Torne (Richard Coles) | 5821806 | 2012-11-14 11:43:16 +0000 | [diff] [blame] | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "base/basictypes.h" |
| 6 | #include "crypto/crypto_export.h" |
| 7 | |
| 8 | namespace crypto { |
| 9 | |
| 10 | // GaloisHash implements the polynomial authenticator part of GCM as specified |
| 11 | // in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf |
| 12 | // Specifically it implements the GHASH function, defined in section 2.3 of |
| 13 | // that document. |
| 14 | // |
| 15 | // In SP-800-38D, GHASH is defined differently and takes only a single data |
| 16 | // argument. But it is always called with an argument of a certain form: |
| 17 | // GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64) |
| 18 | // This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two |
| 19 | // data arguments. The two GHASH functions therefore differ only in whether the |
| 20 | // data is formatted inside or outside of the function. |
| 21 | // |
| 22 | // WARNING: do not use this as a generic authenticator. Polynomial |
| 23 | // authenticators must be used in the correct manner and any use outside of GCM |
| 24 | // requires careful consideration. |
| 25 | // |
| 26 | // WARNING: this code is not constant time. However, in all likelihood, nor is |
| 27 | // the implementation of AES that is used. |
| 28 | class CRYPTO_EXPORT_PRIVATE GaloisHash { |
| 29 | public: |
| 30 | explicit GaloisHash(const uint8 key[16]); |
| 31 | |
| 32 | // Reset prepares to digest a fresh message with the same key. This is more |
| 33 | // efficient than creating a fresh object. |
| 34 | void Reset(); |
| 35 | |
| 36 | // UpdateAdditional hashes in `additional' data. This is data that is not |
| 37 | // encrypted, but is covered by the authenticator. All additional data must |
| 38 | // be written before any ciphertext is written. |
| 39 | void UpdateAdditional(const uint8* data, size_t length); |
| 40 | |
| 41 | // UpdateCiphertext hashes in ciphertext to be authenticated. |
| 42 | void UpdateCiphertext(const uint8* data, size_t length); |
| 43 | |
| 44 | // Finish completes the hash computation and writes at most |len| bytes of |
| 45 | // the result to |output|. |
| 46 | void Finish(void* output, size_t len); |
| 47 | |
| 48 | private: |
| 49 | enum State { |
| 50 | kHashingAdditionalData, |
| 51 | kHashingCiphertext, |
| 52 | kComplete, |
| 53 | }; |
| 54 | |
| 55 | struct FieldElement { |
| 56 | uint64 low, hi; |
| 57 | }; |
| 58 | |
| 59 | // Add returns |x|+|y|. |
| 60 | static FieldElement Add(const FieldElement& x, const FieldElement& y); |
| 61 | // Double returns 2*|x|. |
| 62 | static FieldElement Double(const FieldElement& x); |
| 63 | // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and |
| 64 | // table[i] = i*h for i=0..15. |
| 65 | static void MulAfterPrecomputation(const FieldElement* table, |
| 66 | FieldElement* x); |
| 67 | // Mul16 sets |x| = 16*|x|. |
| 68 | static void Mul16(FieldElement* x); |
| 69 | |
| 70 | // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|. |
| 71 | void UpdateBlocks(const uint8* bytes, size_t num_blocks); |
| 72 | // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as |
| 73 | // much data as possible. It uses |buf_| to buffer any remaining data and |
| 74 | // always consumes all of |bytes|. |
| 75 | void Update(const uint8* bytes, size_t length); |
| 76 | |
| 77 | FieldElement y_; |
| 78 | State state_; |
| 79 | size_t additional_bytes_; |
| 80 | size_t ciphertext_bytes_; |
| 81 | uint8 buf_[16]; |
| 82 | size_t buf_used_; |
| 83 | FieldElement product_table_[16]; |
| 84 | }; |
| 85 | |
| 86 | } // namespace crypto |