• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1/* Copyright 2016 The BoringSSL Authors
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/base.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include "internal.h"
21#include "../../internal.h"
22
23
24// byte_reverse reverses the order of the bytes in |b->c|.
25static void byte_reverse(uint8_t b[16]) {
26  uint64_t hi = CRYPTO_load_u64_le(b);
27  uint64_t lo = CRYPTO_load_u64_le(b + 8);
28  CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
29  CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
30}
31
32// reverse_and_mulX_ghash interprets |b| as a reversed element of the GHASH
33// field, multiplies that by 'x' and serialises the result back into |b|, but
34// with GHASH's backwards bit ordering.
35static void reverse_and_mulX_ghash(uint8_t b[16]) {
36  uint64_t hi = CRYPTO_load_u64_le(b);
37  uint64_t lo = CRYPTO_load_u64_le(b + 8);
38  const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);
39  hi >>= 1;
40  hi |= lo << 63;
41  lo >>= 1;
42  lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56;
43
44  CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));
45  CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));
46}
47
48// POLYVAL(H, X_1, ..., X_n) =
49// ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
50// ByteReverse(X_n))).
51//
52// See https://www.rfc-editor.org/rfc/rfc8452.html#appendix-A.
53
54void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
55  alignas(8) uint8_t H[16];
56  OPENSSL_memcpy(H, key, 16);
57  reverse_and_mulX_ghash(H);
58
59  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, H);
60  OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
61}
62
63void CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,
64                                  size_t in_len) {
65  assert((in_len & 15) == 0);
66  alignas(8) uint8_t buf[32 * 16];
67
68  while (in_len > 0) {
69    size_t todo = in_len;
70    if (todo > sizeof(buf)) {
71      todo = sizeof(buf);
72    }
73    OPENSSL_memcpy(buf, in, todo);
74    in += todo;
75    in_len -= todo;
76
77    size_t blocks = todo / 16;
78    for (size_t i = 0; i < blocks; i++) {
79      byte_reverse(buf + 16 * i);
80    }
81
82    ctx->ghash(ctx->S, ctx->Htable, buf, todo);
83  }
84}
85
86void CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]) {
87  OPENSSL_memcpy(out, &ctx->S, 16);
88  byte_reverse(out);
89}
90