffset != -1) { + throw new ProviderException("update() after squeeze() is not allowed."); + } + engineUpdate(in, 0, in.length); + } + + public byte[] digest() { + return engineDigest(); + } + + public void squeeze(byte[] output, int offset, int numBytes) { + implSqueeze(output, offset, numBytes); + } + public byte[] squeeze(int numBytes) { + return implSqueeze(numBytes); + } + + public void reset() { + engineReset(); + } + } + + /* + * The SHAKE128 extendable output function. + */ + public static final class SHAKE128 extends SHA3XOF { + // d is the required number of output bytes. + // If this constructor is used with d > 0, the squeezing methods + // will throw a ProviderException. + public SHAKE128(int d) { + super("SHAKE128", d, (byte) 0x1F, 32); + } + + // If this constructor is used to get an instance of the class, then, + // after the last update, one can get the generated bytes using the + // squeezing methods. + // Calling digest method will throw a ProviderException. + public SHAKE128() { + super("SHAKE128", 0, (byte) 0x1F, 32); + } + } + + /* + * The SHAKE256 extendable output function. + */ + public static final class SHAKE256 extends SHA3XOF { + // d is the required number of output bytes. + // If this constructor is used with d > 0, the squeezing methods will + // throw a ProviderException. + public SHAKE256(int d) { + super("SHAKE256", d, (byte) 0x1F, 64); + } + + // If this constructor is used to get an instance of the class, then, + // after the last update, one can get the generated bytes using the + // squeezing methods. + // Calling a digest method will throw a ProviderException. + public SHAKE256() { + super("SHAKE256", 0, (byte) 0x1F, 64); + } + } + } diff --git a/src/java.base/share/classes/sun/security/provider/SHAKE128.java b/src/java.base/share/classes/sun/security/provider/SHAKE128.java deleted file mode 100644 index 0d62497b3b4..00000000000 --- a/src/java.base/share/classes/sun/security/provider/SHAKE128.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -package sun.security.provider; - -/* - * The SHAKE128 extendable output function. - */ -public final class SHAKE128 extends SHA3 { - public SHAKE128(int d) { - super("SHAKE128", d, (byte) 0x1F, 32); - } - - public void update(byte in) { - engineUpdate(in); - } - public void update(byte[] in, int off, int len) { - engineUpdate(in, off, len); - } - - public byte[] digest() { - return engineDigest(); - } - - public void reset() { - engineReset(); - } -} diff --git a/src/java.base/share/classes/sun/security/provider/SHAKE256.java b/src/java.base/share/classes/sun/security/provider/SHAKE256.java deleted file mode 100644 index 5dab92fdd78..00000000000 --- a/src/java.base/share/classes/sun/security/provider/SHAKE256.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -package sun.security.provider; - -/* - * The SHAKE256 extendable output function. - */ -public final class SHAKE256 extends SHA3 { - public SHAKE256(int d) { - super("SHAKE256", d, (byte) 0x1F, 64); - } - - public void update(byte in) { - engineUpdate(in); - } - public void update(byte[] in, int off, int len) { - engineUpdate(in, off, len); - } - - public byte[] digest() { - return engineDigest(); - } - - public void reset() { - engineReset(); - } -} diff --git a/test/jdk/sun/security/ec/ed/TestEdOps.java b/test/jdk/sun/security/ec/ed/TestEdOps.java index 6ef1446db46..82b7f2c507f 100644 --- a/test/jdk/sun/security/ec/ed/TestEdOps.java +++ b/test/jdk/sun/security/ec/ed/TestEdOps.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,7 +40,7 @@ import java.security.spec.*; import java.util.Arrays; import java.util.HexFormat; -import sun.security.provider.SHAKE256; +import sun.security.provider.SHA3.SHAKE256; public class TestEdOps { diff --git a/test/jdk/sun/security/provider/MessageDigest/SHAKEsqueeze.java b/test/jdk/sun/security/provider/MessageDigest/SHAKEsqueeze.java new file mode 100644 index 00000000000..5cdcce00e35 --- /dev/null +++ b/test/jdk/sun/security/provider/MessageDigest/SHAKEsqueeze.java @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8338587 + * @summary Ensure squeeze and digest always have the same output + * @library /test/lib + * @modules java.base/sun.security.provider + */ + +import jdk.test.lib.Asserts; +import jdk.test.lib.security.SeededSecureRandom; +import sun.security.provider.SHA3; + +import java.io.ByteArrayOutputStream; +import java.util.Arrays; + +public class SHAKEsqueeze { + public static void main(String[] args) throws Exception { + var r = SeededSecureRandom.one(); + var atlast = 0; + // Random test on SHAKE + for (var i = 0; i < 1_000_000; i++) { + var s = new SHA3.SHAKE256(0); + var in = new ByteArrayOutputStream(); + while (r.nextBoolean()) { + var b = r.nBytes(r.nextInt(200)); + if (b.length > 0 && r.nextBoolean()) { + // Test update(b) + s.update(b[0]); + in.write(b[0]); + } else if (r.nextBoolean()) { + // Test update(byte[]) + s.update(b); + in.write(b); + } else { + // Test update(byte[], offset, len) + var prepend = r.nextInt(100); + var append = r.nextInt(100); + var bb = new byte[prepend + b.length + append]; + r.nextBytes(bb); + System.arraycopy(b, 0, bb, prepend, b.length); + s.update(bb, prepend, b.length); + in.write(b); + } + } + + // Squeeze for multiple times + var out = new ByteArrayOutputStream(); + do { + var n = r.nextInt(200); + out.write(s.squeeze(n)); + } while (out.size() == 0 || r.nextBoolean()); + var b1 = out.toByteArray(); + + // Digest for one time + var s2 = new SHA3.SHAKE256(b1.length); + s2.update(in.toByteArray()); + var b2 = s2.digest(); + + atlast = Arrays.hashCode(b2) * 17 + atlast; + Asserts.assertEqualsByteArray(b1, b2); + } + // Just to provide a visual clue to show that the same + // SeededSecureRandom seed results in same final result + // so that the test can be exactly reproduced. + System.out.println("Final hash: " + atlast); + } +} diff --git a/test/lib/jdk/test/lib/security/SeededSecureRandom.java b/test/lib/jdk/test/lib/security/SeededSecureRandom.java index f897677390e..305a91c41d2 100644 --- a/test/lib/jdk/test/lib/security/SeededSecureRandom.java +++ b/test/lib/jdk/test/lib/security/SeededSecureRandom.java @@ -65,4 +65,10 @@ public class SeededSecureRandom extends SecureRandom { rnd.nextBytes(out); return out; } + + public byte[] nBytes(int n) { + var out = new byte[n]; + nextBytes(out); + return out; + } }