/* TMMH16.java -- 
   Copyright (C) 2001, 2002, 2006 Free Software Foundation, Inc.

This file is a part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU Classpath; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version.  */


package gnu.javax.crypto.mac;

import gnu.java.security.Registry;
import gnu.java.security.prng.IRandom;
import gnu.java.security.prng.LimitReachedException;

import java.security.InvalidKeyException;
import java.util.Map;

/**
 * <i>TMMH</i> is a <i>universal</i> hash function suitable for message
 * authentication in the Wegman-Carter paradigm, as in the Stream Cipher
 * Security Transform. It is simple, quick, and especially appropriate for
 * Digital Signal Processors and other processors with a fast multiply
 * operation, though a straightforward implementation requires storage equal in
 * length to the largest message to be hashed.
 * <p>
 * <i>TMMH</i> is a simple hash function which maps a key and a message to a
 * hash value. There are two versions of TMMH: TMMH/16 and TMMH/32. <i>TMMH</i>
 * can be used as a message authentication code, as described in Section 5 (see
 * References).
 * <p>
 * The key, message, and hash value are all octet strings, and the lengths of
 * these quantities are denoted as <code>KEY_LENGTH</code>,
 * <code>MESSAGE_LENGTH</code>, and <code>TAG_LENGTH</code>, respectively.
 * The values of <code>KEY_LENGTH</code> and <code>TAG_LENGTH</code>
 * <bold>MUST</bold> be fixed for any particular fixed value of the key, and
 * must obey the alignment restrictions described below.
 * <p>
 * The parameter <code>MAX_HASH_LENGTH</code>, which denotes the maximum
 * value which <code>MESSAGE_LENGTH</code> may take, is equal to
 * <code>KEY_LENGTH - TAG_LENGTH</code>.
 * <p>
 * References:
 * <ol>
 * <li><a
 * href="http://www.ietf.org/internet-drafts/draft-mcgrew-saag-tmmh-01.txt"> The
 * Truncated Multi-Modular Hash Function (TMMH)</a>, David A. McGrew.</li>
 * </ol>
 */
public class TMMH16
    extends BaseMac
    implements Cloneable
{
  public static final String TAG_LENGTH = "gnu.crypto.mac.tmmh.tag.length";
  public static final String KEYSTREAM = "gnu.crypto.mac.tmmh.keystream";
  public static final String PREFIX = "gnu.crypto.mac.tmmh.prefix";
  private static final int P = (1 << 16) + 1; // the TMMH/16 prime
  /** caches the result of the correctness test, once executed. */
  private static Boolean valid;
  private int tagWords = 0; // the tagLength expressed in words
  private IRandom keystream = null; // the keystream generator
  private byte[] prefix; // mask to use when operating as an authentication f.
  private long keyWords; // key words counter
  private long msgLength; // in bytes
  private long msgWords; // should be = msgLength * WORD_LENGTH
  private int[] context; // the tmmh running context; length == TAG_WORDS
  private int[] K0; // the first TAG_WORDS words of the keystream
  private int[] Ki; // the sliding TAG_WORDS words of the keystream
  private int Mi; // current message word being constructed

  /** Trivial 0-arguments constructor. */
  public TMMH16()
  {
    super(Registry.TMMH16);
  }

  public int macSize()
  {
    return tagWords * 2;
  }

  public void init(Map attributes) throws InvalidKeyException,
      IllegalStateException
  {
    int wantTagLength = 0;
    Integer tagLength = (Integer) attributes.get(TAG_LENGTH); // get tag length
    if (tagLength == null)
      {
        if (tagWords == 0) // was never set
          throw new IllegalArgumentException(TAG_LENGTH);
        // else re-use
      }
    else // check if positive and is divisible by WORD_LENGTH
      {
        wantTagLength = tagLength.intValue();
        if (wantTagLength < 2 || (wantTagLength % 2 != 0))
          throw new IllegalArgumentException(TAG_LENGTH);
        else if (wantTagLength > (512 / 8)) // 512-bits is our maximum
          throw new IllegalArgumentException(TAG_LENGTH);

        tagWords = wantTagLength / 2; // init local vars
        K0 = new int[tagWords];
        Ki = new int[tagWords];
        context = new int[tagWords];
      }

    prefix = (byte[]) attributes.get(PREFIX);
    if (prefix == null) // default to all-zeroes
      prefix = new byte[tagWords * 2];
    else // ensure it's as long as it should
      {
        if (prefix.length != tagWords * 2)
          throw new IllegalArgumentException(PREFIX);
      }

    IRandom prng = (IRandom) attributes.get(KEYSTREAM); // get keystream
    if (prng == null)
      {
        if (keystream == null)
          throw new IllegalArgumentException(KEYSTREAM);
        // else reuse
      }
    else
      keystream = prng;

    reset(); // reset context variables
    for (int i = 0; i < tagWords; i++) // init starting key words
      Ki[i] = K0[i] = getNextKeyWord(keystream);
  }

  // The words of the key are denoted as K[1], K[2], ..., K[KEY_WORDS], and the
  // words of the message (after zero padding, if needed) are denoted as M[1],
  // M[2], ..., M[MSG_WORDS], where MSG_WORDS is the smallest number such that
  // 2 * MSG_WORDS is at least MESSAGE_LENGTH, and KEY_WORDS is KEY_LENGTH / 2.
  //
  // If MESSAGE_LENGTH is greater than MAX_HASH_LENGTH, then the value of
  // TMMH/16 is undefined. Implementations MUST indicate an error if asked to
  // hash a message with such a length. Otherwise, the hash value is defined
  // to be the length TAG_WORDS sequence of words in which the j-th word in the
  // sequence is defined as
  //
  // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
  // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
  //
  // where j ranges from 1 to TAG_WORDS.
  public void update(byte b)
  {
    this.update(b, keystream);
  }

  public void update(byte[] b, int offset, int len)
  {
    for (int i = 0; i < len; i++)
      this.update(b[offset + i], keystream);
  }

  // For TMMH/16, KEY_LENGTH and TAG_LENGTH MUST be a multiple of two. The key,
  // message, and hash value are treated as a sequence of unsigned sixteen bit
  // integers in network byte order. (In this section, we call such an integer
  // a word.) If MESSAGE_LENGTH is odd, then a zero byte is appended to the
  // message to align it on a word boundary, though this process does not
  // change the value of MESSAGE_LENGTH.
  //
  // ... Otherwise, the hash value is defined to be the length TAG_WORDS
  // sequence of words in which the j-th word in the sequence is defined as
  //
  // [ [ K[j] * MESSAGE_LENGTH +32 K[j+1] * M[1] +32 K[j+2] * M[2]
  // +32 ... K[j+MSG_WORDS] * M[MSG_WORDS] ] modulo p ] modulo 2^16
  //
  // where j ranges from 1 to TAG_WORDS.
  //
  // Here, TAG_WORDS is equal to TAG_LENGTH / 2, and p is equal to 2^16 + 1.
  // The symbol * denotes multiplication and the symbol +32 denotes addition
  // modulo 2^32.
  public byte[] digest()
  {
    return this.digest(keystream);
  }

  public void reset()
  {
    msgLength = msgWords = keyWords = 0L;
    Mi = 0;
    for (int i = 0; i < tagWords; i++)
      context[i] = 0;
  }

  public boolean selfTest()
  {
    if (valid == null)
      {
        // TODO: compute and test equality with one known vector
        valid = Boolean.TRUE;
      }
    return valid.booleanValue();
  }

  public Object clone() throws CloneNotSupportedException
  {
    TMMH16 result = (TMMH16) super.clone();
    if (this.keystream != null)
      result.keystream = (IRandom) this.keystream.clone();
    if (this.prefix != null)
      result.prefix = (byte[]) this.prefix.clone();
    if (this.context != null)
      result.context = (int[]) this.context.clone();
    if (this.K0 != null)
      result.K0 = (int[]) this.K0.clone();
    if (this.Ki != null)
      result.Ki = (int[]) this.Ki.clone();
    return result;
  }

  /**
   * Similar to the same method with one argument, but uses the designated
   * random number generator to compute needed keying material.
   * 
   * @param b the byte to process.
   * @param prng the source of randomness to use.
   */
  public void update(byte b, IRandom prng)
  {
    Mi <<= 8; // update message buffer
    Mi |= b & 0xFF;
    msgLength++; // update message length (bytes)
    if (msgLength % 2 == 0) // got a full word
      {
        msgWords++; // update message words counter
        System.arraycopy(Ki, 1, Ki, 0, tagWords - 1); // 1. shift Ki up by 1
        Ki[tagWords - 1] = getNextKeyWord(prng); // 2. fill last box of Ki
        long t; // temp var to allow working in modulo 2^32
        for (int i = 0; i < tagWords; i++) // 3. update context
          {
            t = context[i] & 0xFFFFFFFFL;
            t += Ki[i] * Mi;
            context[i] = (int) t;
          }
        Mi = 0; // reset message buffer
      }
  }

  /**
   * Similar to the same method with three arguments, but uses the designated
   * random number generator to compute needed keying material.
   * 
   * @param b the byte array to process.
   * @param offset the starting offset in <code>b</code> to start considering
   *          the bytes to process.
   * @param len the number of bytes in <code>b</code> starting from
   *          <code>offset</code> to process.
   * @param prng the source of randomness to use.
   */
  public void update(byte[] b, int offset, int len, IRandom prng)
  {
    for (int i = 0; i < len; i++)
      this.update(b[offset + i], prng);
  }

  /**
   * Similar to the same method with no arguments, but uses the designated
   * random number generator to compute needed keying material.
   * 
   * @param prng the source of randomness to use.
   * @return the final result of the algorithm.
   */
  public byte[] digest(IRandom prng)
  {
    doFinalRound(prng);
    byte[] result = new byte[tagWords * 2];
    for (int i = 0, j = 0; i < tagWords; i++)
      {
        result[j] = (byte)((context[i] >>> 8) ^ prefix[j]);
        j++;
        result[j] = (byte)(context[i] ^ prefix[j]);
        j++;
      }
    reset();
    return result;
  }

  private int getNextKeyWord(IRandom prng)
  {
    int result = 0;
    try
      {
        result = (prng.nextByte() & 0xFF) << 8 | (prng.nextByte() & 0xFF);
      }
    catch (LimitReachedException x)
      {
        throw new RuntimeException(String.valueOf(x));
      }
    keyWords++; // update key words counter
    return result;
  }

  private void doFinalRound(IRandom prng)
  {
    long limit = msgLength; // formula works on real message length
    while (msgLength % 2 != 0)
      update((byte) 0x00, prng);
    long t;
    for (int i = 0; i < tagWords; i++)
      {
        t = context[i] & 0xFFFFFFFFL;
        t += K0[i] * limit;
        t %= P;
        context[i] = (int) t;
      }
  }
}