59 lines
		
	
	
		
			2.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			59 lines
		
	
	
		
			2.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2017 The Go Authors. All rights reserved.
 | ||
| // Use of this source code is governed by a BSD-style
 | ||
| // license that can be found in the LICENSE file.
 | ||
| 
 | ||
| /*
 | ||
| Package auth authenticates a message using a secret key.
 | ||
| 
 | ||
| The Sum function, viewed as a function of the message for a uniform random
 | ||
| key, is designed to meet the standard notion of unforgeability. This means
 | ||
| that an attacker cannot find authenticators for any messages not authenticated
 | ||
| by the sender, even if the attacker has adaptively influenced the messages
 | ||
| authenticated by the sender. For a formal definition see, e.g., Section 2.4
 | ||
| of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining
 | ||
| message authentication code," Journal of Computer and System Sciences 61 (2000),
 | ||
| 362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html.
 | ||
| 
 | ||
| auth does not make any promises regarding "strong" unforgeability; perhaps
 | ||
| one valid authenticator can be converted into another valid authenticator for
 | ||
| the same message. NaCl also does not make any promises regarding "truncated
 | ||
| unforgeability."
 | ||
| 
 | ||
| This package is interoperable with NaCl: https://nacl.cr.yp.to/auth.html.
 | ||
| */
 | ||
| package auth
 | ||
| 
 | ||
| import (
 | ||
| 	"crypto/hmac"
 | ||
| 	"crypto/sha512"
 | ||
| )
 | ||
| 
 | ||
| const (
 | ||
| 	// Size is the size, in bytes, of an authenticated digest.
 | ||
| 	Size = 32
 | ||
| 	// KeySize is the size, in bytes, of an authentication key.
 | ||
| 	KeySize = 32
 | ||
| )
 | ||
| 
 | ||
| // Sum generates an authenticator for m using a secret key and returns the
 | ||
| // 32-byte digest.
 | ||
| func Sum(m []byte, key *[KeySize]byte) *[Size]byte {
 | ||
| 	mac := hmac.New(sha512.New, key[:])
 | ||
| 	mac.Write(m)
 | ||
| 	out := new([KeySize]byte)
 | ||
| 	copy(out[:], mac.Sum(nil)[:Size])
 | ||
| 	return out
 | ||
| }
 | ||
| 
 | ||
| // Verify checks that digest is a valid authenticator of message m under the
 | ||
| // given secret key. Verify does not leak timing information.
 | ||
| func Verify(digest []byte, m []byte, key *[KeySize]byte) bool {
 | ||
| 	if len(digest) != Size {
 | ||
| 		return false
 | ||
| 	}
 | ||
| 	mac := hmac.New(sha512.New, key[:])
 | ||
| 	mac.Write(m)
 | ||
| 	expectedMAC := mac.Sum(nil) // first 256 bits of 512-bit sum
 | ||
| 	return hmac.Equal(digest, expectedMAC[:Size])
 | ||
| }
 |