1.\" $OpenBSD: CMAC_Init.3,v 1.6 2024/03/02 09:30:21 tb Exp $ 2.\" 3.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: March 2 2024 $ 18.Dt CMAC_INIT 3 19.Os 20.Sh NAME 21.Nm CMAC_CTX_new , 22.Nm CMAC_Init , 23.Nm CMAC_Update , 24.Nm CMAC_Final , 25.Nm CMAC_CTX_copy , 26.Nm CMAC_CTX_get0_cipher_ctx , 27.Nm CMAC_CTX_cleanup , 28.Nm CMAC_CTX_free 29.Nd Cipher-based message authentication code 30.Sh SYNOPSIS 31.In openssl/cmac.h 32.Ft CMAC_CTX * 33.Fn CMAC_CTX_new void 34.Ft int 35.Fo CMAC_Init 36.Fa "CMAC_CTX *ctx" 37.Fa "const void *key" 38.Fa "size_t key_len" 39.Fa "const EVP_CIPHER *cipher" 40.Fa "ENGINE *engine" 41.Fc 42.Ft int 43.Fo CMAC_Update 44.Fa "CMAC_CTX *ctx" 45.Fa "const void *in_data" 46.Fa "size_t in_len" 47.Fc 48.Ft int 49.Fo CMAC_Final 50.Fa "CMAC_CTX *ctx" 51.Fa "unsigned char *out_mac" 52.Fa "size_t *out_len" 53.Fc 54.Ft EVP_CIPHER_CTX * 55.Fn CMAC_CTX_get0_cipher_ctx "CMAC_CTX *ctx" 56.Ft void 57.Fn CMAC_CTX_cleanup "CMAC_CTX *ctx" 58.Ft void 59.Fn CMAC_CTX_free "CMAC_CTX *ctx" 60.Sh DESCRIPTION 61CMAC is a message authentication code algorithm that can employ an 62arbitrary block cipher using a symmetric key. 63.Pp 64The present manual page describes low-level functions implementing CMAC. 65Instead of using these functions directly, 66application programs normally call 67.Xr EVP_PKEY_CTX_new_id 3 68with an argument of 69.Dv EVP_PKEY_CMAC 70and then pass the resulting 71.Vt EVP_MD_CTX 72object to 73.Xr EVP_DigestInit_ex 3 . 74.Pp 75The CMAC API is object-oriented. 76Calculating a message authentication code requires a 77.Vt CMAC_CTX 78object. 79Usually, the functions 80.Fn CMAC_CTX_new , 81.Fn CMAC_Init , 82.Fn CMAC_Update , 83.Fn CMAC_Final , 84and 85.Fn CMAC_CTX_free 86need to be called in this order. 87.Pp 88.Fn CMAC_CTX_new 89allocates a new 90.Vt CMAC_CTX 91object, initializes the embedded 92.Vt EVP_CIPHER_CTX 93object, and marks the object itself as uninitialized. 94.Pp 95.Fn CMAC_Init 96selects the given block 97.Fa cipher 98for use by 99.Fa ctx . 100Functions to obtain suitable 101.Vt EVP_CIPHER 102objects are listed in the CIPHER LISTING section of the 103.Xr EVP_Cipher 3 104manual page. 105Unless 106.Fa key 107is 108.Dv NULL , 109.Fn CMAC_Init 110also initializes 111.Fa ctx 112for use with the given symmetric 113.Fa key 114that is 115.Fa key_len 116bytes long. 117In particular, it calculates and internally stores the two subkeys 118and initializes 119.Fa ctx 120for subsequently feeding in data with 121.Fn CMAC_Update . 122The 123.Fa engine 124argument is ignored; passing 125.Dv NULL 126is recommended. 127.Pp 128If 129.Fa ctx 130is already initialized, 131.Fn CMAC_Init 132can be called again with 133.Fa key 134and 135.Fa cipher 136both set to 137.Dv NULL 138and 139.Fa key_len 140set to 0. 141In that case, any data already processed is discarded and 142.Fa ctx 143is re-initialized to start reading data anew. 144.Pp 145.Fn CMAC_Update 146processes 147.Fa in_len 148bytes of input data pointed to by 149.Fa in_data . 150Depending on the number of input bytes already cached in 151.Fa ctx , 152on 153.Fa in_len , 154and on the block size, this may encrypt zero or more blocks. 155Unless 156.Fa in_len 157is zero, this function leaves at least one byte and at most one 158block of input cached but unprocessed inside the 159.Fa ctx 160object. 161.Fn CMAC_Update 162can be called multiple times 163to concatenate several chunks of input data of varying sizes. 164.Pp 165.Fn CMAC_Final 166stores the length of the message authentication code in bytes, 167which equals the cipher block size, into 168.Pf * Fa out_len . 169Unless 170.Fa out_mac 171is 172.Dv NULL , 173it encrypts the last block, padding it if required, and copies the 174resulting message authentication code to 175.Fa out_mac . 176The caller is responsible for providing a buffer of sufficient size. 177.Pp 178.Fn CMAC_CTX_copy 179performs a deep copy of the already initialized 180.Fa in_ctx 181into 182.Fa out_ctx . 183.Pp 184.Fn CMAC_CTX_cleanup 185zeros out both subkeys and all temporary data in 186.Fa ctx 187and in the embedded 188.Vt EVP_CIPHER_CTX 189object, frees all allocated memory associated with it, 190except for 191.Fa ctx 192itself, and marks it as uninitialized, 193such that it can be reused for subsequent 194.Fn CMAC_Init . 195.Pp 196.Fn CMAC_CTX_free 197calls 198.Fn CMAC_CTX_cleanup , 199then frees 200.Fa ctx 201itself. 202If 203.Fa ctx 204is 205.Dv NULL , 206no action occurs. 207.Sh RETURN VALUES 208.Fn CMAC_CTX_new 209returns the new context object or 210.Dv NULL 211in case of failure. 212It succeeds unless memory is exhausted. 213.Pp 214.Fn CMAC_Init , 215.Fn CMAC_Update , 216.Fn CMAC_Final , 217and 218.Fn CMAC_CTX_copy 219return 1 on success or 0 on failure. 220.Fn CMAC_Init 221fails if initializing the embedded 222.Vt EVP_CIPHER_CTX 223object fails. 224The others fail if 225.Fa in_ctx 226is uninitialized. 227.Fn CMAC_Update 228and 229.Fn CMAC_Final 230also fail if encrypting a block fails, and 231.Fn CMAC_CTX_copy 232if copying the embedded 233.Vt EVP_CIPHER_CTX 234object fails, which can for example happen when memory is exhausted. 235.Pp 236.Fn CMAC_CTX_get0_cipher_ctx 237returns an internal pointer to the 238.Vt EVP_CIPHER_CTX 239object that is embedded in 240.Fa ctx . 241.Sh ERRORS 242The CMAC code itself does not use the 243.In openssl/err.h 244framework, so in general, the reasons for failure cannot be found out with 245.Xr ERR_get_error 3 . 246However, since the 247.Xr EVP_Cipher 3 248functions are used internally, entries may still get pushed onto 249the error stack in some cases of failure. 250.Sh SEE ALSO 251.Xr EVP_aes_128_cbc 3 , 252.Xr EVP_Cipher 3 , 253.Xr EVP_DigestInit 3 , 254.Xr EVP_PKEY_CTX_new_id 3 , 255.Xr HMAC 3 256.Sh STANDARDS 257.Rs 258.%A Morris Dworkin 259.%T "Recommendation for Block Cipher Modes of Operation:\ 260 The CMAC Mode for Authentication" 261.%I National Institute of Standards and Technology 262.%R NIST Special Publication 800-38B 263.%U https://doi.org/10.6028/NIST.SP.800-38B 264.%C Gaithersburg, Maryland 265.%D May 2005, updated October 6, 2016 266.Re 267.Sh HISTORY 268These functions first appeared in OpenSSL 1.0.1 269and have been available since 270.Ox 5.3 . 271