1 /** 2 * \file cmac.h 3 * 4 * \brief This file contains CMAC definitions and functions. 5 * 6 * The Cipher-based Message Authentication Code (CMAC) Mode for 7 * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 26 #ifndef MBEDTLS_CMAC_H 27 #define MBEDTLS_CMAC_H 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "mbedtls/config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #include "mbedtls/cipher.h" 36 37 #ifdef __cplusplus 38 extern "C" { 39 #endif 40 41 /* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */ 42 /** CMAC hardware accelerator failed. */ 43 #define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A 44 45 #define MBEDTLS_AES_BLOCK_SIZE 16 46 #define MBEDTLS_DES3_BLOCK_SIZE 8 47 48 #if defined(MBEDTLS_AES_C) 49 #define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /**< The longest block used by CMAC is that of AES. */ 50 #else 51 #define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /**< The longest block used by CMAC is that of 3DES. */ 52 #endif 53 54 #if !defined(MBEDTLS_CMAC_ALT) 55 56 /** 57 * The CMAC context structure. 58 */ 59 struct mbedtls_cmac_context_t 60 { 61 /** The internal state of the CMAC algorithm. */ 62 unsigned char state[MBEDTLS_CIPHER_BLKSIZE_MAX]; 63 64 /** Unprocessed data - either data that was not block aligned and is still 65 * pending processing, or the final block. */ 66 unsigned char unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX]; 67 68 /** The length of data pending processing. */ 69 size_t unprocessed_len; 70 }; 71 72 #else /* !MBEDTLS_CMAC_ALT */ 73 #include "cmac_alt.h" 74 #endif /* !MBEDTLS_CMAC_ALT */ 75 76 /** 77 * \brief Initialises and allocate CMAC context memory 78 * Must be called with an initialized cipher context. 79 * 80 * \param ctx The cipher context used for the CMAC operation, initialized 81 * as one of the following types: MBEDTLS_CIPHER_AES_128_ECB, 82 * MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB, 83 * or MBEDTLS_CIPHER_DES_EDE3_ECB. 84 * \return \c 0 on success. 85 * \return A cipher-specific error code on failure. 86 */ 87 int mbedtls_cipher_cmac_setup(mbedtls_cipher_context_t *ctx); 88 89 /** 90 * \brief This function starts a new CMAC computation 91 * by setting the CMAC key, and preparing to authenticate 92 * the input data. 93 * It must be called with an initialized cipher context. 94 * 95 * Once this function has completed, data can be supplied 96 * to the CMAC computation by calling 97 * mbedtls_cipher_cmac_update(). 98 * 99 * To start a CMAC computation using the same key as a previous 100 * CMAC computation, use mbedtls_cipher_cmac_finish(). 101 * 102 * \note When the CMAC implementation is supplied by an alternate 103 * implementation (through #MBEDTLS_CMAC_ALT), some ciphers 104 * may not be supported by that implementation, and thus 105 * return an error. Alternate implementations must support 106 * AES-128 and AES-256, and may support AES-192 and 3DES. 107 * 108 * \param ctx The cipher context used for the CMAC operation, initialized 109 * as one of the following types: MBEDTLS_CIPHER_AES_128_ECB, 110 * MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB, 111 * or MBEDTLS_CIPHER_DES_EDE3_ECB. 112 * \param key The CMAC key. 113 * \param keybits The length of the CMAC key in bits. 114 * Must be supported by the cipher. 115 * 116 * \return \c 0 on success. 117 * \return A cipher-specific error code on failure. 118 */ 119 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, 120 const unsigned char *key, size_t keybits ); 121 122 /** 123 * \brief This function feeds an input buffer into an ongoing CMAC 124 * computation. 125 * 126 * The CMAC computation must have previously been started 127 * by calling mbedtls_cipher_cmac_starts() or 128 * mbedtls_cipher_cmac_reset(). 129 * 130 * Call this function as many times as needed to input the 131 * data to be authenticated. 132 * Once all of the required data has been input, 133 * call mbedtls_cipher_cmac_finish() to obtain the result 134 * of the CMAC operation. 135 * 136 * \param ctx The cipher context used for the CMAC operation. 137 * \param input The buffer holding the input data. 138 * \param ilen The length of the input data. 139 * 140 * \return \c 0 on success. 141 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA 142 * if parameter verification fails. 143 */ 144 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, 145 const unsigned char *input, size_t ilen ); 146 147 /** 148 * \brief This function finishes an ongoing CMAC operation, and 149 * writes the result to the output buffer. 150 * 151 * It should be followed either by 152 * mbedtls_cipher_cmac_reset(), which starts another CMAC 153 * operation with the same key, or mbedtls_cipher_free(), 154 * which clears the cipher context. 155 * 156 * \param ctx The cipher context used for the CMAC operation. 157 * \param output The output buffer for the CMAC checksum result. 158 * 159 * \return \c 0 on success. 160 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA 161 * if parameter verification fails. 162 */ 163 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, 164 unsigned char *output ); 165 166 /** 167 * \brief This function starts a new CMAC operation with the same 168 * key as the previous one. 169 * 170 * It should be called after finishing the previous CMAC 171 * operation with mbedtls_cipher_cmac_finish(). 172 * After calling this function, 173 * call mbedtls_cipher_cmac_update() to supply the new 174 * CMAC operation with data. 175 * 176 * \param ctx The cipher context used for the CMAC operation. 177 * 178 * \return \c 0 on success. 179 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA 180 * if parameter verification fails. 181 */ 182 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ); 183 184 /** 185 * \brief This function calculates the full generic CMAC 186 * on the input buffer with the provided key. 187 * 188 * The function allocates the context, performs the 189 * calculation, and frees the context. 190 * 191 * The CMAC result is calculated as 192 * output = generic CMAC(cmac key, input buffer). 193 * 194 * \note When the CMAC implementation is supplied by an alternate 195 * implementation (through #MBEDTLS_CMAC_ALT), some ciphers 196 * may not be supported by that implementation, and thus 197 * return an error. Alternate implementations must support 198 * AES-128 and AES-256, and may support AES-192 and 3DES. 199 * 200 * \param cipher_info The cipher information. 201 * \param key The CMAC key. 202 * \param keylen The length of the CMAC key in bits. 203 * \param input The buffer holding the input data. 204 * \param ilen The length of the input data. 205 * \param output The buffer for the generic CMAC result. 206 * 207 * \return \c 0 on success. 208 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA 209 * if parameter verification fails. 210 */ 211 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, 212 const unsigned char *key, size_t keylen, 213 const unsigned char *input, size_t ilen, 214 unsigned char *output ); 215 216 #if defined(MBEDTLS_AES_C) 217 /** 218 * \brief This function implements the AES-CMAC-PRF-128 pseudorandom 219 * function, as defined in 220 * <em>RFC-4615: The Advanced Encryption Standard-Cipher-based 221 * Message Authentication Code-Pseudo-Random Function-128 222 * (AES-CMAC-PRF-128) Algorithm for the Internet Key 223 * Exchange Protocol (IKE).</em> 224 * 225 * \param key The key to use. 226 * \param key_len The key length in Bytes. 227 * \param input The buffer holding the input data. 228 * \param in_len The length of the input data in Bytes. 229 * \param output The buffer holding the generated 16 Bytes of 230 * pseudorandom output. 231 * 232 * \return \c 0 on success. 233 */ 234 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len, 235 const unsigned char *input, size_t in_len, 236 unsigned char output[16] ); 237 #endif /* MBEDTLS_AES_C */ 238 239 #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) ) 240 /** 241 * \brief The CMAC checkup routine. 242 * 243 * \note In case the CMAC routines are provided by an alternative 244 * implementation (i.e. #MBEDTLS_CMAC_ALT is defined), the 245 * checkup routine will succeed even if the implementation does 246 * not support the less widely used AES-192 or 3DES primitives. 247 * The self-test requires at least AES-128 and AES-256 to be 248 * supported by the underlying implementation. 249 * 250 * \return \c 0 on success. 251 * \return \c 1 on failure. 252 */ 253 int mbedtls_cmac_self_test( int verbose ); 254 #endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ 255 256 #ifdef __cplusplus 257 } 258 #endif 259 260 #endif /* MBEDTLS_CMAC_H */ 261