| Index: crypto/ghash.h
|
| diff --git a/crypto/ghash.h b/crypto/ghash.h
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..6dc247be28e9417a8bd3c5ebb950e470173adf0f
|
| --- /dev/null
|
| +++ b/crypto/ghash.h
|
| @@ -0,0 +1,86 @@
|
| +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "base/basictypes.h"
|
| +#include "crypto/crypto_export.h"
|
| +
|
| +namespace crypto {
|
| +
|
| +// GaloisHash implements the polynomial authenticator part of GCM as specified
|
| +// in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
|
| +// Specifically it implements the GHASH function, defined in section 2.3 of
|
| +// that document.
|
| +//
|
| +// In SP-800-38D, GHASH is defined differently and takes only a single data
|
| +// argument. But it is always called with an argument of a certain form:
|
| +// GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64)
|
| +// This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two
|
| +// data arguments. The two GHASH functions therefore differ only in whether the
|
| +// data is formatted inside or outside of the function.
|
| +//
|
| +// WARNING: do not use this as a generic authenticator. Polynomial
|
| +// authenticators must be used in the correct manner and any use outside of GCM
|
| +// requires careful consideration.
|
| +//
|
| +// WARNING: this code is not constant time. However, in all likelihood, nor is
|
| +// the implementation of AES that is used.
|
| +class CRYPTO_EXPORT_PRIVATE GaloisHash {
|
| + public:
|
| + explicit GaloisHash(const uint8 key[16]);
|
| +
|
| + // Reset prepares to digest a fresh message with the same key. This is more
|
| + // efficient than creating a fresh object.
|
| + void Reset();
|
| +
|
| + // UpdateAdditional hashes in `additional' data. This is data that is not
|
| + // encrypted, but is covered by the authenticator. All additional data must
|
| + // be written before any ciphertext is written.
|
| + void UpdateAdditional(const uint8* data, size_t length);
|
| +
|
| + // UpdateCiphertext hashes in ciphertext to be authenticated.
|
| + void UpdateCiphertext(const uint8* data, size_t length);
|
| +
|
| + // Finish completes the hash computation and writes at most |len| bytes of
|
| + // the result to |output|.
|
| + void Finish(void* output, size_t len);
|
| +
|
| + private:
|
| + enum State {
|
| + kHashingAdditionalData,
|
| + kHashingCiphertext,
|
| + kComplete,
|
| + };
|
| +
|
| + struct FieldElement {
|
| + uint64 low, hi;
|
| + };
|
| +
|
| + // Add returns |x|+|y|.
|
| + static FieldElement Add(const FieldElement& x, const FieldElement& y);
|
| + // Double returns 2*|x|.
|
| + static FieldElement Double(const FieldElement& x);
|
| + // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and
|
| + // table[i] = i*h for i=0..15.
|
| + static void MulAfterPrecomputation(const FieldElement* table,
|
| + FieldElement* x);
|
| + // Mul16 sets |x| = 16*|x|.
|
| + static void Mul16(FieldElement* x);
|
| +
|
| + // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|.
|
| + void UpdateBlocks(const uint8* bytes, size_t num_blocks);
|
| + // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as
|
| + // much data as possible. It uses |buf_| to buffer any remaining data and
|
| + // always consumes all of |bytes|.
|
| + void Update(const uint8* bytes, size_t length);
|
| +
|
| + FieldElement y_;
|
| + State state_;
|
| + size_t additional_bytes_;
|
| + size_t ciphertext_bytes_;
|
| + uint8 buf_[16];
|
| + size_t buf_used_;
|
| + FieldElement product_table_[16];
|
| +};
|
| +
|
| +} // namespace crypto
|
|
|
Chromium Code Reviews
