1 files changed, 0 insertions, 292 deletions
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
deleted file mode 100644
index 8fc79dbf2b..0000000000
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ /dev/null
@@ -1,292 +0,0 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.8 2024/12/09 11:55:52 schwarze Exp $
-.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 9 2024 $
-.Dt EVP_CHACHA20 3
-.Os
-.Sh NAME
-.Nm EVP_chacha20 ,
-.Nm EVP_chacha20_poly1305
-.Nd ChaCha20 stream cipher for EVP
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_chacha20 void
-.Ft const EVP_CIPHER *
-.Fn EVP_chacha20_poly1305 void
-.Sh DESCRIPTION
-.Fn EVP_chacha20
-provides the ChaCha20 stream cipher in the EVP framework.
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3
-take a
-.Fa key
-argument of 32 bytes = 256 bits and an
-.Fa iv
-argument of 16 bytes = 128 bits, internally using
-.Xr ChaCha_set_key 3
-and
-.Xr ChaCha_set_iv 3 .
-The lower 8 bytes = 64 bits of
-.Fa iv
-are used as counter and the remaining 8 bytes are used as
-the initialization vector of
-.Xr ChaCha_set_iv 3 .
-.Xr EVP_EncryptUpdate 3 ,
-.Xr EVP_EncryptFinal_ex 3 ,
-.Xr EVP_DecryptUpdate 3 ,
-and
-.Xr EVP_DecryptFinal_ex 3
-internally use
-.Xr ChaCha 3
-to perform encryption and decryption.
-.Xr EVP_CIPHER_CTX_ctrl 3
-always fails for
-.Fa ctx
-objects created from
-.Fn EVP_chacha20 .
-.Pp
-.Fn EVP_chacha20_poly1305
-provides authenticated encryption with ChaCha20-Poly1305.
-Unless compatibility with other implementations
-like OpenSSL or BoringSSL is required, using
-.Xr EVP_AEAD_CTX_init 3
-with
-.Xr EVP_aead_chacha20_poly1305 3
-is recommended instead because the code then becomes transparent
-to the AEAD cipher used, more flexible, and less error prone.
-.Pp
-With
-.Fn EVP_chacha20_poly1305 ,
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3
-take a
-.Fa key
-argument of 32 bytes = 256 bits and an
-.Fa iv
-argument of 12 bytes = 96 bits.
-This supports additional authenticated data (AAD) and produces a 128-bit
-authentication tag.
-The constant
-.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
-specifies the length of the authentication tag in bytes and has a value of 16.
-.Pp
-The following
-.Fa type
-arguments are supported for
-.Xr EVP_CIPHER_CTX_ctrl 3 :
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_AEAD_GET_TAG
-Copy the number of bytes indicated by the
-.Fa arg
-argument from the tag to the location indicated by the
-.Fa ptr
-argument;
-to be called after
-.Xr EVP_EncryptFinal_ex 3 .
-This control operation fails if the
-.Fa ctx
-is not configured for encryption or if
-.Fa arg
-is less than 1 or greater than 16.
-.It Dv EVP_CTRL_AEAD_SET_TAG
-Copy the number of bytes indicated by the
-.Fa arg
-argument from the location indicated by the
-.Fa ptr
-argument and designate them as the expected tag length and tag,
-causing subsequent
-.Xr EVP_DecryptFinal_ex 3
-to fail if the tag calculated during decryption does not match.
-It is strongly recommended to specify
-.Fa arg
-as exactly 16.
-Otherwise, only the initial part of the tag may be compared
-and mismatches near the end of the tag may get silently ignored.
-This control operation fails if the
-.Fa ctx
-is configured for encryption or if
-.Fa arg
-is less than 1 or greater than 16.
-If the
-.Fa ptr
-argument is a
-.Dv NULL
-pointer, this control operation succeeds without having any effect.
-.It Dv EVP_CTRL_AEAD_SET_IV_FIXED
-Set the initialization vector by reading the 12 bytes pointed to by the
-.Fa ptr
-argument, independently of
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3 .
-This control operation fails if the
-.Fa arg
-argument is not exactly 12.
-.It Dv EVP_CTRL_AEAD_SET_IVLEN
-Instruct subsequent
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-or
-.Xr EVP_CipherInit_ex 3
-to expect an
-.Fa iv
-argument shorter than the default of 12 bytes; the
-.Fa arg
-argument specifies the number of bytes to be used.
-The initialization functions will only read
-the specified smaller number of bytes from
-.Fa iv
-and internally zero-pad them on the left.
-Using this is not recommended because it is likely more fragile
-and less often tested than the equivalent method of simply providing
-a full-sized
-.Fa iv .
-This control operation fails if
-.Fa arg
-is less than 1 or greater than 16.
-.It Dv EVP_CTRL_INIT
-Set the length of the initialization vector to the default value
-of 12 bytes and clear the Poly1305 internal state.
-The application program usually does not need to invoke this control
-operation manually because it is automatically called internally by
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3 .
-.El
-.Sh RETURN VALUES
-.Fn EVP_chacha20
-and
-.Fn EVP_chacha20_poly1305
-return pointers to static
-.Vt EVP_CIPHER
-objects that contain the implementations of the symmetric cipher.
-.Pp
-If
-.Fa ctx
-was created from
-.Fn EVP_chacha20
-or
-.Fn EVP_chacha20_poly1305 ,
-.Xr EVP_CIPHER_CTX_ctrl 3
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ChaCha 3 ,
-.Xr evp 3 ,
-.Xr EVP_aead_chacha20_poly1305 3 ,
-.Xr EVP_CIPHER_meth_new 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%A N. Mavrogiannopoulos
-.%A J. Strombergson
-.%A S. Josefsson
-.%D June 2016
-.%R RFC 7905
-.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
-.Re
-.Sh HISTORY
-.Fn EVP_chacha20
-first appeared in
-.Ox 5.6 .
-.Pp
-.Fn EVP_chacha20_poly1305
-first appeared in OpenSSL 1.1.0
-.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
-and has been available since
-.Ox 7.2 .
-.Sh CAVEATS
-The original publications and code by
-.An Adam Langley
-used a modified AEAD construction that is incompatible with the common
-style used by AEAD in TLS and incompatible with RFC 7905:
-.Pp
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%D November 2013
-.%R draft-agl-tls-chacha20poly1305-04
-.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
-.Re
-.Pp
-.Rs
-.%A Y. Nir
-.%A A. Langley
-.%D May 2018
-.%R RFC 8439
-.%T ChaCha20 and Poly1305 for IETF Protocols
-.Re
-.Pp
-In particular, the original version used a nonce of 8 instead of 12 bytes.

diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3 deleted file mode 100644 index 8fc79dbf2b..0000000000 --- a/src/lib/libcrypto/man/EVP_chacha20.3 +++ /dev/null
@@ -1,292 +0,0 @@
1	.\" $OpenBSD: EVP_chacha20.3,v 1.8 2024/12/09 11:55:52 schwarze Exp $
2	.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
3	.\"
4	.\" This file is a derived work.
5	.\" The changes are covered by the following Copyright and license:
6	.\"
7	.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
8	.\"
9	.\" Permission to use, copy, modify, and distribute this software for any
10	.\" purpose with or without fee is hereby granted, provided that the above
11	.\" copyright notice and this permission notice appear in all copies.
12	.\"
13	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20	.\"
21	.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
22	.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
23	.\"
24	.\" Redistribution and use in source and binary forms, with or without
25	.\" modification, are permitted provided that the following conditions
26	.\" are met:
27	.\"
28	.\" 1. Redistributions of source code must retain the above copyright
29	.\" notice, this list of conditions and the following disclaimer.
30	.\"
31	.\" 2. Redistributions in binary form must reproduce the above copyright
32	.\" notice, this list of conditions and the following disclaimer in
33	.\" the documentation and/or other materials provided with the
34	.\" distribution.
35	.\"
36	.\" 3. All advertising materials mentioning features or use of this
37	.\" software must display the following acknowledgment:
38	.\" "This product includes software developed by the OpenSSL Project
39	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
40	.\"
41	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
42	.\" endorse or promote products derived from this software without
43	.\" prior written permission. For written permission, please contact
44	.\" openssl-core@openssl.org.
45	.\"
46	.\" 5. Products derived from this software may not be called "OpenSSL"
47	.\" nor may "OpenSSL" appear in their names without prior written
48	.\" permission of the OpenSSL Project.
49	.\"
50	.\" 6. Redistributions of any form whatsoever must retain the following
51	.\" acknowledgment:
52	.\" "This product includes software developed by the OpenSSL Project
53	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
54	.\"
55	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
56	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
57	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
58	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
59	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
60	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
61	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
62	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
64	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
67	.\"
68	.Dd $Mdocdate: December 9 2024 $
69	.Dt EVP_CHACHA20 3
70	.Os
71	.Sh NAME
72	.Nm EVP_chacha20 ,
73	.Nm EVP_chacha20_poly1305
74	.Nd ChaCha20 stream cipher for EVP
75	.Sh SYNOPSIS
76	.In openssl/evp.h
77	.Ft const EVP_CIPHER *
78	.Fn EVP_chacha20 void
79	.Ft const EVP_CIPHER *
80	.Fn EVP_chacha20_poly1305 void
81	.Sh DESCRIPTION
82	.Fn EVP_chacha20
83	provides the ChaCha20 stream cipher in the EVP framework.
84	.Xr EVP_EncryptInit_ex 3 ,
85	.Xr EVP_DecryptInit_ex 3 ,
86	and
87	.Xr EVP_CipherInit_ex 3
88	take a
89	.Fa key
90	argument of 32 bytes = 256 bits and an
91	.Fa iv
92	argument of 16 bytes = 128 bits, internally using
93	.Xr ChaCha_set_key 3
94	and
95	.Xr ChaCha_set_iv 3 .
96	The lower 8 bytes = 64 bits of
97	.Fa iv
98	are used as counter and the remaining 8 bytes are used as
99	the initialization vector of
100	.Xr ChaCha_set_iv 3 .
101	.Xr EVP_EncryptUpdate 3 ,
102	.Xr EVP_EncryptFinal_ex 3 ,
103	.Xr EVP_DecryptUpdate 3 ,
104	and
105	.Xr EVP_DecryptFinal_ex 3
106	internally use
107	.Xr ChaCha 3
108	to perform encryption and decryption.
109	.Xr EVP_CIPHER_CTX_ctrl 3
110	always fails for
111	.Fa ctx
112	objects created from
113	.Fn EVP_chacha20 .
114	.Pp
115	.Fn EVP_chacha20_poly1305
116	provides authenticated encryption with ChaCha20-Poly1305.
117	Unless compatibility with other implementations
118	like OpenSSL or BoringSSL is required, using
119	.Xr EVP_AEAD_CTX_init 3
120	with
121	.Xr EVP_aead_chacha20_poly1305 3
122	is recommended instead because the code then becomes transparent
123	to the AEAD cipher used, more flexible, and less error prone.
124	.Pp
125	With
126	.Fn EVP_chacha20_poly1305 ,
127	.Xr EVP_EncryptInit_ex 3 ,
128	.Xr EVP_DecryptInit_ex 3 ,
129	and
130	.Xr EVP_CipherInit_ex 3
131	take a
132	.Fa key
133	argument of 32 bytes = 256 bits and an
134	.Fa iv
135	argument of 12 bytes = 96 bits.
136	This supports additional authenticated data (AAD) and produces a 128-bit
137	authentication tag.
138	The constant
139	.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
140	specifies the length of the authentication tag in bytes and has a value of 16.
141	.Pp
142	The following
143	.Fa type
144	arguments are supported for
145	.Xr EVP_CIPHER_CTX_ctrl 3 :
146	.Bl -tag -width Ds
147	.It Dv EVP_CTRL_AEAD_GET_TAG
148	Copy the number of bytes indicated by the
149	.Fa arg
150	argument from the tag to the location indicated by the
151	.Fa ptr
152	argument;
153	to be called after
154	.Xr EVP_EncryptFinal_ex 3 .
155	This control operation fails if the
156	.Fa ctx
157	is not configured for encryption or if
158	.Fa arg
159	is less than 1 or greater than 16.
160	.It Dv EVP_CTRL_AEAD_SET_TAG
161	Copy the number of bytes indicated by the
162	.Fa arg
163	argument from the location indicated by the
164	.Fa ptr
165	argument and designate them as the expected tag length and tag,
166	causing subsequent
167	.Xr EVP_DecryptFinal_ex 3
168	to fail if the tag calculated during decryption does not match.
169	It is strongly recommended to specify
170	.Fa arg
171	as exactly 16.
172	Otherwise, only the initial part of the tag may be compared
173	and mismatches near the end of the tag may get silently ignored.
174	This control operation fails if the
175	.Fa ctx
176	is configured for encryption or if
177	.Fa arg
178	is less than 1 or greater than 16.
179	If the
180	.Fa ptr
181	argument is a
182	.Dv NULL
183	pointer, this control operation succeeds without having any effect.
184	.It Dv EVP_CTRL_AEAD_SET_IV_FIXED
185	Set the initialization vector by reading the 12 bytes pointed to by the
186	.Fa ptr
187	argument, independently of
188	.Xr EVP_EncryptInit_ex 3 ,
189	.Xr EVP_DecryptInit_ex 3 ,
190	and
191	.Xr EVP_CipherInit_ex 3 .
192	This control operation fails if the
193	.Fa arg
194	argument is not exactly 12.
195	.It Dv EVP_CTRL_AEAD_SET_IVLEN
196	Instruct subsequent
197	.Xr EVP_EncryptInit_ex 3 ,
198	.Xr EVP_DecryptInit_ex 3 ,
199	or
200	.Xr EVP_CipherInit_ex 3
201	to expect an
202	.Fa iv
203	argument shorter than the default of 12 bytes; the
204	.Fa arg
205	argument specifies the number of bytes to be used.
206	The initialization functions will only read
207	the specified smaller number of bytes from
208	.Fa iv
209	and internally zero-pad them on the left.
210	Using this is not recommended because it is likely more fragile
211	and less often tested than the equivalent method of simply providing
212	a full-sized
213	.Fa iv .
214	This control operation fails if
215	.Fa arg
216	is less than 1 or greater than 16.
217	.It Dv EVP_CTRL_INIT
218	Set the length of the initialization vector to the default value
219	of 12 bytes and clear the Poly1305 internal state.
220	The application program usually does not need to invoke this control
221	operation manually because it is automatically called internally by
222	.Xr EVP_EncryptInit_ex 3 ,
223	.Xr EVP_DecryptInit_ex 3 ,
224	and
225	.Xr EVP_CipherInit_ex 3 .
226	.El
227	.Sh RETURN VALUES
228	.Fn EVP_chacha20
229	and
230	.Fn EVP_chacha20_poly1305
231	return pointers to static
232	.Vt EVP_CIPHER
233	objects that contain the implementations of the symmetric cipher.
234	.Pp
235	If
236	.Fa ctx
237	was created from
238	.Fn EVP_chacha20
239	or
240	.Fn EVP_chacha20_poly1305 ,
241	.Xr EVP_CIPHER_CTX_ctrl 3
242	returns 1 for success or 0 for failure.
243	.Sh SEE ALSO
244	.Xr ChaCha 3 ,
245	.Xr evp 3 ,
246	.Xr EVP_aead_chacha20_poly1305 3 ,
247	.Xr EVP_CIPHER_meth_new 3 ,
248	.Xr EVP_EncryptInit 3
249	.Sh STANDARDS
250	.Rs
251	.%A A. Langley
252	.%A W. Chang
253	.%A N. Mavrogiannopoulos
254	.%A J. Strombergson
255	.%A S. Josefsson
256	.%D June 2016
257	.%R RFC 7905
258	.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
259	.Re
260	.Sh HISTORY
261	.Fn EVP_chacha20
262	first appeared in
263	.Ox 5.6 .
264	.Pp
265	.Fn EVP_chacha20_poly1305
266	first appeared in OpenSSL 1.1.0
267	.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
268	and has been available since
269	.Ox 7.2 .
270	.Sh CAVEATS
271	The original publications and code by
272	.An Adam Langley
273	used a modified AEAD construction that is incompatible with the common
274	style used by AEAD in TLS and incompatible with RFC 7905:
275	.Pp
276	.Rs
277	.%A A. Langley
278	.%A W. Chang
279	.%D November 2013
280	.%R draft-agl-tls-chacha20poly1305-04
281	.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
282	.Re
283	.Pp
284	.Rs
285	.%A Y. Nir
286	.%A A. Langley
287	.%D May 2018
288	.%R RFC 8439
289	.%T ChaCha20 and Poly1305 for IETF Protocols
290	.Re
291	.Pp
292	In particular, the original version used a nonce of 8 instead of 12 bytes.