Chromium Code Reviews Chromium Code Reviews
Issue 11175015:
crypto: add GHASH implementation. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "base/basictypes.h" | |
| 6 | |
| 7 namespace crypto { | |
| 8 | |
| 9 // GaloisHash implements the polynomial authenticator part of GCM as specified | |
| 10 // in http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf | |
| 11 // Specifically it implements the GHASH function, defined in section 6.4 of | |
| 12 // that document. | |
| 13 // | |
| 14 // In SP-800-38D, GHASH is always called with an argument of a certain form: | |
| 15 // GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64) | |
| 16 // This assumption is built into the GaloisHash interface. | |
|
wtc
2012/10/25 00:54:51
As we discussed in the conference call this aftern
agl
2012/10/25 16:38:09
I have updated it again.
| |
| 17 // | |
| 18 // WARNING: do not use this as a generic authenticator. Polynomial | |
| 19 // authenticators must be used in the correct manner and any use outside of GCM | |
| 20 // requires careful consideration. | |
| 21 // | |
| 22 // WARNING: this code is not constant time. However, in all likelihood, nor is | |
| 23 // the implementation of AES that is used. | |
| 24 class GaloisHash { | |
| 25 public: | |
| 26 explicit GaloisHash(const uint8 key[16]); | |
| 27 | |
| 28 // Reset prepares to digest a fresh message with the same key. This is more | |
| 29 // efficient than creating a fresh object. | |
| 30 void Reset(); | |
| 31 | |
| 32 // UpdateAdditional hashes in `additional' data. This is data that is not | |
| 33 // encrypted, but is covered by the authenticator. All additional data must | |
| 34 // be written before any ciphertext is written. | |
| 35 void UpdateAdditional(const uint8* data, size_t length); | |
| 36 | |
| 37 // UpdateCiphertext hashes in ciphertext to be authenticated. | |
| 38 void UpdateCiphertext(const uint8* data, size_t length); | |
| 39 | |
| 40 // Finish completes the hash computation and at most |len| bytes of the | |
|
wtc
2012/10/25 00:54:51
Add "writes" before "at most".
agl
2012/10/25 16:38:09
Done.
| |
| 41 // result to |output|. | |
| 42 void Finish(void* output, size_t len); | |
| 43 | |
| 44 private: | |
| 45 enum State { | |
| 46 kHashingAdditionalData, | |
| 47 kHashingCiphertext, | |
| 48 kComplete, | |
| 49 }; | |
| 50 | |
| 51 struct FieldElement { | |
| 52 uint64 low, hi; | |
| 53 }; | |
| 54 | |
| 55 // Add returns |x|+|y|. | |
| 56 static FieldElement Add(const FieldElement& x, const FieldElement& y); | |
| 57 // Double returns 2*|x|. | |
| 58 static FieldElement Double(const FieldElement& x); | |
| 59 // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and | |
| 60 // table[i] = i*h for i=0..15. | |
| 61 static void MulAfterPrecomputation(const FieldElement* table, | |
| 62 FieldElement* x); | |
| 63 // Mul16 sets |x| = 16*|x|. | |
| 64 static void Mul16(FieldElement* x); | |
| 65 | |
| 66 // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|. | |
| 67 void UpdateBlocks(const uint8* bytes, size_t num_blocks); | |
| 68 // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as | |
| 69 // much data as possible. It uses |buf_| to buffer any remaining data and | |
| 70 // always consumes all of |bytes|. | |
| 71 void Update(const uint8* bytes, size_t length); | |
| 72 | |
| 73 FieldElement y_; | |
| 74 State state_; | |
| 75 size_t additional_bytes_; | |
| 76 size_t ciphertext_bytes_; | |
| 77 uint8 buf_[16]; | |
| 78 size_t buf_used_; | |
| 79 FieldElement product_table_[16]; | |
| 80 }; | |
| 81 | |
| 82 } // namespace crypto | |
| OLD | NEW |
