// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// CMAC message authentication code, defined in
// NIST Special Publication SP 800-38B.
package block
import (
"hash";
"os";
)
const (
// minimal irreducible polynomial of degree b
r64 = 0x1b;
r128 = 0x87;
)
type cmac struct {
k1, k2, ci, digest []byte;
p int; // position in ci
c Cipher;
}
// TODO(rsc): Should this return an error instead of panic?
// NewCMAC returns a new instance of a CMAC message authentication code
// digest using the given Cipher.
func NewCMAC(c Cipher) hash.Hash {
var r byte;
n := c.BlockSize();
switch n {
case 64 / 8:
r = r64
case 128 / 8:
r = r128
default:
panic("crypto/block: NewCMAC: invalid cipher block size", n)
}
d := new(cmac);
d.c = c;
d.k1 = make([]byte, n);
d.k2 = make([]byte, n);
d.ci = make([]byte, n);
d.digest = make([]byte, n);
// Subkey generation, p. 7
c.Encrypt(d.k1, d.k1);
if shift1(d.k1, d.k1) != 0 {
d.k1[n-1] ^= r
}
if shift1(d.k1, d.k2) != 0 {
d.k2[n-1] ^= r
}
return d;
}
// Reset clears the digest state, starting a new digest.
func (d *cmac) Reset() {
for i := range d.ci {
d.ci[i] = 0
}
d.p = 0;
}
// Write adds the given data to the digest state.
func (d *cmac) Write(p []byte) (n int, err os.Error) {
// Xor input into ci.
for _, c := range p {
// If ci is full, encrypt and start over.
if d.p >= len(d.ci) {
d.c.Encrypt(d.ci, d.ci);
d.p = 0;
}
d.ci[d.p] ^= c;
d.p++;
}
return len(p), nil;
}
// Sum returns the CMAC digest, one cipher block in length,
// of the data written with Write.
func (d *cmac) Sum() []byte {
// Finish last block, mix in key, encrypt.
// Don't edit ci, in case caller wants
// to keep digesting after call to Sum.
k := d.k1;
if d.p < len(d.digest) {
k = d.k2
}
for i := 0; i < len(d.ci); i++ {
d.digest[i] = d.ci[i] ^ k[i]
}
if d.p < len(d.digest) {
d.digest[d.p] ^= 0x80
}
d.c.Encrypt(d.digest, d.digest);
return d.digest;
}
func (d *cmac) Size() int { return len(d.digest) }
|