1 files changed, 185 insertions, 19 deletions
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
index 000ac88290..01193638b8 100644
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,9 +1,25 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.1 2023/08/15 11:26:49 schwarze Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.2 2023/08/16 13:47:18 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>
+.\" This file is a derived work.
-.\" and Matt Caswell <matt@openssl.org>.
+.\" The changes are covered by the following Copyright and license:
-.\" Copyright (c) 2017, 2019 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
+.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -49,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 15 2023 $
+.Dd $Mdocdate: August 16 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -65,29 +81,179 @@
 .Sh DESCRIPTION
 .Fn EVP_chacha20
 provides the ChaCha20 stream cipher in the EVP framework.
-The key length is 256 bits, the IV is 128 bits long.
+.Xr EVP_EncryptInit_ex 3 ,
-The first 32 bits consists of a counter in little-endian order followed
+.Xr EVP_DecryptInit_ex 3 ,
-by a 96 bit nonce.
+and
-For example a nonce of:
+.Xr EVP_CipherInit_ex 3
-.Pp
+take a
-000000000000000000000002
+.Fa key
-.Pp
+argument of 32 bytes = 256 bits and an
-With an initial counter of 42 (2a in hex) would be expressed as:
+.Fa iv
-.Pp
+argument of 16 bytes = 128 bits, internally using
-2a000000000000000000000000000002
+.Xr ChaCha_set_key 3
+and
+.Xr ChaCha_set_iv 3 .
+Due to the symmetry of the internal cipher state, interpreting the
+.Fa iv
+argument as a 4 byte counter followed by a 12 byte nonce
+or interpreting it as an 8 byte counter followed by an 8 byte nonce
+is functionally equivalent.
+.Xr EVP_EncryptUpdate 3 ,
+.Xr EVP_EncryptFinal_ex 3 ,
+.Xr EVP_DecryptUpdate 3 ,
+and
+.Xr EVP_DecryptFinal_ex 3
+internally use
+.Xr ChaCha 3
+to perform encryption and decryption.
+.Xr EVP_CIPHER_CTX_ctrl 3
+always fails for
+.Fa ctx
+objects created from
+.Fn EVP_chacha20 .
 .Pp
 .Fn EVP_chacha20_poly1305
 provides authenticated encryption with ChaCha20-Poly1305.
-Like
+.Xr EVP_EncryptInit_ex 3 ,
-.Fn EVP_chacha20 ,
+.Xr EVP_DecryptInit_ex 3 ,
-the key is 256 bits and the IV is 96 bits.
+and
+.Xr EVP_CipherInit_ex 3
+take a
+.Fa key
+argument of 32 bytes = 256 bits and an
+.Fa iv
+argument of 12 bytes = 96 bits.
 This supports additional authenticated data (AAD) and produces a 128-bit
 authentication tag.
+.Pp
+The following
+.Fa type
+arguments are supported for
+.Xr EVP_CIPHER_CTX_ctrl 3 :
+.Bl -tag -width Ds
+.It Dv EVP_CTRL_AEAD_GET_TAG
+Copy the number of bytes indicated by the
+.Fa arg
+argument from the tag to the location indicated by the
+.Fa ptr
+argument;
+to be called after
+.Xr EVP_EncryptFinal_ex 3 .
+This control operation fails if the
+.Fa ctx
+is not configured for encryption or if
+.Fa arg
+is less than 1 or greater than 16.
+.It Dv EVP_CTRL_AEAD_SET_TAG
+Copy the number of bytes indicated by the
+.Fa arg
+argument from the location indicated by the
+.Fa ptr
+argument and designate them as the expected tag length and tag,
+causing subsequent
+.Xr EVP_DecryptFinal_ex 3
+to fail if the tag calculated during decryption does not match.
+It is strongly recommended to specify
+.Fa arg
+as exactly 16.
+Otherwise, only the initial part of the tag may be compared
+and mismatches near the end of the tag may get silently irgnored.
+This control operation fails if the
+.Fa ctx
+is configured for encryption or if
+.Fa arg
+is less than 1 or greater than 16.
+If the
+.Fa ptr
+argument is a
+.Dv NULL
+pointer, this control operation succeeds without having any effect.
+.It EVP_CTRL_AEAD_SET_IV_FIXED
+Set the initialization vector by reading the 12 bytes pointed to by the
+.Fa ptr
+argument, independently of
+.Xr EVP_EncryptInit_ex 3 ,
+.Xr EVP_DecryptInit_ex 3 ,
+and
+.Xr EVP_CipherInit_ex 3 .
+This control operation fails if the
+.Fa arg
+argument is not exactly 12.
+.It Dv EVP_CTRL_AEAD_SET_IVLEN
+Instruct subsequent
+.Xr EVP_EncryptInit_ex 3 ,
+.Xr EVP_DecryptInit_ex 3 ,
+or
+.Xr EVP_CipherInit_ex 3
+to expect an
+.Fa iv
+argument shorter than the default of 12 bytes; the
+.Fa arg
+argument specifies the number of bytes to be used.
+The initialization functions will only read
+the specified smaller number of bytes from
+.Fa iv
+and internally zero-pad them on the left.
+Using this is not recommended because it is likely more fragile
+and less often tested than the equivalent method of simply providing
+a full-sized
+.Fa iv .
+This control operation fails if
+.Fa arg
+is less than 1 or greater than 16.
+.It Dv EVP_CTRL_INIT
+Set the length of the initialization vector to the default value
+of 12 bytes and clear the Poly1305 internal state.
+The application program usually does not need to invoke this contol
+operation manually because it is automatically called internally by
+.Xr EVP_EncryptInit_ex 3 ,
+.Xr EVP_DecryptInit_ex 3 ,
+and
+.Xr EVP_CipherInit_ex 3 .
+.El
 .Sh RETURN VALUES
-These functions return return pointers to static
+.Fn EVP_chacha20
+and
+.Fn EVP_chacha20_poly1305
+return pointers to static
 .Vt EVP_CIPHER
 objects that contain the implementations of the symmetric cipher.
+.Pp
+If
+.Fa ctx
+was created from
+.Fn EVP_chacha20
+or
+.Fn EVP_chacha20_poly1305 ,
+.Xr EVP_CIPHER_CTX_ctrl 3
+returns 1 for success or 0 for failure.
 .Sh SEE ALSO
+.Xr ChaCha 3 ,
 .Xr evp 3 ,
+.Xr EVP_aead_chacha20_poly1305 3 ,
 .Xr EVP_CIPHER_meth_new 3 ,
 .Xr EVP_EncryptInit 3
+.Sh STANDARDS
+.Rs
+.%A A. Langley
+.%A W. Chang
+.%D November 2013
+.%R draft-agl-tls-chacha20poly1305-04
+.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
+.Re
+.Pp
+.Rs
+.%A Y. Nir
+.%A A. Langley
+.%D May 2015
+.%R RFC 7539
+.%T ChaCha20 and Poly1305 for IETF Protocols
+.Re
+.Sh HISTORY
+.Fn EVP_chacha20
+first appeared in
+.Ox 5.6 .
+.Pp
+.Fn EVP_chacha20_poly1305
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 7.2 .

diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3 index 000ac88290..01193638b8 100644 --- a/src/lib/libcrypto/man/EVP_chacha20.3 +++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,9 +1,25 @@
1	.\" $OpenBSD: EVP_chacha20.3,v 1.1 2023/08/15 11:26:49 schwarze Exp $	1	.\" $OpenBSD: EVP_chacha20.3,v 1.2 2023/08/16 13:47:18 schwarze Exp $
2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200	2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
3	.\"	3	.\"
4	.\" This file was written by Ronald Tse <ronald.tse@ribose.com>	4	.\" This file is a derived work.
5	.\" and Matt Caswell <matt@openssl.org>.	5	.\" The changes are covered by the following Copyright and license:
6	.\" Copyright (c) 2017, 2019 The OpenSSL Project. All rights reserved.	6	.\"
		7	.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
		8	.\"
		9	.\" Permission to use, copy, modify, and distribute this software for any
		10	.\" purpose with or without fee is hereby granted, provided that the above
		11	.\" copyright notice and this permission notice appear in all copies.
		12	.\"
		13	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		14	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		15	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		16	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		17	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		20	.\"
		21	.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
		22	.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
7	.\"	23	.\"
8	.\" Redistribution and use in source and binary forms, with or without	24	.\" Redistribution and use in source and binary forms, with or without
9	.\" modification, are permitted provided that the following conditions	25	.\" modification, are permitted provided that the following conditions
@@ -49,7 +65,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	67	.\"
52	.Dd $Mdocdate: August 15 2023 $	68	.Dd $Mdocdate: August 16 2023 $
53	.Dt EVP_CHACHA20 3	69	.Dt EVP_CHACHA20 3
54	.Os	70	.Os
55	.Sh NAME	71	.Sh NAME
@@ -65,29 +81,179 @@
65	.Sh DESCRIPTION	81	.Sh DESCRIPTION
66	.Fn EVP_chacha20	82	.Fn EVP_chacha20
67	provides the ChaCha20 stream cipher in the EVP framework.	83	provides the ChaCha20 stream cipher in the EVP framework.
68	The key length is 256 bits, the IV is 128 bits long.	84	.Xr EVP_EncryptInit_ex 3 ,
69	The first 32 bits consists of a counter in little-endian order followed	85	.Xr EVP_DecryptInit_ex 3 ,
70	by a 96 bit nonce.	86	and
71	For example a nonce of:	87	.Xr EVP_CipherInit_ex 3
72	.Pp	88	take a
73	000000000000000000000002	89	.Fa key
74	.Pp	90	argument of 32 bytes = 256 bits and an
75	With an initial counter of 42 (2a in hex) would be expressed as:	91	.Fa iv
76	.Pp	92	argument of 16 bytes = 128 bits, internally using
77	2a000000000000000000000000000002	93	.Xr ChaCha_set_key 3
		94	and
		95	.Xr ChaCha_set_iv 3 .
		96	Due to the symmetry of the internal cipher state, interpreting the
		97	.Fa iv
		98	argument as a 4 byte counter followed by a 12 byte nonce
		99	or interpreting it as an 8 byte counter followed by an 8 byte nonce
		100	is functionally equivalent.
		101	.Xr EVP_EncryptUpdate 3 ,
		102	.Xr EVP_EncryptFinal_ex 3 ,
		103	.Xr EVP_DecryptUpdate 3 ,
		104	and
		105	.Xr EVP_DecryptFinal_ex 3
		106	internally use
		107	.Xr ChaCha 3
		108	to perform encryption and decryption.
		109	.Xr EVP_CIPHER_CTX_ctrl 3
		110	always fails for
		111	.Fa ctx
		112	objects created from
		113	.Fn EVP_chacha20 .
78	.Pp	114	.Pp
79	.Fn EVP_chacha20_poly1305	115	.Fn EVP_chacha20_poly1305
80	provides authenticated encryption with ChaCha20-Poly1305.	116	provides authenticated encryption with ChaCha20-Poly1305.
81	Like	117	.Xr EVP_EncryptInit_ex 3 ,
82	.Fn EVP_chacha20 ,	118	.Xr EVP_DecryptInit_ex 3 ,
83	the key is 256 bits and the IV is 96 bits.	119	and
		120	.Xr EVP_CipherInit_ex 3
		121	take a
		122	.Fa key
		123	argument of 32 bytes = 256 bits and an
		124	.Fa iv
		125	argument of 12 bytes = 96 bits.
84	This supports additional authenticated data (AAD) and produces a 128-bit	126	This supports additional authenticated data (AAD) and produces a 128-bit
85	authentication tag.	127	authentication tag.
		128	.Pp
		129	The following
		130	.Fa type
		131	arguments are supported for
		132	.Xr EVP_CIPHER_CTX_ctrl 3 :
		133	.Bl -tag -width Ds
		134	.It Dv EVP_CTRL_AEAD_GET_TAG
		135	Copy the number of bytes indicated by the
		136	.Fa arg
		137	argument from the tag to the location indicated by the
		138	.Fa ptr
		139	argument;
		140	to be called after
		141	.Xr EVP_EncryptFinal_ex 3 .
		142	This control operation fails if the
		143	.Fa ctx
		144	is not configured for encryption or if
		145	.Fa arg
		146	is less than 1 or greater than 16.
		147	.It Dv EVP_CTRL_AEAD_SET_TAG
		148	Copy the number of bytes indicated by the
		149	.Fa arg
		150	argument from the location indicated by the
		151	.Fa ptr
		152	argument and designate them as the expected tag length and tag,
		153	causing subsequent
		154	.Xr EVP_DecryptFinal_ex 3
		155	to fail if the tag calculated during decryption does not match.
		156	It is strongly recommended to specify
		157	.Fa arg
		158	as exactly 16.
		159	Otherwise, only the initial part of the tag may be compared
		160	and mismatches near the end of the tag may get silently irgnored.
		161	This control operation fails if the
		162	.Fa ctx
		163	is configured for encryption or if
		164	.Fa arg
		165	is less than 1 or greater than 16.
		166	If the
		167	.Fa ptr
		168	argument is a
		169	.Dv NULL
		170	pointer, this control operation succeeds without having any effect.
		171	.It EVP_CTRL_AEAD_SET_IV_FIXED
		172	Set the initialization vector by reading the 12 bytes pointed to by the
		173	.Fa ptr
		174	argument, independently of
		175	.Xr EVP_EncryptInit_ex 3 ,
		176	.Xr EVP_DecryptInit_ex 3 ,
		177	and
		178	.Xr EVP_CipherInit_ex 3 .
		179	This control operation fails if the
		180	.Fa arg
		181	argument is not exactly 12.
		182	.It Dv EVP_CTRL_AEAD_SET_IVLEN
		183	Instruct subsequent
		184	.Xr EVP_EncryptInit_ex 3 ,
		185	.Xr EVP_DecryptInit_ex 3 ,
		186	or
		187	.Xr EVP_CipherInit_ex 3
		188	to expect an
		189	.Fa iv
		190	argument shorter than the default of 12 bytes; the
		191	.Fa arg
		192	argument specifies the number of bytes to be used.
		193	The initialization functions will only read
		194	the specified smaller number of bytes from
		195	.Fa iv
		196	and internally zero-pad them on the left.
		197	Using this is not recommended because it is likely more fragile
		198	and less often tested than the equivalent method of simply providing
		199	a full-sized
		200	.Fa iv .
		201	This control operation fails if
		202	.Fa arg
		203	is less than 1 or greater than 16.
		204	.It Dv EVP_CTRL_INIT
		205	Set the length of the initialization vector to the default value
		206	of 12 bytes and clear the Poly1305 internal state.
		207	The application program usually does not need to invoke this contol
		208	operation manually because it is automatically called internally by
		209	.Xr EVP_EncryptInit_ex 3 ,
		210	.Xr EVP_DecryptInit_ex 3 ,
		211	and
		212	.Xr EVP_CipherInit_ex 3 .
		213	.El
86	.Sh RETURN VALUES	214	.Sh RETURN VALUES
87	These functions return return pointers to static	215	.Fn EVP_chacha20
		216	and
		217	.Fn EVP_chacha20_poly1305
		218	return pointers to static
88	.Vt EVP_CIPHER	219	.Vt EVP_CIPHER
89	objects that contain the implementations of the symmetric cipher.	220	objects that contain the implementations of the symmetric cipher.
		221	.Pp
		222	If
		223	.Fa ctx
		224	was created from
		225	.Fn EVP_chacha20
		226	or
		227	.Fn EVP_chacha20_poly1305 ,
		228	.Xr EVP_CIPHER_CTX_ctrl 3
		229	returns 1 for success or 0 for failure.
90	.Sh SEE ALSO	230	.Sh SEE ALSO
		231	.Xr ChaCha 3 ,
91	.Xr evp 3 ,	232	.Xr evp 3 ,
		233	.Xr EVP_aead_chacha20_poly1305 3 ,
92	.Xr EVP_CIPHER_meth_new 3 ,	234	.Xr EVP_CIPHER_meth_new 3 ,
93	.Xr EVP_EncryptInit 3	235	.Xr EVP_EncryptInit 3
		236	.Sh STANDARDS
		237	.Rs
		238	.%A A. Langley
		239	.%A W. Chang
		240	.%D November 2013
		241	.%R draft-agl-tls-chacha20poly1305-04
		242	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
		243	.Re
		244	.Pp
		245	.Rs
		246	.%A Y. Nir
		247	.%A A. Langley
		248	.%D May 2015
		249	.%R RFC 7539
		250	.%T ChaCha20 and Poly1305 for IETF Protocols
		251	.Re
		252	.Sh HISTORY
		253	.Fn EVP_chacha20
		254	first appeared in
		255	.Ox 5.6 .
		256	.Pp
		257	.Fn EVP_chacha20_poly1305
		258	first appeared in OpenSSL 1.1.0 and has been available since
		259	.Ox 7.2 .