// Copyright 2009 The Go Authors. All rights reserved.
// Portions Copyright 2016 Hiroshi Ioka. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
//    * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
//    * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
//    * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

// CMAC message authentication code, defined in
// NIST Special Publication SP 800-38B.

package cmac

import (
	
	
)

const (
	// minimal irreducible polynomial of degree b
	r64  = 0x1b
	r128 = 0x87
)

type cmac struct {
	k1, k2, ci, digest []byte
	p                  int // position in ci
	c                  cipher.Block
}

// TODO(rsc): Should this return an error instead of panic?

// NewCMAC returns a new instance of a CMAC message authentication code
// digest using the given Cipher.
func ( cipher.Block) hash.Hash {
	var  byte
	 := .BlockSize()
	switch  {
	case 64 / 8:
		 = r64
	case 128 / 8:
		 = r128
	default:
		panic("crypto/cmac: NewCMAC: invalid cipher block size")
	}

	 := new(cmac)
	.c = 
	.k1 = make([]byte, )
	.k2 = make([]byte, )
	.ci = make([]byte, )
	.digest = make([]byte, )

	// Subkey generation, p. 7
	.Encrypt(.k1, .k1)
	if shift1(.k1, .k1) != 0 {
		.k1[-1] ^= 
	}
	if shift1(.k1, .k2) != 0 {
		.k2[-1] ^= 
	}

	return 
}

// Reset clears the digest state, starting a new digest.
func ( *cmac) () {
	for  := range .ci {
		.ci[] = 0
	}
	.p = 0
}

// Write adds the given data to the digest state.
func ( *cmac) ( []byte) ( int,  error) {
	// Xor input into ci.
	for ,  := range  {
		// If ci is full, encrypt and start over.
		if .p >= len(.ci) {
			.c.Encrypt(.ci, .ci)
			.p = 0
		}
		.ci[.p] ^= 
		.p++
	}
	return len(), nil
}

// Sum returns the CMAC digest, one cipher block in length,
// of the data written with Write.
func ( *cmac) ( []byte) []byte {
	// Finish last block, mix in key, encrypt.
	// Don't edit ci, in case caller wants
	// to keep digesting after call to Sum.
	 := .k1
	if .p < len(.digest) {
		 = .k2
	}
	for  := 0;  < len(.ci); ++ {
		.digest[] = .ci[] ^ []
	}
	if .p < len(.digest) {
		.digest[.p] ^= 0x80
	}
	.c.Encrypt(.digest, .digest)
	return append(, .digest...)
}

func ( *cmac) () int { return len(.digest) }

func ( *cmac) () int { return 16 }

// Utility routines

func shift1(,  []byte) byte {
	var  byte
	for  := len() - 1;  >= 0; -- {
		 := [] >> 7
		[] = []<<1 | 
		 = 
	}
	return 
}