From c3cc65bd08ea212067c57bf2af4182cbe7499896 Mon Sep 17 00:00:00 2001
From: Adam Petcher
Date: Wed, 29 Aug 2018 12:00:47 -0400
Subject: [PATCH] 8201317: X25519/X448 code improvements

Minor code/comment improvements

Reviewed-by: xuelei
---
 .../util/math/intpoly/IntegerPolynomial.java | 65 +++++++++++++++++--
 .../sun/security/ec/XDHKeyAgreement.java | 2 +-
 2 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java b/src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java
index 83555fcc352..d6aaccf8809 100644
--- a/src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java
+++ b/src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java
@@ -70,13 +70,28 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
     protected final int bitsPerLimb;
     private final long[] posModLimbs;
 
-    // must work when a==r
+    /**
+     * Multiply an IntegerPolynomial representation (a) with a long (b) and
+     * store the result in an IntegerPolynomial representation (r). Requires
+     * that a.length == r.length == numLimbs. It is allowed for a and r to be
+     * the same array.
+     */
     protected abstract void multByInt(long[] a, long b, long[] r);
 
-    // must work when a==r
+    /**
+     * Multiply two IntegerPolynomial representations (a and b) and store the
+     * result in an IntegerPolynomial representation (r). Requires that
+     * a.length == b.length == r.length == numLimbs. It is allowed for a and r
+     * to be the same array.
+     */
     protected abstract void mult(long[] a, long[] b, long[] r);
 
-    // must work when a==r
+    /**
+     * Multiply an IntegerPolynomial representation (a) with itself and store
+     * the result in an IntegerPolynomialRepresentation (r). Requires that
+     * a.length == r.length == numLimbs. It is allowed for a and r
+     * to be the same array.
+     */
     protected abstract void square(long[] a, long[] r);
 
     IntegerPolynomial(int bitsPerLimb,
@@ -240,7 +255,9 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
         carry(limbs, 0, limbs.length - 1);
     }
 
-    // carry out of the specified position and return the carry value
+    /**
+     * Carry out of the specified position and return the carry value.
+     */
     protected long carryOut(long[] limbs, int index) {
         long carry = carryValue(limbs[index]);
         limbs[index] -= (carry << bitsPerLimb);
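Review bot: The new Javadoc for `square` names the result type "IntegerPolynomialRepresentation (r)", which does not match the "IntegerPolynomial representation" wording used for `multByInt` and `mult` just above; the `addLimbs` Javadoc in the later hunk of this file carries the same spelling. The `mult` comment also states only that a and r may alias, leaving open whether b and r may, which a caller computing the product into one of its inputs needs to know. A sentence such as `* Whether b and r may be the same array is not specified by this contract.` would close that gap without claiming more than the abstract method guarantees.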
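Review bot: The `carryOut` Javadoc in the second hunk describes only the returned carry, while the body visible in the hunk also rewrites the limb in place (`limbs[index] -= (carry << bitsPerLimb)`). A second sentence such as `* As a side effect, limbs[index] is reduced in place by the carried amount.` would make the mutation explicit to callers that hold other references to the array. carryOut's body continues outside the hunk.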
@@ -261,9 +278,20 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
         }
     }
 
+    /**
+     * Carry out of the last limb and reduce back in. This method will be
+     * called as part of the "finalReduce" operation that puts the
+     * representation into a fully-reduced form. It is representation-
+     * specific, because representations have different amounts of empty
+     * space in the high-order limb. Requires that limbs.length=numLimbs.
+     */
     protected abstract void finalCarryReduceLast(long[] limbs);
 
-    // Convert reduced limbs into a number between 0 and MODULUS-1
+    /**
+     * Convert reduced limbs into a number between 0 and MODULUS-1.
+     * Requires that limbs.length == numLimbs. This method only works if the
+     * modulus has at most three terms.
+     */
     protected void finalReduce(long[] limbs) {
 
         // This method works by doing several full carry/reduce operations.
@@ -313,8 +341,10 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
     }
 
 
-    // v must be final reduced. I.e. all limbs in [0, bitsPerLimb)
-    // and value in [0, modulus)
+    /**
+     * Decode the value in v and store it in dst. Requires that v is final
+     * reduced. I.e. all limbs in [0, 2^bitsPerLimb) and value in [0, modulus).
+     */
     protected void decode(long[] v, byte[] dst, int offset, int length) {
 
         int nextLimbIndex = 0;
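Review bot: The `finalCarryReduceLast` Javadoc writes its length precondition as `limbs.length=numLimbs`, while the `finalReduce` comment directly below and the rest of this change write `limbs.length == numLimbs`; the `addLimbsModPowerTwo` Javadoc in the next hunk has the unspaced variant `limbs.length==other.length`. Writing every precondition in the same `a.length == b.length` form keeps them greppable and avoids reading `=` as an assignment. The `finalReduce` body continues outside the hunk.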
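Review bot: The new `decode` Javadoc in the second hunk documents the precondition on v but says nothing about dst, offset and length, which are what a caller needs to size the destination buffer. Presumably the method writes into dst starting at offset, so a sentence such as `* Writes length bytes into dst starting at offset; dst must have at least offset + length bytes.` would complete the contract — confirm against the body, which continues outside the hunk.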
@@ -344,12 +374,25 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
         }
     }
 
+    /**
+     * Add two IntegerPolynomial representations (a and b) and store the result
+     * in an IntegerPolynomialRepresentation (dst). Requires that
+     * a.length == b.length == dst.length. It is allowed for a and
+     * dst to be the same array.
+     */
     protected void addLimbs(long[] a, long[] b, long[] dst) {
         for (int i = 0; i < dst.length; i++) {
             dst[i] = a[i] + b[i];
         }
     }
 
+    /**
+     * Branch-free conditional swap of a and b. Requires that swap is 0 or 1,
+     * and that a.length == b.length. If swap==0, then the values of a and b
+     * will be unchanged. If swap==1, then the values of a and b will be
+     * swapped. The behavior is undefined if swap has any value other than
+     * 0 or 1.
+     */
     protected static void conditionalSwap(int swap, long[] a, long[] b) {
         int maskValue = 0 - swap;
         for (int i = 0; i < a.length; i++) {
@@ -359,6 +402,9 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
         }
     }
 
+    /**
+     * Stores the reduced, little-endian value of limbs in result.
+     */
     protected void limbsToByteArray(long[] limbs, byte[] result) {
 
         long[] reducedLimbs = limbs.clone();
@@ -367,6 +413,11 @@ public abstract class IntegerPolynomial implements IntegerFieldModuloP {
         decode(reducedLimbs, result, 0, result.length);
     }
 
+    /**
+     * Add the reduced number corresponding to limbs and other, and store
+     * the low-order bytes of the sum in result. Requires that
+     * limbs.length==other.length. The result array may have any length.
+     */
     protected void addLimbsModPowerTwo(long[] limbs, long[] other,
                                        byte[] result) {
 
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHKeyAgreement.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHKeyAgreement.java
index e15942b05c0..095e6c1d345 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHKeyAgreement.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHKeyAgreement.java
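Review bot: The `conditionalSwap` Javadoc says what "branch-free" means but not why the method is written that way, which is the one thing a future maintainer must know before "simplifying" the mask arithmetic into an `if`. The swap bit is presumably derived from the private scalar in the ladder that calls this, so a sentence such as `* Written without branches so that the value of swap does not influence timing.` would record the constant-time intent next to `int maskValue = 0 - swap;`. The loop body continues outside the hunk.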
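Review bot: The `limbsToByteArray` Javadoc in the second hunk does not say that the `limbs` argument is left unchanged, which the `long[] reducedLimbs = limbs.clone();` on the last visible line guarantees and which a caller might otherwise assume means the input is reduced in place. A second sentence such as `* The limbs array is not modified; the reduction is performed on a copy.` would state it; the method's body continues outside the hunk.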
@@ -186,7 +186,7 @@ public class XDHKeyAgreement extends KeyAgreementSpi { throw new IllegalStateException("Not initialized correctly"); } int secretLen = this.secret.length; - if (offset + secretLen > sharedSecret.length) { + if (secretLen > sharedSecret.length - offset) { throw new ShortBufferException("Need " + secretLen + " bytes, only " + (sharedSecret.length - offset) + " available");
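Review bot: A negative offset still passes the rewritten check, because `sharedSecret.length - offset` grows rather than shrinks for offset < 0, so `secretLen > sharedSecret.length - offset` is false and the copy that presumably follows outside the hunk would fail with an array-index exception instead of the ShortBufferException this branch is meant to raise; the error message would also report more bytes "available" than the array holds. The new form does remove the int overflow in `offset + secretLen`, which is the right direction; rejecting the sign explicitly finishes the job: `if (offset < 0 || secretLen > sharedSecret.length - offset) {`. The enclosing method starts and ends outside the hunk.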