src/pkg/crypto/block/cmac.go - go - Git at Google

 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // CMAC message authentication code, defined in
 // NIST Special Publication SP 800-38B.

 package block

 import "os"

 const (
 	// minimal irreducible polynomial of degree b
 	r64 = 0x1b;
 	r128 = 0x87;
 )

 type cmac struct {
 	k1, k2, ci, digest []byte;
 	p int;	// position in ci
 	c Cipher;
 }

 // TODO(rsc): Should this return an error instead of panic?

 // NewCMAC returns a new instance of a CMAC message authentication code
 // digest using the given Cipher.
 func NewCMAC(c Cipher) Digest {
 	var r byte;
 	n := c.BlockSize();
 	switch n {
 	case 64/8:
 		r = r64;
 	case 128/8:
 		r = r128;
 	default:
 		panic("crypto/block: NewCMAC: invalid cipher block size", n);
 	}

 	d := new(cmac);
 	d.c = c;
 	d.k1 = make([]byte, n);
 	d.k2 = make([]byte, n);
 	d.ci = make([]byte, n);
 	d.digest = make([]byte, n);

 	// Subkey generation, p. 7
 	c.Encrypt(d.k1, d.k1);
 	if shift1(d.k1, d.k1) != 0 {
 		d.k1[n-1] ^= r;
 	}
 	if shift1(d.k1, d.k2) != 0 {
 		d.k2[n-1] ^= r;
 	}

 	return d;
 }

 // Reset clears the digest state, starting a new digest.
 func (d *cmac) Reset() {
 	for i := range d.ci {
 		d.ci[i] = 0;
 	}
 	d.p = 0;
 }

 // Write adds the given data to the digest state.
 func (d *cmac) Write(p []byte) (n int, err os.Error) {
 	// Xor input into ci.
 	for _, c := range p {
 		// If ci is full, encrypt and start over.
 		if d.p >= len(d.ci) {
 			d.c.Encrypt(d.ci, d.ci);
 			d.p = 0;
 		}
 		d.ci[d.p] ^= c;
 		d.p++;
 	}
 	return len(p), nil;
 }

 // Sum returns the CMAC digest, one cipher block in length,
 // of the data written with Write.
 func (d *cmac) Sum() []byte {
 	// Finish last block, mix in key, encrypt.
 	// Don't edit ci, in case caller wants
 	// to keep digesting after call to Sum.
 	k := d.k1;
 	if d.p < len(d.digest) {
 		k = d.k2;
 	}
 	for i := 0; i < len(d.ci); i++ {
 		d.digest[i] = d.ci[i] ^ k[i];
 	}
 	if d.p < len(d.digest) {
 		d.digest[d.p] ^= 0x80;
 	}
 	d.c.Encrypt(d.digest, d.digest);
 	return d.digest;
 }
	// Copyright 2009 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// CMAC message authentication code, defined in
	// NIST Special Publication SP 800-38B.

	package block

	import "os"

	const (
	// minimal irreducible polynomial of degree b
	r64 = 0x1b;
	r128 = 0x87;
	)

	type cmac struct {
	k1, k2, ci, digest []byte;
	p int; // position in ci
	c Cipher;
	}

	// TODO(rsc): Should this return an error instead of panic?

	// NewCMAC returns a new instance of a CMAC message authentication code
	// digest using the given Cipher.
	func NewCMAC(c Cipher) Digest {
	var r byte;
	n := c.BlockSize();
	switch n {
	case 64/8:
	r = r64;
	case 128/8:
	r = r128;
	default:
	panic("crypto/block: NewCMAC: invalid cipher block size", n);
	}

	d := new(cmac);
	d.c = c;
	d.k1 = make([]byte, n);
	d.k2 = make([]byte, n);
	d.ci = make([]byte, n);
	d.digest = make([]byte, n);

	// Subkey generation, p. 7
	c.Encrypt(d.k1, d.k1);
	if shift1(d.k1, d.k1) != 0 {
	d.k1[n-1] ^= r;
	}
	if shift1(d.k1, d.k2) != 0 {
	d.k2[n-1] ^= r;
	}

	return d;
	}

	// Reset clears the digest state, starting a new digest.
	func (d *cmac) Reset() {
	for i := range d.ci {
	d.ci[i] = 0;
	}
	d.p = 0;
	}

	// Write adds the given data to the digest state.
	func (d *cmac) Write(p []byte) (n int, err os.Error) {
	// Xor input into ci.
	for _, c := range p {
	// If ci is full, encrypt and start over.
	if d.p >= len(d.ci) {
	d.c.Encrypt(d.ci, d.ci);
	d.p = 0;
	}
	d.ci[d.p] ^= c;
	d.p++;
	}
	return len(p), nil;
	}

	// Sum returns the CMAC digest, one cipher block in length,
	// of the data written with Write.
	func (d *cmac) Sum() []byte {
	// Finish last block, mix in key, encrypt.
	// Don't edit ci, in case caller wants
	// to keep digesting after call to Sum.
	k := d.k1;
	if d.p < len(d.digest) {
	k = d.k2;
	}
	for i := 0; i < len(d.ci); i++ {
	d.digest[i] = d.ci[i] ^ k[i];
	}
	if d.p < len(d.digest) {
	d.digest[d.p] ^= 0x80;
	}
	d.c.Encrypt(d.digest, d.digest);
	return d.digest;
	}