1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/basictypes.h" | 5 #include <stddef.h> |
| 6 #include <stdint.h> |
| 7 |
6 #include "crypto/crypto_export.h" | 8 #include "crypto/crypto_export.h" |
7 | 9 |
8 namespace crypto { | 10 namespace crypto { |
9 | 11 |
10 // GaloisHash implements the polynomial authenticator part of GCM as specified | 12 // GaloisHash implements the polynomial authenticator part of GCM as specified |
11 // in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm
-revised-spec.pdf | 13 // in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm
-revised-spec.pdf |
12 // Specifically it implements the GHASH function, defined in section 2.3 of | 14 // Specifically it implements the GHASH function, defined in section 2.3 of |
13 // that document. | 15 // that document. |
14 // | 16 // |
15 // In SP-800-38D, GHASH is defined differently and takes only a single data | 17 // In SP-800-38D, GHASH is defined differently and takes only a single data |
16 // argument. But it is always called with an argument of a certain form: | 18 // argument. But it is always called with an argument of a certain form: |
17 // GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64) | 19 // GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64) |
18 // This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two | 20 // This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two |
19 // data arguments. The two GHASH functions therefore differ only in whether the | 21 // data arguments. The two GHASH functions therefore differ only in whether the |
20 // data is formatted inside or outside of the function. | 22 // data is formatted inside or outside of the function. |
21 // | 23 // |
22 // WARNING: do not use this as a generic authenticator. Polynomial | 24 // WARNING: do not use this as a generic authenticator. Polynomial |
23 // authenticators must be used in the correct manner and any use outside of GCM | 25 // authenticators must be used in the correct manner and any use outside of GCM |
24 // requires careful consideration. | 26 // requires careful consideration. |
25 // | 27 // |
26 // WARNING: this code is not constant time. However, in all likelihood, nor is | 28 // WARNING: this code is not constant time. However, in all likelihood, nor is |
27 // the implementation of AES that is used. | 29 // the implementation of AES that is used. |
28 class CRYPTO_EXPORT GaloisHash { | 30 class CRYPTO_EXPORT GaloisHash { |
29 public: | 31 public: |
30 explicit GaloisHash(const uint8 key[16]); | 32 explicit GaloisHash(const uint8_t key[16]); |
31 | 33 |
32 // Reset prepares to digest a fresh message with the same key. This is more | 34 // Reset prepares to digest a fresh message with the same key. This is more |
33 // efficient than creating a fresh object. | 35 // efficient than creating a fresh object. |
34 void Reset(); | 36 void Reset(); |
35 | 37 |
36 // UpdateAdditional hashes in `additional' data. This is data that is not | 38 // UpdateAdditional hashes in `additional' data. This is data that is not |
37 // encrypted, but is covered by the authenticator. All additional data must | 39 // encrypted, but is covered by the authenticator. All additional data must |
38 // be written before any ciphertext is written. | 40 // be written before any ciphertext is written. |
39 void UpdateAdditional(const uint8* data, size_t length); | 41 void UpdateAdditional(const uint8_t* data, size_t length); |
40 | 42 |
41 // UpdateCiphertext hashes in ciphertext to be authenticated. | 43 // UpdateCiphertext hashes in ciphertext to be authenticated. |
42 void UpdateCiphertext(const uint8* data, size_t length); | 44 void UpdateCiphertext(const uint8_t* data, size_t length); |
43 | 45 |
44 // Finish completes the hash computation and writes at most |len| bytes of | 46 // Finish completes the hash computation and writes at most |len| bytes of |
45 // the result to |output|. | 47 // the result to |output|. |
46 void Finish(void* output, size_t len); | 48 void Finish(void* output, size_t len); |
47 | 49 |
48 private: | 50 private: |
49 enum State { | 51 enum State { |
50 kHashingAdditionalData, | 52 kHashingAdditionalData, |
51 kHashingCiphertext, | 53 kHashingCiphertext, |
52 kComplete, | 54 kComplete, |
53 }; | 55 }; |
54 | 56 |
55 struct FieldElement { | 57 struct FieldElement { |
56 uint64 low, hi; | 58 uint64_t low, hi; |
57 }; | 59 }; |
58 | 60 |
59 // Add returns |x|+|y|. | 61 // Add returns |x|+|y|. |
60 static FieldElement Add(const FieldElement& x, const FieldElement& y); | 62 static FieldElement Add(const FieldElement& x, const FieldElement& y); |
61 // Double returns 2*|x|. | 63 // Double returns 2*|x|. |
62 static FieldElement Double(const FieldElement& x); | 64 static FieldElement Double(const FieldElement& x); |
63 // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and | 65 // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and |
64 // table[i] = i*h for i=0..15. | 66 // table[i] = i*h for i=0..15. |
65 static void MulAfterPrecomputation(const FieldElement* table, | 67 static void MulAfterPrecomputation(const FieldElement* table, |
66 FieldElement* x); | 68 FieldElement* x); |
67 // Mul16 sets |x| = 16*|x|. | 69 // Mul16 sets |x| = 16*|x|. |
68 static void Mul16(FieldElement* x); | 70 static void Mul16(FieldElement* x); |
69 | 71 |
70 // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|. | 72 // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|. |
71 void UpdateBlocks(const uint8* bytes, size_t num_blocks); | 73 void UpdateBlocks(const uint8_t* bytes, size_t num_blocks); |
72 // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as | 74 // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as |
73 // much data as possible. It uses |buf_| to buffer any remaining data and | 75 // much data as possible. It uses |buf_| to buffer any remaining data and |
74 // always consumes all of |bytes|. | 76 // always consumes all of |bytes|. |
75 void Update(const uint8* bytes, size_t length); | 77 void Update(const uint8_t* bytes, size_t length); |
76 | 78 |
77 FieldElement y_; | 79 FieldElement y_; |
78 State state_; | 80 State state_; |
79 size_t additional_bytes_; | 81 size_t additional_bytes_; |
80 size_t ciphertext_bytes_; | 82 size_t ciphertext_bytes_; |
81 uint8 buf_[16]; | 83 uint8_t buf_[16]; |
82 size_t buf_used_; | 84 size_t buf_used_; |
83 FieldElement product_table_[16]; | 85 FieldElement product_table_[16]; |
84 }; | 86 }; |
85 | 87 |
86 } // namespace crypto | 88 } // namespace crypto |
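Review bot: As far as this view shows, the header has no include guard: the new `#include <stddef.h>` / `#include <stdint.h>` lines follow the license block directly and the file ends at `}  // namespace crypto` with no `#endif`, so including it twice in one translation unit would be a redefinition of `GaloisHash`. Chromium style wants `#ifndef CRYPTO_GHASH_H_` / `#define CRYPTO_GHASH_H_` after the license and `#endif  // CRYPTO_GHASH_H_` after the namespace (guard name assuming this is crypto/ghash.h). The fixed-width type swap itself looks right and does not change the layout of `FieldElement` or `buf_`. Separately, the `Finish` comment says it writes "at most |len| bytes" but not that this truncates the GCM tag; I would add `// Writing fewer than 16 bytes truncates the authentication tag and weakens it; callers must only do so where their protocol's GCM tag-length rules permit.`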