Roll src/third_party/WebKit e0eac24:489c548 (svn 193311:193320)
[chromium-blink-merge.git] / crypto / ghash.h
blob6dc247be28e9417a8bd3c5ebb950e470173adf0f
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/basictypes.h"
6 #include "crypto/crypto_export.h"
8 namespace crypto {
10 // GaloisHash implements the polynomial authenticator part of GCM as specified
11 // in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
12 // Specifically it implements the GHASH function, defined in section 2.3 of
13 // that document.
15 // In SP-800-38D, GHASH is defined differently and takes only a single data
16 // argument. But it is always called with an argument of a certain form:
17 // GHASH_H (A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64)
18 // This mirrors how the gcm-revised-spec.pdf version of GHASH handles its two
19 // data arguments. The two GHASH functions therefore differ only in whether the
20 // data is formatted inside or outside of the function.
22 // WARNING: do not use this as a generic authenticator. Polynomial
23 // authenticators must be used in the correct manner and any use outside of GCM
24 // requires careful consideration.
26 // WARNING: this code is not constant time. However, in all likelihood, nor is
27 // the implementation of AES that is used.
28 class CRYPTO_EXPORT_PRIVATE GaloisHash {
29 public:
30 explicit GaloisHash(const uint8 key[16]);
32 // Reset prepares to digest a fresh message with the same key. This is more
33 // efficient than creating a fresh object.
34 void Reset();
36 // UpdateAdditional hashes in `additional' data. This is data that is not
37 // encrypted, but is covered by the authenticator. All additional data must
38 // be written before any ciphertext is written.
39 void UpdateAdditional(const uint8* data, size_t length);
41 // UpdateCiphertext hashes in ciphertext to be authenticated.
42 void UpdateCiphertext(const uint8* data, size_t length);
44 // Finish completes the hash computation and writes at most |len| bytes of
45 // the result to |output|.
46 void Finish(void* output, size_t len);
48 private:
49 enum State {
50 kHashingAdditionalData,
51 kHashingCiphertext,
52 kComplete,
55 struct FieldElement {
56 uint64 low, hi;
59 // Add returns |x|+|y|.
60 static FieldElement Add(const FieldElement& x, const FieldElement& y);
61 // Double returns 2*|x|.
62 static FieldElement Double(const FieldElement& x);
63 // MulAfterPrecomputation sets |x| = |x|*h where h is |table[1]| and
64 // table[i] = i*h for i=0..15.
65 static void MulAfterPrecomputation(const FieldElement* table,
66 FieldElement* x);
67 // Mul16 sets |x| = 16*|x|.
68 static void Mul16(FieldElement* x);
70 // UpdateBlocks processes |num_blocks| 16-bytes blocks from |bytes|.
71 void UpdateBlocks(const uint8* bytes, size_t num_blocks);
72 // Update processes |length| bytes from |bytes| and calls UpdateBlocks on as
73 // much data as possible. It uses |buf_| to buffer any remaining data and
74 // always consumes all of |bytes|.
75 void Update(const uint8* bytes, size_t length);
77 FieldElement y_;
78 State state_;
79 size_t additional_bytes_;
80 size_t ciphertext_bytes_;
81 uint8 buf_[16];
82 size_t buf_used_;
83 FieldElement product_table_[16];
86 } // namespace crypto