2 Copyright (C) 2001, 2002, 2006 Free Software Foundation, Inc.
4 This file is a part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or (at
9 your option) any later version.
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; if not, write to the Free Software
18 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
39 package gnu.javax.crypto.mac;
41 import gnu.java.security.Registry;
42 import gnu.java.security.prng.IRandom;
43 import gnu.java.security.prng.LimitReachedException;
45 import java.security.InvalidKeyException;
49 * <i>TMMH</i> is a <i>universal</i> hash function suitable for message
50 * authentication in the Wegman-Carter paradigm, as in the Stream Cipher
51 * Security Transform. It is simple, quick, and especially appropriate for
52 * Digital Signal Processors and other processors with a fast multiply
53 * operation, though a straightforward implementation requires storage equal in
54 * length to the largest message to be hashed.
56 * <i>TMMH</i> is a simple hash function which maps a key and a message to a
57 * hash value. There are two versions of TMMH: TMMH/16 and TMMH/32. <i>TMMH</i>
58 * can be used as a message authentication code, as described in Section 5 (see
61 * The key, message, and hash value are all octet strings, and the lengths of
62 * these quantities are denoted as <code>KEY_LENGTH</code>,
63 * <code>MESSAGE_LENGTH</code>, and <code>TAG_LENGTH</code>, respectively.
64 * The values of <code>KEY_LENGTH</code> and <code>TAG_LENGTH</code>
65 * <bold>MUST</bold> be fixed for any particular fixed value of the key, and
66 * must obey the alignment restrictions described below.
68 * The parameter <code>MAX_HASH_LENGTH</code>, which denotes the maximum
69 * value which <code>MESSAGE_LENGTH</code> may take, is equal to
70 * <code>KEY_LENGTH - TAG_LENGTH</code>.
75 * href="http://www.ietf.org/internet-drafts/draft-mcgrew-saag-tmmh-01.txt"> The
76 * Truncated Multi-Modular Hash Function (TMMH)</a>, David A. McGrew.</li>
83 public static final String TAG_LENGTH = "gnu.crypto.mac.tmmh.tag.length";
84 public static final String KEYSTREAM = "gnu.crypto.mac.tmmh.keystream";
85 public static final String PREFIX = "gnu.crypto.mac.tmmh.prefix";
86 private static final int P = (1 << 16) + 1; // the TMMH/16 prime
87 /** caches the result of the correctness test, once executed. */
88 private static Boolean valid;
89 private int tagWords = 0; // the tagLength expressed in words
90 private IRandom keystream = null; // the keystream generator
91 private byte[] prefix; // mask to use when operating as an authentication f.
92 private long keyWords; // key words counter
93 private long msgLength; // in bytes
94 private long msgWords; // should be = msgLength * WORD_LENGTH
95 private int[] context; // the tmmh running context; length == TAG_WORDS
96 private int[] K0; // the first TAG_WORDS words of the keystream
97 private int[] Ki; // the sliding TAG_WORDS words of the keystream
98 private int Mi; // current message word being constructed
100 /** Trivial 0-arguments constructor. */
103 super(Registry.TMMH16);
111 public void init(Map attributes) throws InvalidKeyException,
112 IllegalStateException
114 int wantTagLength = 0;
115 Integer tagLength = (Integer) attributes.get(TAG_LENGTH); // get tag length
116 if (tagLength == null)
118 if (tagWords == 0) // was never set
119 throw new IllegalArgumentException(TAG_LENGTH);
122 else // check if positive and is divisible by WORD_LENGTH
124 wantTagLength = tagLength.intValue();
125 if (wantTagLength < 2 || (wantTagLength % 2 != 0))
126 throw new IllegalArgumentException(TAG_LENGTH);
127 else if (wantTagLength > (512 / 8)) // 512-bits is our maximum
128 throw new IllegalArgumentException(TAG_LENGTH);
130 tagWords = wantTagLength / 2; // init local vars
131 K0 = new int[tagWords];
132 Ki = new int[tagWords];
133 context = new int[tagWords];
136 prefix = (byte[]) attributes.get(PREFIX);
137 if (prefix == null) // default to all-zeroes
138 prefix = new byte[tagWords * 2];
139 else // ensure it's as long as it should
141 if (prefix.length != tagWords * 2)
142 throw new IllegalArgumentException(PREFIX);
145 IRandom prng = (IRandom) attributes.get(KEYSTREAM); // get keystream
148 if (keystream == null)
149 throw new IllegalArgumentException(KEYSTREAM);
155 reset(); // reset context variables
156 for (int i = 0; i < tagWords; i++) // init starting key words
157 Ki[i] = K0[i] = getNextKeyWord(keystream);
160 // The words of the key are denoted as K[1], K[2], ..., K[KEY_WORDS], and the
161 // words of the message (after zero padding, if needed) are denoted as M[1],
162 // M[2], ..., M[MSG_WORDS], where MSG_WORDS is the smallest number such that
163 // 2 * MSG_WORDS is at least MESSAGE_LENGTH, and KEY_WORDS is KEY_LENGTH / 2.
165 // If MESSAGE_LENGTH is greater than MAX_HASH_LENGTH, then the value of
166 // TMMH/16 is undefined. Implementations MUST indicate an error if asked to
167 // hash a message with such a length. Otherwise, the hash value is defined
168 // to be the length TAG_WORDS sequence of words in which the j-th word in the
169 // sequence is defined as
171 // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
172 // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
174 // where j ranges from 1 to TAG_WORDS.
175 public void update(byte b)
177 this.update(b, keystream);
180 public void update(byte[] b, int offset, int len)
182 for (int i = 0; i < len; i++)
183 this.update(b[offset + i], keystream);
186 // For TMMH/16, KEY_LENGTH and TAG_LENGTH MUST be a multiple of two. The key,
187 // message, and hash value are treated as a sequence of unsigned sixteen bit
188 // integers in network byte order. (In this section, we call such an integer
189 // a word.) If MESSAGE_LENGTH is odd, then a zero byte is appended to the
190 // message to align it on a word boundary, though this process does not
191 // change the value of MESSAGE_LENGTH.
193 // ... Otherwise, the hash value is defined to be the length TAG_WORDS
194 // sequence of words in which the j-th word in the sequence is defined as
196 // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
197 // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
199 // where j ranges from 1 to TAG_WORDS.
201 // Here, TAG_WORDS is equal to TAG_LENGTH / 2, and p is equal to 2^16 + 1.
202 // The symbol * denotes multiplication and the symbol +32 denotes addition
204 public byte[] digest()
206 return this.digest(keystream);
211 msgLength = msgWords = keyWords = 0L;
213 for (int i = 0; i < tagWords; i++)
217 public boolean selfTest()
221 // TODO: compute and test equality with one known vector
222 valid = Boolean.TRUE;
224 return valid.booleanValue();
227 public Object clone() throws CloneNotSupportedException
229 TMMH16 result = (TMMH16) super.clone();
230 if (this.keystream != null)
231 result.keystream = (IRandom) this.keystream.clone();
232 if (this.prefix != null)
233 result.prefix = (byte[]) this.prefix.clone();
234 if (this.context != null)
235 result.context = (int[]) this.context.clone();
237 result.K0 = (int[]) this.K0.clone();
239 result.Ki = (int[]) this.Ki.clone();
244 * Similar to the same method with one argument, but uses the designated
245 * random number generator to compute needed keying material.
247 * @param b the byte to process.
248 * @param prng the source of randomness to use.
250 public void update(byte b, IRandom prng)
252 Mi <<= 8; // update message buffer
254 msgLength++; // update message length (bytes)
255 if (msgLength % 2 == 0) // got a full word
257 msgWords++; // update message words counter
258 System.arraycopy(Ki, 1, Ki, 0, tagWords - 1); // 1. shift Ki up by 1
259 Ki[tagWords - 1] = getNextKeyWord(prng); // 2. fill last box of Ki
260 long t; // temp var to allow working in modulo 2^32
261 for (int i = 0; i < tagWords; i++) // 3. update context
263 t = context[i] & 0xFFFFFFFFL;
265 context[i] = (int) t;
267 Mi = 0; // reset message buffer
272 * Similar to the same method with three arguments, but uses the designated
273 * random number generator to compute needed keying material.
275 * @param b the byte array to process.
276 * @param offset the starting offset in <code>b</code> to start considering
277 * the bytes to process.
278 * @param len the number of bytes in <code>b</code> starting from
279 * <code>offset</code> to process.
280 * @param prng the source of randomness to use.
282 public void update(byte[] b, int offset, int len, IRandom prng)
284 for (int i = 0; i < len; i++)
285 this.update(b[offset + i], prng);
289 * Similar to the same method with no arguments, but uses the designated
290 * random number generator to compute needed keying material.
292 * @param prng the source of randomness to use.
293 * @return the final result of the algorithm.
295 public byte[] digest(IRandom prng)
298 byte[] result = new byte[tagWords * 2];
299 for (int i = 0, j = 0; i < tagWords; i++)
301 result[j] = (byte)((context[i] >>> 8) ^ prefix[j]);
303 result[j] = (byte)(context[i] ^ prefix[j]);
310 private int getNextKeyWord(IRandom prng)
315 result = (prng.nextByte() & 0xFF) << 8 | (prng.nextByte() & 0xFF);
317 catch (LimitReachedException x)
319 throw new RuntimeException(String.valueOf(x));
321 keyWords++; // update key words counter
325 private void doFinalRound(IRandom prng)
327 long limit = msgLength; // formula works on real message length
328 while (msgLength % 2 != 0)
329 update((byte) 0x00, prng);
331 for (int i = 0; i < tagWords; i++)
333 t = context[i] & 0xFFFFFFFFL;
336 context[i] = (int) t;