// Given the supplied cipher, whose block size must be 16 bytes, return two
// subkeys that can be used in MAC generation. See section 5.3 of NIST SP
// 800-38B. Note that the other NIST-approved block size of 8 bytes is not
// supported by this function.
func generateSubkeys(ciph cipher.Block) (k1 []byte, k2 []byte) {
if ciph.BlockSize() != blockSize {
panic("generateSubkeys requires a cipher with a block size of 16 bytes.")
}
// Step 1
l := make([]byte, blockSize)
ciph.Encrypt(l, subkeyZero)
// Step 2: Derive the first subkey.
if common.Msb(l) == 0 {
// TODO(jacobsa): Accept a destination buffer in ShiftLeft and then hoist
// the allocation in the else branch below.
k1 = common.ShiftLeft(l)
} else {
k1 = make([]byte, blockSize)
common.Xor(k1, common.ShiftLeft(l), subkeyRb)
}
// Step 3: Derive the second subkey.
if common.Msb(k1) == 0 {
k2 = common.ShiftLeft(k1)
} else {
k2 = make([]byte, blockSize)
common.Xor(k2, common.ShiftLeft(k1), subkeyRb)
}
return
}
func (t *MsbTest) MostSignficantIsZero() {
bufs := [][]byte{
[]byte{fromBinary("00000000")},
[]byte{fromBinary("01000000")},
[]byte{fromBinary("01100000")},
[]byte{fromBinary("00000000"), fromBinary("10000000")},
}
for i, buf := range bufs {
ExpectEq(0, common.Msb(buf), "Test case %d: %v", i, buf)
}
}
// Given a 128-bit binary string, shift the string left by one bit and XOR the
// result with 0x00...87 if the bit shifted off was one. This is the dbl
// function of RFC 5297.
func dbl(b []byte) []byte {
if len(b) != aes.BlockSize {
panic("dbl requires a 16-byte buffer.")
}
shiftedOne := common.Msb(b) == 1
b = common.ShiftLeft(b)
if shiftedOne {
tmp := make([]byte, aes.BlockSize)
common.Xor(tmp, b, dblRb)
b = tmp
}
return b
}
func (t *MsbTest) EmptyBuffer() {
f := func() { common.Msb([]byte{}) }
ExpectThat(f, Panics(HasSubstr("empty")))
}
func (t *MsbTest) NilBuffer() {
f := func() { common.Msb(nil) }
ExpectThat(f, Panics(HasSubstr("empty")))
}