jdk-sandbox: comparison jdk/src/java.base/share/classes/com/sun/crypto/provider/GHASH.java

equal deleted inserted replaced

-:4996a75e8bfb
+:e4c16ed7bffa
 /*
 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2015 Red Hat, Inc.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * (C) Copyright IBM Corp. 2013
 */
 package com.sun.crypto.provider;
-import java.util.Arrays;
+import java.security.ProviderException;
-import java.security.*;
-import static com.sun.crypto.provider.AESConstants.AES_BLOCK_SIZE;
 /**
 * This class represents the GHASH function defined in NIST 800-38D
 * under section 6.4. It needs to be constructed w/ a hash subkey, i.e.
 * block H. Given input of 128-bit blocks, it will process and output
 *
 * @since 1.8
 */
 final class GHASH {
-private static final byte P128 = (byte) 0xe1; //reduction polynomial
+private static long getLong(byte[] buffer, int offset) {
+long result = 0;
-private static boolean getBit(byte[] b, int pos) {
+int end = offset + 8;
-int p = pos / 8;
+for (int i = offset; i < end; ++i) {
-pos %= 8;
+result = (result << 8) + (buffer[i] & 0xFF);
-int i = (b[p] >>> (7 - pos)) & 1;
+}
-return i != 0;
+return result;
 }
-private static void shift(byte[] b) {
+private static void putLong(byte[] buffer, int offset, long value) {
-byte temp, temp2;
+int end = offset + 8;
-temp2 = 0;
+for (int i = end - 1; i >= offset; --i) {
-for (int i = 0; i < b.length; i++) {
+buffer[i] = (byte) value;
-temp = (byte) ((b[i] & 0x01) << 7);
+value >>= 8;
-b[i] = (byte) ((b[i] & 0xff) >>> 1);
+}
-b[i] = (byte) (b[i] | temp2);
+}
-temp2 = temp;
-}
+private static final int AES_BLOCK_SIZE = 16;
-}
+// Multiplies state0, state1 by V0, V1.
-// Given block X and Y, returns the muliplication of X * Y
+private void blockMult(long V0, long V1) {
-private static byte[] blockMult(byte[] x, byte[] y) {
+long Z0 = 0;
-if (x.length != AES_BLOCK_SIZE || y.length != AES_BLOCK_SIZE) {
+long Z1 = 0;
-throw new RuntimeException("illegal input sizes");
+long X;
-}
-byte[] z = new byte[AES_BLOCK_SIZE];
+// Separate loops for processing state0 and state1.
-byte[] v = y.clone();
+X = state0;
-// calculate Z1-Z127 and V1-V127
+for (int i = 0; i < 64; i++) {
-for (int i = 0; i < 127; i++) {
 // Zi+1 = Zi if bit i of x is 0
-if (getBit(x, i)) {
+long mask = X >> 63;
-for (int n = 0; n < z.length; n++) {
+Z0 ^= V0 & mask;
-z[n] ^= v[n];
+Z1 ^= V1 & mask;
-}
-}
+// Save mask for conditional reduction below.
-boolean lastBitOfV = getBit(v, 127);
+mask = (V1 << 63) >> 63;
-shift(v);
-if (lastBitOfV) v[0] ^= P128;
+// V = rightshift(V)
-}
+long carry = V0 & 1;
+V0 = V0 >>> 1;
+V1 = (V1 >>> 1) | (carry << 63);
+// Conditional reduction modulo P128.
+V0 ^= 0xe100000000000000L & mask;
+X <<= 1;
+}
+X = state1;
+for (int i = 64; i < 127; i++) {
+// Zi+1 = Zi if bit i of x is 0
+long mask = X >> 63;
+Z0 ^= V0 & mask;
+Z1 ^= V1 & mask;
+// Save mask for conditional reduction below.
+mask = (V1 << 63) >> 63;
+// V = rightshift(V)
+long carry = V0 & 1;
+V0 = V0 >>> 1;
+V1 = (V1 >>> 1) | (carry << 63);
+// Conditional reduction.
+V0 ^= 0xe100000000000000L & mask;
+X <<= 1;
+}
 // calculate Z128
-if (getBit(x, 127)) {
+long mask = X >> 63;
-for (int n = 0; n < z.length; n++) {
+Z0 ^= V0 & mask;
-z[n] ^= v[n];
+Z1 ^= V1 & mask;
-}
-}
+// Save result.
-return z;
+state0 = Z0;
+state1 = Z1;
 }
 // hash subkey H; should not change after the object has been constructed
-private final byte[] subkeyH;
+private final long subkeyH0, subkeyH1;
 // buffer for storing hash
-private byte[] state;
+private long state0, state1;
 // variables for save/restore calls
-private byte[] stateSave = null;
+private long stateSave0, stateSave1;
 /**
 * Initializes the cipher in the specified mode with the given key
 * and iv.
 *
 */
 GHASH(byte[] subkeyH) throws ProviderException {
 if ((subkeyH == null) || subkeyH.length != AES_BLOCK_SIZE) {
 throw new ProviderException("Internal error");
 }
-this.subkeyH = subkeyH;
+this.subkeyH0 = getLong(subkeyH, 0);
-this.state = new byte[AES_BLOCK_SIZE];
+this.subkeyH1 = getLong(subkeyH, 8);
 }
 /**
 * Resets the GHASH object to its original state, i.e. blank w/
 * the same subkey H. Used after digest() is called and to re-use
 * this object for different data w/ the same H.
 */
 void reset() {
-Arrays.fill(state, (byte) 0);
+state0 = 0;
+state1 = 0;
 }
 /**
 * Save the current snapshot of this GHASH object.
 */
 void save() {
-stateSave = state.clone();
+stateSave0 = state0;
+stateSave1 = state1;
 }
 /**
 * Restores this object using the saved snapshot.
 */
 void restore() {
-state = stateSave;
+state0 = stateSave0;
+state1 = stateSave1;
 }
 private void processBlock(byte[] data, int ofs) {
 if (data.length - ofs < AES_BLOCK_SIZE) {
 throw new RuntimeException("need complete block");
 }
-for (int n = 0; n < state.length; n++) {
+state0 ^= getLong(data, ofs);
-state[n] ^= data[ofs + n];
+state1 ^= getLong(data, ofs + 8);
-}
+blockMult(subkeyH0, subkeyH1);
-state = blockMult(state, subkeyH);
 }
 void update(byte[] in) {
 update(in, 0, in.length);
 }
 processBlock(in, i);
 }
 }
 byte[] digest() {
-try {
+byte[] result = new byte[AES_BLOCK_SIZE];
-return state.clone();
+putLong(result, 0, state0);
-} finally {
+putLong(result, 8, state1);
 reset();
-}
+return result;
 }
 }

changeset 28851	e4c16ed7bffa
parent 25859	3317bb8137f4
child 31462	1d0b519af651