Prefer the constants EVP_CTRL_AEAD_* over EVP_CTRL_CCM_* and EVP_CTRL_GCM_*

because that's what OpenSSL 1.1 suggests. Even though that "unification" doesn't really simplify anything but is more akin to repainting the bikeshed, at least it doesn't cause any additional harm, so keeping recommendations consistent may reduce the risk of code breaking in the future. Provide an example of decryption with AES-CCM in addition to the example of encryption already in place, because there are a number of subtle and non-obvious differences that users have to pay attention to. Both ideas originally suggested by tb@.
author: schwarze <> 2024-12-29 12:27:28 +0000
committer: schwarze <> 2024-12-29 12:27:28 +0000
commit: 1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f (patch)
tree: ea808f1ae9b32c375d8dd9a547db249833960ab5
parent: 2a801fad92517eff7ef232be41af1b086dbb5a50 (diff)
download: openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.tar.gz
openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.tar.bz2
openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.zip
2 files changed, 110 insertions, 12 deletions
diff --git a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
index c1faf9e325..e9023a5b67 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_ccm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.4 2024/12/23 22:06:00 jsg Exp $
+.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.5 2024/12/29 12:27:28 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 23 2024 $
+.Dd $Mdocdate: December 29 2024 $
 .Dt EVP_AES_128_CCM 3
 .Os
 .Sh NAME
@@ -105,6 +105,11 @@ For CCM mode ciphers, the behaviour of the EVP interface is subtly
 altered and several additional
 .Xr EVP_CIPHER_CTX_ctrl 3
 operations are required to function correctly.
+Some of the
+.Dv EVP_CTRL_CCM_*
+control commands are older aliases for corresponding
+.Dv EVP_CTRL_AEAD_*
+constants as indicated below.
 .Pp
 The less cumbersome and less error-prone
 .Xr EVP_AEAD_CTX_new 3
@@ -145,7 +150,7 @@ for the length field reduces des maximum size of messages that can be sent,
 but in return allows transmitting more messages with the same key.
 It is an error to pass less than 2 or more than the default value of 8 for
 .Fa arg .
-.It Dv EVP_CTRL_CCM_SET_IVLEN
+.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_CCM_SET_IVLEN
 Set the size of the nonce to
 .Fa arg
 bytes and the size
@@ -170,7 +175,7 @@ argument, with the other two arguments pointing to the desired AES key
 and to the desired nonce.
 .Ss Encryption controls
 .Bl -tag -width Ds
-.It Dv EVP_CTRL_CCM_SET_TAG
+.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
 If the
 .Fa ptr
 argument is
@@ -195,7 +200,7 @@ when
 is not configured for encrypting.
 Issuing this control command when an encryption key is already configured
 silently causes data corruption.
-.It Dv EVP_CTRL_CCM_GET_TAG
+.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_CCM_GET_TAG
 Store the
 .Fa arg
 bytes of the tag in the memory provided by the caller starting at
@@ -248,7 +253,7 @@ argument set to
 .Dv NULL .
 .Ss Decryption controls
 .Bl -tag -width Ds
-.It Dv EVP_CTRL_CCM_SET_TAG
+.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
 If the
 .Fa ptr
 argument is not
@@ -456,6 +461,94 @@ putchar('\en');
 EVP_CIPHER_CTX_free(ctx);
 .Ed
+.Pp
+The reverse operation for the same test vector,
+i.e. decrypting and comparing the digest,
+is implemented by the following code.
+.Pp
+The variable declarations and definitions up to the call of
+.Xr EVP_CIPHER_CTX_new 3
+are the same as above.
+The chief differences are:
+.Bl -dash -width 1n -compact
+.It
+The tag is not part of the output,
+so the total output length is shorter.
+.It
+No
+.Xr memcmp 3
+of the tag takes place.
+Instead, the control command
+.Dv EVP_CTRL_CCM_SET_TAG
+requires the tag that is going to be verified as an additional argument.
+.It
+While
+.Xr EVP_EncryptFinal 3
+is an optional no-op,
+.Xr EVP_DecryptFinal 3
+is not called and would fail.
+.El
+.Bd -literal -offset indent
+const int out_len = aad_len + text_len;
+/* configuration */
+ctx = EVP_CIPHER_CTX_new();
+if (ctx == NULL)
+        err(1, "EVP_CIPHER_CTX_new");
+if (EVP_DecryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL) != 1)
+        err(1, "EVP_DecryptInit(NULL)");
+if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, size_len, NULL) <= 0)
+        err(1, "EVP_CTRL_CCM_SET_L(%d)", size_len);
+if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
+    tag_len, (void *)wanted_tag) <= 0)
+        err(1, "EVP_CTRL_CCM_SET_TAG(%d)", tag_len);
+/* process input data */
+if (EVP_DecryptInit(ctx, NULL, key, nonce) != 1)
+        err(1, "EVP_DecryptInit(key, nonce)");
+if (EVP_DecryptUpdate(ctx, NULL, &irv, NULL, text_len) != 1)
+        err(1, "EVP_DecryptUpdate(len = %d)", text_len);
+if (irv != text_len)
+        errx(1, "text length: want %d, got %d", text_len, irv);
+irv = -1;
+if (EVP_DecryptUpdate(ctx, NULL, &irv, aad, aad_len) != 1)
+        err(1, "EVP_DecryptUpdate(AAD)");
+memcpy(out_p, aad, aad_len);
+out_p += aad_len;
+irv = -1;
+if (EVP_DecryptUpdate(ctx, out_p, &irv, ciphertext, text_len) != 1)
+        err(1, "EVP_DecryptUpdate(ciphertext)");
+if (irv != text_len)
+        errx(1, "text_len: want %d, got %d", text_len, irv);
+out_p += irv;
+/* Do not call EVP_DecryptFinal(3); it would fail and do nothing. */
+/* check output data */
+if (memcmp(out_buf + aad_len, plaintext, text_len) != 0)
+        errx(1, "plaintext mismatch");
+if (out_p != out_end)
+        errx(1, "end of output: want %p, got %p", out_end, out_p);
+printf("Total packet length = %d.", out_len);
+printf(" [Decrypted and Authenticated Input]");
+for (i = 0; i < out_len; i++) {
+        if (i % 16 == 0)
+                printf("\n         ");
+        if (i % 4 == 0)
+                putchar(' ');
+        printf(" %02X", out_buf[i]);
+}
+putchar('\n');
+EVP_CIPHER_CTX_free(ctx);
+.Ed
 .Sh SEE ALSO
 .Xr AES_encrypt 3 ,
 .Xr evp 3 ,
diff --git a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
index 1e15cb79aa..53c41ea162 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_gcm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.1 2024/12/17 18:11:44 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.2 2024/12/29 12:27:28 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 17 2024 $
+.Dd $Mdocdate: December 29 2024 $
 .Dt EVP_AES_128_GCM 3
 .Os
 .Sh NAME
@@ -97,6 +97,11 @@ For GCM mode ciphers, the behaviour of the EVP interface is subtly
 altered and several additional
 .Xr EVP_CIPHER_CTX_ctrl 3
 operations are required to function correctly.
+Some of the
+.Dv EVP_CTRL_GCM_*
+control commands are older aliases for corresponding
+.Dv EVP_CTRL_AEAD_*
+constants as indicated below.
 .Pp
 To avoid using the cumbersome and error-prone API documented
 in the present manual page, consider using the functions documented in
@@ -109,7 +114,7 @@ instead.
 .\" EVP_GCM_TLS_EXPLICIT_IV_LEN and EVP_GCM_TLS_TAG_LEN (used internally
 .\" only in aes_gcm_tls_cipher(), which is unused)
 .Bl -tag -width Ds
-.It Dv EVP_CTRL_GCM_SET_IVLEN
+.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_GCM_SET_IVLEN
 Set the length of the initialization vector to
 .Fa arg
 bytes; the
@@ -124,7 +129,7 @@ Using this control command is discouraged because section 5.2.1.1 of the
 specification explicitly recommends that implementations of GCM restrict
 support to the default IV length of 12 bytes for interoperability,
 efficiency, and simplicity of design.
-.It Dv EVP_CTRL_GCM_SET_IV_FIXED
+.It Dv EVP_CTRL_AEAD_SET_IV_FIXED Pq == Dv EVP_CTRL_GCM_SET_IV_FIXED
 Usually, \-1 is passed for
 .Fa arg .
 In that case, the complete initialization vector is copied from
@@ -158,7 +163,7 @@ that may have been configured earlier and always operates on the
 last eight bytes of the initialization vector.
 It is an error to issue this command
 when no key or no initialization vector is set.
-.It Dv EVP_CTRL_GCM_GET_TAG
+.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_GCM_GET_TAG
 Write
 .Fa arg
 bytes of the tag value to the location pointed to by
@@ -194,7 +199,7 @@ When default lengths are in use, pass 8 for
 In that case, this control command sets the invocation field.
 It is an error to issue this command
 when no key or no initialization vector is set, or when encrypting.
-.It Dv EVP_CTRL_GCM_SET_TAG
+.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_GCM_SET_TAG
 Set the expected tag to the
 .Fa arg
 bytes located at
author	schwarze <>	2024-12-29 12:27:28 +0000
committer	schwarze <>	2024-12-29 12:27:28 +0000
commit	1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f (patch)
tree	ea808f1ae9b32c375d8dd9a547db249833960ab5
parent	2a801fad92517eff7ef232be41af1b086dbb5a50 (diff)
download	openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.tar.gz openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.tar.bz2 openbsd-1890d262ab9bcbf87c2f69f6e2156d61ad9fbf2f.zip

diff --git a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 b/src/lib/libcrypto/man/EVP_aes_128_ccm.3 index c1faf9e325..e9023a5b67 100644 --- a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 +++ b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.4 2024/12/23 22:06:00 jsg Exp $	1	.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.5 2024/12/29 12:27:28 schwarze Exp $
2	.\" full merge up to:	2	.\" full merge up to:
3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100	3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
4	.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100	4	.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
69	.\"	69	.\"
70	.Dd $Mdocdate: December 23 2024 $	70	.Dd $Mdocdate: December 29 2024 $
71	.Dt EVP_AES_128_CCM 3	71	.Dt EVP_AES_128_CCM 3
72	.Os	72	.Os
73	.Sh NAME	73	.Sh NAME
@@ -105,6 +105,11 @@ For CCM mode ciphers, the behaviour of the EVP interface is subtly
105	altered and several additional	105	altered and several additional
106	.Xr EVP_CIPHER_CTX_ctrl 3	106	.Xr EVP_CIPHER_CTX_ctrl 3
107	operations are required to function correctly.	107	operations are required to function correctly.
		108	Some of the
		109	.Dv EVP_CTRL_CCM_*
		110	control commands are older aliases for corresponding
		111	.Dv EVP_CTRL_AEAD_*
		112	constants as indicated below.
108	.Pp	113	.Pp
109	The less cumbersome and less error-prone	114	The less cumbersome and less error-prone
110	.Xr EVP_AEAD_CTX_new 3	115	.Xr EVP_AEAD_CTX_new 3
@@ -145,7 +150,7 @@ for the length field reduces des maximum size of messages that can be sent,
145	but in return allows transmitting more messages with the same key.	150	but in return allows transmitting more messages with the same key.
146	It is an error to pass less than 2 or more than the default value of 8 for	151	It is an error to pass less than 2 or more than the default value of 8 for
147	.Fa arg .	152	.Fa arg .
148	.It Dv EVP_CTRL_CCM_SET_IVLEN	153	.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_CCM_SET_IVLEN
149	Set the size of the nonce to	154	Set the size of the nonce to
150	.Fa arg	155	.Fa arg
151	bytes and the size	156	bytes and the size
@@ -170,7 +175,7 @@ argument, with the other two arguments pointing to the desired AES key
170	and to the desired nonce.	175	and to the desired nonce.
171	.Ss Encryption controls	176	.Ss Encryption controls
172	.Bl -tag -width Ds	177	.Bl -tag -width Ds
173	.It Dv EVP_CTRL_CCM_SET_TAG	178	.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
174	If the	179	If the
175	.Fa ptr	180	.Fa ptr
176	argument is	181	argument is
@@ -195,7 +200,7 @@ when
195	is not configured for encrypting.	200	is not configured for encrypting.
196	Issuing this control command when an encryption key is already configured	201	Issuing this control command when an encryption key is already configured
197	silently causes data corruption.	202	silently causes data corruption.
198	.It Dv EVP_CTRL_CCM_GET_TAG	203	.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_CCM_GET_TAG
199	Store the	204	Store the
200	.Fa arg	205	.Fa arg
201	bytes of the tag in the memory provided by the caller starting at	206	bytes of the tag in the memory provided by the caller starting at
@@ -248,7 +253,7 @@ argument set to
248	.Dv NULL .	253	.Dv NULL .
249	.Ss Decryption controls	254	.Ss Decryption controls
250	.Bl -tag -width Ds	255	.Bl -tag -width Ds
251	.It Dv EVP_CTRL_CCM_SET_TAG	256	.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
252	If the	257	If the
253	.Fa ptr	258	.Fa ptr
254	argument is not	259	argument is not
@@ -456,6 +461,94 @@ putchar('\en');
456		461
457	EVP_CIPHER_CTX_free(ctx);	462	EVP_CIPHER_CTX_free(ctx);
458	.Ed	463	.Ed
		464	.Pp
		465	The reverse operation for the same test vector,
		466	i.e. decrypting and comparing the digest,
		467	is implemented by the following code.
		468	.Pp
		469	The variable declarations and definitions up to the call of
		470	.Xr EVP_CIPHER_CTX_new 3
		471	are the same as above.
		472	The chief differences are:
		473	.Bl -dash -width 1n -compact
		474	.It
		475	The tag is not part of the output,
		476	so the total output length is shorter.
		477	.It
		478	No
		479	.Xr memcmp 3
		480	of the tag takes place.
		481	Instead, the control command
		482	.Dv EVP_CTRL_CCM_SET_TAG
		483	requires the tag that is going to be verified as an additional argument.
		484	.It
		485	While
		486	.Xr EVP_EncryptFinal 3
		487	is an optional no-op,
		488	.Xr EVP_DecryptFinal 3
		489	is not called and would fail.
		490	.El
		491	.Bd -literal -offset indent
		492	const int out_len = aad_len + text_len;
		493
		494	/* configuration */
		495	ctx = EVP_CIPHER_CTX_new();
		496	if (ctx == NULL)
		497	err(1, "EVP_CIPHER_CTX_new");
		498
		499	if (EVP_DecryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL) != 1)
		500	err(1, "EVP_DecryptInit(NULL)");
		501
		502	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, size_len, NULL) <= 0)
		503	err(1, "EVP_CTRL_CCM_SET_L(%d)", size_len);
		504
		505	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
		506	tag_len, (void *)wanted_tag) <= 0)
		507	err(1, "EVP_CTRL_CCM_SET_TAG(%d)", tag_len);
		508
		509	/* process input data */
		510	if (EVP_DecryptInit(ctx, NULL, key, nonce) != 1)
		511	err(1, "EVP_DecryptInit(key, nonce)");
		512
		513	if (EVP_DecryptUpdate(ctx, NULL, &irv, NULL, text_len) != 1)
		514	err(1, "EVP_DecryptUpdate(len = %d)", text_len);
		515	if (irv != text_len)
		516	errx(1, "text length: want %d, got %d", text_len, irv);
		517
		518	irv = -1;
		519	if (EVP_DecryptUpdate(ctx, NULL, &irv, aad, aad_len) != 1)
		520	err(1, "EVP_DecryptUpdate(AAD)");
		521	memcpy(out_p, aad, aad_len);
		522	out_p += aad_len;
		523
		524	irv = -1;
		525	if (EVP_DecryptUpdate(ctx, out_p, &irv, ciphertext, text_len) != 1)
		526	err(1, "EVP_DecryptUpdate(ciphertext)");
		527	if (irv != text_len)
		528	errx(1, "text_len: want %d, got %d", text_len, irv);
		529	out_p += irv;
		530
		531	/* Do not call EVP_DecryptFinal(3); it would fail and do nothing. */
		532
		533	/* check output data */
		534	if (memcmp(out_buf + aad_len, plaintext, text_len) != 0)
		535	errx(1, "plaintext mismatch");
		536	if (out_p != out_end)
		537	errx(1, "end of output: want %p, got %p", out_end, out_p);
		538
		539	printf("Total packet length = %d.", out_len);
		540	printf(" [Decrypted and Authenticated Input]");
		541	for (i = 0; i < out_len; i++) {
		542	if (i % 16 == 0)
		543	printf("\n ");
		544	if (i % 4 == 0)
		545	putchar(' ');
		546	printf(" %02X", out_buf[i]);
		547	}
		548	putchar('\n');
		549
		550	EVP_CIPHER_CTX_free(ctx);
		551	.Ed
459	.Sh SEE ALSO	552	.Sh SEE ALSO
460	.Xr AES_encrypt 3 ,	553	.Xr AES_encrypt 3 ,
461	.Xr evp 3 ,	554	.Xr evp 3 ,


diff --git a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 b/src/lib/libcrypto/man/EVP_aes_128_gcm.3 index 1e15cb79aa..53c41ea162 100644 --- a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 +++ b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.1 2024/12/17 18:11:44 schwarze Exp $	1	.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.2 2024/12/29 12:27:28 schwarze Exp $
2	.\" full merge up to:	2	.\" full merge up to:
3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100	3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
4	.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100	4	.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
69	.\"	69	.\"
70	.Dd $Mdocdate: December 17 2024 $	70	.Dd $Mdocdate: December 29 2024 $
71	.Dt EVP_AES_128_GCM 3	71	.Dt EVP_AES_128_GCM 3
72	.Os	72	.Os
73	.Sh NAME	73	.Sh NAME
@@ -97,6 +97,11 @@ For GCM mode ciphers, the behaviour of the EVP interface is subtly
97	altered and several additional	97	altered and several additional
98	.Xr EVP_CIPHER_CTX_ctrl 3	98	.Xr EVP_CIPHER_CTX_ctrl 3
99	operations are required to function correctly.	99	operations are required to function correctly.
		100	Some of the
		101	.Dv EVP_CTRL_GCM_*
		102	control commands are older aliases for corresponding
		103	.Dv EVP_CTRL_AEAD_*
		104	constants as indicated below.
100	.Pp	105	.Pp
101	To avoid using the cumbersome and error-prone API documented	106	To avoid using the cumbersome and error-prone API documented
102	in the present manual page, consider using the functions documented in	107	in the present manual page, consider using the functions documented in
@@ -109,7 +114,7 @@ instead.
109	.\" EVP_GCM_TLS_EXPLICIT_IV_LEN and EVP_GCM_TLS_TAG_LEN (used internally	114	.\" EVP_GCM_TLS_EXPLICIT_IV_LEN and EVP_GCM_TLS_TAG_LEN (used internally
110	.\" only in aes_gcm_tls_cipher(), which is unused)	115	.\" only in aes_gcm_tls_cipher(), which is unused)
111	.Bl -tag -width Ds	116	.Bl -tag -width Ds
112	.It Dv EVP_CTRL_GCM_SET_IVLEN	117	.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_GCM_SET_IVLEN
113	Set the length of the initialization vector to	118	Set the length of the initialization vector to
114	.Fa arg	119	.Fa arg
115	bytes; the	120	bytes; the
@@ -124,7 +129,7 @@ Using this control command is discouraged because section 5.2.1.1 of the
124	specification explicitly recommends that implementations of GCM restrict	129	specification explicitly recommends that implementations of GCM restrict
125	support to the default IV length of 12 bytes for interoperability,	130	support to the default IV length of 12 bytes for interoperability,
126	efficiency, and simplicity of design.	131	efficiency, and simplicity of design.
127	.It Dv EVP_CTRL_GCM_SET_IV_FIXED	132	.It Dv EVP_CTRL_AEAD_SET_IV_FIXED Pq == Dv EVP_CTRL_GCM_SET_IV_FIXED
128	Usually, \-1 is passed for	133	Usually, \-1 is passed for
129	.Fa arg .	134	.Fa arg .
130	In that case, the complete initialization vector is copied from	135	In that case, the complete initialization vector is copied from
@@ -158,7 +163,7 @@ that may have been configured earlier and always operates on the
158	last eight bytes of the initialization vector.	163	last eight bytes of the initialization vector.
159	It is an error to issue this command	164	It is an error to issue this command
160	when no key or no initialization vector is set.	165	when no key or no initialization vector is set.
161	.It Dv EVP_CTRL_GCM_GET_TAG	166	.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_GCM_GET_TAG
162	Write	167	Write
163	.Fa arg	168	.Fa arg
164	bytes of the tag value to the location pointed to by	169	bytes of the tag value to the location pointed to by
@@ -194,7 +199,7 @@ When default lengths are in use, pass 8 for
194	In that case, this control command sets the invocation field.	199	In that case, this control command sets the invocation field.
195	It is an error to issue this command	200	It is an error to issue this command
196	when no key or no initialization vector is set, or when encrypting.	201	when no key or no initialization vector is set, or when encrypting.
197	.It Dv EVP_CTRL_GCM_SET_TAG	202	.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_GCM_SET_TAG
198	Set the expected tag to the	203	Set the expected tag to the
199	.Fa arg	204	.Fa arg
200	bytes located at	205	bytes located at