Chromium Code Reviews| Index: crypto/ghash.h |
| diff --git a/crypto/ghash.h b/crypto/ghash.h |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..66b4f4a65e940856092149c30536e231e30dfe1e |
| --- /dev/null |
| +++ b/crypto/ghash.h |
| @@ -0,0 +1,74 @@ |
| +// Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "base/basictypes.h" |
| + |
| +namespace crypto { |
| + |
| +// GaliosHash implements the polynomial authenticator part of GCM as specified |
|
wtc
2012/10/19 21:35:22
Typo: Galios => Galois
agl
2012/10/22 21:50:56
Done.
|
| +// in http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf |
| +// Specifically it implements the GHASH function, defined in section 6.4 of |
|
wtc
2012/10/19 21:35:22
Since your GaliosHash function hashes the lengths
agl
2012/10/22 21:50:56
Both the original paper and SP-800-38D produce the
|
| +// that document. |
| +// |
| +// WARNING: do not use this as a generic authenticator. Polynomial |
| +// authenticators must be used in the correct manner and any use outside of GCM |
| +// requires careful consideration. |
| +// |
| +// WARNING: this code is not constant time. However, in all likelihood, nor is |
| +// the implementation of AES that is used. |
| +class GaliosHash { |
| + public: |
| + explicit GaliosHash(const uint8 key[16]); |
| + |
| + // Reset prepares to digest a fresh message with the same key. This is more |
| + // efficient than creating a fresh object. |
| + void Reset(); |
| + |
| + // UpdateAdditional hashes in `additional' data. This is data that is not |
| + // encrypted, but is covered by the authenticator. All additional data must |
| + // be written before any ciphertext is written. |
| + void UpdateAdditional(const uint8* data, size_t length); |
| + |
| + // UpdateCiphertext hashes in ciphertext to be authenticated. |
| + void UpdateCiphertext(const uint8* data, size_t length); |
| + |
| + // Digest finishes the hash computation and writes the result into |result|. |
| + void Digest(uint8 result[16]); |
|
wtc
2012/10/19 21:35:22
This method should probably be named Finish(), wit
agl
2012/10/22 21:50:56
Done.
|
| + |
| + private: |
| + enum State { |
| + kHashingAdditionalData, |
| + kHashingCiphertext, |
| + kComplete, |
| + }; |
| + |
| + struct FieldElement { |
| + uint64 low, hi; |
| + }; |
| + |
| + // Add returns |x|+|y|. |
| + static FieldElement Add(const FieldElement& x, const FieldElement& y); |
| + // Double returns 2*|x|. |
| + static FieldElement Double(const FieldElement& x); |
| + // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and |
| + // table[i] = i*h for i=0..15. |
| + static void MulAfterPrecomputation(const FieldElement* table, |
| + FieldElement* x); |
| + // Mul16 sets |x| = 16*|x|. |
| + static void Mul16(FieldElement* x); |
| + |
| + // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|. |
| + void UpdateBlocks(const uint8* bytes, size_t num_blocks); |
| + void Update(const uint8* bytes, size_t length); |
|
wtc
2012/10/19 21:35:22
Nit: document Update().
agl
2012/10/22 21:50:56
Done.
|
| + |
| + FieldElement y_; |
| + State state_; |
| + size_t additional_bytes_; |
| + size_t ciphertext_bytes_; |
| + uint8 buf_[16]; |
| + size_t buf_used_; |
| + FieldElement productTable[16]; |
|
wtc
2012/10/19 21:35:22
productTable => product_table_
Note the trailing
agl
2012/10/22 21:50:56
Done.
|
| +}; |
| + |
| +} // namespace crypto |
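Review bot: The new header has no include guard: after the license block the first line is `#include "base/basictypes.h"` and the file closes with the namespace, so a second inclusion in the same translation unit redefines GaliosHash. Chromium headers wrap the body in `#ifndef CRYPTO_GHASH_H_` / `#define CRYPTO_GHASH_H_` before the include and `#endif  // CRYPTO_GHASH_H_` after the closing namespace brace. Separately, the class keeps key-derived state (the 16-entry product table and the running y_) but declares no destructor and no copy restrictions; adding `DISALLOW_COPY_AND_ASSIGN(GaliosHash);` at the end of the private section would stop accidental duplication of that material, and a destructor that overwrites the table and y_ would be worth considering, since the header as written gives no such guarantee. The member declarations also use size_t without an explicit <stddef.h>/<cstddef> include, relying on basictypes.h to provide it indirectly.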