1 files changed, 39 insertions, 9 deletions
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
index 8d9ea068f9..0dcd7a14c2 100644
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.4 2023/08/23 13:46:42 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 21 2023 $
+.Dd $Mdocdate: August 23 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -114,6 +114,16 @@ objects created from
 .Pp
 .Fn EVP_chacha20_poly1305
 provides authenticated encryption with ChaCha20-Poly1305.
+Unless compatibility with other implementations
+like OpenSSL or BoringSSL is required, using
+.Xr EVP_AEAD_CTX_init 3
+with
+.Xr EVP_aead_chacha20_poly1305 3
+is recommended instead because the code then becomes transparent
+to the AEAD cipher used, more flexible, and less error prone.
+.Pp
+With
+.Fn EVP_chacha20_poly1305 ,
 .Xr EVP_EncryptInit_ex 3 ,
 .Xr EVP_DecryptInit_ex 3 ,
 and
@@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
 .Rs
 .%A A. Langley
 .%A W. Chang
+.%A N. Mavrogiannopoulos
+.%A J. Strombergson
+.%A S. Josefsson
+.%D June 2016
+.%R RFC 7905
+.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
+.Re
+.Sh HISTORY
+.Fn EVP_chacha20
+first appeared in
+.Ox 5.6 .
+.Pp
+.Fn EVP_chacha20_poly1305
+first appeared in OpenSSL 1.1.0
+.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
+and has been available since
+.Ox 7.2 .
+.Sh CAVEATS
+The original publications and code by
+.An Adam Langley
+used a modified AEAD construction that is incompatible with the common
+style used by AEAD in TLS and incompatible with RFC 7905:
+.Pp
+.Rs
+.%A A. Langley
+.%A W. Chang
 .%D November 2013
 .%R draft-agl-tls-chacha20poly1305-04
 .%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@@ -249,11 +285,5 @@ returns 1 for success or 0 for failure.
 .%R RFC 7539
 .%T ChaCha20 and Poly1305 for IETF Protocols
 .Re
-.Sh HISTORY
-.Fn EVP_chacha20
-first appeared in
-.Ox 5.6 .
 .Pp
-.Fn EVP_chacha20_poly1305
+In particular, the original version used a nonce of 8 instead of 12 bytes.
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .

diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3 index 8d9ea068f9..0dcd7a14c2 100644 --- a/src/lib/libcrypto/man/EVP_chacha20.3 +++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $	1	.\" $OpenBSD: EVP_chacha20.3,v 1.4 2023/08/23 13:46:42 schwarze Exp $
2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200	2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -65,7 +65,7 @@
65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
67	.\"	67	.\"
68	.Dd $Mdocdate: August 21 2023 $	68	.Dd $Mdocdate: August 23 2023 $
69	.Dt EVP_CHACHA20 3	69	.Dt EVP_CHACHA20 3
70	.Os	70	.Os
71	.Sh NAME	71	.Sh NAME
@@ -114,6 +114,16 @@ objects created from
114	.Pp	114	.Pp
115	.Fn EVP_chacha20_poly1305	115	.Fn EVP_chacha20_poly1305
116	provides authenticated encryption with ChaCha20-Poly1305.	116	provides authenticated encryption with ChaCha20-Poly1305.
		117	Unless compatibility with other implementations
		118	like OpenSSL or BoringSSL is required, using
		119	.Xr EVP_AEAD_CTX_init 3
		120	with
		121	.Xr EVP_aead_chacha20_poly1305 3
		122	is recommended instead because the code then becomes transparent
		123	to the AEAD cipher used, more flexible, and less error prone.
		124	.Pp
		125	With
		126	.Fn EVP_chacha20_poly1305 ,
117	.Xr EVP_EncryptInit_ex 3 ,	127	.Xr EVP_EncryptInit_ex 3 ,
118	.Xr EVP_DecryptInit_ex 3 ,	128	.Xr EVP_DecryptInit_ex 3 ,
119	and	129	and
@@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
237	.Rs	247	.Rs
238	.%A A. Langley	248	.%A A. Langley
239	.%A W. Chang	249	.%A W. Chang
		250	.%A N. Mavrogiannopoulos
		251	.%A J. Strombergson
		252	.%A S. Josefsson
		253	.%D June 2016
		254	.%R RFC 7905
		255	.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
		256	.Re
		257	.Sh HISTORY
		258	.Fn EVP_chacha20
		259	first appeared in
		260	.Ox 5.6 .
		261	.Pp
		262	.Fn EVP_chacha20_poly1305
		263	first appeared in OpenSSL 1.1.0
		264	.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
		265	and has been available since
		266	.Ox 7.2 .
		267	.Sh CAVEATS
		268	The original publications and code by
		269	.An Adam Langley
		270	used a modified AEAD construction that is incompatible with the common
		271	style used by AEAD in TLS and incompatible with RFC 7905:
		272	.Pp
		273	.Rs
		274	.%A A. Langley
		275	.%A W. Chang
240	.%D November 2013	276	.%D November 2013
241	.%R draft-agl-tls-chacha20poly1305-04	277	.%R draft-agl-tls-chacha20poly1305-04
242	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS	278	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@@ -249,11 +285,5 @@ returns 1 for success or 0 for failure.
249	.%R RFC 7539	285	.%R RFC 7539
250	.%T ChaCha20 and Poly1305 for IETF Protocols	286	.%T ChaCha20 and Poly1305 for IETF Protocols
251	.Re	287	.Re
252	.Sh HISTORY
253	.Fn EVP_chacha20
254	first appeared in
255	.Ox 5.6 .
256	.Pp	288	.Pp
257	.Fn EVP_chacha20_poly1305	289	In particular, the original version used a nonce of 8 instead of 12 bytes.
258	first appeared in OpenSSL 1.1.0 and has been available since
259	.Ox 7.2 .