AES-CMAC digest with EVP

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

AES-CMAC digest with EVP

Daniel Andrade
Hello,

I have two buffers, one with a key and one with some data. The objective
is to calculate the AES-CMAC of the data with this key. I managed to
compute the AES-CMAC using type `EVP_aes_128_cbc()` with the low-level
interface:

1. CMAC_CTX *ctx = CMAC_CTX_new()
2. CMAC_Init
3. CMAC_Update
4. CMAC_Final
5. CMAC_CTX_free

Can this be done with the high-level EVP interface?

The EVP_DigestSign* set of functions expects a type EVP_MD, but
EVP_aes_128_cbc() is of type EVP_CIPHER.

Daniel
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: AES-CMAC digest with EVP

Dr. Stephen Henson
On Wed, Aug 30, 2017, Daniel Andrade wrote:

> Hello,
>
> I have two buffers, one with a key and one with some data. The
> objective is to calculate the AES-CMAC of the data with this key. I
> managed to compute the AES-CMAC using type `EVP_aes_128_cbc()` with
> the low-level interface:
>
> 1. CMAC_CTX *ctx = CMAC_CTX_new()
> 2. CMAC_Init
> 3. CMAC_Update
> 4. CMAC_Final
> 5. CMAC_CTX_free
>
> Can this be done with the high-level EVP interface?
>
> The EVP_DigestSign* set of functions expects a type EVP_MD, but
> EVP_aes_128_cbc() is of type EVP_CIPHER.
>

Yes it is possible. One way is to create a new key using
EVP_PKEY_new_mac_key() with type EVP_PKEY_CMAC. You pass that key to
EVP_DigestSign*() with the digest set to NULL. You then have to set the cipher
to use with the EVP_PKEY_CTRL_CIPHER ctrl (unfortunately there is currently no
macro for this).

Then calling EVP_DigestSignUpdate() and EVP_DigestSignaFinal() should work in
the usual way and produce the correct CMAC.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users