1 | /* |
2 | * Copyright 2004-2014 H2 Group. Multiple-Licensed under the MPL 2.0, |
3 | * and the EPL 1.0 (http://h2database.com/html/license.html). |
4 | * Initial Developer: H2 Group |
5 | */ |
6 | package org.h2.security; |
7 | |
8 | import java.util.Arrays; |
9 | |
10 | /** |
11 | * This class implements the cryptographic hash function SHA-256. |
12 | */ |
13 | public class SHA256 { |
14 | |
15 | /** |
16 | * The first 32 bits of the fractional parts of the cube roots of the first |
17 | * sixty-four prime numbers. |
18 | */ |
19 | private static final int[] K = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, |
20 | 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, |
21 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, |
22 | 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, |
23 | 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, |
24 | 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, |
25 | 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, |
26 | 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, |
27 | 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, |
28 | 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, |
29 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, |
30 | 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, |
31 | 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, |
32 | 0xc67178f2 }; |
33 | |
34 | private static final int[] HH = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, |
35 | 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 }; |
36 | |
37 | private final byte[] result = new byte[32]; |
38 | private final int[] w = new int[64]; |
39 | private final int[] hh = new int[8]; |
40 | |
41 | /** |
42 | * Calculate the hash code by using the given salt. The salt is appended |
43 | * after the data before the hash code is calculated. After generating the |
44 | * hash code, the data and all internal buffers are filled with zeros to |
45 | * avoid keeping insecure data in memory longer than required (and possibly |
46 | * swapped to disk). |
47 | * |
48 | * @param data the data to hash |
49 | * @param salt the salt to use |
50 | * @return the hash code |
51 | */ |
52 | public static byte[] getHashWithSalt(byte[] data, byte[] salt) { |
53 | byte[] buff = new byte[data.length + salt.length]; |
54 | System.arraycopy(data, 0, buff, 0, data.length); |
55 | System.arraycopy(salt, 0, buff, data.length, salt.length); |
56 | return getHash(buff, true); |
57 | } |
58 | |
59 | /** |
60 | * Calculate the hash of a password by prepending the user name and a '@' |
61 | * character. Both the user name and the password are encoded to a byte |
62 | * array using UTF-16. After generating the hash code, the password array |
63 | * and all internal buffers are filled with zeros to avoid keeping the plain |
64 | * text password in memory longer than required (and possibly swapped to |
65 | * disk). |
66 | * |
67 | * @param userName the user name |
68 | * @param password the password |
69 | * @return the hash code |
70 | */ |
71 | public static byte[] getKeyPasswordHash(String userName, char[] password) { |
72 | String user = userName + "@"; |
73 | byte[] buff = new byte[2 * (user.length() + password.length)]; |
74 | int n = 0; |
75 | for (int i = 0, length = user.length(); i < length; i++) { |
76 | char c = user.charAt(i); |
77 | buff[n++] = (byte) (c >> 8); |
78 | buff[n++] = (byte) c; |
79 | } |
80 | for (char c : password) { |
81 | buff[n++] = (byte) (c >> 8); |
82 | buff[n++] = (byte) c; |
83 | } |
84 | Arrays.fill(password, (char) 0); |
85 | return getHash(buff, true); |
86 | } |
87 | |
88 | /** |
89 | * Calculate the hash-based message authentication code. |
90 | * |
91 | * @param key the key |
92 | * @param message the message |
93 | * @return the hash |
94 | */ |
95 | public static byte[] getHMAC(byte[] key, byte[] message) { |
96 | key = normalizeKeyForHMAC(key); |
97 | int len = message.length; |
98 | int byteLen = 64 + Math.max(32, len); |
99 | int intLen = getIntCount(byteLen); |
100 | byte[] byteBuff = new byte[intLen * 4]; |
101 | int[] intBuff = new int[intLen]; |
102 | SHA256 sha = new SHA256(); |
103 | byte[] iKey = new byte[64 + len]; |
104 | byte[] oKey = new byte[64 + 32]; |
105 | sha.calculateHMAC(key, message, len, iKey, oKey, byteBuff, intBuff); |
106 | return sha.result; |
107 | } |
108 | |
109 | private void calculateHMAC(byte[] key, byte[] message, int len, |
110 | byte[] iKey, byte[] oKey, byte[] byteBuff, int[] intBuff) { |
111 | Arrays.fill(iKey, 0, 64, (byte) 0x36); |
112 | xor(iKey, key, 64); |
113 | System.arraycopy(message, 0, iKey, 64, len); |
114 | calculateHash(iKey, 64 + len, byteBuff, intBuff); |
115 | Arrays.fill(oKey, 0, 64, (byte) 0x5c); |
116 | xor(oKey, key, 64); |
117 | System.arraycopy(result, 0, oKey, 64, 32); |
118 | calculateHash(oKey, 64 + 32, byteBuff, intBuff); |
119 | } |
120 | |
121 | private static byte[] normalizeKeyForHMAC(byte[] key) { |
122 | if (key.length > 64) { |
123 | key = getHash(key, false); |
124 | } |
125 | if (key.length < 64) { |
126 | key = Arrays.copyOf(key, 64); |
127 | } |
128 | return key; |
129 | } |
130 | |
131 | private static void xor(byte[] target, byte[] data, int len) { |
132 | for (int i = 0; i < len; i++) { |
133 | target[i] ^= data[i]; |
134 | } |
135 | } |
136 | |
137 | /** |
138 | * Calculate the hash using the password-based key derivation function 2. |
139 | * |
140 | * @param password the password |
141 | * @param salt the salt |
142 | * @param iterations the number of iterations |
143 | * @param resultLen the number of bytes in the result |
144 | * @return the result |
145 | */ |
146 | public static byte[] getPBKDF2(byte[] password, byte[] salt, |
147 | int iterations, int resultLen) { |
148 | byte[] result = new byte[resultLen]; |
149 | byte[] key = normalizeKeyForHMAC(password); |
150 | SHA256 sha = new SHA256(); |
151 | int len = 64 + Math.max(32, salt.length + 4); |
152 | byte[] message = new byte[len]; |
153 | int intLen = getIntCount(len); |
154 | byte[] byteBuff = new byte[intLen * 4]; |
155 | int[] intBuff = new int[intLen]; |
156 | byte[] iKey = new byte[64 + len]; |
157 | byte[] oKey = new byte[64 + 32]; |
158 | for (int k = 1, offset = 0; offset < resultLen; k++, offset += 32) { |
159 | for (int i = 0; i < iterations; i++) { |
160 | if (i == 0) { |
161 | System.arraycopy(salt, 0, message, 0, salt.length); |
162 | writeInt(message, salt.length, k); |
163 | len = salt.length + 4; |
164 | } else { |
165 | System.arraycopy(sha.result, 0, message, 0, 32); |
166 | len = 32; |
167 | } |
168 | sha.calculateHMAC(key, message, len, iKey, oKey, byteBuff, intBuff); |
169 | for (int j = 0; j < 32 && j + offset < resultLen; j++) { |
170 | result[j + offset] ^= sha.result[j]; |
171 | } |
172 | } |
173 | } |
174 | Arrays.fill(password, (byte) 0); |
175 | Arrays.fill(key, (byte) 0); |
176 | return result; |
177 | } |
178 | |
179 | /** |
180 | * Calculate the hash code for the given data. |
181 | * |
182 | * @param data the data to hash |
183 | * @param nullData if the data should be filled with zeros after calculating |
184 | * the hash code |
185 | * @return the hash code |
186 | */ |
187 | public static byte[] getHash(byte[] data, boolean nullData) { |
188 | int len = data.length; |
189 | int intLen = getIntCount(len); |
190 | byte[] byteBuff = new byte[intLen * 4]; |
191 | int[] intBuff = new int[intLen]; |
192 | SHA256 sha = new SHA256(); |
193 | sha.calculateHash(data, len, byteBuff, intBuff); |
194 | if (nullData) { |
195 | sha.fillWithNull(); |
196 | Arrays.fill(intBuff, 0); |
197 | Arrays.fill(byteBuff, (byte) 0); |
198 | Arrays.fill(data, (byte) 0); |
199 | } |
200 | return sha.result; |
201 | } |
202 | |
203 | private static int getIntCount(int byteCount) { |
204 | return ((byteCount + 9 + 63) / 64) * 16; |
205 | } |
206 | |
207 | private void fillWithNull() { |
208 | Arrays.fill(w, 0); |
209 | Arrays.fill(hh, 0); |
210 | } |
211 | |
212 | private void calculateHash(byte[] data, int len, |
213 | byte[] byteBuff, int[] intBuff) { |
214 | int[] w = this.w; |
215 | int[] hh = this.hh; |
216 | byte[] result = this.result; |
217 | int intLen = getIntCount(len); |
218 | System.arraycopy(data, 0, byteBuff, 0, len); |
219 | byteBuff[len] = (byte) 0x80; |
220 | Arrays.fill(byteBuff, len + 1, intLen * 4, (byte) 0); |
221 | for (int i = 0, j = 0; j < intLen; i += 4, j++) { |
222 | intBuff[j] = readInt(byteBuff, i); |
223 | } |
224 | intBuff[intLen - 2] = len >>> 29; |
225 | intBuff[intLen - 1] = len << 3; |
226 | System.arraycopy(HH, 0, hh, 0, 8); |
227 | for (int block = 0; block < intLen; block += 16) { |
228 | for (int i = 0; i < 16; i++) { |
229 | w[i] = intBuff[block + i]; |
230 | } |
231 | for (int i = 16; i < 64; i++) { |
232 | int x = w[i - 2]; |
233 | int theta1 = rot(x, 17) ^ rot(x, 19) ^ (x >>> 10); |
234 | x = w[i - 15]; |
235 | int theta0 = rot(x, 7) ^ rot(x, 18) ^ (x >>> 3); |
236 | w[i] = theta1 + w[i - 7] + theta0 + w[i - 16]; |
237 | } |
238 | |
239 | int a = hh[0], b = hh[1], c = hh[2], d = hh[3]; |
240 | int e = hh[4], f = hh[5], g = hh[6], h = hh[7]; |
241 | |
242 | for (int i = 0; i < 64; i++) { |
243 | int t1 = h + (rot(e, 6) ^ rot(e, 11) ^ rot(e, 25)) |
244 | + ((e & f) ^ ((~e) & g)) + K[i] + w[i]; |
245 | int t2 = (rot(a, 2) ^ rot(a, 13) ^ rot(a, 22)) |
246 | + ((a & b) ^ (a & c) ^ (b & c)); |
247 | h = g; |
248 | g = f; |
249 | f = e; |
250 | e = d + t1; |
251 | d = c; |
252 | c = b; |
253 | b = a; |
254 | a = t1 + t2; |
255 | } |
256 | hh[0] += a; |
257 | hh[1] += b; |
258 | hh[2] += c; |
259 | hh[3] += d; |
260 | hh[4] += e; |
261 | hh[5] += f; |
262 | hh[6] += g; |
263 | hh[7] += h; |
264 | } |
265 | for (int i = 0; i < 8; i++) { |
266 | writeInt(result, i * 4, hh[i]); |
267 | } |
268 | } |
269 | |
270 | private static int rot(int i, int count) { |
271 | return Integer.rotateRight(i, count); |
272 | } |
273 | |
274 | private static int readInt(byte[] b, int i) { |
275 | return ((b[i] & 0xff) << 24) + ((b[i + 1] & 0xff) << 16) |
276 | + ((b[i + 2] & 0xff) << 8) + (b[i + 3] & 0xff); |
277 | } |
278 | |
279 | private static void writeInt(byte[] b, int i, int value) { |
280 | b[i] = (byte) (value >> 24); |
281 | b[i + 1] = (byte) (value >> 16); |
282 | b[i + 2] = (byte) (value >> 8); |
283 | b[i + 3] = (byte) value; |
284 | } |
285 | |
286 | } |