crypto: add GHASH implementation.

crypto/ghash.h

Index: crypto/ghash.h
diff --git a/crypto/ghash.h b/crypto/ghash.h
new file mode 100644
index 0000000000000000000000000000000000000000..e4f45ad9f4ef507ecd3d1972cfbb7b444bef890a
--- /dev/null
+++ b/crypto/ghash.h
@@ -0,0 +1,82 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/basictypes.h"
+
+namespace crypto {
+
+// GaloisHash implements the polynomial authenticator part of GCM as specified
+// in http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+// Specifically it implements the GHASH function, defined in section 6.4 of
+// that document.
+//
+// In SP-800-38D, GHASH is always called with an argument of a certain form:
+//   GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64)
+// This assumption is built into the GaloisHash interface.

[wtc, 2012/10/25 00:54:51]

As we discussed in the conference call this afternoon, this
comment is still inaccurate.

[agl, 2012/10/25 16:38:09]

I have updated it again.

+//
+// WARNING: do not use this as a generic authenticator. Polynomial
+// authenticators must be used in the correct manner and any use outside of GCM
+// requires careful consideration.
+//
+// WARNING: this code is not constant time. However, in all likelihood, nor is
+// the implementation of AES that is used.
+class GaloisHash {
+ public:
+  explicit GaloisHash(const uint8 key[16]);
+
+  // Reset prepares to digest a fresh message with the same key. This is more
+  // efficient than creating a fresh object.
+  void Reset();
+
+  // UpdateAdditional hashes in `additional' data. This is data that is not
+  // encrypted, but is covered by the authenticator. All additional data must
+  // be written before any ciphertext is written.
+  void UpdateAdditional(const uint8* data, size_t length);
+
+  // UpdateCiphertext hashes in ciphertext to be authenticated.
+  void UpdateCiphertext(const uint8* data, size_t length);
+
+  // Finish completes the hash computation and at most |len| bytes of the

[wtc, 2012/10/25 00:54:51]

Add "writes" before "at most".

[agl, 2012/10/25 16:38:09]

Done.

+  // result to |output|.
+  void Finish(void* output, size_t len);
+
+ private:
+  enum State {
+    kHashingAdditionalData,
+    kHashingCiphertext,
+    kComplete,
+  };
+
+  struct FieldElement {
+    uint64 low, hi;
+  };
+
+  // Add returns |x|+|y|.
+  static FieldElement Add(const FieldElement& x, const FieldElement& y);
+  // Double returns 2*|x|.
+  static FieldElement Double(const FieldElement& x);
+  // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and
+  // table[i] = i*h for i=0..15.
+  static void MulAfterPrecomputation(const FieldElement* table,
+                                     FieldElement* x);
+  // Mul16 sets |x| = 16*|x|.
+  static void Mul16(FieldElement* x);
+
+  // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|.
+  void UpdateBlocks(const uint8* bytes, size_t num_blocks);
+  // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as
+  // much data as possible. It uses |buf_| to buffer any remaining data and
+  // always consumes all of |bytes|.
+  void Update(const uint8* bytes, size_t length);
+
+  FieldElement y_;
+  State state_;
+  size_t additional_bytes_;
+  size_t ciphertext_bytes_;
+  uint8 buf_[16];
+  size_t buf_used_;
+  FieldElement product_table_[16];
+};
+
+}  // namespace crypto