// Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // CMAC message authentication code, defined in // NIST Special Publication SP 800-38B. package block import ( "hash"; "os"; ) const ( // minimal irreducible polynomial of degree b r64 = 0x1b; r128 = 0x87; ) type cmac struct { k1, k2, ci, digest []byte; p int; // position in ci c Cipher; } // TODO(rsc): Should this return an error instead of panic? // NewCMAC returns a new instance of a CMAC message authentication code // digest using the given Cipher. func NewCMAC(c Cipher) hash.Hash { var r byte; n := c.BlockSize(); switch n { case 64 / 8: r = r64 case 128 / 8: r = r128 default: panic("crypto/block: NewCMAC: invalid cipher block size", n) } d := new(cmac); d.c = c; d.k1 = make([]byte, n); d.k2 = make([]byte, n); d.ci = make([]byte, n); d.digest = make([]byte, n); // Subkey generation, p. 7 c.Encrypt(d.k1, d.k1); if shift1(d.k1, d.k1) != 0 { d.k1[n-1] ^= r } if shift1(d.k1, d.k2) != 0 { d.k2[n-1] ^= r } return d; } // Reset clears the digest state, starting a new digest. func (d *cmac) Reset() { for i := range d.ci { d.ci[i] = 0 } d.p = 0; } // Write adds the given data to the digest state. func (d *cmac) Write(p []byte) (n int, err os.Error) { // Xor input into ci. for _, c := range p { // If ci is full, encrypt and start over. if d.p >= len(d.ci) { d.c.Encrypt(d.ci, d.ci); d.p = 0; } d.ci[d.p] ^= c; d.p++; } return len(p), nil; } // Sum returns the CMAC digest, one cipher block in length, // of the data written with Write. func (d *cmac) Sum() []byte { // Finish last block, mix in key, encrypt. // Don't edit ci, in case caller wants // to keep digesting after call to Sum. k := d.k1; if d.p < len(d.digest) { k = d.k2 } for i := 0; i < len(d.ci); i++ { d.digest[i] = d.ci[i] ^ k[i] } if d.p < len(d.digest) { d.digest[d.p] ^= 0x80 } d.c.Encrypt(d.digest, d.digest); return d.digest; } func (d *cmac) Size() int { return len(d.digest) }