Add EVP_AEAD_CTX_init(3) manpage to document the new(ish) AEAD API.

The "authenticated encryption with additional data" API is used for ciphers like AES-GCM or ChaCha20-Poly1305. The manpage is a beginning and certainly needs more work, especially improvements in the EXAMPLES section. Based on agl's source code comments. Converted from pod to mandoc by schwarze@ OK schwarze@ jsing@
author: reyk <> 2015-10-14 07:41:28 +0000
committer: reyk <> 2015-10-14 07:41:28 +0000
commit: 9d97a73291fdf754ac433bb870b979ef8c5ff3c4 (patch)
tree: 7f4867395e575d1b4040494f072e867f05b550b7 /src
parent: 9e151aaca6e7363dac26dfe6ce30adf712fc7102 (diff)
download: openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.tar.gz
openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.tar.bz2
openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.zip
4 files changed, 285 insertions, 1 deletions
diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod
index 57c761d01f..dfd96d3b98 100644
--- a/src/lib/libcrypto/doc/evp.pod
+++ b/src/lib/libcrypto/doc/evp.pod
@@ -25,6 +25,9 @@ functions.
 Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>|EVP_EncryptInit(3)>
 functions.  The L<B<EVP_Digest>I<...>|EVP_DigestInit(3)> functions provide message digests.
+Authenticated encryption with additional data (AEAD) is available with
+the L<B<EVP_AEAD>I<...>|EVP_AEAD_CTX_init(3)> functions.
 The B<EVP_PKEY>I<...> functions provide a high level interface to
 asymmetric algorithms. To create a new EVP_PKEY see
 L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
@@ -81,6 +84,7 @@ using the high level interface.
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
 L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_AEAD_CTX_init(3)|EVP_AEAD_CTX_init(3)>,
 L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
 L<EVP_SealInit(3)|EVP_SealInit(3)>,
 L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
new file mode 100644
index 0000000000..47531123b4
--- /dev/null
+++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -0,0 +1,275 @@
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.1 2015/10/14 07:41:28 reyk Exp $
+.\"
+.\" Copyright (c) 2014, Google Inc.
+.\" Parts of the text were written by Adam Langley and David Benjamin.
+.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 14 2015 $
+.Dt EVP_AEAD_CTX_INIT 3
+.Os
+.Sh NAME
+.Nm EVP_AEAD_CTX_init ,
+.Nm EVP_AEAD_CTX_cleanup ,
+.Nm EVP_AEAD_CTX_open ,
+.Nm EVP_AEAD_CTX_seal ,
+.Nm EVP_AEAD_key_length ,
+.Nm EVP_AEAD_max_overhead ,
+.Nm EVP_AEAD_max_tag_len ,
+.Nm EVP_AEAD_nonce_length ,
+.Nm EVP_aead_aes_128_gcm ,
+.Nm EVP_aead_aes_256_gcm ,
+.Nm EVP_aead_chacha20_poly1305
+.Nd authenticated encryption with additional data
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft int
+.Fo EVP_AEAD_CTX_init
+.Fa "EVP_AEAD_CTX *ctx"
+.Fa "const EVP_AEAD *aead"
+.Fa "const unsigned char *key"
+.Fa "size_t key_len"
+.Fa "size_t tag_len"
+.Fa "ENGINE *impl"
+.Fc
+.Ft void
+.Fo EVP_AEAD_CTX_cleanup
+.Fa "EVP_AEAD_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_AEAD_CTX_open
+.Fa "const EVP_AEAD_CTX *ctx"
+.Fa "unsigned char *out"
+.Fa "size_t *out_len"
+.Fa "size_t max_out_len"
+.Fa "const unsigned char *nonce"
+.Fa "size_t nonce_len"
+.Fa "const unsigned char *in"
+.Fa "size_t in_len"
+.Fa "const unsigned char *ad"
+.Fa "size_t ad_len"
+.Fc
+.Ft int
+.Fo EVP_AEAD_CTX_seal
+.Fa "const EVP_AEAD_CTX *ctx"
+.Fa "unsigned char *out"
+.Fa "size_t *out_len"
+.Fa "size_t max_out_len"
+.Fa "const unsigned char *nonce"
+.Fa "size_t nonce_len"
+.Fa "const unsigned char *in"
+.Fa "size_t in_len"
+.Fa "const unsigned char *ad"
+.Fa "size_t ad_len"
+.Fc
+.Ft size_t
+.Fo EVP_AEAD_key_length
+.Fa "const EVP_AEAD *aead"
+.Fc
+.Ft size_t
+.Fo EVP_AEAD_max_overhead
+.Fa "const EVP_AEAD *aead"
+.Fc
+.Ft size_t
+.Fo EVP_AEAD_max_tag_len
+.Fa "const EVP_AEAD *aead"
+.Fc
+.Ft size_t
+.Fo EVP_AEAD_nonce_length
+.Fa "const EVP_AEAD *aead"
+.Fc
+.Ft const EVP_AEAD *
+.Fo EVP_aead_aes_128_gcm
+.Fa void
+.Fc
+.Ft const EVP_AEAD *
+.Fo EVP_aead_aes_256_gcm
+.Fa void
+.Fc
+.Ft const EVP_AEAD *
+.Fo EVP_aead_chacha20_poly1305
+.Fa void
+.Fc
+.Sh DESCRIPTION
+AEAD (Authenticated Encryption with Additional Data) couples
+confidentiality and integrity in a single primitive.
+AEAD algorithms take a key and can then seal and open individual
+messages.
+Each message has a unique, per-message nonce and, optionally, additional
+data which is authenticated but not included in the output.
+.Pp
+.Fn EVP_AEAD_CTX_init
+initializes the context
+.Fa ctx
+for the given AEAD algorithm
+.Fa aead .
+The
+.Fa impl argument must be
+.Dv NULL
+for the default implementation;
+other values are currently not supported.
+Authentication tags may be truncated by passing a tag length.
+A tag length of zero indicates the default tag length should be used.
+.Pp
+.Fn EVP_AEAD_CTX_cleanup
+frees any data allocated for the context
+.Fa ctx .
+.Pp
+.Fn EVP_AEAD_CTX_open
+authenticates the input
+.Fa in
+and optional additional data
+.Fa ad ,
+decrypting the input and writing it as output
+.Fa out .
+This function may be called (with the same
+.Vt EVP_AEAD_CTX )
+concurrently with itself or with
+.Fn EVP_AEAD_CTX_seal .
+At most the number of input bytes are written as output.
+In order to ensure success,
+.Fa max_out_len
+should be at least the same as the input length
+.Fa in_len .
+On successful return
+.Fa out_len
+is set to the actual number of bytes written.
+The length of the
+.Fa nonce
+specified with
+.Fa nonce_len
+must be equal to the result of EVP_AEAD_nonce_length for this AEAD.
+.Fn EVP_AEAD_CTX_open
+never results in partial output.
+If
+.Fa max_out_len
+is insufficient, zero will be returned and
+.Fa out_len
+will be set to zero.
+If the input and output are aliased then
+.Fa out
+must be <=
+.Fa in .
+.Pp
+.Fn EVP_AEAD_CTX_seal
+encrypts and authenticates the input and authenticates any additional
+data provided in
+.Fa ad ,
+the encrypted input and authentication tag being written as output
+.Fa out .
+This function may be called (with the same
+.Vt EVP_AEAD_CTX )
+concurrently with itself or with
+.Fn EVP_AEAD_CTX_open .
+At most
+.Fa max_out_len
+bytes are written as output and, in order to ensure success, this value
+should be the
+.Fa in_len
+plus the result of
+.Xr EVP_AEAD_overhead 3 .
+On successful return,
+.Fa out_len
+is set to the actual number of bytes written.
+The length of the
+.Fa nonce
+specified with
+.Fa nonce_len
+must be equal to the result of
+.Fn EVP_AEAD_nonce_length
+for this AEAD.
+.Fn EVP_AEAD_CTX_seal
+never results in a partial output.
+If
+.Fa max_out_len
+is insufficient, zero will be returned and
+.Fa out_len
+will be set to zero.
+If the input and output are aliased then
+.Fa out
+must be <=
+.Fa in .
+.Pp
+.Fn EVP_AEAD_key_length ,
+.Fn EVP_AEAD_max_overhead ,
+.Fn EVP_AEAD_max_tag_len ,
+and
+.Fn EVP_AEAD_nonce_length
+provide information about the AEAD algorithm
+.Fa aead .
+.Pp
+All cipher algorithms have a fixed key length unless otherwise stated.
+The following ciphers are available:
+.Bl -tag -width Ds -offset indent
+.It Fn EVP_aead_aes_128_gcm
+AES-128 in Galois Counter Mode.
+.It Fn EVP_aead_aes_256_gcm
+AES-256 in Galois Counter Mode.
+.It Fn EVP_aead_chacha20_poly1305
+ChaCha20 with a Poly1305 authenticator.
+.El
+.Pp
+Where possible the
+.Sy EVP_AEAD
+interface to AEAD ciphers should be used in preference to the older
+.Sy EVP
+variants or to the low level interfaces.
+This is because the code then becomes transparent to the AEAD cipher
+used and much more flexible,
+it is also safer to use as it prevents common mistakes with the native APIs.
+.Sh RETURN VALUES
+.Fn EVP_AEAD_CTX_init ,
+.Fn EVP_AEAD_CTX_open ,
+and
+.Fn EVP_AEAD_CTX_seal
+return 1 for success or zero for failure.
+.Pp
+.Fn EVP_AEAD_key_length
+returns the length of the key used for this AEAD.
+.Pp
+.Fn EVP_AEAD_max_overhead
+returns the maximum number of additional bytes added by the act of
+sealing data with the AEAD.
+.Pp
+.Fn EVP_AEAD_max_tag_len
+returns the maximum tag length when using this AEAD.
+This is the largest value that can be passed as a tag length to
+.Fn EVP_AEAD_CTX_init .
+.Pp
+.Fn EVP_AEAD_nonce_length
+returns the length of the per-message nonce.
+.Sh EXAMPLES
+Encrypt a string using ChaCha20-Poly1305:
+.Bd -literal
+.\" XXX
+const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
+static const unsigned char nonce[32] = {0};
+size_t buf_len, nonce_len;
+EVP_AEAD_CTX ctx;
+EVP_AEAD_CTX_init(&ctx, aead, key32, EVP_AEAD_key_length(aead),
+    EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
+nonce_len = EVP_AEAD_nonce_length(aead);
+EVP_AEAD_CTX_seal(&ctx, out, &out_len, BUFSIZE, nonce,
+    nonce_len, in, in_len, NULL, 0);
+EVP_AEAD_CTX_cleanup(&ctx);
+.Ed
+.Sh SEE ALSO
+.Xr evp 3
+.Sh HISTORY
+AEAD is based on the implementation by Adam Langley for
+Chromium/BoringSSL and first appeared in
+.Ox 5.6 .
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 1ebde6fc16..d896f436bc 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.24 2015/09/17 14:43:23 bcook Exp $
+# $OpenBSD: Makefile,v 1.25 2015/10/14 07:41:28 reyk Exp $
 .include <bsd.own.mk>           # for NOMAN
@@ -52,6 +52,7 @@ MAN=	\
        BN_swap.3 \
        BN_zero.3 \
        BUF_MEM_new.3 \
+        EVP_AEAD_CTX_init.3 \
 GENMAN= \
        CONF_modules_free.3 \
diff --git a/src/lib/libssl/src/doc/crypto/evp.pod b/src/lib/libssl/src/doc/crypto/evp.pod
index 57c761d01f..dfd96d3b98 100644
--- a/src/lib/libssl/src/doc/crypto/evp.pod
+++ b/src/lib/libssl/src/doc/crypto/evp.pod
@@ -25,6 +25,9 @@ functions.
 Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>|EVP_EncryptInit(3)>
 functions.  The L<B<EVP_Digest>I<...>|EVP_DigestInit(3)> functions provide message digests.
+Authenticated encryption with additional data (AEAD) is available with
+the L<B<EVP_AEAD>I<...>|EVP_AEAD_CTX_init(3)> functions.
 The B<EVP_PKEY>I<...> functions provide a high level interface to
 asymmetric algorithms. To create a new EVP_PKEY see
 L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
@@ -81,6 +84,7 @@ using the high level interface.
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
 L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_AEAD_CTX_init(3)|EVP_AEAD_CTX_init(3)>,
 L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
 L<EVP_SealInit(3)|EVP_SealInit(3)>,
 L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
author	reyk <>	2015-10-14 07:41:28 +0000
committer	reyk <>	2015-10-14 07:41:28 +0000
commit	9d97a73291fdf754ac433bb870b979ef8c5ff3c4 (patch)
tree	7f4867395e575d1b4040494f072e867f05b550b7 /src
parent	9e151aaca6e7363dac26dfe6ce30adf712fc7102 (diff)
download	openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.tar.gz openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.tar.bz2 openbsd-9d97a73291fdf754ac433bb870b979ef8c5ff3c4.zip

diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod index 57c761d01f..dfd96d3b98 100644 --- a/src/lib/libcrypto/doc/evp.pod +++ b/src/lib/libcrypto/doc/evp.pod
@@ -25,6 +25,9 @@ functions.
25	Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>\|EVP_EncryptInit(3)>	25	Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>\|EVP_EncryptInit(3)>
26	functions. The L<B<EVP_Digest>I<...>\|EVP_DigestInit(3)> functions provide message digests.	26	functions. The L<B<EVP_Digest>I<...>\|EVP_DigestInit(3)> functions provide message digests.
27		27
		28	Authenticated encryption with additional data (AEAD) is available with
		29	the L<B<EVP_AEAD>I<...>\|EVP_AEAD_CTX_init(3)> functions.
		30
28	The B<EVP_PKEY>I<...> functions provide a high level interface to	31	The B<EVP_PKEY>I<...> functions provide a high level interface to
29	asymmetric algorithms. To create a new EVP_PKEY see	32	asymmetric algorithms. To create a new EVP_PKEY see
30	L<EVP_PKEY_new(3)\|EVP_PKEY_new(3)>. EVP_PKEYs can be associated	33	L<EVP_PKEY_new(3)\|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
@@ -81,6 +84,7 @@ using the high level interface.
81		84
82	L<EVP_DigestInit(3)\|EVP_DigestInit(3)>,	85	L<EVP_DigestInit(3)\|EVP_DigestInit(3)>,
83	L<EVP_EncryptInit(3)\|EVP_EncryptInit(3)>,	86	L<EVP_EncryptInit(3)\|EVP_EncryptInit(3)>,
		87	L<EVP_AEAD_CTX_init(3)\|EVP_AEAD_CTX_init(3)>,
84	L<EVP_OpenInit(3)\|EVP_OpenInit(3)>,	88	L<EVP_OpenInit(3)\|EVP_OpenInit(3)>,
85	L<EVP_SealInit(3)\|EVP_SealInit(3)>,	89	L<EVP_SealInit(3)\|EVP_SealInit(3)>,
86	L<EVP_DigestSignInit(3)\|EVP_DigestSignInit(3)>,	90	L<EVP_DigestSignInit(3)\|EVP_DigestSignInit(3)>,


diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 new file mode 100644 index 0000000000..47531123b4 --- /dev/null +++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -0,0 +1,275 @@
		1	.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.1 2015/10/14 07:41:28 reyk Exp $
		2	.\"
		3	.\" Copyright (c) 2014, Google Inc.
		4	.\" Parts of the text were written by Adam Langley and David Benjamin.
		5	.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
		6	.\"
		7	.\" Permission to use, copy, modify, and/or distribute this software for any
		8	.\" purpose with or without fee is hereby granted, provided that the above
		9	.\" copyright notice and this permission notice appear in all copies.
		10	.\"
		11	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		12	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		13	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		14	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		15	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		16	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		17	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		18	.\"
		19	.Dd $Mdocdate: October 14 2015 $
		20	.Dt EVP_AEAD_CTX_INIT 3
		21	.Os
		22	.Sh NAME
		23	.Nm EVP_AEAD_CTX_init ,
		24	.Nm EVP_AEAD_CTX_cleanup ,
		25	.Nm EVP_AEAD_CTX_open ,
		26	.Nm EVP_AEAD_CTX_seal ,
		27	.Nm EVP_AEAD_key_length ,
		28	.Nm EVP_AEAD_max_overhead ,
		29	.Nm EVP_AEAD_max_tag_len ,
		30	.Nm EVP_AEAD_nonce_length ,
		31	.Nm EVP_aead_aes_128_gcm ,
		32	.Nm EVP_aead_aes_256_gcm ,
		33	.Nm EVP_aead_chacha20_poly1305
		34	.Nd authenticated encryption with additional data
		35	.Sh SYNOPSIS
		36	.In openssl/evp.h
		37	.Ft int
		38	.Fo EVP_AEAD_CTX_init
		39	.Fa "EVP_AEAD_CTX *ctx"
		40	.Fa "const EVP_AEAD *aead"
		41	.Fa "const unsigned char *key"
		42	.Fa "size_t key_len"
		43	.Fa "size_t tag_len"
		44	.Fa "ENGINE *impl"
		45	.Fc
		46	.Ft void
		47	.Fo EVP_AEAD_CTX_cleanup
		48	.Fa "EVP_AEAD_CTX *ctx"
		49	.Fc
		50	.Ft int
		51	.Fo EVP_AEAD_CTX_open
		52	.Fa "const EVP_AEAD_CTX *ctx"
		53	.Fa "unsigned char *out"
		54	.Fa "size_t *out_len"
		55	.Fa "size_t max_out_len"
		56	.Fa "const unsigned char *nonce"
		57	.Fa "size_t nonce_len"
		58	.Fa "const unsigned char *in"
		59	.Fa "size_t in_len"
		60	.Fa "const unsigned char *ad"
		61	.Fa "size_t ad_len"
		62	.Fc
		63	.Ft int
		64	.Fo EVP_AEAD_CTX_seal
		65	.Fa "const EVP_AEAD_CTX *ctx"
		66	.Fa "unsigned char *out"
		67	.Fa "size_t *out_len"
		68	.Fa "size_t max_out_len"
		69	.Fa "const unsigned char *nonce"
		70	.Fa "size_t nonce_len"
		71	.Fa "const unsigned char *in"
		72	.Fa "size_t in_len"
		73	.Fa "const unsigned char *ad"
		74	.Fa "size_t ad_len"
		75	.Fc
		76	.Ft size_t
		77	.Fo EVP_AEAD_key_length
		78	.Fa "const EVP_AEAD *aead"
		79	.Fc
		80	.Ft size_t
		81	.Fo EVP_AEAD_max_overhead
		82	.Fa "const EVP_AEAD *aead"
		83	.Fc
		84	.Ft size_t
		85	.Fo EVP_AEAD_max_tag_len
		86	.Fa "const EVP_AEAD *aead"
		87	.Fc
		88	.Ft size_t
		89	.Fo EVP_AEAD_nonce_length
		90	.Fa "const EVP_AEAD *aead"
		91	.Fc
		92	.Ft const EVP_AEAD *
		93	.Fo EVP_aead_aes_128_gcm
		94	.Fa void
		95	.Fc
		96	.Ft const EVP_AEAD *
		97	.Fo EVP_aead_aes_256_gcm
		98	.Fa void
		99	.Fc
		100	.Ft const EVP_AEAD *
		101	.Fo EVP_aead_chacha20_poly1305
		102	.Fa void
		103	.Fc
		104	.Sh DESCRIPTION
		105	AEAD (Authenticated Encryption with Additional Data) couples
		106	confidentiality and integrity in a single primitive.
		107	AEAD algorithms take a key and can then seal and open individual
		108	messages.
		109	Each message has a unique, per-message nonce and, optionally, additional
		110	data which is authenticated but not included in the output.
		111	.Pp
		112	.Fn EVP_AEAD_CTX_init
		113	initializes the context
		114	.Fa ctx
		115	for the given AEAD algorithm
		116	.Fa aead .
		117	The
		118	.Fa impl argument must be
		119	.Dv NULL
		120	for the default implementation;
		121	other values are currently not supported.
		122	Authentication tags may be truncated by passing a tag length.
		123	A tag length of zero indicates the default tag length should be used.
		124	.Pp
		125	.Fn EVP_AEAD_CTX_cleanup
		126	frees any data allocated for the context
		127	.Fa ctx .
		128	.Pp
		129	.Fn EVP_AEAD_CTX_open
		130	authenticates the input
		131	.Fa in
		132	and optional additional data
		133	.Fa ad ,
		134	decrypting the input and writing it as output
		135	.Fa out .
		136	This function may be called (with the same
		137	.Vt EVP_AEAD_CTX )
		138	concurrently with itself or with
		139	.Fn EVP_AEAD_CTX_seal .
		140	At most the number of input bytes are written as output.
		141	In order to ensure success,
		142	.Fa max_out_len
		143	should be at least the same as the input length
		144	.Fa in_len .
		145	On successful return
		146	.Fa out_len
		147	is set to the actual number of bytes written.
		148	The length of the
		149	.Fa nonce
		150	specified with
		151	.Fa nonce_len
		152	must be equal to the result of EVP_AEAD_nonce_length for this AEAD.
		153	.Fn EVP_AEAD_CTX_open
		154	never results in partial output.
		155	If
		156	.Fa max_out_len
		157	is insufficient, zero will be returned and
		158	.Fa out_len
		159	will be set to zero.
		160	If the input and output are aliased then
		161	.Fa out
		162	must be <=
		163	.Fa in .
		164	.Pp
		165	.Fn EVP_AEAD_CTX_seal
		166	encrypts and authenticates the input and authenticates any additional
		167	data provided in
		168	.Fa ad ,
		169	the encrypted input and authentication tag being written as output
		170	.Fa out .
		171	This function may be called (with the same
		172	.Vt EVP_AEAD_CTX )
		173	concurrently with itself or with
		174	.Fn EVP_AEAD_CTX_open .
		175	At most
		176	.Fa max_out_len
		177	bytes are written as output and, in order to ensure success, this value
		178	should be the
		179	.Fa in_len
		180	plus the result of
		181	.Xr EVP_AEAD_overhead 3 .
		182	On successful return,
		183	.Fa out_len
		184	is set to the actual number of bytes written.
		185	The length of the
		186	.Fa nonce
		187	specified with
		188	.Fa nonce_len
		189	must be equal to the result of
		190	.Fn EVP_AEAD_nonce_length
		191	for this AEAD.
		192	.Fn EVP_AEAD_CTX_seal
		193	never results in a partial output.
		194	If
		195	.Fa max_out_len
		196	is insufficient, zero will be returned and
		197	.Fa out_len
		198	will be set to zero.
		199	If the input and output are aliased then
		200	.Fa out
		201	must be <=
		202	.Fa in .
		203	.Pp
		204	.Fn EVP_AEAD_key_length ,
		205	.Fn EVP_AEAD_max_overhead ,
		206	.Fn EVP_AEAD_max_tag_len ,
		207	and
		208	.Fn EVP_AEAD_nonce_length
		209	provide information about the AEAD algorithm
		210	.Fa aead .
		211	.Pp
		212	All cipher algorithms have a fixed key length unless otherwise stated.
		213	The following ciphers are available:
		214	.Bl -tag -width Ds -offset indent
		215	.It Fn EVP_aead_aes_128_gcm
		216	AES-128 in Galois Counter Mode.
		217	.It Fn EVP_aead_aes_256_gcm
		218	AES-256 in Galois Counter Mode.
		219	.It Fn EVP_aead_chacha20_poly1305
		220	ChaCha20 with a Poly1305 authenticator.
		221	.El
		222	.Pp
		223	Where possible the
		224	.Sy EVP_AEAD
		225	interface to AEAD ciphers should be used in preference to the older
		226	.Sy EVP
		227	variants or to the low level interfaces.
		228	This is because the code then becomes transparent to the AEAD cipher
		229	used and much more flexible,
		230	it is also safer to use as it prevents common mistakes with the native APIs.
		231	.Sh RETURN VALUES
		232	.Fn EVP_AEAD_CTX_init ,
		233	.Fn EVP_AEAD_CTX_open ,
		234	and
		235	.Fn EVP_AEAD_CTX_seal
		236	return 1 for success or zero for failure.
		237	.Pp
		238	.Fn EVP_AEAD_key_length
		239	returns the length of the key used for this AEAD.
		240	.Pp
		241	.Fn EVP_AEAD_max_overhead
		242	returns the maximum number of additional bytes added by the act of
		243	sealing data with the AEAD.
		244	.Pp
		245	.Fn EVP_AEAD_max_tag_len
		246	returns the maximum tag length when using this AEAD.
		247	This is the largest value that can be passed as a tag length to
		248	.Fn EVP_AEAD_CTX_init .
		249	.Pp
		250	.Fn EVP_AEAD_nonce_length
		251	returns the length of the per-message nonce.
		252	.Sh EXAMPLES
		253	Encrypt a string using ChaCha20-Poly1305:
		254	.Bd -literal
		255	.\" XXX
		256	const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
		257	static const unsigned char nonce[32] = {0};
		258	size_t buf_len, nonce_len;
		259	EVP_AEAD_CTX ctx;
		260
		261	EVP_AEAD_CTX_init(&ctx, aead, key32, EVP_AEAD_key_length(aead),
		262	EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
		263	nonce_len = EVP_AEAD_nonce_length(aead);
		264
		265	EVP_AEAD_CTX_seal(&ctx, out, &out_len, BUFSIZE, nonce,
		266	nonce_len, in, in_len, NULL, 0);
		267
		268	EVP_AEAD_CTX_cleanup(&ctx);
		269	.Ed
		270	.Sh SEE ALSO
		271	.Xr evp 3
		272	.Sh HISTORY
		273	AEAD is based on the implementation by Adam Langley for
		274	Chromium/BoringSSL and first appeared in
		275	.Ox 5.6 .


diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 1ebde6fc16..d896f436bc 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.24 2015/09/17 14:43:23 bcook Exp $	1	# $OpenBSD: Makefile,v 1.25 2015/10/14 07:41:28 reyk Exp $
2		2
3	.include <bsd.own.mk> # for NOMAN	3	.include <bsd.own.mk> # for NOMAN
4		4
@@ -52,6 +52,7 @@ MAN= \
52	BN_swap.3 \	52	BN_swap.3 \
53	BN_zero.3 \	53	BN_zero.3 \
54	BUF_MEM_new.3 \	54	BUF_MEM_new.3 \
		55	EVP_AEAD_CTX_init.3 \
55		56
56	GENMAN= \	57	GENMAN= \
57	CONF_modules_free.3 \	58	CONF_modules_free.3 \


diff --git a/src/lib/libssl/src/doc/crypto/evp.pod b/src/lib/libssl/src/doc/crypto/evp.pod index 57c761d01f..dfd96d3b98 100644 --- a/src/lib/libssl/src/doc/crypto/evp.pod +++ b/src/lib/libssl/src/doc/crypto/evp.pod
@@ -25,6 +25,9 @@ functions.
25	Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>\|EVP_EncryptInit(3)>	25	Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>\|EVP_EncryptInit(3)>
26	functions. The L<B<EVP_Digest>I<...>\|EVP_DigestInit(3)> functions provide message digests.	26	functions. The L<B<EVP_Digest>I<...>\|EVP_DigestInit(3)> functions provide message digests.
27		27
		28	Authenticated encryption with additional data (AEAD) is available with
		29	the L<B<EVP_AEAD>I<...>\|EVP_AEAD_CTX_init(3)> functions.
		30
28	The B<EVP_PKEY>I<...> functions provide a high level interface to	31	The B<EVP_PKEY>I<...> functions provide a high level interface to
29	asymmetric algorithms. To create a new EVP_PKEY see	32	asymmetric algorithms. To create a new EVP_PKEY see
30	L<EVP_PKEY_new(3)\|EVP_PKEY_new(3)>. EVP_PKEYs can be associated	33	L<EVP_PKEY_new(3)\|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
@@ -81,6 +84,7 @@ using the high level interface.
81		84
82	L<EVP_DigestInit(3)\|EVP_DigestInit(3)>,	85	L<EVP_DigestInit(3)\|EVP_DigestInit(3)>,
83	L<EVP_EncryptInit(3)\|EVP_EncryptInit(3)>,	86	L<EVP_EncryptInit(3)\|EVP_EncryptInit(3)>,
		87	L<EVP_AEAD_CTX_init(3)\|EVP_AEAD_CTX_init(3)>,
84	L<EVP_OpenInit(3)\|EVP_OpenInit(3)>,	88	L<EVP_OpenInit(3)\|EVP_OpenInit(3)>,
85	L<EVP_SealInit(3)\|EVP_SealInit(3)>,	89	L<EVP_SealInit(3)\|EVP_SealInit(3)>,
86	L<EVP_DigestSignInit(3)\|EVP_DigestSignInit(3)>,	90	L<EVP_DigestSignInit(3)\|EVP_DigestSignInit(3)>,