EVP_MAC-CMAC.7ossl - Man Page

The CMAC EVP_MAC implementation

Description

Support for computing CMAC MACs through the EVP_MAC API.

This implementation uses EVP_CIPHER functions to get access to the underlying cipher.

Identity

This implementation is identified with this name and properties, to be used with EVP_MAC_fetch():

"CMAC", "provider=default" or "provider=fips"

Supported parameters

The general description of these parameters can be found in "PARAMETERS" in EVP_MAC(3).

The following parameters can be set with EVP_MAC_CTX_set_params():

"key" (OSSL_MAC_PARAM_KEY) <octet string>

Sets the MAC key. Setting this parameter is identical to passing a key to EVP_MAC_init(3).

"cipher" (OSSL_MAC_PARAM_CIPHER) <UTF8 string>

Sets the name of the underlying cipher to be used. The mode of the cipher must be CBC.

"properties" (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>

Sets the properties to be queried when trying to fetch the underlying cipher. This must be given together with the cipher naming parameter to be considered valid.

"encrypt-check" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>

This option is used by the OpenSSL FIPS provider. If required, this parameter should be set before EVP_MAC_init().

The default value of 1 causes an error when an unapproved Triple-DES encryption operation is triggered. Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. This option breaks FIPS compliance if it causes the approved "fips-indicator" to return 0.

The following parameters can be retrieved with EVP_MAC_CTX_get_params():

"size" (OSSL_MAC_PARAM_SIZE) <unsigned integer>

The "size" parameter can also be retrieved with EVP_MAC_CTX_get_mac_size(). The length of the "size" parameter is equal to that of an unsigned int.

"block-size" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>

Gets the MAC block size. The "block-size" parameter can also be retrieved with EVP_MAC_CTX_get_block_size().

"fips-indicator" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>

This option is used by the OpenSSL FIPS provider.

A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. This may be used after calling EVP_MAC_final(). It may return 0 if the "encrypt-check" option is set to 0.

See Also

EVP_MAC_CTX_get_params(3), EVP_MAC_CTX_set_params(3), "PARAMETERS" in EVP_MAC(3), OSSL_PARAM(3)

Referenced By

EVP_MAC.3ossl(3), EVP_SIGNATURE-HMAC.7ossl(7), fips_module.7ossl(7), openssl-mac.1ossl(1), ossl-guide-migration.7ossl(7), OSSL_PROVIDER-default.7ossl(7), OSSL_PROVIDER-FIPS.7ossl(7), provider-mac.7ossl(7).

2025-04-15 3.5.0 OpenSSL