Close some major gaps in the documentation of EVP_Cipher(3),

and describe EVP_CIPHER_CTX_init(3) in a less misleading way. Joint work with and OK tb@.
author: schwarze <> 2023-12-26 19:09:08 +0000
committer: schwarze <> 2023-12-26 19:09:08 +0000
commit: 5819b47a5811023ede6a0f5e8dad4fcad600e467 (patch)
tree: 5da03066ee2b8cd9033f859ad8906283ea6af741 /src/lib
parent: d9fc8c2bb8070dda582528ac18d1b7c5dbdbc66e (diff)
download: openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.tar.gz
openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.tar.bz2
openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.zip
1 files changed, 65 insertions, 10 deletions
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
index 3bb40018f5..50df2e764d 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
@@ -1,11 +1,11 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.1 2023/12/01 10:40:21 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.2 2023/12/26 19:09:08 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2018, 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2023 $
+.Dd $Mdocdate: December 26 2023 $
 .Dt EVP_CIPHER_CTX_INIT 3
 .Os
 .Sh NAME
@@ -95,11 +95,18 @@
 .Fc
 .Sh DESCRIPTION
 .Fn EVP_CIPHER_CTX_init
-is a deprecated function to clear a cipher context on the stack
+is a deprecated function that could be used to clear a cipher context
-before use.
+on the stack before
-Do not use it on a cipher context returned from
+.Vt EVP_CIPHER_CTX
+was made opaque.
+Calling it on a cipher context just returned from
 .Xr EVP_CIPHER_CTX_new 3
-or one that was already used.
+has no effect.
+Calling it on a cipher context that was already used leaks memory.
+Instead, use
+.Xr EVP_CIPHER_CTX_reset 3
+or
+.Xr EVP_CIPHER_CTX_free 3 .
 .Pp
 .Fn EVP_CIPHER_CTX_cleanup
 is a deprecated alias for
@@ -111,7 +118,41 @@ and frees all allocated memory associated with it, except the
 object itself.
 .Pp
 .Fn EVP_Cipher
-encrypts or decrypts aligned blocks of data
+exposes implementation details of the functions
+.Xr EVP_CipherUpdate 3
+and
+.Xr EVP_CipherFinal 3
+that should never have become part of the public API.
+.Pp
+If the flag
+.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
+is set for the cipher used by
+.Fa ctx ,
+behaviour depends on
+.Fa in .
+If that argument is
+.Dv NULL
+and
+.Fa inl
+is 0, behaviour is similar to
+.Xr EVP_CipherFinal 3 ;
+if
+.Fa inl
+is not 0, behaviour is undefined.
+If
+.Fa in
+is not
+.Dv NULL ,
+behaviour is similar to
+.Xr EVP_CipherUpdate 3 .
+In both cases, the exceptions to the similarity are that arguments
+and return values differ.
+.Pp
+If the flag
+.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
+is not set for the cipher used by
+.Fa ctx ,
+it encrypts or decrypts aligned blocks of data
 whose lengths match the cipher block size.
 It requires that the previous encryption or decryption operation
 using the same
@@ -133,9 +174,17 @@ the overhead incurred by using
 is minimal.
 .Sh RETURN VALUES
 .Fn EVP_CIPHER_CTX_cleanup
-and
+returns 1 for success or 0 for failure.
+.Pp
+With
+.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
 .Fn EVP_Cipher
-return 1 for success or 0 for failure.
+returns the number of bytes written to
+.Fa out
+for success or \-1 for failure.
+Without
+.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
+it returns 1 for success or 0 for failure.
 .Sh SEE ALSO
 .Xr evp 3 ,
 .Xr EVP_EncryptInit 3
@@ -148,3 +197,9 @@ first appeared in SSLeay 0.8.0.
 first appeared in SSLeay 0.9.0.
 All these functions have been available since
 .Ox 2.4 .
+.Sh CAVEATS
+Checking the return value of
+.Fn EVP_Cipher
+requires unusual caution: zero signals success if
+.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
+is set or failure otherwise.
author	schwarze <>	2023-12-26 19:09:08 +0000
committer	schwarze <>	2023-12-26 19:09:08 +0000
commit	5819b47a5811023ede6a0f5e8dad4fcad600e467 (patch)
tree	5da03066ee2b8cd9033f859ad8906283ea6af741 /src/lib
parent	d9fc8c2bb8070dda582528ac18d1b7c5dbdbc66e (diff)
download	openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.tar.gz openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.tar.bz2 openbsd-5819b47a5811023ede6a0f5e8dad4fcad600e467.zip

diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 index 3bb40018f5..50df2e764d 100644 --- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 +++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
@@ -1,11 +1,11 @@
1	.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.1 2023/12/01 10:40:21 schwarze Exp $	1	.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.2 2023/12/26 19:09:08 schwarze Exp $
2	.\" full merge up to:	2	.\" full merge up to:
3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100	3	.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
4	.\"	4	.\"
5	.\" This file is a derived work.	5	.\" This file is a derived work.
6	.\" The changes are covered by the following Copyright and license:	6	.\" The changes are covered by the following Copyright and license:
7	.\"	7	.\"
8	.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>	8	.\" Copyright (c) 2018, 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
9	.\"	9	.\"
10	.\" Permission to use, copy, modify, and distribute this software for any	10	.\" Permission to use, copy, modify, and distribute this software for any
11	.\" purpose with or without fee is hereby granted, provided that the above	11	.\" purpose with or without fee is hereby granted, provided that the above
@@ -68,7 +68,7 @@
68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
70	.\"	70	.\"
71	.Dd $Mdocdate: December 1 2023 $	71	.Dd $Mdocdate: December 26 2023 $
72	.Dt EVP_CIPHER_CTX_INIT 3	72	.Dt EVP_CIPHER_CTX_INIT 3
73	.Os	73	.Os
74	.Sh NAME	74	.Sh NAME
@@ -95,11 +95,18 @@
95	.Fc	95	.Fc
96	.Sh DESCRIPTION	96	.Sh DESCRIPTION
97	.Fn EVP_CIPHER_CTX_init	97	.Fn EVP_CIPHER_CTX_init
98	is a deprecated function to clear a cipher context on the stack	98	is a deprecated function that could be used to clear a cipher context
99	before use.	99	on the stack before
100	Do not use it on a cipher context returned from	100	.Vt EVP_CIPHER_CTX
		101	was made opaque.
		102	Calling it on a cipher context just returned from
101	.Xr EVP_CIPHER_CTX_new 3	103	.Xr EVP_CIPHER_CTX_new 3
102	or one that was already used.	104	has no effect.
		105	Calling it on a cipher context that was already used leaks memory.
		106	Instead, use
		107	.Xr EVP_CIPHER_CTX_reset 3
		108	or
		109	.Xr EVP_CIPHER_CTX_free 3 .
103	.Pp	110	.Pp
104	.Fn EVP_CIPHER_CTX_cleanup	111	.Fn EVP_CIPHER_CTX_cleanup
105	is a deprecated alias for	112	is a deprecated alias for
@@ -111,7 +118,41 @@ and frees all allocated memory associated with it, except the
111	object itself.	118	object itself.
112	.Pp	119	.Pp
113	.Fn EVP_Cipher	120	.Fn EVP_Cipher
114	encrypts or decrypts aligned blocks of data	121	exposes implementation details of the functions
		122	.Xr EVP_CipherUpdate 3
		123	and
		124	.Xr EVP_CipherFinal 3
		125	that should never have become part of the public API.
		126	.Pp
		127	If the flag
		128	.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
		129	is set for the cipher used by
		130	.Fa ctx ,
		131	behaviour depends on
		132	.Fa in .
		133	If that argument is
		134	.Dv NULL
		135	and
		136	.Fa inl
		137	is 0, behaviour is similar to
		138	.Xr EVP_CipherFinal 3 ;
		139	if
		140	.Fa inl
		141	is not 0, behaviour is undefined.
		142	If
		143	.Fa in
		144	is not
		145	.Dv NULL ,
		146	behaviour is similar to
		147	.Xr EVP_CipherUpdate 3 .
		148	In both cases, the exceptions to the similarity are that arguments
		149	and return values differ.
		150	.Pp
		151	If the flag
		152	.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
		153	is not set for the cipher used by
		154	.Fa ctx ,
		155	it encrypts or decrypts aligned blocks of data
115	whose lengths match the cipher block size.	156	whose lengths match the cipher block size.
116	It requires that the previous encryption or decryption operation	157	It requires that the previous encryption or decryption operation
117	using the same	158	using the same
@@ -133,9 +174,17 @@ the overhead incurred by using
133	is minimal.	174	is minimal.
134	.Sh RETURN VALUES	175	.Sh RETURN VALUES
135	.Fn EVP_CIPHER_CTX_cleanup	176	.Fn EVP_CIPHER_CTX_cleanup
136	and	177	returns 1 for success or 0 for failure.
		178	.Pp
		179	With
		180	.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
137	.Fn EVP_Cipher	181	.Fn EVP_Cipher
138	return 1 for success or 0 for failure.	182	returns the number of bytes written to
		183	.Fa out
		184	for success or \-1 for failure.
		185	Without
		186	.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
		187	it returns 1 for success or 0 for failure.
139	.Sh SEE ALSO	188	.Sh SEE ALSO
140	.Xr evp 3 ,	189	.Xr evp 3 ,
141	.Xr EVP_EncryptInit 3	190	.Xr EVP_EncryptInit 3
@@ -148,3 +197,9 @@ first appeared in SSLeay 0.8.0.
148	first appeared in SSLeay 0.9.0.	197	first appeared in SSLeay 0.9.0.
149	All these functions have been available since	198	All these functions have been available since
150	.Ox 2.4 .	199	.Ox 2.4 .
		200	.Sh CAVEATS
		201	Checking the return value of
		202	.Fn EVP_Cipher
		203	requires unusual caution: zero signals success if
		204	.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
		205	is set or failure otherwise.