Merge from mainline (167278:168000).

[official-gcc/graphite-test-results.git] / libgo / go / crypto / block / cmac.go

// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// CMAC message authentication code, defined in
// NIST Special Publication SP 800-38B.

package block

import (
        "hash"
        "os"
)

const (
        // minimal irreducible polynomial of degree b
        r64  = 0x1b
        r128 = 0x87
)

type cmac struct {
        k1, k2, ci, digest []byte
        p                  int // position in ci
        c                  Cipher
}

// TODO(rsc): Should this return an error instead of panic?

// NewCMAC returns a new instance of a CMAC message authentication code
// digest using the given Cipher.
func NewCMAC(c Cipher) hash.Hash {
        var r byte
        n := c.BlockSize()
        switch n {
        case 64 / 8:
                r = r64
        case 128 / 8:
                r = r128
        default:
                panic("crypto/block: NewCMAC: invalid cipher block size")
        }

        d := new(cmac)
        d.c = c
        d.k1 = make([]byte, n)
        d.k2 = make([]byte, n)
        d.ci = make([]byte, n)
        d.digest = make([]byte, n)

        // Subkey generation, p. 7
        c.Encrypt(d.k1, d.k1)
        if shift1(d.k1, d.k1) != 0 {
                d.k1[n-1] ^= r
        }
        if shift1(d.k2, d.k1) != 0 {
                d.k2[n-1] ^= r
        }

        return d
}

// Reset clears the digest state, starting a new digest.
func (d *cmac) Reset() {
        for i := range d.ci {
                d.ci[i] = 0
        }
        d.p = 0
}

// Write adds the given data to the digest state.
func (d *cmac) Write(p []byte) (n int, err os.Error) {
        // Xor input into ci.
        for _, c := range p {
                // If ci is full, encrypt and start over.
                if d.p >= len(d.ci) {
                        d.c.Encrypt(d.ci, d.ci)
                        d.p = 0
                }
                d.ci[d.p] ^= c
                d.p++
        }
        return len(p), nil
}

// Sum returns the CMAC digest, one cipher block in length,
// of the data written with Write.
func (d *cmac) Sum() []byte {
        // Finish last block, mix in key, encrypt.
        // Don't edit ci, in case caller wants
        // to keep digesting after call to Sum.
        k := d.k1
        if d.p < len(d.digest) {
                k = d.k2
        }
        for i := 0; i < len(d.ci); i++ {
                d.digest[i] = d.ci[i] ^ k[i]
        }
        if d.p < len(d.digest) {
                d.digest[d.p] ^= 0x80
        }
        d.c.Encrypt(d.digest, d.digest)
        return d.digest
}

func (d *cmac) Size() int { return len(d.digest) }