crypto: add GHASH implementation.

crypto/ghash.h

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/basictypes.h"
+
+namespace crypto {
+
+// GaliosHash implements the polynomial authenticator part of GCM as specified

[wtc, 2012/10/19 21:35:22]

Typo: Galios => Galois

[agl, 2012/10/22 21:50:56]

Done.

+// in http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+// Specifically it implements the GHASH function, defined in section 6.4 of

[wtc, 2012/10/19 21:35:22]

Since your GaliosHash function hashes the lengths of the
additional data and ciphertext, it is actually the original
GHASH specified by McGrew and Viega, not the final GHASH
specified in NIST SP 800-38D. This difference was mentioned
in the footnote on page 9 of 800-38D.

[agl, 2012/10/22 21:50:56]

Both the original paper and SP-800-38D produce the same results. The footnote
remarks that the boundary between GHASH and GCM has moved. In SP-800-38D, GHASH
takes a single data argument, which happens to include the lengths of the
authenticated and encrypted data at the end. In the original paper [1], GHASH
takes a pair of data arguments and the behaviour of appending the lengths is
contained within GHASH.

I've made a note of this in the comment, but I believe that the implementation
works exactly the same, although this code could not cope with SP-800-38D's
GHASH being called with a non-standard argument form.


[1] http://eprint.iacr.org/2004/193.pdf, end of section 2.

+// that document.
+//
+// WARNING: do not use this as a generic authenticator. Polynomial
+// authenticators must be used in the correct manner and any use outside of GCM
+// requires careful consideration.
+//
+// WARNING: this code is not constant time. However, in all likelihood, nor is
+// the implementation of AES that is used.
+class GaliosHash {
+ public:
+  explicit GaliosHash(const uint8 key[16]);
+
+  // Reset prepares to digest a fresh message with the same key. This is more
+  // efficient than creating a fresh object.
+  void Reset();
+
+  // UpdateAdditional hashes in `additional' data. This is data that is not
+  // encrypted, but is covered by the authenticator. All additional data must
+  // be written before any ciphertext is written.
+  void UpdateAdditional(const uint8* data, size_t length);
+
+  // UpdateCiphertext hashes in ciphertext to be authenticated.
+  void UpdateCiphertext(const uint8* data, size_t length);
+
+  // Digest finishes the hash computation and writes the result into |result|.
+  void Digest(uint8 result[16]);

[wtc, 2012/10/19 21:35:22]

This method should probably be named Finish(), with a prototype
similar to the Finish() method in crypto/secure_hash.h.

[agl, 2012/10/22 21:50:56]

Done.

+
+ private:
+  enum State {
+    kHashingAdditionalData,
+    kHashingCiphertext,
+    kComplete,
+  };
+
+  struct FieldElement {
+    uint64 low, hi;
+  };
+
+  // Add returns |x|+|y|.
+  static FieldElement Add(const FieldElement& x, const FieldElement& y);
+  // Double returns 2*|x|.
+  static FieldElement Double(const FieldElement& x);
+  // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and
+  // table[i] = i*h for i=0..15.
+  static void MulAfterPrecomputation(const FieldElement* table,
+                                     FieldElement* x);
+  // Mul16 sets |x| = 16*|x|.
+  static void Mul16(FieldElement* x);
+
+  // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|.
+  void UpdateBlocks(const uint8* bytes, size_t num_blocks);
+  void Update(const uint8* bytes, size_t length);

[wtc, 2012/10/19 21:35:22]

Nit: document Update().

[agl, 2012/10/22 21:50:56]

Done.

+
+  FieldElement y_;
+  State state_;
+  size_t additional_bytes_;
+  size_t ciphertext_bytes_;
+  uint8 buf_[16];
+  size_t buf_used_;
+  FieldElement productTable[16];

[wtc, 2012/10/19 21:35:22]

productTable => product_table_

Note the trailing _.

[agl, 2012/10/22 21:50:56]

Done.

+};
+
+}  // namespace crypto