Only compile AES CMAC PRF support if MBEDTLS_AES_C is defined and other cleanups

include/mbedtls/cmac.h

@@ -33,12 +33,12 @@ extern "C" {
 #endif
 
 /**
- * \brief          CCM context structure
+ * \brief          CMAC context structure
  */
 typedef struct {
     mbedtls_cipher_context_t cipher_ctx;    /*!< cipher context used */
-    unsigned char* K1;
-    unsigned char* K2;
+    unsigned char* K1; /*!< CMAC Subkey 1 */
+    unsigned char* K2; /*!< CMAC Subkey 2 */
 }
 mbedtls_cmac_context;
 
@@ -52,12 +52,12 @@ mbedtls_cmac_context;
 void mbedtls_cmac_init( mbedtls_cmac_context *ctx );
 
 /**
- * \brief           CMAC initialization
+ * \brief           Initialize the CMAC context
  *
  * \param ctx       CMAC context to be initialized
- * \param cipher    cipher to use (a 128-bit block cipher)
+ * \param cipher    cipher to use
  * \param key       encryption key
- * \param keybits   key size in bits (must be acceptable by the cipher)
+ * \param keybits   encryption key size in bits (must be acceptable by the cipher)
  *
  * \return          0 if successful, or a cipher specific error code
  */
@@ -68,20 +68,22 @@ int mbedtls_cmac_setkey( mbedtls_cmac_context *ctx,
 
 /**
  * \brief           Free a CMAC context and underlying cipher sub-context
+ *                  Securely wipes sub keys and other sensitive data.
  *
  * \param ctx       CMAC context to free
  */
 void mbedtls_cmac_free( mbedtls_cmac_context *ctx );
 
 /**
- * \brief           CMAC generate
+ * \brief           Generate a CMAC tag.
  *
  * \param ctx       CMAC context
  * \param input     buffer holding the input data
  * \param in_len    length of the input data in bytes
  * \param tag       buffer for holding the generated tag
  * \param tag_len   length of the tag to generate in bytes
- *                  must be between 4, 6, 8, 10, 14 or 16
+ *                  Must be 4, 6, 8 if cipher block size is 64
+ *                  Must be 4, 6, 8 0, 14 or 16 if cipher block size is 128
  *
  * \return          0 if successful
  */
@@ -90,47 +92,48 @@ int mbedtls_cmac_generate( mbedtls_cmac_context *ctx,
                            unsigned char *tag, size_t tag_len );
 
 /**
- * \brief           CMAC verify
+ * \brief           Verify a CMAC tag.
  *
  * \param ctx       CMAC context
  * \param input     buffer holding the input data
  * \param in_len    length of the input data in bytes
  * \param tag       buffer holding the tag to verify
  * \param tag_len   length of the tag to verify in bytes
- *                  must be 4, 6, 8, 10, 14 or 16
- *
- * \return          0 if successful and authenticated,
+ *                  Must be 4, 6, 8 if cipher block size is 64
+ *                  Must be 4, 6, 8 0, 14 or 16 if cipher block size is 128
+ * \return          0 if successful and authenticated
  *                  MBEDTLS_ERR_CMAC_VERIFY_FAILED if tag does not match
  */
 int mbedtls_cmac_verify( mbedtls_cmac_context *ctx,
                          const unsigned char *input, size_t in_len,
                          const unsigned char *tag, size_t tag_len );
 
+#ifdef MBEDTLS_AES_C
 /**
  * \brief           AES-CMAC-128-PRF
- *  See RFC
+ *                  See RFC 4615 for details
  *
  * \param key       PRF key
  * \param key_len   PRF key length
  * \param input     buffer holding the input data
  * \param in_len    length of the input data in bytes
  * \param tag       buffer holding the tag to verify (16 bytes)
- *                  TODO: update description of tag
  *
  * \return          0 if successful
  */
 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
                               const unsigned char *input, size_t in_len,
-                              unsigned char *tag );
+                              unsigned char tag[16] );
+#endif /* MBEDTLS_AES_C */
 
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
 /**
  * \brief          Checkup routine
  *
  * \return         0 if successful, or 1 if the test failed
  */
 int mbedtls_cmac_self_test( int verbose );
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
 
 #ifdef __cplusplus
 }

library/cmac.c

@@ -89,7 +89,7 @@ static int cmac_multiply_by_u( unsigned char *output,
     } else if( blocksize == 8 ) {
         R_n = R_64;
     } else {
-        return MBEDTLS_ERR_CMAC_BAD_INPUT;
+        return( MBEDTLS_ERR_CMAC_BAD_INPUT );
     }
 
 
@@ -113,7 +113,7 @@ static int cmac_multiply_by_u( unsigned char *output,
 #endif
 
     output[starting_index] ^= R_n & mask;
-    return 0;
+    return( 0 );
 }
 
 /*
@@ -149,7 +149,7 @@ static int cmac_generate_subkeys( mbedtls_cmac_context *ctx )
     exit:
         mbedtls_zeroize( L, sizeof( L ) );
 		free( L );
-        return ret;
+        return( ret );
 }
 
 /*
@@ -341,16 +341,17 @@ int mbedtls_cmac_verify( mbedtls_cmac_context *ctx,
 
     exit:
 	    free( check_tag );
-        return ret;
+        return( ret );
 }
 
+#ifdef MBEDTLS_AES_C
 /*
  * PRF based on CMAC with AES-128
  * See RFC 4615
  */
 int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
                               const unsigned char *input, size_t in_len,
-                              unsigned char *tag )
+                              unsigned char tag[16] )
 {
     int ret;
     mbedtls_cmac_context ctx;
@@ -393,9 +394,8 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
     exit:
 	     mbedtls_cmac_free( &ctx );
 	     return( ret );
-
-
 }
+#endif /* MBEDTLS_AES_C */
 
 #ifdef MBEDTLS_SELF_TEST
 /*