[thirdparty/openssl.git] / doc / man3 / EVP_MAC.pod

=pod

=head1 NAME

EVP_MAC, EVP_MAC_fetch, EVP_MAC_up_ref, EVP_MAC_free, EVP_MAC_name,
EVP_MAC_provider, EVP_MAC_get_params, EVP_MAC_gettable_params,
EVP_MAC_CTX, EVP_MAC_CTX_new, EVP_MAC_CTX_free, EVP_MAC_CTX_dup,
EVP_MAC_CTX_mac, EVP_MAC_CTX_get_params, EVP_MAC_CTX_set_params,
EVP_MAC_size, EVP_MAC_init, EVP_MAC_update, EVP_MAC_final,
EVP_MAC_CTX_gettable_params, EVP_MAC_CTX_settable_params,
EVP_MAC_do_all_ex - EVP MAC routines

=head1 SYNOPSIS

 #include <openssl/evp.h>

 typedef struct evp_mac_st EVP_MAC;
 typedef struct evp_mac_ctx_st EVP_MAC_CTX;

 EVP_MAC *EVP_MAC_fetch(OPENSSL_CTX *libctx, const char *algorithm,
                        const char *properties);
 int EVP_MAC_up_ref(EVP_MAC *mac);
 void EVP_MAC_free(EVP_MAC *mac);
 const char *EVP_MAC_name(const EVP_MAC *mac);
 const OSSL_PROVIDER *EVP_MAC_provider(const EVP_MAC *mac);
 int EVP_MAC_get_params(EVP_MAC *mac, OSSL_PARAM params[]);

 EVP_MAC_CTX *EVP_MAC_CTX_new(EVP_MAC *mac);
 void EVP_MAC_CTX_free(EVP_MAC_CTX *ctx);
 EVP_MAC_CTX *EVP_MAC_CTX_dup(const EVP_MAC_CTX *src);
 EVP_MAC *EVP_MAC_CTX_mac(EVP_MAC_CTX *ctx);
 int EVP_MAC_CTX_get_params(EVP_MAC_CTX *ctx, OSSL_PARAM params[]);
 int EVP_MAC_CTX_set_params(EVP_MAC_CTX *ctx, const OSSL_PARAM params[]);

 size_t EVP_MAC_size(EVP_MAC_CTX *ctx);
 int EVP_MAC_init(EVP_MAC_CTX *ctx);
 int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen);
 int EVP_MAC_final(EVP_MAC_CTX *ctx,
                   unsigned char *out, size_t *outl, size_t outsize);

 const OSSL_PARAM *EVP_MAC_gettable_params(const EVP_MAC *mac);
 const OSSL_PARAM *EVP_MAC_CTX_gettable_params(const EVP_MAC *mac);
 const OSSL_PARAM *EVP_MAC_CTX_settable_params(const EVP_MAC *mac);

 void EVP_MAC_do_all_ex(OPENSSL_CTX *libctx,
                        void (*fn)(EVP_MAC *mac, void *arg),
                        void *arg);

=head1 DESCRIPTION

These types and functions help the application to calculate MACs of
different types and with different underlying algorithms if there are
any.

MACs are a bit complex insofar that some of them use other algorithms
for actual computation.  HMAC uses a digest, and CMAC uses a cipher.
Therefore, there are sometimes two contexts to keep track of, one for
the MAC algorithm itself and one for the underlying computation
algorithm if there is one.

To make things less ambiguous, this manual talks about a "context" or
"MAC context", which is to denote the MAC level context, and about a
"underlying context", or "computation context", which is to denote the
context for the underlying computation algorithm if there is one.

=head2 Types

B<EVP_MAC> is a type that holds the implementation of a MAC.

B<EVP_MAC_CTX> is a context type that holds internal MAC information
as well as a reference to a computation context, for those MACs that
rely on an underlying computation algorithm.

=head2 Algorithm implementation fetching

EVP_MAC_fetch() fetches an implementation of a MAC I<algorithm>, given
a library context I<libctx> and a set of I<properties>.
See L<provider(7)/Fetching algorithms> for further information.

The returned value must eventually be freed with
L<EVP_MAC_free(3)>.

EVP_MAC_up_ref() increments the reference count of an already fetched
MAC.

EVP_MAC_free() frees a fetched algorithm.
NULL is a valid parameter, for which this function is a no-op.

=head2 Context manipulation functions

EVP_MAC_CTX_new() creates a new context for the MAC type I<mac>.
The created context can then be used with most other functions
described here.

EVP_MAC_CTX_free() frees the contents of the context, including an
underlying context if there is one, as well as the context itself.
NULL is a valid parameter, for which this function is a no-op.

EVP_MAC_CTX_dup() duplicates the I<src> context and returns a newly allocated
context.

EVP_MAC_CTX_mac() returns the B<EVP_MAC> associated with the context
I<ctx>.

=head2 Computing functions

EVP_MAC_init() sets up the underlying context with information given
through diverse controls.
This should be called before calling EVP_MAC_update() and
EVP_MAC_final().

EVP_MAC_update() adds I<datalen> bytes from I<data> to the MAC input.

EVP_MAC_final() does the final computation and stores the result in
the memory pointed at by I<out> of size I<outsize>, and sets the number
of bytes written in I<*outl> at.
If I<out> is B<NULL> or I<outsize> is too small, then no computation
is made.
To figure out what the output length will be and allocate space for it
dynamically, simply call with I<out> being B<NULL> and I<outl>
pointing at a valid location, then allocate space and make a second
call with I<out> pointing at the allocated space.

EVP_MAC_get_params() retrieves details about the implementation
I<mac>.
The set of parameters given with I<params> determine exactly what
parameters should be retrieved.
Note that a parameter that is unknown in the underlying context is
simply ignored.

EVP_MAC_CTX_get_params() retrieves chosen parameters, given the
context I<ctx> and its underlying context.
The set of parameters given with I<params> determine exactly what
parameters should be retrieved.
Note that a parameter that is unknown in the underlying context is
simply ignored.

EVP_MAC_CTX_set_params() passes chosen parameters to the underlying
context, given a context I<ctx>.
The set of parameters given with I<params> determine exactly what
parameters are passed down.
Note that a parameter that is unknown in the underlying context is
simply ignored.
Also, what happens when a needed parameter isn't passed down is
defined by the implementation.

EVP_MAC_gettable_params(), EVP_MAC_CTX_gettable_params() and
EVP_MAC_CTX_settable_params() get a constant B<OSSL_PARAM> array that
decribes the retrievable and settable parameters, i.e. parameters that
can be used with EVP_MAC_CTX_get_params(), EVP_MAC_CTX_get_params()
and EVP_MAC_CTX_set_params(), respectively.
See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.

=head2 Information functions

EVP_MAC_size() returns the MAC output size for the given context.

EVP_MAC_name() returns the name of the given MAC implementation.

EVP_MAC_provider() returns the provider that holds the implementation
of the given I<mac>.

EVP_MAC_do_all_ex() traverses all MAC implemented by all activated
providers in the given library context I<libctx>, and for each of the
implementations, calls the given function I<fn> with the implementation method
and the given I<arg> as argument.

=head1 PARAMETER NAMES

The standard parameter names are:

=over 4

=item OSSL_MAC_PARAM_KEY ("key") <octet string>

Its value is the MAC key as an array of bytes.

For MACs that use an underlying computation algorithm, the algorithm
must be set first, see parameter names "algorithm" below.

=item OSSL_MAC_PARAM_IV ("iv") <octet string>

Some MAC implementations require an IV, this parameter sets the IV.

=item OSSL_MAC_PARAM_CUSTOM ("custom") <octet string>

Some MAC implementations (KMAC, BLAKE2) accept a Customization String,
this parameter sets the Customization String. The default value is the
empty string.

=item OSSL_MAC_PARAM_SALT ("salt") <octet string>

This option is used by BLAKE2 MAC.

=item OSSL_MAC_PARAM_XOF ("xof") <int>

It's a simple flag, the value 0 or 1 are expected.

This option is used by KMAC.

=item OSSL_MAC_PARAM_FLAGS ("flags") <int>

These will set the MAC flags to the given numbers.
Some MACs do not support this option.

=item OSSL_MAC_PARAM_ENGINE ("engine") <utf8string>

=item OSSL_MAC_PARAM_MD ("md") <utf8string>

=item OSSL_MAC_PARAM_DIGEST ("digest") <utf8string>

=item OSSL_MAC_PARAM_CIPHER ("cipher") <utf8string>

=item OSSL_MAC_PARAM_ALGORITHM ("algorithm") <utf8string>

For MAC implementations that use an underlying computation algorithm,
these parameters set what the algorithm should be, and the engine that
implements the algorithm if needed.

The value is always the name of the intended engine or algorithm.

Note that not all algorithms may support all digests.
HMAC does not support variable output length digests such as SHAKE128
or SHAKE256.

Also note that OSSL_MAC_PARAM_ALGORITHM can be use generically instead
of OSSL_MAC_PARAM_MD, OSSL_MAC_PARAM_DIGEST or OSSL_MAC_PARAM_CIPHER,
and that OSSL_MAC_PARAM_MD and OSSL_MAC_PARAM_DIGEST are also interchangable.

=item OSSL_MAC_PARAM_SIZE <unsigned int>

For MAC implementations that support it, set the output size that
EVP_MAC_final() should produce.
The allowed sizes vary between MAC implementations.

=back

All these parameters should be used before the calls to any of
EVP_MAC_init(), EVP_MAC_update() and EVP_MAC_final() for a full
computation.
Anything else may give undefined results.

=head1 RETURN VALUES

EVP_MAC_fetch() returns a pointer to a newly fetched EVP_MAC, or
NULL if allocation failed.

EVP_MAC_up_ref() returns 1 on success, 0 on error.

EVP_MAC_free() returns nothing at all.

EVP_MAC_name() returns the name of the MAC, or NULL if NULL was
passed.

EVP_MAC_provider() returns a pointer to the provider for the MAC, or
NULL on error.

EVP_MAC_CTX_new() and EVP_MAC_CTX_dup() return a pointer to a newly
created EVP_MAC_CTX, or NULL if allocation failed.

EVP_MAC_CTX_free() returns nothing at all.

EVP_MAC_CTX_get_params() and EVP_MAC_CTX_set_params() return 1 on
success, 0 on error.

EVP_MAC_init(), EVP_MAC_update(), and EVP_MAC_final() return 1 on success, 0
on error.

EVP_MAC_size() returns the expected output size, or 0 if it isn't
set.
If it isn't set, a call to EVP_MAC_init() should get it set.

EVP_MAC_do_all_ex() returns nothing at all.

=head1 EXAMPLE

  #include <stdlib.h>
  #include <stdio.h>
  #include <string.h>
  #include <stdarg.h>
  #include <unistd.h>

  #include <openssl/evp.h>
  #include <openssl/err.h>
  #include <openssl/params.h>

  int main() {
      EVP_MAC *mac = EVP_MAC_fetch(NULL, getenv("MY_MAC"), NULL);
      const char *cipher = getenv("MY_MAC_CIPHER");
      const char *digest = getenv("MY_MAC_DIGEST");
      const char *key = getenv("MY_KEY");
      EVP_MAC_CTX *ctx = NULL;

      unsigned char buf[4096];
      ssize_t read_l;
      size_t final_l;

      size_t i;

      OSSL_PARAM params[4];
      size_t params_n = 0;

      if (cipher != NULL)
          params[params_n++] =
              OSSL_PARAM_construct_utf8_string("cipher", cipher,
                                               strlen(cipher) + 1, NULL);
      if (digest != NULL)
          params[params_n++] =
              OSSL_PARAM_construct_utf8_string("digest", digest,
                                               strlen(digest) + 1, NULL);
      params[params_n++] =
          OSSL_PARAM_construct_octet_string("key", key, strlen(key), NULL);
      params[params_n] = OSSL_PARAM_construct_end();

      if (mac == NULL
          || key == NULL
          || (ctx = EVP_MAC_CTX_new(mac)) == NULL
          || EVP_MAC_CTX_set_params(ctx, params) <= 0)
          goto err;

      if (!EVP_MAC_init(ctx))
          goto err;

      while ( (read_l = read(STDIN_FILENO, buf, sizeof(buf))) < 0) {
          if (!EVP_MAC_update(ctx, buf, read_l))
              goto err;
      }

      if (!EVP_MAC_final(ctx, buf, &final_l))
          goto err;

      printf("Result: ");
      for (i = 0; i < final_l; i++)
          printf("%02X", buf[i]);
      printf("\n");

      EVP_MAC_CTX_free(ctx);
      EVP_MAC_free(mac);
      exit(0);

   err:
      EVP_MAC_CTX_free(ctx);
      EVP_MAC_free(mac);
      fprintf(stderr, "Something went wrong\n");
      ERR_print_errors_fp(stderr);
      exit (1);
  }

A run of this program, called with correct environment variables, can
look like this:

  $ MY_MAC=cmac MY_KEY=secret0123456789 MY_MAC_CIPHER=aes-128-cbc \
    LD_LIBRARY_PATH=. ./foo < foo.c
  Result: ECCAAFF041B22A2299EB90A1B53B6D45

(in this example, that program was stored in F<foo.c> and compiled to
F<./foo>)

=head1 SEE ALSO

L<property(7)>
L<OSSL_PARAM(3)>,
L<EVP_MAC_BLAKE2(7)>,
L<EVP_MAC_CMAC(7)>,
L<EVP_MAC_GMAC(7)>,
L<EVP_MAC_HMAC(7)>,
L<EVP_MAC_KMAC(7)>,
L<EVP_MAC_SIPHASH(7)>,
L<EVP_MAC_POLY1305(7)>

=head1 HISTORY

These functions were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
567db2c1 RL	1	=pod
	2
	3	=head1 NAME
	4
e74bd290	5	EVP_MAC, EVP_MAC_fetch, EVP_MAC_up_ref, EVP_MAC_free, EVP_MAC_name,
7dd0f299	6	EVP_MAC_provider, EVP_MAC_get_params, EVP_MAC_gettable_params,
e74bd290 RL	7	EVP_MAC_CTX, EVP_MAC_CTX_new, EVP_MAC_CTX_free, EVP_MAC_CTX_dup,
	8	EVP_MAC_CTX_mac, EVP_MAC_CTX_get_params, EVP_MAC_CTX_set_params,
	9	EVP_MAC_size, EVP_MAC_init, EVP_MAC_update, EVP_MAC_final,
d1cafb08 RL	10	EVP_MAC_CTX_gettable_params, EVP_MAC_CTX_settable_params,
d1cafb08 RL	11	EVP_MAC_do_all_ex - EVP MAC routines
567db2c1 RL	12
	13	=head1 SYNOPSIS
	14
	15	#include <openssl/evp.h>
	16
	17	typedef struct evp_mac_st EVP_MAC;
	18	typedef struct evp_mac_ctx_st EVP_MAC_CTX;
	19
e74bd290 RL	20	EVP_MAC EVP_MAC_fetch(OPENSSL_CTX libctx, const char *algorithm,
	21	const char *properties);
	22	int EVP_MAC_up_ref(EVP_MAC *mac);
	23	void EVP_MAC_free(EVP_MAC *mac);
	24	const char EVP_MAC_name(const EVP_MAC mac);
7dd0f299	25	const OSSL_PROVIDER EVP_MAC_provider(const EVP_MAC mac);
e74bd290 RL	26	int EVP_MAC_get_params(EVP_MAC *mac, OSSL_PARAM params[]);
	27
	28	EVP_MAC_CTX EVP_MAC_CTX_new(EVP_MAC mac);
567db2c1	29	void EVP_MAC_CTX_free(EVP_MAC_CTX *ctx);
be5fc053	30	EVP_MAC_CTX EVP_MAC_CTX_dup(const EVP_MAC_CTX src);
e74bd290 RL	31	EVP_MAC EVP_MAC_CTX_mac(EVP_MAC_CTX ctx);
	32	int EVP_MAC_CTX_get_params(EVP_MAC_CTX *ctx, OSSL_PARAM params[]);
	33	int EVP_MAC_CTX_set_params(EVP_MAC_CTX *ctx, const OSSL_PARAM params[]);
	34
567db2c1 RL	35	size_t EVP_MAC_size(EVP_MAC_CTX *ctx);
	36	int EVP_MAC_init(EVP_MAC_CTX *ctx);
	37	int EVP_MAC_update(EVP_MAC_CTX ctx, const unsigned char data, size_t datalen);
e74bd290 RL	38	int EVP_MAC_final(EVP_MAC_CTX *ctx,
	39	unsigned char out, size_t outl, size_t outsize);
	40
	41	const OSSL_PARAM EVP_MAC_gettable_params(const EVP_MAC mac);
	42	const OSSL_PARAM EVP_MAC_CTX_gettable_params(const EVP_MAC mac);
	43	const OSSL_PARAM EVP_MAC_CTX_settable_params(const EVP_MAC mac);
567db2c1	44
d1cafb08 RL	45	void EVP_MAC_do_all_ex(OPENSSL_CTX *libctx,
	46	void (fn)(EVP_MAC mac, void *arg),
	47	void *arg);
	48
567db2c1 RL	49	=head1 DESCRIPTION
	50
	51	These types and functions help the application to calculate MACs of
	52	different types and with different underlying algorithms if there are
	53	any.
	54
	55	MACs are a bit complex insofar that some of them use other algorithms
	56	for actual computation. HMAC uses a digest, and CMAC uses a cipher.
	57	Therefore, there are sometimes two contexts to keep track of, one for
	58	the MAC algorithm itself and one for the underlying computation
	59	algorithm if there is one.
	60
	61	To make things less ambiguous, this manual talks about a "context" or
	62	"MAC context", which is to denote the MAC level context, and about a
	63	"underlying context", or "computation context", which is to denote the
	64	context for the underlying computation algorithm if there is one.
	65
	66	=head2 Types
	67
	68	B<EVP_MAC> is a type that holds the implementation of a MAC.
	69
	70	B<EVP_MAC_CTX> is a context type that holds internal MAC information
	71	as well as a reference to a computation context, for those MACs that
	72	rely on an underlying computation algorithm.
	73
e74bd290 RL	74	=head2 Algorithm implementation fetching
	75
	76	EVP_MAC_fetch() fetches an implementation of a MAC I<algorithm>, given
	77	a library context I<libctx> and a set of I<properties>.
	78	See L<provider(7)/Fetching algorithms> for further information.
	79
	80	The returned value must eventually be freed with
	81	L<EVP_MAC_free(3)>.
	82
	83	EVP_MAC_up_ref() increments the reference count of an already fetched
	84	MAC.
	85
	86	EVP_MAC_free() frees a fetched algorithm.
	87	NULL is a valid parameter, for which this function is a no-op.
	88
567db2c1 RL	89	=head2 Context manipulation functions
567db2c1 RL	90
e74bd290	91	EVP_MAC_CTX_new() creates a new context for the MAC type I<mac>.
567db2c1 RL	92	The created context can then be used with most other functions
	93	described here.
	94
	95	EVP_MAC_CTX_free() frees the contents of the context, including an
	96	underlying context if there is one, as well as the context itself.
e74bd290	97	NULL is a valid parameter, for which this function is a no-op.
567db2c1	98
e74bd290	99	EVP_MAC_CTX_dup() duplicates the I<src> context and returns a newly allocated
be5fc053	100	context.
567db2c1 RL	101
567db2c1 RL	102	EVP_MAC_CTX_mac() returns the B<EVP_MAC> associated with the context
e74bd290	103	I<ctx>.
567db2c1 RL	104
	105	=head2 Computing functions
	106
	107	EVP_MAC_init() sets up the underlying context with information given
	108	through diverse controls.
	109	This should be called before calling EVP_MAC_update() and
	110	EVP_MAC_final().
	111
e74bd290	112	EVP_MAC_update() adds I<datalen> bytes from I<data> to the MAC input.
567db2c1 RL	113
567db2c1 RL	114	EVP_MAC_final() does the final computation and stores the result in
e74bd290 RL	115	the memory pointed at by I<out> of size I<outsize>, and sets the number
	116	of bytes written in I<*outl> at.
	117	If I<out> is B<NULL> or I<outsize> is too small, then no computation
	118	is made.
567db2c1	119	To figure out what the output length will be and allocate space for it
e74bd290	120	dynamically, simply call with I<out> being B<NULL> and I<outl>
567db2c1	121	pointing at a valid location, then allocate space and make a second
e74bd290 RL	122	call with I<out> pointing at the allocated space.
	123
	124	EVP_MAC_get_params() retrieves details about the implementation
	125	I<mac>.
	126	The set of parameters given with I<params> determine exactly what
	127	parameters should be retrieved.
	128	Note that a parameter that is unknown in the underlying context is
	129	simply ignored.
	130
	131	EVP_MAC_CTX_get_params() retrieves chosen parameters, given the
	132	context I<ctx> and its underlying context.
	133	The set of parameters given with I<params> determine exactly what
	134	parameters should be retrieved.
	135	Note that a parameter that is unknown in the underlying context is
	136	simply ignored.
	137
	138	EVP_MAC_CTX_set_params() passes chosen parameters to the underlying
	139	context, given a context I<ctx>.
	140	The set of parameters given with I<params> determine exactly what
	141	parameters are passed down.
	142	Note that a parameter that is unknown in the underlying context is
	143	simply ignored.
	144	Also, what happens when a needed parameter isn't passed down is
	145	defined by the implementation.
	146
	147	EVP_MAC_gettable_params(), EVP_MAC_CTX_gettable_params() and
	148	EVP_MAC_CTX_settable_params() get a constant B<OSSL_PARAM> array that
	149	decribes the retrievable and settable parameters, i.e. parameters that
	150	can be used with EVP_MAC_CTX_get_params(), EVP_MAC_CTX_get_params()
	151	and EVP_MAC_CTX_set_params(), respectively.
	152	See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.
567db2c1 RL	153
	154	=head2 Information functions
	155
	156	EVP_MAC_size() returns the MAC output size for the given context.
	157
567db2c1 RL	158	EVP_MAC_name() returns the name of the given MAC implementation.
567db2c1 RL	159
7dd0f299 RL	160	EVP_MAC_provider() returns the provider that holds the implementation
	161	of the given I<mac>.
	162
d1cafb08 RL	163	EVP_MAC_do_all_ex() traverses all MAC implemented by all activated
	164	providers in the given library context I<libctx>, and for each of the
	165	implementations, calls the given function I<fn> with the implementation method
	166	and the given I<arg> as argument.
	167
e74bd290	168	=head1 PARAMETER NAMES
567db2c1	169
e74bd290	170	The standard parameter names are:
567db2c1 RL	171
	172	=over 4
	173
e74bd290	174	=item OSSL_MAC_PARAM_KEY ("key") <octet string>
567db2c1	175
e74bd290	176	Its value is the MAC key as an array of bytes.
567db2c1 RL	177
567db2c1 RL	178	For MACs that use an underlying computation algorithm, the algorithm
e74bd290	179	must be set first, see parameter names "algorithm" below.
afc580b9	180
e74bd290	181	=item OSSL_MAC_PARAM_IV ("iv") <octet string>
afc580b9	182
e74bd290	183	Some MAC implementations require an IV, this parameter sets the IV.
6e624a64	184
e74bd290	185	=item OSSL_MAC_PARAM_CUSTOM ("custom") <octet string>
6e624a64	186
13b3cd7b	187	Some MAC implementations (KMAC, BLAKE2) accept a Customization String,
e74bd290 RL	188	this parameter sets the Customization String. The default value is the
e74bd290 RL	189	empty string.
6e624a64	190
e74bd290	191	=item OSSL_MAC_PARAM_SALT ("salt") <octet string>
13b3cd7b AS	192
	193	This option is used by BLAKE2 MAC.
	194
e74bd290	195	=item OSSL_MAC_PARAM_XOF ("xof") <int>
6e624a64	196
e74bd290	197	It's a simple flag, the value 0 or 1 are expected.
6e624a64 SL	198
	199	This option is used by KMAC.
	200
e74bd290	201	=item OSSL_MAC_PARAM_FLAGS ("flags") <int>
567db2c1 RL	202
	203	These will set the MAC flags to the given numbers.
	204	Some MACs do not support this option.
	205
e74bd290 RL	206	=item OSSL_MAC_PARAM_ENGINE ("engine") <utf8string>
	207
	208	=item OSSL_MAC_PARAM_MD ("md") <utf8string>
567db2c1	209
e74bd290	210	=item OSSL_MAC_PARAM_DIGEST ("digest") <utf8string>
567db2c1	211
e74bd290 RL	212	=item OSSL_MAC_PARAM_CIPHER ("cipher") <utf8string>
	213
	214	=item OSSL_MAC_PARAM_ALGORITHM ("algorithm") <utf8string>
567db2c1 RL	215
567db2c1 RL	216	For MAC implementations that use an underlying computation algorithm,
e74bd290	217	these parameters set what the algorithm should be, and the engine that
567db2c1 RL	218	implements the algorithm if needed.
567db2c1 RL	219
e74bd290	220	The value is always the name of the intended engine or algorithm.
567db2c1	221
e74bd290 RL	222	Note that not all algorithms may support all digests.
	223	HMAC does not support variable output length digests such as SHAKE128
	224	or SHAKE256.
567db2c1	225
e74bd290 RL	226	Also note that OSSL_MAC_PARAM_ALGORITHM can be use generically instead
	227	of OSSL_MAC_PARAM_MD, OSSL_MAC_PARAM_DIGEST or OSSL_MAC_PARAM_CIPHER,
	228	and that OSSL_MAC_PARAM_MD and OSSL_MAC_PARAM_DIGEST are also interchangable.
567db2c1	229
e74bd290	230	=item OSSL_MAC_PARAM_SIZE <unsigned int>
567db2c1 RL	231
	232	For MAC implementations that support it, set the output size that
	233	EVP_MAC_final() should produce.
	234	The allowed sizes vary between MAC implementations.
	235
	236	=back
	237
e74bd290	238	All these parameters should be used before the calls to any of
567db2c1 RL	239	EVP_MAC_init(), EVP_MAC_update() and EVP_MAC_final() for a full
	240	computation.
	241	Anything else may give undefined results.
	242
e74bd290	243	=head1 RETURN VALUES
567db2c1	244
e74bd290 RL	245	EVP_MAC_fetch() returns a pointer to a newly fetched EVP_MAC, or
e74bd290 RL	246	NULL if allocation failed.
567db2c1	247
e74bd290 RL	248	EVP_MAC_up_ref() returns 1 on success, 0 on error.
	249
	250	EVP_MAC_free() returns nothing at all.
	251
	252	EVP_MAC_name() returns the name of the MAC, or NULL if NULL was
	253	passed.
567db2c1	254
7dd0f299 RL	255	EVP_MAC_provider() returns a pointer to the provider for the MAC, or
	256	NULL on error.
	257
e74bd290 RL	258	EVP_MAC_CTX_new() and EVP_MAC_CTX_dup() return a pointer to a newly
e74bd290 RL	259	created EVP_MAC_CTX, or NULL if allocation failed.
567db2c1 RL	260
	261	EVP_MAC_CTX_free() returns nothing at all.
	262
e74bd290 RL	263	EVP_MAC_CTX_get_params() and EVP_MAC_CTX_set_params() return 1 on
e74bd290 RL	264	success, 0 on error.
567db2c1	265
e74bd290 RL	266	EVP_MAC_init(), EVP_MAC_update(), and EVP_MAC_final() return 1 on success, 0
e74bd290 RL	267	on error.
567db2c1 RL	268
	269	EVP_MAC_size() returns the expected output size, or 0 if it isn't
	270	set.
	271	If it isn't set, a call to EVP_MAC_init() should get it set.
	272
d1cafb08	273	EVP_MAC_do_all_ex() returns nothing at all.
567db2c1 RL	274
	275	=head1 EXAMPLE
	276
	277	#include <stdlib.h>
	278	#include <stdio.h>
	279	#include <string.h>
	280	#include <stdarg.h>
	281	#include <unistd.h>
	282
	283	#include <openssl/evp.h>
	284	#include <openssl/err.h>
e74bd290	285	#include <openssl/params.h>
567db2c1 RL	286
567db2c1 RL	287	int main() {
e74bd290 RL	288	EVP_MAC *mac = EVP_MAC_fetch(NULL, getenv("MY_MAC"), NULL);
	289	const char *cipher = getenv("MY_MAC_CIPHER");
	290	const char *digest = getenv("MY_MAC_DIGEST");
567db2c1 RL	291	const char *key = getenv("MY_KEY");
	292	EVP_MAC_CTX *ctx = NULL;
	293
	294	unsigned char buf[4096];
	295	ssize_t read_l;
	296	size_t final_l;
	297
	298	size_t i;
	299
e74bd290 RL	300	OSSL_PARAM params[4];
	301	size_t params_n = 0;
	302
	303	if (cipher != NULL)
	304	params[params_n++] =
	305	OSSL_PARAM_construct_utf8_string("cipher", cipher,
	306	strlen(cipher) + 1, NULL);
	307	if (digest != NULL)
	308	params[params_n++] =
	309	OSSL_PARAM_construct_utf8_string("digest", digest,
	310	strlen(digest) + 1, NULL);
	311	params[params_n++] =
	312	OSSL_PARAM_construct_octet_string("key", key, strlen(key), NULL);
	313	params[params_n] = OSSL_PARAM_construct_end();
	314
567db2c1 RL	315	if (mac == NULL
	316	\|\| key == NULL
	317	\|\| (ctx = EVP_MAC_CTX_new(mac)) == NULL
e74bd290	318	\|\| EVP_MAC_CTX_set_params(ctx, params) <= 0)
567db2c1 RL	319	goto err;
	320
	321	if (!EVP_MAC_init(ctx))
	322	goto err;
	323
	324	while ( (read_l = read(STDIN_FILENO, buf, sizeof(buf))) < 0) {
	325	if (!EVP_MAC_update(ctx, buf, read_l))
	326	goto err;
	327	}
	328
	329	if (!EVP_MAC_final(ctx, buf, &final_l))
	330	goto err;
	331
	332	printf("Result: ");
	333	for (i = 0; i < final_l; i++)
	334	printf("%02X", buf[i]);
	335	printf("\n");
	336
	337	EVP_MAC_CTX_free(ctx);
e74bd290	338	EVP_MAC_free(mac);
567db2c1 RL	339	exit(0);
	340
	341	err:
	342	EVP_MAC_CTX_free(ctx);
e74bd290	343	EVP_MAC_free(mac);
567db2c1 RL	344	fprintf(stderr, "Something went wrong\n");
	345	ERR_print_errors_fp(stderr);
	346	exit (1);
	347	}
	348
	349	A run of this program, called with correct environment variables, can
	350	look like this:
	351
	352	$ MY_MAC=cmac MY_KEY=secret0123456789 MY_MAC_CIPHER=aes-128-cbc \
	353	LD_LIBRARY_PATH=. ./foo < foo.c
	354	Result: ECCAAFF041B22A2299EB90A1B53B6D45
	355
	356	(in this example, that program was stored in F<foo.c> and compiled to
	357	F<./foo>)
	358
	359	=head1 SEE ALSO
	360
e74bd290 RL	361	L<property(7)>
e74bd290 RL	362	L<OSSL_PARAM(3)>,
13b3cd7b	363	L<EVP_MAC_BLAKE2(7)>,
6723f867	364	L<EVP_MAC_CMAC(7)>,
afc580b9	365	L<EVP_MAC_GMAC(7)>,
c89d9cda	366	L<EVP_MAC_HMAC(7)>,
6e624a64	367	L<EVP_MAC_KMAC(7)>,
c1da4b2a PY	368	L<EVP_MAC_SIPHASH(7)>,
c1da4b2a PY	369	L<EVP_MAC_POLY1305(7)>
567db2c1	370
be5fc053 KR	371	=head1 HISTORY
be5fc053 KR	372
4674aaf4	373	These functions were added in OpenSSL 3.0.
be5fc053	374
567db2c1 RL	375	=head1 COPYRIGHT
567db2c1 RL	376
e74bd290	377	Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
567db2c1	378
4746f25a	379	Licensed under the Apache License 2.0 (the "License"). You may not use
567db2c1 RL	380	this file except in compliance with the License. You can obtain a copy
	381	in the file LICENSE in the source distribution or at
	382	L<https://www.openssl.org/source/license.html>.
	383
	384	=cut