1 files changed, 0 insertions, 411 deletions
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
deleted file mode 100644
index 8b3b8adb0f..0000000000
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ /dev/null
@@ -1,411 +0,0 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $
-.\"
-.\" Copyright (c) 2014, Google Inc.
-.\" Parts of the text were written by Adam Langley and David Benjamin.
-.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 21 2024 $
-.Dt EVP_AEAD_CTX_INIT 3
-.Os
-.Sh NAME
-.Nm EVP_AEAD_CTX_new ,
-.Nm EVP_AEAD_CTX_free ,
-.Nm EVP_AEAD_CTX_init ,
-.Nm EVP_AEAD_CTX_cleanup ,
-.Nm EVP_AEAD_CTX_open ,
-.Nm EVP_AEAD_CTX_seal ,
-.Nm EVP_AEAD_key_length ,
-.Nm EVP_AEAD_max_overhead ,
-.Nm EVP_AEAD_max_tag_len ,
-.Nm EVP_AEAD_nonce_length ,
-.Nm EVP_aead_aes_128_gcm ,
-.Nm EVP_aead_aes_256_gcm ,
-.Nm EVP_aead_chacha20_poly1305 ,
-.Nm EVP_aead_xchacha20_poly1305
-.Nd authenticated encryption with additional data
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_AEAD_CTX *
-.Fn EVP_AEAD_CTX_new void
-.Ft void
-.Fo EVP_AEAD_CTX_free
-.Fa "EVP_AEAD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_init
-.Fa "EVP_AEAD_CTX *ctx"
-.Fa "const EVP_AEAD *aead"
-.Fa "const unsigned char *key"
-.Fa "size_t key_len"
-.Fa "size_t tag_len"
-.Fa "ENGINE *engine"
-.Fc
-.Ft void
-.Fo EVP_AEAD_CTX_cleanup
-.Fa "EVP_AEAD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_open
-.Fa "const EVP_AEAD_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *out_len"
-.Fa "size_t max_out_len"
-.Fa "const unsigned char *nonce"
-.Fa "size_t nonce_len"
-.Fa "const unsigned char *in"
-.Fa "size_t in_len"
-.Fa "const unsigned char *ad"
-.Fa "size_t ad_len"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_seal
-.Fa "const EVP_AEAD_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *out_len"
-.Fa "size_t max_out_len"
-.Fa "const unsigned char *nonce"
-.Fa "size_t nonce_len"
-.Fa "const unsigned char *in"
-.Fa "size_t in_len"
-.Fa "const unsigned char *ad"
-.Fa "size_t ad_len"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_key_length
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_max_overhead
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_max_tag_len
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_nonce_length
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_aes_128_gcm
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_aes_256_gcm
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_chacha20_poly1305
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_xchacha20_poly1305
-.Fa void
-.Fc
-.Sh DESCRIPTION
-AEAD (Authenticated Encryption with Additional Data) couples
-confidentiality and integrity in a single primitive.
-AEAD algorithms take a key and can then seal and open individual
-messages.
-Each message has a unique, per-message nonce and, optionally, additional
-data which is authenticated but not included in the output.
-.Pp
-.Fn EVP_AEAD_CTX_new
-allocates a new context for use with
-.Fn EVP_AEAD_CTX_init .
-It can be cleaned up for reuse with
-.Fn EVP_AEAD_CTX_cleanup
-and must be freed with
-.Fn EVP_AEAD_CTX_free .
-.Pp
-.Fn EVP_AEAD_CTX_free
-cleans up
-.Fa ctx
-and frees the space allocated to it.
-.Pp
-.Fn EVP_AEAD_CTX_init
-initializes the context
-.Fa ctx
-for the given AEAD algorithm
-.Fa aead .
-The
-.Fa engine
-argument must be
-.Dv NULL
-for the default implementation;
-other values are not supported.
-Authentication tags may be truncated by passing a tag length.
-A
-.Fa tag_len
-argument of
-.Dv EVP_AEAD_DEFAULT_TAG_LENGTH ,
-which has the value 0, causes the default tag length to be used.
-.Pp
-.Fn EVP_AEAD_CTX_cleanup
-frees any data allocated for the context
-.Fa ctx .
-After
-.Fn EVP_AEAD_CTX_cleanup ,
-.Fa ctx
-is in the same state as after
-.Fn EVP_AEAD_CTX_new .
-.Pp
-.Fn EVP_AEAD_CTX_open
-authenticates the input
-.Fa in
-and optional additional data
-.Fa ad ,
-decrypting the input and writing it as output
-.Fa out .
-This function may be called (with the same
-.Vt EVP_AEAD_CTX )
-concurrently with itself or with
-.Fn EVP_AEAD_CTX_seal .
-At most the number of input bytes are written as output.
-In order to ensure success,
-.Fa max_out_len
-should be at least the same as the input length
-.Fa in_len .
-On successful return
-.Fa out_len
-is set to the actual number of bytes written.
-The length of the
-.Fa nonce
-specified with
-.Fa nonce_len
-must be equal to the result of EVP_AEAD_nonce_length for this AEAD.
-.Fn EVP_AEAD_CTX_open
-never results in partial output.
-If
-.Fa max_out_len
-is insufficient, zero will be returned and
-.Fa out_len
-will be set to zero.
-If the input and output are aliased then
-.Fa out
-must be <=
-.Fa in .
-.Pp
-.Fn EVP_AEAD_CTX_seal
-encrypts and authenticates the input and authenticates any additional
-data provided in
-.Fa ad ,
-the encrypted input and authentication tag being written as output
-.Fa out .
-This function may be called (with the same
-.Vt EVP_AEAD_CTX )
-concurrently with itself or with
-.Fn EVP_AEAD_CTX_open .
-At most
-.Fa max_out_len
-bytes are written as output and, in order to ensure success, this value
-should be the
-.Fa in_len
-plus the result of
-.Fn EVP_AEAD_max_overhead .
-On successful return,
-.Fa out_len
-is set to the actual number of bytes written.
-The length of the
-.Fa nonce
-specified with
-.Fa nonce_len
-must be equal to the result of
-.Fn EVP_AEAD_nonce_length
-for this AEAD.
-.Fn EVP_AEAD_CTX_seal
-never results in a partial output.
-If
-.Fa max_out_len
-is insufficient, zero will be returned and
-.Fa out_len
-will be set to zero.
-If the input and output are aliased then
-.Fa out
-must be <=
-.Fa in .
-.Pp
-.Fn EVP_AEAD_key_length ,
-.Fn EVP_AEAD_max_overhead ,
-.Fn EVP_AEAD_max_tag_len ,
-and
-.Fn EVP_AEAD_nonce_length
-provide information about the AEAD algorithm
-.Fa aead .
-.Pp
-.Fn EVP_AEAD_max_tag_len
-returns the maximum tag length that can be used with the given
-.Fa aead .
-This is the largest value that can be passed as the
-.Fa tag_len
-argument to
-.Fn EVP_AEAD_CTX_init .
-No built-in
-.Vt EVP_AEAD
-object has a maximum tag length larger than the constant
-.Dv EVP_AEAD_MAX_TAG_LENGTH .
-.Pp
-All cipher algorithms have a fixed key length unless otherwise stated.
-The following ciphers are available:
-.Bl -tag -width Ds -offset indent
-.It Fn EVP_aead_aes_128_gcm
-AES-128 in Galois Counter Mode, using a
-.Fa key_len
-of 16 bytes and a
-.Fa nonce_len
-of 12 bytes.
-.It Fn EVP_aead_aes_256_gcm
-AES-256 in Galois Counter Mode, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 12 bytes.
-.It Fn EVP_aead_chacha20_poly1305
-ChaCha20 with a Poly1305 authenticator, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 12 bytes.
-The constant
-.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
-specifies the length of the authentication tag in bytes and has a value of 16.
-.It Fn EVP_aead_xchacha20_poly1305
-XChaCha20 with a Poly1305 authenticator, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 24 bytes.
-.El
-.Pp
-Unless compatibility with other implementations
-like OpenSSL or BoringSSL is required, using the
-.Sy EVP_AEAD
-interface to AEAD ciphers is recommended
-in preference to the functions documented in the
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_aes_256_gcm 3 ,
-and
-.Xr EVP_chacha20_poly1305 3
-manual pages.
-The code then becomes transparent to the AEAD cipher used
-and much more flexible.
-It is also safer to use as it prevents common mistakes with the EVP APIs.
-.Sh RETURN VALUES
-.Fn EVP_AEAD_CTX_new
-returns the new
-.Vt EVP_AEAD_CTX
-object on success;
-otherwise
-.Dv NULL
-is returned and
-.Va errno
-is set to
-.Er ENOMEM .
-.Pp
-.Fn EVP_AEAD_CTX_init ,
-.Fn EVP_AEAD_CTX_open ,
-and
-.Fn EVP_AEAD_CTX_seal
-return 1 for success or zero for failure.
-.Pp
-.Fn EVP_AEAD_key_length
-returns the length of the key used for this AEAD.
-.Pp
-.Fn EVP_AEAD_max_overhead
-returns the maximum number of additional bytes added by the act of
-sealing data with the AEAD.
-.Pp
-.Fn EVP_AEAD_max_tag_len
-returns the maximum tag length when using this AEAD.
-.Pp
-.Fn EVP_AEAD_nonce_length
-returns the length of the per-message nonce.
-.Sh EXAMPLES
-Encrypt a string using ChaCha20-Poly1305:
-.Bd -literal -offset indent
-const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
-static const unsigned char nonce[32] = {0};
-size_t buf_len, nonce_len;
-EVP_AEAD_CTX *ctx;
-ctx = EVP_AEAD_CTX_new();
-EVP_AEAD_CTX_init(ctx, aead, key32, EVP_AEAD_key_length(aead),
-    EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
-nonce_len = EVP_AEAD_nonce_length(aead);
-EVP_AEAD_CTX_seal(ctx, out, &out_len, BUFSIZE, nonce,
-    nonce_len, in, in_len, NULL, 0);
-EVP_AEAD_CTX_free(ctx);
-.Ed
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%A N. Mavrogiannopoulos
-.%A J. Strombergson
-.%A S. Josefsson
-.%D June 2016
-.%R RFC 7905
-.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
-.Re
-.Pp
-.Rs
-.%A S. Arciszewski
-.%D October 2018
-.%R draft-arciszewski-xchacha-02
-.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
-.Re
-.Sh HISTORY
-AEAD is based on the implementation by
-.An Adam Langley
-.\" OpenSSL commit 9a8646510b Sep 9 12:13:24 2013 -0400
-for Chromium/BoringSSL and first appeared in
-.Ox 5.6 .
-.Pp
-.Fn EVP_AEAD_CTX_new
-and
-.Fn EVP_AEAD_CTX_free
-first appeared in
-.Ox 7.1 .
-.Sh CAVEATS
-The original publications and code by
-.An Adam Langley
-used a modified AEAD construction that is incompatible with the common
-style used by AEAD in TLS and incompatible with RFC 7905:
-.Pp
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%D November 2013
-.%R draft-agl-tls-chacha20poly1305-04
-.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
-.Re
-.Pp
-.Rs
-.%A Y. Nir
-.%A A. Langley
-.%D June 2018
-.%R RFC 8439
-.%T ChaCha20 and Poly1305 for IETF Protocols
-.Re
-.Pp
-In particular, the original version used a
-.Fa nonce_len
-of 8 bytes.

diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 deleted file mode 100644 index 8b3b8adb0f..0000000000 --- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 +++ /dev/null
@@ -1,411 +0,0 @@
1	.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $
2	.\"
3	.\" Copyright (c) 2014, Google Inc.
4	.\" Parts of the text were written by Adam Langley and David Benjamin.
5	.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
6	.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
7	.\"
8	.\" Permission to use, copy, modify, and/or distribute this software for any
9	.\" purpose with or without fee is hereby granted, provided that the above
10	.\" copyright notice and this permission notice appear in all copies.
11	.\"
12	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19	.\"
20	.Dd $Mdocdate: July 21 2024 $
21	.Dt EVP_AEAD_CTX_INIT 3
22	.Os
23	.Sh NAME
24	.Nm EVP_AEAD_CTX_new ,
25	.Nm EVP_AEAD_CTX_free ,
26	.Nm EVP_AEAD_CTX_init ,
27	.Nm EVP_AEAD_CTX_cleanup ,
28	.Nm EVP_AEAD_CTX_open ,
29	.Nm EVP_AEAD_CTX_seal ,
30	.Nm EVP_AEAD_key_length ,
31	.Nm EVP_AEAD_max_overhead ,
32	.Nm EVP_AEAD_max_tag_len ,
33	.Nm EVP_AEAD_nonce_length ,
34	.Nm EVP_aead_aes_128_gcm ,
35	.Nm EVP_aead_aes_256_gcm ,
36	.Nm EVP_aead_chacha20_poly1305 ,
37	.Nm EVP_aead_xchacha20_poly1305
38	.Nd authenticated encryption with additional data
39	.Sh SYNOPSIS
40	.In openssl/evp.h
41	.Ft EVP_AEAD_CTX *
42	.Fn EVP_AEAD_CTX_new void
43	.Ft void
44	.Fo EVP_AEAD_CTX_free
45	.Fa "EVP_AEAD_CTX *ctx"
46	.Fc
47	.Ft int
48	.Fo EVP_AEAD_CTX_init
49	.Fa "EVP_AEAD_CTX *ctx"
50	.Fa "const EVP_AEAD *aead"
51	.Fa "const unsigned char *key"
52	.Fa "size_t key_len"
53	.Fa "size_t tag_len"
54	.Fa "ENGINE *engine"
55	.Fc
56	.Ft void
57	.Fo EVP_AEAD_CTX_cleanup
58	.Fa "EVP_AEAD_CTX *ctx"
59	.Fc
60	.Ft int
61	.Fo EVP_AEAD_CTX_open
62	.Fa "const EVP_AEAD_CTX *ctx"
63	.Fa "unsigned char *out"
64	.Fa "size_t *out_len"
65	.Fa "size_t max_out_len"
66	.Fa "const unsigned char *nonce"
67	.Fa "size_t nonce_len"
68	.Fa "const unsigned char *in"
69	.Fa "size_t in_len"
70	.Fa "const unsigned char *ad"
71	.Fa "size_t ad_len"
72	.Fc
73	.Ft int
74	.Fo EVP_AEAD_CTX_seal
75	.Fa "const EVP_AEAD_CTX *ctx"
76	.Fa "unsigned char *out"
77	.Fa "size_t *out_len"
78	.Fa "size_t max_out_len"
79	.Fa "const unsigned char *nonce"
80	.Fa "size_t nonce_len"
81	.Fa "const unsigned char *in"
82	.Fa "size_t in_len"
83	.Fa "const unsigned char *ad"
84	.Fa "size_t ad_len"
85	.Fc
86	.Ft size_t
87	.Fo EVP_AEAD_key_length
88	.Fa "const EVP_AEAD *aead"
89	.Fc
90	.Ft size_t
91	.Fo EVP_AEAD_max_overhead
92	.Fa "const EVP_AEAD *aead"
93	.Fc
94	.Ft size_t
95	.Fo EVP_AEAD_max_tag_len
96	.Fa "const EVP_AEAD *aead"
97	.Fc
98	.Ft size_t
99	.Fo EVP_AEAD_nonce_length
100	.Fa "const EVP_AEAD *aead"
101	.Fc
102	.Ft const EVP_AEAD *
103	.Fo EVP_aead_aes_128_gcm
104	.Fa void
105	.Fc
106	.Ft const EVP_AEAD *
107	.Fo EVP_aead_aes_256_gcm
108	.Fa void
109	.Fc
110	.Ft const EVP_AEAD *
111	.Fo EVP_aead_chacha20_poly1305
112	.Fa void
113	.Fc
114	.Ft const EVP_AEAD *
115	.Fo EVP_aead_xchacha20_poly1305
116	.Fa void
117	.Fc
118	.Sh DESCRIPTION
119	AEAD (Authenticated Encryption with Additional Data) couples
120	confidentiality and integrity in a single primitive.
121	AEAD algorithms take a key and can then seal and open individual
122	messages.
123	Each message has a unique, per-message nonce and, optionally, additional
124	data which is authenticated but not included in the output.
125	.Pp
126	.Fn EVP_AEAD_CTX_new
127	allocates a new context for use with
128	.Fn EVP_AEAD_CTX_init .
129	It can be cleaned up for reuse with
130	.Fn EVP_AEAD_CTX_cleanup
131	and must be freed with
132	.Fn EVP_AEAD_CTX_free .
133	.Pp
134	.Fn EVP_AEAD_CTX_free
135	cleans up
136	.Fa ctx
137	and frees the space allocated to it.
138	.Pp
139	.Fn EVP_AEAD_CTX_init
140	initializes the context
141	.Fa ctx
142	for the given AEAD algorithm
143	.Fa aead .
144	The
145	.Fa engine
146	argument must be
147	.Dv NULL
148	for the default implementation;
149	other values are not supported.
150	Authentication tags may be truncated by passing a tag length.
151	A
152	.Fa tag_len
153	argument of
154	.Dv EVP_AEAD_DEFAULT_TAG_LENGTH ,
155	which has the value 0, causes the default tag length to be used.
156	.Pp
157	.Fn EVP_AEAD_CTX_cleanup
158	frees any data allocated for the context
159	.Fa ctx .
160	After
161	.Fn EVP_AEAD_CTX_cleanup ,
162	.Fa ctx
163	is in the same state as after
164	.Fn EVP_AEAD_CTX_new .
165	.Pp
166	.Fn EVP_AEAD_CTX_open
167	authenticates the input
168	.Fa in
169	and optional additional data
170	.Fa ad ,
171	decrypting the input and writing it as output
172	.Fa out .
173	This function may be called (with the same
174	.Vt EVP_AEAD_CTX )
175	concurrently with itself or with
176	.Fn EVP_AEAD_CTX_seal .
177	At most the number of input bytes are written as output.
178	In order to ensure success,
179	.Fa max_out_len
180	should be at least the same as the input length
181	.Fa in_len .
182	On successful return
183	.Fa out_len
184	is set to the actual number of bytes written.
185	The length of the
186	.Fa nonce
187	specified with
188	.Fa nonce_len
189	must be equal to the result of EVP_AEAD_nonce_length for this AEAD.
190	.Fn EVP_AEAD_CTX_open
191	never results in partial output.
192	If
193	.Fa max_out_len
194	is insufficient, zero will be returned and
195	.Fa out_len
196	will be set to zero.
197	If the input and output are aliased then
198	.Fa out
199	must be <=
200	.Fa in .
201	.Pp
202	.Fn EVP_AEAD_CTX_seal
203	encrypts and authenticates the input and authenticates any additional
204	data provided in
205	.Fa ad ,
206	the encrypted input and authentication tag being written as output
207	.Fa out .
208	This function may be called (with the same
209	.Vt EVP_AEAD_CTX )
210	concurrently with itself or with
211	.Fn EVP_AEAD_CTX_open .
212	At most
213	.Fa max_out_len
214	bytes are written as output and, in order to ensure success, this value
215	should be the
216	.Fa in_len
217	plus the result of
218	.Fn EVP_AEAD_max_overhead .
219	On successful return,
220	.Fa out_len
221	is set to the actual number of bytes written.
222	The length of the
223	.Fa nonce
224	specified with
225	.Fa nonce_len
226	must be equal to the result of
227	.Fn EVP_AEAD_nonce_length
228	for this AEAD.
229	.Fn EVP_AEAD_CTX_seal
230	never results in a partial output.
231	If
232	.Fa max_out_len
233	is insufficient, zero will be returned and
234	.Fa out_len
235	will be set to zero.
236	If the input and output are aliased then
237	.Fa out
238	must be <=
239	.Fa in .
240	.Pp
241	.Fn EVP_AEAD_key_length ,
242	.Fn EVP_AEAD_max_overhead ,
243	.Fn EVP_AEAD_max_tag_len ,
244	and
245	.Fn EVP_AEAD_nonce_length
246	provide information about the AEAD algorithm
247	.Fa aead .
248	.Pp
249	.Fn EVP_AEAD_max_tag_len
250	returns the maximum tag length that can be used with the given
251	.Fa aead .
252	This is the largest value that can be passed as the
253	.Fa tag_len
254	argument to
255	.Fn EVP_AEAD_CTX_init .
256	No built-in
257	.Vt EVP_AEAD
258	object has a maximum tag length larger than the constant
259	.Dv EVP_AEAD_MAX_TAG_LENGTH .
260	.Pp
261	All cipher algorithms have a fixed key length unless otherwise stated.
262	The following ciphers are available:
263	.Bl -tag -width Ds -offset indent
264	.It Fn EVP_aead_aes_128_gcm
265	AES-128 in Galois Counter Mode, using a
266	.Fa key_len
267	of 16 bytes and a
268	.Fa nonce_len
269	of 12 bytes.
270	.It Fn EVP_aead_aes_256_gcm
271	AES-256 in Galois Counter Mode, using a
272	.Fa key_len
273	of 32 bytes and a
274	.Fa nonce_len
275	of 12 bytes.
276	.It Fn EVP_aead_chacha20_poly1305
277	ChaCha20 with a Poly1305 authenticator, using a
278	.Fa key_len
279	of 32 bytes and a
280	.Fa nonce_len
281	of 12 bytes.
282	The constant
283	.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
284	specifies the length of the authentication tag in bytes and has a value of 16.
285	.It Fn EVP_aead_xchacha20_poly1305
286	XChaCha20 with a Poly1305 authenticator, using a
287	.Fa key_len
288	of 32 bytes and a
289	.Fa nonce_len
290	of 24 bytes.
291	.El
292	.Pp
293	Unless compatibility with other implementations
294	like OpenSSL or BoringSSL is required, using the
295	.Sy EVP_AEAD
296	interface to AEAD ciphers is recommended
297	in preference to the functions documented in the
298	.Xr EVP_EncryptInit 3 ,
299	.Xr EVP_aes_256_gcm 3 ,
300	and
301	.Xr EVP_chacha20_poly1305 3
302	manual pages.
303	The code then becomes transparent to the AEAD cipher used
304	and much more flexible.
305	It is also safer to use as it prevents common mistakes with the EVP APIs.
306	.Sh RETURN VALUES
307	.Fn EVP_AEAD_CTX_new
308	returns the new
309	.Vt EVP_AEAD_CTX
310	object on success;
311	otherwise
312	.Dv NULL
313	is returned and
314	.Va errno
315	is set to
316	.Er ENOMEM .
317	.Pp
318	.Fn EVP_AEAD_CTX_init ,
319	.Fn EVP_AEAD_CTX_open ,
320	and
321	.Fn EVP_AEAD_CTX_seal
322	return 1 for success or zero for failure.
323	.Pp
324	.Fn EVP_AEAD_key_length
325	returns the length of the key used for this AEAD.
326	.Pp
327	.Fn EVP_AEAD_max_overhead
328	returns the maximum number of additional bytes added by the act of
329	sealing data with the AEAD.
330	.Pp
331	.Fn EVP_AEAD_max_tag_len
332	returns the maximum tag length when using this AEAD.
333	.Pp
334	.Fn EVP_AEAD_nonce_length
335	returns the length of the per-message nonce.
336	.Sh EXAMPLES
337	Encrypt a string using ChaCha20-Poly1305:
338	.Bd -literal -offset indent
339	const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
340	static const unsigned char nonce[32] = {0};
341	size_t buf_len, nonce_len;
342	EVP_AEAD_CTX *ctx;
343
344	ctx = EVP_AEAD_CTX_new();
345	EVP_AEAD_CTX_init(ctx, aead, key32, EVP_AEAD_key_length(aead),
346	EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
347	nonce_len = EVP_AEAD_nonce_length(aead);
348
349	EVP_AEAD_CTX_seal(ctx, out, &out_len, BUFSIZE, nonce,
350	nonce_len, in, in_len, NULL, 0);
351
352	EVP_AEAD_CTX_free(ctx);
353	.Ed
354	.Sh SEE ALSO
355	.Xr evp 3 ,
356	.Xr EVP_EncryptInit 3
357	.Sh STANDARDS
358	.Rs
359	.%A A. Langley
360	.%A W. Chang
361	.%A N. Mavrogiannopoulos
362	.%A J. Strombergson
363	.%A S. Josefsson
364	.%D June 2016
365	.%R RFC 7905
366	.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
367	.Re
368	.Pp
369	.Rs
370	.%A S. Arciszewski
371	.%D October 2018
372	.%R draft-arciszewski-xchacha-02
373	.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
374	.Re
375	.Sh HISTORY
376	AEAD is based on the implementation by
377	.An Adam Langley
378	.\" OpenSSL commit 9a8646510b Sep 9 12:13:24 2013 -0400
379	for Chromium/BoringSSL and first appeared in
380	.Ox 5.6 .
381	.Pp
382	.Fn EVP_AEAD_CTX_new
383	and
384	.Fn EVP_AEAD_CTX_free
385	first appeared in
386	.Ox 7.1 .
387	.Sh CAVEATS
388	The original publications and code by
389	.An Adam Langley
390	used a modified AEAD construction that is incompatible with the common
391	style used by AEAD in TLS and incompatible with RFC 7905:
392	.Pp
393	.Rs
394	.%A A. Langley
395	.%A W. Chang
396	.%D November 2013
397	.%R draft-agl-tls-chacha20poly1305-04
398	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
399	.Re
400	.Pp
401	.Rs
402	.%A Y. Nir
403	.%A A. Langley
404	.%D June 2018
405	.%R RFC 8439
406	.%T ChaCha20 and Poly1305 for IETF Protocols
407	.Re
408	.Pp
409	In particular, the original version used a
410	.Fa nonce_len
411	of 8 bytes.