Mention key and nonce lengths of AEAD ciphers.

Mention portability considerations regarding the EVP_AEAD API. Avoid confusing words like "older" and "native" API, be specific. Mention RFC 7905. Move publications we don't implement from STANDARDS to CAVEATS. Based on input from jsing@ and tb@, OK tb@.
author: schwarze <> 2023-08-23 13:46:42 +0000
committer: schwarze <> 2023-08-23 13:46:42 +0000
commit: 9d69391e5251ee35dc538692199d321a60667efe (patch)
tree: 51a4c75176f2af72188f1dd4458f1ca22aba1a88 /src/lib/libcrypto/man/EVP_chacha20.3
parent: 527bcb70fc87367cb2701726052dec1d8346d62d (diff)
download: openbsd-9d69391e5251ee35dc538692199d321a60667efe.tar.gz
openbsd-9d69391e5251ee35dc538692199d321a60667efe.tar.bz2
openbsd-9d69391e5251ee35dc538692199d321a60667efe.zip
1 files changed, 39 insertions, 9 deletions
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
index 8d9ea068f9..0dcd7a14c2 100644
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.4 2023/08/23 13:46:42 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2023 $
+.Dd $Mdocdate: August 23 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -114,6 +114,16 @@ objects created from
 .Pp
 .Fn EVP_chacha20_poly1305
 provides authenticated encryption with ChaCha20-Poly1305.
+Unless compatibility with other implementations
+like OpenSSL or BoringSSL is required, using
+.Xr EVP_AEAD_CTX_init 3
+with
+.Xr EVP_aead_chacha20_poly1305 3
+is recommended instead because the code then becomes transparent
+to the AEAD cipher used, more flexible, and less error prone.
+.Pp
+With
+.Fn EVP_chacha20_poly1305 ,
 .Xr EVP_EncryptInit_ex 3 ,
 .Xr EVP_DecryptInit_ex 3 ,
 and
@@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
 .Rs
 .%A A. Langley
 .%A W. Chang
+.%A N. Mavrogiannopoulos
+.%A J. Strombergson
+.%A S. Josefsson
+.%D June 2016
+.%R RFC 7905
+.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
+.Re
+.Sh HISTORY
+.Fn EVP_chacha20
+first appeared in
+.Ox 5.6 .
+.Pp
+.Fn EVP_chacha20_poly1305
+first appeared in OpenSSL 1.1.0
+.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
+and has been available since
+.Ox 7.2 .
+.Sh CAVEATS
+The original publications and code by
+.An Adam Langley
+used a modified AEAD construction that is incompatible with the common
+style used by AEAD in TLS and incompatible with RFC 7905:
+.Pp
+.Rs
+.%A A. Langley
+.%A W. Chang
 .%D November 2013
 .%R draft-agl-tls-chacha20poly1305-04
 .%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@@ -249,11 +285,5 @@ returns 1 for success or 0 for failure.
 .%R RFC 7539
 .%T ChaCha20 and Poly1305 for IETF Protocols
 .Re
-.Sh HISTORY
-.Fn EVP_chacha20
-first appeared in
-.Ox 5.6 .
 .Pp
-.Fn EVP_chacha20_poly1305
+In particular, the original version used a nonce of 8 instead of 12 bytes.
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .
author	schwarze <>	2023-08-23 13:46:42 +0000
committer	schwarze <>	2023-08-23 13:46:42 +0000
commit	9d69391e5251ee35dc538692199d321a60667efe (patch)
tree	51a4c75176f2af72188f1dd4458f1ca22aba1a88 /src/lib/libcrypto/man/EVP_chacha20.3
parent	527bcb70fc87367cb2701726052dec1d8346d62d (diff)
download	openbsd-9d69391e5251ee35dc538692199d321a60667efe.tar.gz openbsd-9d69391e5251ee35dc538692199d321a60667efe.tar.bz2 openbsd-9d69391e5251ee35dc538692199d321a60667efe.zip

diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3 index 8d9ea068f9..0dcd7a14c2 100644 --- a/src/lib/libcrypto/man/EVP_chacha20.3 +++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $	1	.\" $OpenBSD: EVP_chacha20.3,v 1.4 2023/08/23 13:46:42 schwarze Exp $
2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200	2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -65,7 +65,7 @@
65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
67	.\"	67	.\"
68	.Dd $Mdocdate: August 21 2023 $	68	.Dd $Mdocdate: August 23 2023 $
69	.Dt EVP_CHACHA20 3	69	.Dt EVP_CHACHA20 3
70	.Os	70	.Os
71	.Sh NAME	71	.Sh NAME
@@ -114,6 +114,16 @@ objects created from
114	.Pp	114	.Pp
115	.Fn EVP_chacha20_poly1305	115	.Fn EVP_chacha20_poly1305
116	provides authenticated encryption with ChaCha20-Poly1305.	116	provides authenticated encryption with ChaCha20-Poly1305.
		117	Unless compatibility with other implementations
		118	like OpenSSL or BoringSSL is required, using
		119	.Xr EVP_AEAD_CTX_init 3
		120	with
		121	.Xr EVP_aead_chacha20_poly1305 3
		122	is recommended instead because the code then becomes transparent
		123	to the AEAD cipher used, more flexible, and less error prone.
		124	.Pp
		125	With
		126	.Fn EVP_chacha20_poly1305 ,
117	.Xr EVP_EncryptInit_ex 3 ,	127	.Xr EVP_EncryptInit_ex 3 ,
118	.Xr EVP_DecryptInit_ex 3 ,	128	.Xr EVP_DecryptInit_ex 3 ,
119	and	129	and
@@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
237	.Rs	247	.Rs
238	.%A A. Langley	248	.%A A. Langley
239	.%A W. Chang	249	.%A W. Chang
		250	.%A N. Mavrogiannopoulos
		251	.%A J. Strombergson
		252	.%A S. Josefsson
		253	.%D June 2016
		254	.%R RFC 7905
		255	.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
		256	.Re
		257	.Sh HISTORY
		258	.Fn EVP_chacha20
		259	first appeared in
		260	.Ox 5.6 .
		261	.Pp
		262	.Fn EVP_chacha20_poly1305
		263	first appeared in OpenSSL 1.1.0
		264	.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
		265	and has been available since
		266	.Ox 7.2 .
		267	.Sh CAVEATS
		268	The original publications and code by
		269	.An Adam Langley
		270	used a modified AEAD construction that is incompatible with the common
		271	style used by AEAD in TLS and incompatible with RFC 7905:
		272	.Pp
		273	.Rs
		274	.%A A. Langley
		275	.%A W. Chang
240	.%D November 2013	276	.%D November 2013
241	.%R draft-agl-tls-chacha20poly1305-04	277	.%R draft-agl-tls-chacha20poly1305-04
242	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS	278	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@@ -249,11 +285,5 @@ returns 1 for success or 0 for failure.
249	.%R RFC 7539	285	.%R RFC 7539
250	.%T ChaCha20 and Poly1305 for IETF Protocols	286	.%T ChaCha20 and Poly1305 for IETF Protocols
251	.Re	287	.Re
252	.Sh HISTORY
253	.Fn EVP_chacha20
254	first appeared in
255	.Ox 5.6 .
256	.Pp	288	.Pp
257	.Fn EVP_chacha20_poly1305	289	In particular, the original version used a nonce of 8 instead of 12 bytes.
258	first appeared in OpenSSL 1.1.0 and has been available since
259	.Ox 7.2 .