mirror of
https://github.com/octoleo/restic.git
synced 2024-11-17 18:45:15 +00:00
946c8399e2
Exclude minio-go for now (pin to 3.x.y).
59 lines
2.0 KiB
Go
59 lines
2.0 KiB
Go
// Copyright 2017 The Go Authors. All rights reserved.
|
||
// Use of this source code is governed by a BSD-style
|
||
// license that can be found in the LICENSE file.
|
||
|
||
/*
|
||
Package auth authenticates a message using a secret key.
|
||
|
||
The Sum function, viewed as a function of the message for a uniform random
|
||
key, is designed to meet the standard notion of unforgeability. This means
|
||
that an attacker cannot find authenticators for any messages not authenticated
|
||
by the sender, even if the attacker has adaptively influenced the messages
|
||
authenticated by the sender. For a formal definition see, e.g., Section 2.4
|
||
of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining
|
||
message authentication code," Journal of Computer and System Sciences 61 (2000),
|
||
362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html.
|
||
|
||
auth does not make any promises regarding "strong" unforgeability; perhaps
|
||
one valid authenticator can be converted into another valid authenticator for
|
||
the same message. NaCl also does not make any promises regarding "truncated
|
||
unforgeability."
|
||
|
||
This package is interoperable with NaCl: https://nacl.cr.yp.to/auth.html.
|
||
*/
|
||
package auth
|
||
|
||
import (
|
||
"crypto/hmac"
|
||
"crypto/sha512"
|
||
)
|
||
|
||
const (
|
||
// Size is the size, in bytes, of an authenticated digest.
|
||
Size = 32
|
||
// KeySize is the size, in bytes, of an authentication key.
|
||
KeySize = 32
|
||
)
|
||
|
||
// Sum generates an authenticator for m using a secret key and returns the
|
||
// 32-byte digest.
|
||
func Sum(m []byte, key *[KeySize]byte) *[Size]byte {
|
||
mac := hmac.New(sha512.New, key[:])
|
||
mac.Write(m)
|
||
out := new([KeySize]byte)
|
||
copy(out[:], mac.Sum(nil)[:Size])
|
||
return out
|
||
}
|
||
|
||
// Verify checks that digest is a valid authenticator of message m under the
|
||
// given secret key. Verify does not leak timing information.
|
||
func Verify(digest []byte, m []byte, key *[KeySize]byte) bool {
|
||
if len(digest) != Size {
|
||
return false
|
||
}
|
||
mac := hmac.New(sha512.New, key[:])
|
||
mac.Write(m)
|
||
expectedMAC := mac.Sum(nil) // first 256 bits of 512-bit sum
|
||
return hmac.Equal(digest, expectedMAC[:Size])
|
||
}
|