1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
/* Copyright (c) 2016, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <CCryptoBoringSSL_base.h>
#include <assert.h>
#include <string.h>
#include "internal.h"
#include "../../internal.h"
// byte_reverse reverses the order of the bytes in |b->c|.
static void byte_reverse(uint8_t b[16]) {
uint64_t hi = CRYPTO_load_u64_le(b);
uint64_t lo = CRYPTO_load_u64_le(b + 8);
CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
}
// reverse_and_mulX_ghash interprets |b| as a reversed element of the GHASH
// field, multiplies that by 'x' and serialises the result back into |b|, but
// with GHASH's backwards bit ordering.
static void reverse_and_mulX_ghash(uint8_t b[16]) {
uint64_t hi = CRYPTO_load_u64_le(b);
uint64_t lo = CRYPTO_load_u64_le(b + 8);
const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);
hi >>= 1;
hi |= lo << 63;
lo >>= 1;
lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56;
CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
}
// POLYVAL(H, X_1, ..., X_n) =
// ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
// ByteReverse(X_n))).
//
// See https://www.rfc-editor.org/rfc/rfc8452.html#appendix-A.
void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
alignas(8) uint8_t H[16];
OPENSSL_memcpy(H, key, 16);
reverse_and_mulX_ghash(H);
int is_avx;
CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, &is_avx, H);
OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
}
void CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,
size_t in_len) {
assert((in_len & 15) == 0);
alignas(8) uint8_t buf[32 * 16];
while (in_len > 0) {
size_t todo = in_len;
if (todo > sizeof(buf)) {
todo = sizeof(buf);
}
OPENSSL_memcpy(buf, in, todo);
in += todo;
in_len -= todo;
size_t blocks = todo / 16;
for (size_t i = 0; i < blocks; i++) {
byte_reverse(buf + 16 * i);
}
ctx->ghash(ctx->S, ctx->Htable, buf, todo);
}
}
void CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]) {
OPENSSL_memcpy(out, &ctx->S, 16);
byte_reverse(out);
}
|
