<?php |
declare(strict_types = 1); |
namespace Sop\GCM; |
/** |
* Implements GHASH function. |
* |
* This algorithm is specified in NIST SP-800-38D section 6.4. |
* |
* @see http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf |
*/ |
class GHASH
{
    /**
     * Fixed reduction block R: the byte 0xE1 followed by fifteen zero bytes.
     *
     * @var string
     */
    const R = "\xE1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

    /**
     * Hash subkey, exactly 16 bytes (enforced by the constructor).
     *
     * NOTE(review): in GCM the hash subkey is derived from the cipher key and
     * has to stay secret. Keep instances out of logs, debug dumps and
     * serialized state.
     *
     * @var string
     */
    protected $_subkey;

    /**
     * Constructor.
     *
     * Only the length of the subkey is validated; its content is stored as
     * given.
     *
     * @param string $subkey Hash subkey, 16 raw bytes
     *
     * @throws \LengthException If the subkey is not exactly 16 bytes long
     */
    public function __construct(string $subkey)
    {
        // strlen() counts bytes, which is the unit required for a binary key.
        if (strlen($subkey) !== 16) {
            throw new \LengthException('Subkey must be 128 bits.');
        }
        $this->_subkey = $subkey;
    }

    /**
     * Functor method for `compute`.
     *
     * @param string $arg Input string, passed to `compute` unchanged
     *
     * @throws \UnexpectedValueException See `compute`
     *
     * @return string
     */
    public function __invoke(string $arg): string
    {
        return $this->compute($arg);
    }

    /**
     * Compute hash.
     *
     * The input is consumed in 16-byte blocks. Each block is XORed into the
     * running state, and the result is multiplied by the hash subkey. No
     * padding is applied here: the caller has to supply input whose length
     * is already a multiple of 16 bytes. An empty string runs no iterations
     * and returns GCM::ZB_128 as is (presumably the all-zero block; the
     * constant is defined outside this class).
     *
     * The return value is the raw hash block. Anything built on top of it,
     * such as deriving or comparing an authentication tag, happens outside
     * this class.
     *
     * @param string $X Input string
     *
     * @throws \UnexpectedValueException If the input length is not a
     *         multiple of 16 bytes
     *
     * @return string Hash
     */
    public function compute(string $X): string
    {
        $length = strlen($X);
        if ($length % 16 !== 0) {
            throw new \UnexpectedValueException(
                'Input string must be a multiple of 128 bits.');
        }
        $state = GCM::ZB_128;
        // The length is a multiple of 16, so stepping by 16 visits every
        // block exactly once.
        for ($offset = 0; $offset < $length; $offset += 16) {
            $block = substr($X, $offset, 16);
            // `^` on two strings is a byte-wise XOR.
            $state = $this->_mult($state ^ $block, $this->_subkey);
        }
        return $state;
    }

    /**
     * Apply block multiplication operation.
     *
     * See NIST SP-800-38D, chapter 6.3 for the details.
     *
     * NOTE(review): both conditionals in the loop branch on operand bits.
     * The first operand carries the running hash state and the second is the
     * hash subkey, so the work done per call depends on secret values. GMP's
     * general-purpose arithmetic is not written to be constant-time either.
     * Do not treat this routine as hardened against timing side channels.
     * Where that matters, prefer a vetted AEAD implementation (for example
     * the OpenSSL or sodium extensions).
     *
     * @param string $X First operand as a 16-byte string
     * @param string $Y Second operand as a 16-byte string
     *
     * @return string Product, as produced by GCM::gmpToStr with length 16
     */
    private function _mult(string $X, string $Y): string
    {
        $multiplier = GCM::strToGMP($X);
        $product = GCM::strToGMP(GCM::ZB_128);
        $shifted = GCM::strToGMP($Y);
        $reduction = GCM::strToGMP(self::R);
        // Walk the bits of X from the most significant (GMP index 127) down
        // to index 0.
        for ($bit = 127; $bit >= 0; --$bit) {
            if (gmp_testbit($multiplier, $bit)) {
                $product = $product ^ $shifted;
            }
            // Read the low bit before shifting it out; it decides whether
            // the reduction block is folded back in.
            $lowBitSet = gmp_testbit($shifted, 0);
            $shifted = $shifted >> 1;
            if ($lowBitSet) {
                $shifted = $shifted ^ $reduction;
            }
        }
        return GCM::gmpToStr($product, 16);
    }
}