1.\" $OpenBSD: CMAC_Init.3,v 1.9 2024/11/12 00:42:28 schwarze Exp $ 2.\" 3.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: November 12 2024 $ 18.Dt CMAC_INIT 3 19.Os 20.Sh NAME 21.Nm CMAC_CTX_new , 22.Nm CMAC_Init , 23.Nm CMAC_Update , 24.Nm CMAC_Final , 25.Nm CMAC_CTX_copy , 26.Nm CMAC_CTX_get0_cipher_ctx , 27.Nm CMAC_CTX_cleanup , 28.Nm CMAC_CTX_free 29.Nd Cipher-based message authentication code 30.Sh SYNOPSIS 31.In openssl/cmac.h 32.Ft CMAC_CTX * 33.Fn CMAC_CTX_new void 34.Ft int 35.Fo CMAC_Init 36.Fa "CMAC_CTX *ctx" 37.Fa "const void *key" 38.Fa "size_t key_len" 39.Fa "const EVP_CIPHER *cipher" 40.Fa "ENGINE *engine" 41.Fc 42.Ft int 43.Fo CMAC_Update 44.Fa "CMAC_CTX *ctx" 45.Fa "const void *in_data" 46.Fa "size_t in_len" 47.Fc 48.Ft int 49.Fo CMAC_Final 50.Fa "CMAC_CTX *ctx" 51.Fa "unsigned char *out_mac" 52.Fa "size_t *out_len" 53.Fc 54.Ft int 55.Fo CMAC_CTX_copy 56.Fa "CMAC_CTX *out_ctx" 57.Fa "CMAC_CTX *in_ctx" 58.Fc 59.Ft EVP_CIPHER_CTX * 60.Fn CMAC_CTX_get0_cipher_ctx "CMAC_CTX *ctx" 61.Ft void 62.Fn CMAC_CTX_cleanup "CMAC_CTX *ctx" 63.Ft void 64.Fn CMAC_CTX_free "CMAC_CTX *ctx" 65.Sh DESCRIPTION 66CMAC is a message authentication code algorithm that can employ an 67arbitrary block cipher using a symmetric key. 68.Pp 69The present manual page describes low-level functions implementing CMAC. 70Instead of using these functions directly, 71application programs normally call 72.Xr EVP_PKEY_new_CMAC_key 3 73and then pass the resulting 74.Vt EVP_PKEY 75object to 76.Xr EVP_DigestSignInit 3 . 77.Pp 78The CMAC API is object-oriented. 79Calculating a message authentication code requires a 80.Vt CMAC_CTX 81object. 82Usually, the functions 83.Fn CMAC_CTX_new , 84.Fn CMAC_Init , 85.Fn CMAC_Update , 86.Fn CMAC_Final , 87and 88.Fn CMAC_CTX_free 89need to be called in this order. 90.Pp 91.Fn CMAC_CTX_new 92allocates a new 93.Vt CMAC_CTX 94object, initializes the embedded 95.Vt EVP_CIPHER_CTX 96object, and marks the object itself as uninitialized. 97.Pp 98.Fn CMAC_Init 99selects the given block 100.Fa cipher 101for use by 102.Fa ctx . 103Functions to obtain suitable 104.Vt EVP_CIPHER 105objects are listed in the CIPHER LISTING section of the 106.Xr EVP_EncryptInit 3 107manual page. 108Unless 109.Fa key 110is 111.Dv NULL , 112.Fn CMAC_Init 113also initializes 114.Fa ctx 115for use with the given symmetric 116.Fa key 117that is 118.Fa key_len 119bytes long. 120In particular, it calculates and internally stores the two subkeys 121and initializes 122.Fa ctx 123for subsequently feeding in data with 124.Fn CMAC_Update . 125The 126.Fa engine 127argument is ignored; passing 128.Dv NULL 129is recommended. 130.Pp 131If 132.Fa ctx 133is already initialized, 134.Fn CMAC_Init 135can be called again with 136.Fa key 137and 138.Fa cipher 139both set to 140.Dv NULL 141and 142.Fa key_len 143set to 0. 144In that case, any data already processed is discarded and 145.Fa ctx 146is re-initialized to start reading data anew. 147.Pp 148.Fn CMAC_Update 149processes 150.Fa in_len 151bytes of input data pointed to by 152.Fa in_data . 153Depending on the number of input bytes already cached in 154.Fa ctx , 155on 156.Fa in_len , 157and on the block size, this may encrypt zero or more blocks. 158Unless 159.Fa in_len 160is zero, this function leaves at least one byte and at most one 161block of input cached but unprocessed inside the 162.Fa ctx 163object. 164.Fn CMAC_Update 165can be called multiple times 166to concatenate several chunks of input data of varying sizes. 167.Pp 168.Fn CMAC_Final 169stores the length of the message authentication code in bytes, 170which equals the cipher block size, into 171.Pf * Fa out_len . 172Unless 173.Fa out_mac 174is 175.Dv NULL , 176it encrypts the last block, padding it if required, and copies the 177resulting message authentication code to 178.Fa out_mac . 179The caller is responsible for providing a buffer of sufficient size. 180.Pp 181.Fn CMAC_CTX_copy 182performs a deep copy of the already initialized 183.Fa in_ctx 184into 185.Fa out_ctx . 186.Pp 187.Fn CMAC_CTX_cleanup 188zeros out both subkeys and all temporary data in 189.Fa ctx 190and in the embedded 191.Vt EVP_CIPHER_CTX 192object, frees all allocated memory associated with it, 193except for 194.Fa ctx 195itself, and marks it as uninitialized, 196such that it can be reused for subsequent 197.Fn CMAC_Init . 198.Pp 199.Fn CMAC_CTX_free 200calls 201.Fn CMAC_CTX_cleanup , 202then frees 203.Fa ctx 204itself. 205If 206.Fa ctx 207is 208.Dv NULL , 209no action occurs. 210.Sh RETURN VALUES 211.Fn CMAC_CTX_new 212returns the new context object or 213.Dv NULL 214in case of failure. 215It succeeds unless memory is exhausted. 216.Pp 217.Fn CMAC_Init , 218.Fn CMAC_Update , 219.Fn CMAC_Final , 220and 221.Fn CMAC_CTX_copy 222return 1 on success or 0 on failure. 223.Fn CMAC_Init 224fails if initializing the embedded 225.Vt EVP_CIPHER_CTX 226object fails. 227The others fail if 228.Fa in_ctx 229is uninitialized. 230.Fn CMAC_Update 231and 232.Fn CMAC_Final 233also fail if encrypting a block fails, and 234.Fn CMAC_CTX_copy 235if copying the embedded 236.Vt EVP_CIPHER_CTX 237object fails, which can for example happen when memory is exhausted. 238.Pp 239.Fn CMAC_CTX_get0_cipher_ctx 240returns an internal pointer to the 241.Vt EVP_CIPHER_CTX 242object that is embedded in 243.Fa ctx . 244.Sh ERRORS 245The CMAC code itself does not use the 246.In openssl/err.h 247framework, so in general, the reasons for failure cannot be found out with 248.Xr ERR_get_error 3 . 249However, since the 250.Xr EVP_EncryptInit 3 251functions are used internally, entries may still get pushed onto 252the error stack in some cases of failure. 253.Sh SEE ALSO 254.Xr EVP_aes_128_cbc 3 , 255.Xr EVP_DigestSignInit 3 , 256.Xr EVP_EncryptInit 3 , 257.Xr EVP_PKEY_new_CMAC_key 3 , 258.Xr HMAC 3 259.Sh STANDARDS 260.Rs 261.%A Morris Dworkin 262.%T "Recommendation for Block Cipher Modes of Operation:\ 263 The CMAC Mode for Authentication" 264.%I National Institute of Standards and Technology 265.%R NIST Special Publication 800-38B 266.%U https://doi.org/10.6028/NIST.SP.800-38B 267.%C Gaithersburg, Maryland 268.%D May 2005, updated October 6, 2016 269.Re 270.Sh HISTORY 271These functions first appeared in OpenSSL 1.0.1 272and have been available since 273.Ox 5.3 . 274