summaryrefslogtreecommitdiffstats
path: root/crypto/ghash.h
blob: 6dc247be28e9417a8bd3c5ebb950e470173adf0f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/basictypes.h"
#include "crypto/crypto_export.h"

namespace crypto {

// GaloisHash implements the polynomial authenticator part of GCM as specified
// in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
// Specifically it implements the GHASH function, defined in section 2.3 of
// that document.
//
// In SP-800-38D, GHASH is defined differently and takes only a single data
// argument. But it is always called with an argument of a certain form:
//   GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64)
// This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two
// data arguments. The two GHASH functions therefore differ only in whether the
// data is formatted inside or outside of the function.
//
// WARNING: do not use this as a generic authenticator. Polynomial
// authenticators must be used in the correct manner and any use outside of GCM
// requires careful consideration.
//
// WARNING: this code is not constant time. However, in all likelihood, nor is
// the implementation of AES that is used.
class CRYPTO_EXPORT_PRIVATE GaloisHash {
 public:
  explicit GaloisHash(const uint8 key[16]);

  // Reset prepares to digest a fresh message with the same key. This is more
  // efficient than creating a fresh object.
  void Reset();

  // UpdateAdditional hashes in `additional' data. This is data that is not
  // encrypted, but is covered by the authenticator. All additional data must
  // be written before any ciphertext is written.
  void UpdateAdditional(const uint8* data, size_t length);

  // UpdateCiphertext hashes in ciphertext to be authenticated.
  void UpdateCiphertext(const uint8* data, size_t length);

  // Finish completes the hash computation and writes at most |len| bytes of
  // the result to |output|.
  void Finish(void* output, size_t len);

 private:
  enum State {
    kHashingAdditionalData,
    kHashingCiphertext,
    kComplete,
  };

  struct FieldElement {
    uint64 low, hi;
  };

  // Add returns |x|+|y|.
  static FieldElement Add(const FieldElement& x, const FieldElement& y);
  // Double returns 2*|x|.
  static FieldElement Double(const FieldElement& x);
  // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and
  // table[i] = i*h for i=0..15.
  static void MulAfterPrecomputation(const FieldElement* table,
                                     FieldElement* x);
  // Mul16 sets |x| = 16*|x|.
  static void Mul16(FieldElement* x);

  // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|.
  void UpdateBlocks(const uint8* bytes, size_t num_blocks);
  // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as
  // much data as possible. It uses |buf_| to buffer any remaining data and
  // always consumes all of |bytes|.
  void Update(const uint8* bytes, size_t length);

  FieldElement y_;
  State state_;
  size_t additional_bytes_;
  size_t ciphertext_bytes_;
  uint8 buf_[16];
  size_t buf_used_;
  FieldElement product_table_[16];
};

}  // namespace crypto