1=pod 2 3=head1 NAME 4 5EVP_CIPHER_fetch, 6EVP_CIPHER_up_ref, 7EVP_CIPHER_free, 8EVP_CIPHER_CTX_new, 9EVP_CIPHER_CTX_reset, 10EVP_CIPHER_CTX_free, 11EVP_EncryptInit_ex, 12EVP_EncryptInit_ex2, 13EVP_EncryptUpdate, 14EVP_EncryptFinal_ex, 15EVP_DecryptInit_ex, 16EVP_DecryptInit_ex2, 17EVP_DecryptUpdate, 18EVP_DecryptFinal_ex, 19EVP_CipherInit_ex, 20EVP_CipherInit_ex2, 21EVP_CipherUpdate, 22EVP_CipherFinal_ex, 23EVP_CIPHER_CTX_set_key_length, 24EVP_CIPHER_CTX_ctrl, 25EVP_EncryptInit, 26EVP_EncryptFinal, 27EVP_DecryptInit, 28EVP_DecryptFinal, 29EVP_CipherInit, 30EVP_CipherFinal, 31EVP_Cipher, 32EVP_get_cipherbyname, 33EVP_get_cipherbynid, 34EVP_get_cipherbyobj, 35EVP_CIPHER_is_a, 36EVP_CIPHER_get0_name, 37EVP_CIPHER_get0_description, 38EVP_CIPHER_names_do_all, 39EVP_CIPHER_get0_provider, 40EVP_CIPHER_get_nid, 41EVP_CIPHER_get_params, 42EVP_CIPHER_gettable_params, 43EVP_CIPHER_get_block_size, 44EVP_CIPHER_get_key_length, 45EVP_CIPHER_get_iv_length, 46EVP_CIPHER_get_flags, 47EVP_CIPHER_get_mode, 48EVP_CIPHER_get_type, 49EVP_CIPHER_CTX_cipher, 50EVP_CIPHER_CTX_get0_cipher, 51EVP_CIPHER_CTX_get1_cipher, 52EVP_CIPHER_CTX_get0_name, 53EVP_CIPHER_CTX_get_nid, 54EVP_CIPHER_CTX_get_params, 55EVP_CIPHER_gettable_ctx_params, 56EVP_CIPHER_CTX_gettable_params, 57EVP_CIPHER_CTX_set_params, 58EVP_CIPHER_settable_ctx_params, 59EVP_CIPHER_CTX_settable_params, 60EVP_CIPHER_CTX_get_block_size, 61EVP_CIPHER_CTX_get_key_length, 62EVP_CIPHER_CTX_get_iv_length, 63EVP_CIPHER_CTX_get_tag_length, 64EVP_CIPHER_CTX_get_app_data, 65EVP_CIPHER_CTX_set_app_data, 66EVP_CIPHER_CTX_flags, 67EVP_CIPHER_CTX_set_flags, 68EVP_CIPHER_CTX_clear_flags, 69EVP_CIPHER_CTX_test_flags, 70EVP_CIPHER_CTX_get_type, 71EVP_CIPHER_CTX_get_mode, 72EVP_CIPHER_CTX_get_num, 73EVP_CIPHER_CTX_set_num, 74EVP_CIPHER_CTX_is_encrypting, 75EVP_CIPHER_param_to_asn1, 76EVP_CIPHER_asn1_to_param, 77EVP_CIPHER_CTX_set_padding, 78EVP_enc_null, 79EVP_CIPHER_do_all_provided, 80EVP_CIPHER_nid, 81EVP_CIPHER_name, 82EVP_CIPHER_block_size, 83EVP_CIPHER_key_length, 84EVP_CIPHER_iv_length, 85EVP_CIPHER_flags, 86EVP_CIPHER_mode, 87EVP_CIPHER_type, 88EVP_CIPHER_CTX_encrypting, 89EVP_CIPHER_CTX_nid, 90EVP_CIPHER_CTX_block_size, 91EVP_CIPHER_CTX_key_length, 92EVP_CIPHER_CTX_iv_length, 93EVP_CIPHER_CTX_tag_length, 94EVP_CIPHER_CTX_num, 95EVP_CIPHER_CTX_type, 96EVP_CIPHER_CTX_mode 97- EVP cipher routines 98 99=head1 SYNOPSIS 100 101=for openssl generic 102 103 #include <openssl/evp.h> 104 105 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, 106 const char *properties); 107 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher); 108 void EVP_CIPHER_free(EVP_CIPHER *cipher); 109 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); 110 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx); 111 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); 112 113 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 114 ENGINE *impl, const unsigned char *key, const unsigned char *iv); 115 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 116 const unsigned char *key, const unsigned char *iv, 117 const OSSL_PARAM params[]); 118 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, 119 int *outl, const unsigned char *in, int inl); 120 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); 121 122 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 123 ENGINE *impl, const unsigned char *key, const unsigned char *iv); 124 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 125 const unsigned char *key, const unsigned char *iv, 126 const OSSL_PARAM params[]); 127 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, 128 int *outl, const unsigned char *in, int inl); 129 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); 130 131 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 132 ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); 133 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 134 const unsigned char *key, const unsigned char *iv, 135 int enc, const OSSL_PARAM params[]); 136 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, 137 int *outl, const unsigned char *in, int inl); 138 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); 139 140 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 141 const unsigned char *key, const unsigned char *iv); 142 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); 143 144 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 145 const unsigned char *key, const unsigned char *iv); 146 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); 147 148 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 149 const unsigned char *key, const unsigned char *iv, int enc); 150 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); 151 152 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 153 const unsigned char *in, unsigned int inl); 154 155 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding); 156 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); 157 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2); 158 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key); 159 void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); 160 void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); 161 int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); 162 163 const EVP_CIPHER *EVP_get_cipherbyname(const char *name); 164 const EVP_CIPHER *EVP_get_cipherbynid(int nid); 165 const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a); 166 167 int EVP_CIPHER_get_nid(const EVP_CIPHER *e); 168 int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name); 169 int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, 170 void (*fn)(const char *name, void *data), 171 void *data); 172 const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher); 173 const char *EVP_CIPHER_get0_description(const EVP_CIPHER *cipher); 174 const OSSL_PROVIDER *EVP_CIPHER_get0_provider(const EVP_CIPHER *cipher); 175 int EVP_CIPHER_get_block_size(const EVP_CIPHER *e); 176 int EVP_CIPHER_get_key_length(const EVP_CIPHER *e); 177 int EVP_CIPHER_get_iv_length(const EVP_CIPHER *e); 178 unsigned long EVP_CIPHER_get_flags(const EVP_CIPHER *e); 179 unsigned long EVP_CIPHER_get_mode(const EVP_CIPHER *e); 180 int EVP_CIPHER_get_type(const EVP_CIPHER *cipher); 181 182 const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx); 183 EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx); 184 int EVP_CIPHER_CTX_get_nid(const EVP_CIPHER_CTX *ctx); 185 const char *EVP_CIPHER_CTX_get0_name(const EVP_CIPHER_CTX *ctx); 186 187 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]); 188 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]); 189 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]); 190 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher); 191 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher); 192 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher); 193 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx); 194 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx); 195 int EVP_CIPHER_CTX_get_block_size(const EVP_CIPHER_CTX *ctx); 196 int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx); 197 int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx); 198 int EVP_CIPHER_CTX_get_tag_length(const EVP_CIPHER_CTX *ctx); 199 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); 200 void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data); 201 int EVP_CIPHER_CTX_get_type(const EVP_CIPHER_CTX *ctx); 202 int EVP_CIPHER_CTX_get_mode(const EVP_CIPHER_CTX *ctx); 203 int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx); 204 int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num); 205 int EVP_CIPHER_CTX_is_encrypting(const EVP_CIPHER_CTX *ctx); 206 207 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); 208 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); 209 210 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx, 211 void (*fn)(EVP_CIPHER *cipher, void *arg), 212 void *arg); 213 214 #define EVP_CIPHER_nid EVP_CIPHER_get_nid 215 #define EVP_CIPHER_name EVP_CIPHER_get0_name 216 #define EVP_CIPHER_block_size EVP_CIPHER_get_block_size 217 #define EVP_CIPHER_key_length EVP_CIPHER_get_key_length 218 #define EVP_CIPHER_iv_length EVP_CIPHER_get_iv_length 219 #define EVP_CIPHER_flags EVP_CIPHER_get_flags 220 #define EVP_CIPHER_mode EVP_CIPHER_get_mode 221 #define EVP_CIPHER_type EVP_CIPHER_get_type 222 #define EVP_CIPHER_CTX_encrypting EVP_CIPHER_CTX_is_encrypting 223 #define EVP_CIPHER_CTX_nid EVP_CIPHER_CTX_get_nid 224 #define EVP_CIPHER_CTX_block_size EVP_CIPHER_CTX_get_block_size 225 #define EVP_CIPHER_CTX_key_length EVP_CIPHER_CTX_get_key_length 226 #define EVP_CIPHER_CTX_iv_length EVP_CIPHER_CTX_get_iv_length 227 #define EVP_CIPHER_CTX_tag_length EVP_CIPHER_CTX_get_tag_length 228 #define EVP_CIPHER_CTX_num EVP_CIPHER_CTX_get_num 229 #define EVP_CIPHER_CTX_type EVP_CIPHER_CTX_get_type 230 #define EVP_CIPHER_CTX_mode EVP_CIPHER_CTX_get_mode 231 232The following function has been deprecated since OpenSSL 3.0, and can be 233hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, 234see L<openssl_user_macros(7)>: 235 236 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); 237 238The following function has been deprecated since OpenSSL 1.1.0, and can be 239hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, 240see L<openssl_user_macros(7)>: 241 242 int EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); 243 244=head1 DESCRIPTION 245 246The EVP cipher routines are a high-level interface to certain 247symmetric ciphers. 248 249The B<EVP_CIPHER> type is a structure for cipher method implementation. 250 251=over 4 252 253=item EVP_CIPHER_fetch() 254 255Fetches the cipher implementation for the given I<algorithm> from any provider 256offering it, within the criteria given by the I<properties>. 257See L<crypto(7)/ALGORITHM FETCHING> for further information. 258 259The returned value must eventually be freed with EVP_CIPHER_free(). 260 261Fetched B<EVP_CIPHER> structures are reference counted. 262 263=item EVP_CIPHER_up_ref() 264 265Increments the reference count for an B<EVP_CIPHER> structure. 266 267=item EVP_CIPHER_free() 268 269Decrements the reference count for the fetched B<EVP_CIPHER> structure. 270If the reference count drops to 0 then the structure is freed. 271 272=item EVP_CIPHER_CTX_new() 273 274Allocates and returns a cipher context. 275 276=item EVP_CIPHER_CTX_free() 277 278Clears all information from a cipher context and frees any allocated memory 279associated with it, including I<ctx> itself. This function should be called after 280all operations using a cipher are complete so sensitive information does not 281remain in memory. 282 283=item EVP_CIPHER_CTX_ctrl() 284 285I<This is a legacy method.> EVP_CIPHER_CTX_set_params() and 286EVP_CIPHER_CTX_get_params() is the mechanism that should be used to set and get 287parameters that are used by providers. 288 289Performs cipher-specific control actions on context I<ctx>. The control command 290is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>. 291EVP_CIPHER_CTX_ctrl() must be called after EVP_CipherInit_ex2(). Other restrictions 292may apply depending on the control type and cipher implementation. 293 294If this function happens to be used with a fetched B<EVP_CIPHER>, it will 295translate the controls that are known to OpenSSL into L<OSSL_PARAM(3)> 296parameters with keys defined by OpenSSL and call EVP_CIPHER_CTX_get_params() or 297EVP_CIPHER_CTX_set_params() as is appropriate for each control command. 298 299See L</CONTROLS> below for more information, including what translations are 300being done. 301 302=item EVP_CIPHER_get_params() 303 304Retrieves the requested list of algorithm I<params> from a CIPHER I<cipher>. 305See L</PARAMETERS> below for more information. 306 307=item EVP_CIPHER_CTX_get_params() 308 309Retrieves the requested list of I<params> from CIPHER context I<ctx>. 310See L</PARAMETERS> below for more information. 311 312=item EVP_CIPHER_CTX_set_params() 313 314Sets the list of I<params> into a CIPHER context I<ctx>. 315See L</PARAMETERS> below for more information. 316 317=item EVP_CIPHER_gettable_params() 318 319Get a constant B<OSSL_PARAM> array that describes the retrievable parameters 320that can be used with EVP_CIPHER_get_params(). See L<OSSL_PARAM(3)> for the 321use of B<OSSL_PARAM> as a parameter descriptor. 322 323=item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params() 324 325Get a constant B<OSSL_PARAM> array that describes the retrievable parameters 326that can be used with EVP_CIPHER_CTX_get_params(). 327EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved 328from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the 329parameters that can be retrieved in the context's current state. 330See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor. 331 332=item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params() 333 334Get a constant B<OSSL_PARAM> array that describes the settable parameters 335that can be used with EVP_CIPHER_CTX_set_params(). 336EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the 337algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that 338can be set in the context's current state. 339See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor. 340 341=item EVP_EncryptInit_ex2() 342 343Sets up cipher context I<ctx> for encryption with cipher I<type>. I<type> is 344typically supplied by calling EVP_CIPHER_fetch(). I<type> may also be set 345using legacy functions such as EVP_aes_256_cbc(), but this is not recommended 346for new applications. I<key> is the symmetric key to use and I<iv> is the IV to 347use (if necessary), the actual number of bytes used for the key and IV depends 348on the cipher. The parameters I<params> will be set on the context after 349initialisation. It is possible to set all parameters to NULL except I<type> in 350an initial call and supply the remaining parameters in subsequent calls, all of 351which have I<type> set to NULL. This is done when the default cipher parameters 352are not appropriate. 353For B<EVP_CIPH_GCM_MODE> the IV will be generated internally if it is not 354specified. 355 356=item EVP_EncryptInit_ex() 357 358This legacy function is similar to EVP_EncryptInit_ex2() when I<impl> is NULL. 359The implementation of the I<type> from the I<impl> engine will be used if it 360exists. 361 362=item EVP_EncryptUpdate() 363 364Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to 365I<out>. This function can be called multiple times to encrypt successive blocks 366of data. The amount of data written depends on the block alignment of the 367encrypted data. 368For most ciphers and modes, the amount of data written can be anything 369from zero bytes to (inl + cipher_block_size - 1) bytes. 370For wrap cipher modes, the amount of data written can be anything 371from zero bytes to (inl + cipher_block_size) bytes. 372For stream ciphers, the amount of data written can be anything from zero 373bytes to inl bytes. 374Thus, I<out> should contain sufficient room for the operation being performed. 375The actual number of bytes written is placed in I<outl>. It also 376checks if I<in> and I<out> are partially overlapping, and if they are 3770 is returned to indicate failure. 378 379If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts 380the "final" data, that is any data that remains in a partial block. 381It uses standard block padding (aka PKCS padding) as described in 382the NOTES section, below. The encrypted 383final data is written to I<out> which should have sufficient space for 384one cipher block. The number of bytes written is placed in I<outl>. After 385this function is called the encryption operation is finished and no further 386calls to EVP_EncryptUpdate() should be made. 387 388If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more 389data and it will return an error if any data remains in a partial block: 390that is if the total data length is not a multiple of the block size. 391 392=item EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate() 393and EVP_DecryptFinal_ex() 394 395These functions are the corresponding decryption operations. 396EVP_DecryptFinal() will return an error code if padding is enabled and the 397final block is not correctly formatted. The parameters and restrictions are 398identical to the encryption operations except that if padding is enabled the 399decrypted data buffer I<out> passed to EVP_DecryptUpdate() should have 400sufficient room for (I<inl> + cipher_block_size) bytes unless the cipher block 401size is 1 in which case I<inl> bytes is sufficient. 402 403=item EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and 404EVP_CipherFinal_ex() 405 406These functions can be used for decryption or encryption. The operation 407performed depends on the value of the I<enc> parameter. It should be set to 1 408for encryption, 0 for decryption and -1 to leave the value unchanged 409(the actual value of 'enc' being supplied in a previous call). 410 411=item EVP_CIPHER_CTX_reset() 412 413Clears all information from a cipher context and free up any allocated memory 414associated with it, except the I<ctx> itself. This function should be called 415anytime I<ctx> is reused by another 416EVP_CipherInit() / EVP_CipherUpdate() / EVP_CipherFinal() series of calls. 417 418=item EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() 419 420Behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex() and 421EVP_CipherInit_ex() except if the I<type> is not a fetched cipher they use the 422default implementation of the I<type>. 423 424=item EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() 425 426Identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and 427EVP_CipherFinal_ex(). In previous releases they also cleaned up 428the I<ctx>, but this is no longer done and EVP_CIPHER_CTX_cleanup() 429must be called to free any context resources. 430 431=item EVP_Cipher() 432 433Encrypts or decrypts a maximum I<inl> amount of bytes from I<in> and leaves the 434result in I<out>. 435 436For legacy ciphers - If the cipher doesn't have the flag 437B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set, then I<inl> must be a multiple of 438EVP_CIPHER_get_block_size(). If it isn't, the result is undefined. If the cipher 439has that flag set, then I<inl> can be any size. 440 441Due to the constraints of the API contract of this function it shouldn't be used 442in applications, please consider using EVP_CipherUpdate() and 443EVP_CipherFinal_ex() instead. 444 445=item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() 446 447Returns an B<EVP_CIPHER> structure when passed a cipher name, a cipher B<NID> or 448an B<ASN1_OBJECT> structure respectively. 449 450EVP_get_cipherbyname() will return NULL for algorithms such as "AES-128-SIV", 451"AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only 452accessible via low level interfaces. 453 454The EVP_get_cipherbyname() function is present for backwards compatibility with 455OpenSSL prior to version 3 and is different to the EVP_CIPHER_fetch() function 456since it does not attempt to "fetch" an implementation of the cipher. 457Additionally, it only knows about ciphers that are built-in to OpenSSL and have 458an associated NID. Similarly EVP_get_cipherbynid() and EVP_get_cipherbyobj() 459also return objects without an associated implementation. 460 461When the cipher objects returned by these functions are used (such as in a call 462to EVP_EncryptInit_ex()) an implementation of the cipher will be implicitly 463fetched from the loaded providers. This fetch could fail if no suitable 464implementation is available. Use EVP_CIPHER_fetch() instead to explicitly fetch 465the algorithm and an associated implementation from a provider. 466 467See L<crypto(7)/ALGORITHM FETCHING> for more information about fetching. 468 469The cipher objects returned from these functions do not need to be freed with 470EVP_CIPHER_free(). 471 472=item EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() 473 474Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> 475structure. The actual NID value is an internal value which may not have a 476corresponding OBJECT IDENTIFIER. 477 478=item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags() 479 480Sets, clears and tests I<ctx> flags. See L</FLAGS> below for more information. 481 482For provided ciphers EVP_CIPHER_CTX_set_flags() should be called only after the 483fetched cipher has been assigned to the I<ctx>. It is recommended to use 484L</PARAMETERS> instead. 485 486=item EVP_CIPHER_CTX_set_padding() 487 488Enables or disables padding. This function should be called after the context 489is set up for encryption or decryption with EVP_EncryptInit_ex2(), 490EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(). By default encryption operations 491are padded using standard block padding and the padding is checked and removed 492when decrypting. If the I<pad> parameter is zero then no padding is 493performed, the total amount of data encrypted or decrypted must then 494be a multiple of the block size or an error will occur. 495 496=item EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length() 497 498Return the key length of a cipher when passed an B<EVP_CIPHER> or 499B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum 500key length for all ciphers. Note: although EVP_CIPHER_get_key_length() is fixed for 501a given cipher, the value of EVP_CIPHER_CTX_get_key_length() may be different for 502variable key length ciphers. 503 504=item EVP_CIPHER_CTX_set_key_length() 505 506Sets the key length of the cipher context. 507If the cipher is a fixed length cipher then attempting to set the key 508length to any value other than the fixed value is an error. 509 510=item EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() 511 512Return the IV length of a cipher when passed an B<EVP_CIPHER> or 513B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV. 514The constant B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers. 515 516=item EVP_CIPHER_CTX_get_tag_length() 517 518Returns the tag length of an AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will 519return zero if the cipher does not support a tag. It returns a default value if 520the tag length has not been set. 521 522=item EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size() 523 524Return the block size of a cipher when passed an B<EVP_CIPHER> or 525B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the 526maximum block length for all ciphers. 527 528=item EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() 529 530Return the type of the passed cipher or context. This "type" is the actual NID 531of the cipher OBJECT IDENTIFIER and as such it ignores the cipher parameters 532(40 bit RC2 and 128 bit RC2 have the same NID). If the cipher does not have an 533object identifier or does not have ASN1 support this function will return 534B<NID_undef>. 535 536=item EVP_CIPHER_is_a() 537 538Returns 1 if I<cipher> is an implementation of an algorithm that's identifiable 539with I<name>, otherwise 0. If I<cipher> is a legacy cipher (it's the return 540value from the likes of EVP_aes128() rather than the result of an 541EVP_CIPHER_fetch()), only cipher names registered with the default library 542context (see L<OSSL_LIB_CTX(3)>) will be considered. 543 544=item EVP_CIPHER_get0_name() and EVP_CIPHER_CTX_get0_name() 545 546Return the name of the passed cipher or context. For fetched ciphers with 547multiple names, only one of them is returned. See also EVP_CIPHER_names_do_all(). 548 549=item EVP_CIPHER_names_do_all() 550 551Traverses all names for the I<cipher>, and calls I<fn> with each name and 552I<data>. This is only useful with fetched B<EVP_CIPHER>s. 553 554=item EVP_CIPHER_get0_description() 555 556Returns a description of the cipher, meant for display and human consumption. 557The description is at the discretion of the cipher implementation. 558 559=item EVP_CIPHER_get0_provider() 560 561Returns an B<OSSL_PROVIDER> pointer to the provider that implements the given 562B<EVP_CIPHER>. 563 564=item EVP_CIPHER_CTX_get0_cipher() 565 566Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure. 567EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to 568the caller. 569 570=item EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode() 571 572Return the block cipher mode: 573EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, 574EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, 575EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE. 576If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned. 577 578=item EVP_CIPHER_get_flags() 579 580Returns any flags associated with the cipher. See L</FLAGS> 581for a list of currently defined flags. 582 583=item EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num() 584 585Gets or sets the cipher specific "num" parameter for the associated I<ctx>. 586Built-in ciphers typically use this to track how much of the current underlying block 587has been "used" already. 588 589=item EVP_CIPHER_CTX_is_encrypting() 590 591Reports whether the I<ctx> is being used for encryption or decryption. 592 593=item EVP_CIPHER_CTX_flags() 594 595A deprecated macro calling C<EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))>. 596Do not use. 597 598=item EVP_CIPHER_param_to_asn1() 599 600Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will 601typically include any parameters and an IV. The cipher IV (if any) must be set 602when this call is made. This call should be made before the cipher is actually 603"used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). 604This function may fail if the cipher does not have any ASN1 support. 605 606=item EVP_CIPHER_asn1_to_param() 607 608Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter". 609The precise effect depends on the cipher. In the case of B<RC2>, for example, 610it will set the IV and effective key length. 611This function should be called after the base cipher type is set but before 612the key is set. For example EVP_CipherInit() will be called with the IV and 613key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally 614EVP_CipherInit() again with all parameters except the key set to NULL. It is 615possible for this function to fail if the cipher does not have any ASN1 support 616or the parameters cannot be set (for example the RC2 effective key length 617is not supported. 618 619=item EVP_CIPHER_CTX_rand_key() 620 621Generates a random key of the appropriate length based on the cipher context. 622The B<EVP_CIPHER> can provide its own random key generation routine to support 623keys of a specific form. I<key> must point to a buffer at least as big as the 624value returned by EVP_CIPHER_CTX_get_key_length(). 625 626=item EVP_CIPHER_do_all_provided() 627 628Traverses all ciphers implemented by all activated providers in the given 629library context I<libctx>, and for each of the implementations, calls the given 630function I<fn> with the implementation method and the given I<arg> as argument. 631 632=back 633 634=head1 PARAMETERS 635 636See L<OSSL_PARAM(3)> for information about passing parameters. 637 638=head2 Gettable EVP_CIPHER parameters 639 640When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params() 641and caches the results. 642 643EVP_CIPHER_get_params() can be used with the following B<OSSL_PARAM> keys: 644 645=over 4 646 647=item "mode" (B<OSSL_CIPHER_PARAM_MODE>) <unsigned integer> 648 649Gets the mode for the associated cipher algorithm I<cipher>. 650See L</EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()> for a list of valid modes. 651Use EVP_CIPHER_get_mode() to retrieve the cached value. 652 653=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer> 654 655Gets the key length for the associated cipher algorithm I<cipher>. 656Use EVP_CIPHER_get_key_length() to retrieve the cached value. 657 658=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) <unsigned integer> 659 660Gets the IV length for the associated cipher algorithm I<cipher>. 661Use EVP_CIPHER_get_iv_length() to retrieve the cached value. 662 663=item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer> 664 665Gets the block size for the associated cipher algorithm I<cipher>. 666The block size should be 1 for stream ciphers. 667Note that the block size for a cipher may be different to the block size for 668the underlying encryption/decryption primitive. 669For example AES in CTR mode has a block size of 1 (because it operates like a 670stream cipher), even though AES has a block size of 16. 671Use EVP_CIPHER_get_block_size() to retreive the cached value. 672 673=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer> 674 675Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0. 676Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the 677cached value. 678 679=item "custom-iv" (B<OSSL_CIPHER_PARAM_CUSTOM_IV>) <integer> 680 681Gets 1 if the cipher algorithm I<cipher> has a custom IV, otherwise it gets 0. 682Storing and initializing the IV is left entirely to the implementation, if a 683custom IV is used. 684Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the 685cached value. 686 687=item "cts" (B<OSSL_CIPHER_PARAM_CTS>) <integer> 688 689Gets 1 if the cipher algorithm I<cipher> uses ciphertext stealing, 690otherwise it gets 0. 691This is currently used to indicate that the cipher is a one shot that only 692allows a single call to EVP_CipherUpdate(). 693Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the 694cached value. 695 696=item "tls-multi" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK>) <integer> 697 698Gets 1 if the cipher algorithm I<cipher> supports interleaving of crypto blocks, 699otherwise it gets 0. The interleaving is an optimization only applicable to certain 700TLS ciphers. 701Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the 702cached value. 703 704=item "has-randkey" (B<OSSL_CIPHER_PARAM_HAS_RANDKEY>) <integer> 705 706Gets 1 if the cipher algorithm I<cipher> supports the gettable EVP_CIPHER_CTX 707parameter B<OSSL_CIPHER_PARAM_RANDOM_KEY>. Only DES and 3DES set this to 1, 708all other OpenSSL ciphers return 0. 709 710=back 711 712=head2 Gettable and Settable EVP_CIPHER_CTX parameters 713 714The following B<OSSL_PARAM> keys can be used with both EVP_CIPHER_CTX_get_params() 715and EVP_CIPHER_CTX_set_params(). 716 717=over 4 718 719=item "padding" (B<OSSL_CIPHER_PARAM_PADDING>) <unsigned integer> 720 721Gets or sets the padding mode for the cipher context I<ctx>. 722Padding is enabled if the value is 1, and disabled if the value is 0. 723See also EVP_CIPHER_CTX_set_padding(). 724 725=item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer> 726 727Gets or sets the cipher specific "num" parameter for the cipher context I<ctx>. 728Built-in ciphers typically use this to track how much of the current underlying 729block has been "used" already. 730See also EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num(). 731 732=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer> 733 734Gets or sets the key length for the cipher context I<ctx>. 735The length of the "keylen" parameter should not exceed that of a B<size_t>. 736See also EVP_CIPHER_CTX_get_key_length() and EVP_CIPHER_CTX_set_key_length(). 737 738=item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string> 739 740Gets or sets the AEAD tag for the associated cipher context I<ctx>. 741See L<EVP_EncryptInit(3)/AEAD Interface>. 742 743=item "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>) <unsigned integer> 744 745Gets or sets the effective keybits used for a RC2 cipher. 746The length of the "keybits" parameter should not exceed that of a B<size_t>. 747 748=item "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>) <unsigned integer> 749 750Gets or sets the number of rounds to be used for a cipher. 751This is used by the RC5 cipher. 752 753=item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string> 754 755Used to pass the DER encoded AlgorithmIdentifier parameter to or from 756the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)> 757and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation 758that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set. 759 760=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string> 761 762Gets or sets the cipher text stealing mode. For all modes the output size is the 763same as the input size. The input length must be greater than or equal to the 764block size. (The block size for AES and CAMELLIA is 16 bytes). 765 766Valid values for the mode are: 767 768=over 4 769 770=item "CS1" 771 772The NIST variant of cipher text stealing. 773For input lengths that are multiples of the block size it is equivalent to 774using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last 775cipher text block is a partial block. 776 777=item "CS2" 778 779For input lengths that are multiples of the block size it is equivalent to 780using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as 781"CS3" mode. 782 783=item "CS3" 784 785The Kerberos5 variant of cipher text stealing which always swaps the last 786cipher text block with the previous block (which may be a partial or full block 787depending on the input length). If the input length is exactly one full block 788then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher. 789 790=back 791 792The default is "CS1". 793This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", 794"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS". 795 796=item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer> 797 798Sets or gets the number of records being sent in one go for a tls1 multiblock 799cipher operation (either 4 or 8 records). 800 801=back 802 803=head2 Gettable EVP_CIPHER_CTX parameters 804 805The following B<OSSL_PARAM> keys can be used with EVP_CIPHER_CTX_get_params(): 806 807=over 4 808 809=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer> 810 811Gets the IV length for the cipher context I<ctx>. 812The length of the "ivlen" parameter should not exceed that of a B<size_t>. 813See also EVP_CIPHER_CTX_get_iv_length(). 814 815=item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr> 816 817Gets the IV used to initialize the associated cipher context I<ctx>. 818See also EVP_CIPHER_CTX_get_original_iv(). 819 820=item "updated-iv" (B<OSSL_CIPHER_PARAM_UPDATED_IV>) <octet string OR octet ptr> 821 822Gets the updated pseudo-IV state for the associated cipher context, e.g., 823the previous ciphertext block for CBC mode or the iteratively encrypted IV 824value for OFB mode. Note that octet pointer access is deprecated and is 825provided only for backwards compatibility with historical libcrypto APIs. 826See also EVP_CIPHER_CTX_get_updated_iv(). 827 828=item "randkey" (B<OSSL_CIPHER_PARAM_RANDOM_KEY>) <octet string> 829 830Gets an implementation specific randomly generated key for the associated 831cipher context I<ctx>. This is currently only supported by DES and 3DES (which set 832the key to odd parity). 833 834=item "taglen" (B<OSSL_CIPHER_PARAM_AEAD_TAGLEN>) <unsigned integer> 835 836Gets the tag length to be used for an AEAD cipher for the associated cipher 837context I<ctx>. It gets a default value if it has not been set. 838The length of the "taglen" parameter should not exceed that of a B<size_t>. 839See also EVP_CIPHER_CTX_get_tag_length(). 840 841=item "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>) <unsigned integer> 842 843Gets the length of the tag that will be added to a TLS record for the AEAD 844tag for the associated cipher context I<ctx>. 845The length of the "tlsaadpad" parameter should not exceed that of a B<size_t>. 846 847=item "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>) <octet string> 848 849Gets the invocation field generated for encryption. 850Can only be called after "tlsivfixed" is set. 851This is only used for GCM mode. 852 853=item "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>) <unsigned integer> 854 855Get the total length of the record returned from the "tls1multi_enc" operation. 856 857=item "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>) <unsigned integer> 858 859Gets the maximum record length for a TLS1 multiblock cipher operation. 860The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B<size_t>. 861 862=item "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) <unsigned integer> 863 864Gets the result of running the "tls1multi_aad" operation. 865 866=item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr> 867 868Used to pass the TLS MAC data. 869 870=back 871 872=head2 Settable EVP_CIPHER_CTX parameters 873 874The following B<OSSL_PARAM> keys can be used with EVP_CIPHER_CTX_set_params(): 875 876=over 4 877 878=item "mackey" (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>) <octet string> 879 880Sets the MAC key used by composite AEAD ciphers such as AES-CBC-HMAC-SHA256. 881 882=item "speed" (B<OSSL_CIPHER_PARAM_SPEED>) <unsigned integer> 883 884Sets the speed option for the associated cipher context. This is only supported 885by AES SIV ciphers which disallow multiple operations by default. 886Setting "speed" to 1 allows another encrypt or decrypt operation to be 887performed. This is used for performance testing. 888 889=item "use-bits" (B<OSSL_CIPHER_PARAM_USE_BITS>) <unsigned integer> 890 891Determines if the input length I<inl> passed to EVP_EncryptUpdate(), 892EVP_DecryptUpdate() and EVP_CipherUpdate() is the number of bits or number of bytes. 893Setting "use-bits" to 1 uses bits. The default is in bytes. 894This is only used for B<CFB1> ciphers. 895 896This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS). 897 898=item "tls-version" (B<OSSL_CIPHER_PARAM_TLS_VERSION>) <integer> 899 900Sets the TLS version. 901 902=item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer> 903 904Set the TLS MAC size. 905 906=item "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) <octet string> 907 908Sets TLSv1.2 AAD information for the associated cipher context I<ctx>. 909TLSv1.2 AAD information is always 13 bytes in length and is as defined for the 910"additional_data" field described in section 6.2.3.3 of RFC5246. 911 912=item "tlsivfixed" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>) <octet string> 913 914Sets the fixed portion of an IV for an AEAD cipher used in a TLS record 915encryption/ decryption for the associated cipher context. 916TLS record encryption/decryption always occurs "in place" so that the input and 917output buffers are always the same memory location. 918AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part 919that varies with every record. 920Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records. 921TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per 922record. 923For a record decryption the first bytes of the input buffer will be the explicit 924part of the IV and the final bytes of the input buffer will be the AEAD tag. 925The length of the explicit part of the IV and the tag length will depend on the 926cipher in use and will be defined in the RFC for the relevant ciphersuite. 927In order to allow for "in place" decryption the plaintext output should be 928written to the same location in the output buffer that the ciphertext payload 929was read from, i.e. immediately after the explicit IV. 930 931When encrypting a record the first bytes of the input buffer should be empty to 932allow space for the explicit IV, as will the final bytes where the tag will 933be written. 934The length of the input buffer will include the length of the explicit IV, the 935payload, and the tag bytes. 936The cipher implementation should generate the explicit IV and write it to the 937beginning of the output buffer, do "in place" encryption of the payload and 938write that to the output buffer, and finally add the tag onto the end of the 939output buffer. 940 941Whether encrypting or decrypting the value written to I<*outl> in the 942OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit 943IV length and the tag length. 944 945=item "tlsivinv" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>) <octet string> 946 947Sets the invocation field used for decryption. 948Can only be called after "tlsivfixed" is set. 949This is only used for GCM mode. 950 951=item "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>) <octet string> 952 953Triggers a multiblock TLS1 encrypt operation for a TLS1 aware cipher that 954supports sending 4 or 8 records in one go. 955The cipher performs both the MAC and encrypt stages and constructs the record 956headers itself. 957"tls1multi_enc" supplies the output buffer for the encrypt operation, 958"tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply 959values to the encrypt operation. 960 961=item "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) <octet string> 962 963Supplies the data to encrypt for a TLS1 multiblock cipher operation. 964 965=item "tls1multi_maxsndfrag" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT>) <unsigned integer> 966 967Sets the maximum send fragment size for a TLS1 multiblock cipher operation. 968It must be set before using "tls1multi_maxbufsz". 969The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B<size_t>. 970 971=item "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) <octet string> 972 973Sets the authenticated additional data used by a TLS1 multiblock cipher operation. 974The supplied data consists of 13 bytes of record data containing: 975Bytes 0-7: The sequence number of the first record 976Byte 8: The record type 977Byte 9-10: The protocol version 978Byte 11-12: Input length (Always 0) 979 980"tls1multi_interleave" must also be set for this operation. 981 982=back 983 984=head1 CONTROLS 985 986The Mappings from EVP_CIPHER_CTX_ctrl() identifiers to PARAMETERS are listed 987in the following section. See the L</PARAMETERS> section for more details. 988 989EVP_CIPHER_CTX_ctrl() can be used to send the following standard controls: 990 991=over 4 992 993=item EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN 994 995When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and 996EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the 997key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>). 998 999=item EVP_CTRL_AEAD_SET_IV_FIXED 1000 1001When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1002with an L<OSSL_PARAM(3)> item with the key "tlsivfixed" 1003(B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>). 1004 1005=item EVP_CTRL_AEAD_SET_MAC_KEY 1006 1007When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1008with an L<OSSL_PARAM(3)> item with the key "mackey" 1009(B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>). 1010 1011=item EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG 1012 1013When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and 1014EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the 1015key "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>). 1016 1017=item EVP_CTRL_CCM_SET_L 1018 1019When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1020with an L<OSSL_PARAM(3)> item with the key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) 1021with a value of (15 - L) 1022 1023=item EVP_CTRL_COPY 1024 1025There is no OSSL_PARAM mapping for this. Use EVP_CIPHER_CTX_copy() instead. 1026 1027=item EVP_CTRL_GCM_SET_IV_INV 1028 1029When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1030with an L<OSSL_PARAM(3)> item with the key "tlsivinv" 1031(B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>). 1032 1033=item EVP_CTRL_RAND_KEY 1034 1035When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1036with an L<OSSL_PARAM(3)> item with the key "randkey" 1037(B<OSSL_CIPHER_PARAM_RANDOM_KEY>). 1038 1039=item EVP_CTRL_SET_KEY_LENGTH 1040 1041When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1042with an L<OSSL_PARAM(3)> item with the key "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>). 1043 1044=item EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS 1045 1046When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and 1047EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the 1048key "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>). 1049 1050=item EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS 1051 1052When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and 1053EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the 1054key "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>). 1055 1056=item EVP_CTRL_SET_SPEED 1057 1058When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1059with an L<OSSL_PARAM(3)> item with the key "speed" (B<OSSL_CIPHER_PARAM_SPEED>). 1060 1061=item EVP_CTRL_GCM_IV_GEN 1062 1063When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_get_params() gets called 1064with an L<OSSL_PARAM(3)> item with the key 1065"tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>). 1066 1067=item EVP_CTRL_AEAD_TLS1_AAD 1068 1069When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called 1070with an L<OSSL_PARAM(3)> item with the key 1071"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) 1072followed by EVP_CIPHER_CTX_get_params() with a key of 1073"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>). 1074 1075=item EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 1076 1077When used with a fetched B<EVP_CIPHER>, 1078EVP_CIPHER_CTX_set_params() gets called with an L<OSSL_PARAM(3)> item with the 1079key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT 1080followed by EVP_CIPHER_CTX_get_params() with a key of 1081"tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>). 1082 1083=item EVP_CTRL_TLS1_1_MULTIBLOCK_AAD 1084 1085When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1086with L<OSSL_PARAM(3)> items with the keys 1087"tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) and 1088"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) 1089followed by EVP_CIPHER_CTX_get_params() with keys of 1090"tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) and 1091"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>). 1092 1093=item EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT 1094 1095When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called 1096with L<OSSL_PARAM(3)> items with the keys 1097"tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>), 1098"tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) and 1099"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>), 1100followed by EVP_CIPHER_CTX_get_params() with a key of 1101"tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>). 1102 1103=back 1104 1105=head1 FLAGS 1106 1107EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags(). 1108can be used to manipulate and test these B<EVP_CIPHER_CTX> flags: 1109 1110=over 4 1111 1112=item EVP_CIPH_NO_PADDING 1113 1114Used by EVP_CIPHER_CTX_set_padding(). 1115 1116See also L</Gettable and Settable EVP_CIPHER_CTX parameters> "padding" 1117 1118=item EVP_CIPH_FLAG_LENGTH_BITS 1119 1120See L</Settable EVP_CIPHER_CTX parameters> "use-bits". 1121 1122=item EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 1123 1124Used for Legacy purposes only. This flag needed to be set to indicate the 1125cipher handled wrapping. 1126 1127=back 1128 1129EVP_CIPHER_flags() uses the following flags that 1130have mappings to L</Gettable EVP_CIPHER parameters>: 1131 1132=over 4 1133 1134=item EVP_CIPH_FLAG_AEAD_CIPHER 1135 1136See L</Gettable EVP_CIPHER parameters> "aead". 1137 1138=item EVP_CIPH_CUSTOM_IV 1139 1140See L</Gettable EVP_CIPHER parameters> "custom-iv". 1141 1142=item EVP_CIPH_FLAG_CTS 1143 1144See L</Gettable EVP_CIPHER parameters> "cts". 1145 1146=item EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK; 1147 1148See L</Gettable EVP_CIPHER parameters> "tls-multi". 1149 1150=item EVP_CIPH_RAND_KEY 1151 1152See L</Gettable EVP_CIPHER parameters> "has-randkey". 1153 1154=back 1155 1156EVP_CIPHER_flags() uses the following flags for legacy purposes only: 1157 1158=over 4 1159 1160=item EVP_CIPH_VARIABLE_LENGTH 1161 1162=item EVP_CIPH_FLAG_CUSTOM_CIPHER 1163 1164=item EVP_CIPH_ALWAYS_CALL_INIT 1165 1166=item EVP_CIPH_CTRL_INIT 1167 1168=item EVP_CIPH_CUSTOM_KEY_LENGTH 1169 1170=item EVP_CIPH_CUSTOM_COPY 1171 1172=item EVP_CIPH_FLAG_DEFAULT_ASN1 1173 1174See L<EVP_CIPHER_meth_set_flags(3)> for further information related to the above 1175flags. 1176 1177=back 1178 1179=head1 RETURN VALUES 1180 1181EVP_CIPHER_fetch() returns a pointer to a B<EVP_CIPHER> for success 1182and B<NULL> for failure. 1183 1184EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise. 1185 1186EVP_CIPHER_CTX_new() returns a pointer to a newly created 1187B<EVP_CIPHER_CTX> for success and B<NULL> for failure. 1188 1189EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex() 1190return 1 for success and 0 for failure. 1191 1192EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure. 1193EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success. 1194 1195EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure. 1196EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success. 1197 1198EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1 1199on failure if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the 1200cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag 1201B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher. 1202 1203EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure. 1204 1205EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() 1206return an B<EVP_CIPHER> structure or NULL on error. 1207 1208EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() return a NID. 1209 1210EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size() return the 1211block size. 1212 1213EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length() return the key 1214length. 1215 1216EVP_CIPHER_CTX_set_padding() always returns 1. 1217 1218EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() return the IV 1219length or zero if the cipher does not use an IV. 1220 1221EVP_CIPHER_CTX_get_tag_length() return the tag length or zero if the cipher 1222does not use a tag. 1223 1224EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() return the NID of the 1225cipher's OBJECT IDENTIFIER or NID_undef if it has no defined 1226OBJECT IDENTIFIER. 1227 1228EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure. 1229 1230EVP_CIPHER_CTX_get_num() returns a nonnegative num value or 1231B<EVP_CTRL_RET_UNSUPPORTED> if the implementation does not support the call 1232or on any other error. 1233 1234EVP_CIPHER_CTX_set_num() returns 1 on success and 0 if the implementation 1235does not support the call or on any other error. 1236 1237EVP_CIPHER_CTX_is_encrypting() returns 1 if the I<ctx> is set up for encryption 12380 otherwise. 1239 1240EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater 1241than zero for success and zero or a negative number on failure. 1242 1243EVP_CIPHER_CTX_rand_key() returns 1 for success. 1244 1245EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names. 1246A return value of 0 means that the callback was not called for any names. 1247 1248=head1 CIPHER LISTING 1249 1250All algorithms have a fixed key length unless otherwise stated. 1251 1252Refer to L</SEE ALSO> for the full list of ciphers available through the EVP 1253interface. 1254 1255=over 4 1256 1257=item EVP_enc_null() 1258 1259Null cipher: does nothing. 1260 1261=back 1262 1263=head1 AEAD INTERFACE 1264 1265The EVP interface for Authenticated Encryption with Associated Data (AEAD) 1266modes are subtly altered and several additional I<ctrl> operations are supported 1267depending on the mode specified. 1268 1269To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(), 1270EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output 1271parameter I<out> set to B<NULL>. 1272 1273When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal() 1274indicates whether the operation was successful. If it does not indicate success, 1275the authentication operation has failed and any output data B<MUST NOT> be used 1276as it is corrupted. 1277 1278=head2 GCM and OCB Modes 1279 1280The following I<ctrl>s are supported in GCM and OCB modes. 1281 1282=over 4 1283 1284=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) 1285 1286Sets the IV length. This call can only be made before specifying an IV. If 1287not called a default IV length is used. 1288 1289For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the 1290maximum is 15. 1291 1292=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) 1293 1294Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>. 1295This call can only be made when encrypting data and B<after> all data has been 1296processed (e.g. after an EVP_EncryptFinal() call). 1297 1298For OCB, C<taglen> must either be 16 or the value previously set via 1299B<EVP_CTRL_AEAD_SET_TAG>. 1300 1301=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag) 1302 1303When decrypting, this call sets the expected tag to C<taglen> bytes from C<tag>. 1304C<taglen> must be between 1 and 16 inclusive. 1305The tag must be set prior to any call to EVP_DecryptFinal() or 1306EVP_DecryptFinal_ex(). 1307 1308For GCM, this call is only valid when decrypting data. 1309 1310For OCB, this call is valid when decrypting data to set the expected tag, 1311and when encrypting to set the desired tag length. 1312 1313In OCB mode, calling this when encrypting with C<tag> set to C<NULL> sets the 1314tag length. The tag length can only be set before specifying an IV. If this is 1315not called prior to setting the IV during encryption, then a default tag length 1316is used. 1317 1318For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the 1319maximum tag length for OCB. 1320 1321=back 1322 1323=head2 CCM Mode 1324 1325The EVP interface for CCM mode is similar to that of the GCM mode but with a 1326few additional requirements and different I<ctrl> values. 1327 1328For CCM mode, the total plaintext or ciphertext length B<MUST> be passed to 1329EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output 1330and input parameters (I<in> and I<out>) set to B<NULL> and the length passed in 1331the I<inl> parameter. 1332 1333The following I<ctrl>s are supported in CCM mode. 1334 1335=over 4 1336 1337=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag) 1338 1339This call is made to set the expected B<CCM> tag value when decrypting or 1340the length of the tag (with the C<tag> parameter set to NULL) when encrypting. 1341The tag length is often referred to as B<M>. If not set a default value is 1342used (12 for AES). When decrypting, the tag needs to be set before passing 1343in data to be decrypted, but as in GCM and OCB mode, it can be set after 1344passing additional authenticated data (see L</AEAD INTERFACE>). 1345 1346=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL) 1347 1348Sets the CCM B<L> value. If not set a default is used (8 for AES). 1349 1350=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) 1351 1352Sets the CCM nonce (IV) length. This call can only be made before specifying a 1353nonce value. The nonce length is given by B<15 - L> so it is 7 by default for 1354AES. 1355 1356=back 1357 1358=head2 SIV Mode 1359 1360For SIV mode ciphers the behaviour of the EVP interface is subtly 1361altered and several additional ctrl operations are supported. 1362 1363To specify any additional authenticated data (AAD) and/or a Nonce, a call to 1364EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made 1365with the output parameter I<out> set to B<NULL>. 1366 1367RFC5297 states that the Nonce is the last piece of AAD before the actual 1368encrypt/decrypt takes place. The API does not differentiate the Nonce from 1369other AAD. 1370 1371When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal() 1372indicates if the operation was successful. If it does not indicate success 1373the authentication operation has failed and any output data B<MUST NOT> 1374be used as it is corrupted. 1375 1376The following ctrls are supported in both SIV modes. 1377 1378=over 4 1379 1380=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag); 1381 1382Writes I<taglen> bytes of the tag value to the buffer indicated by I<tag>. 1383This call can only be made when encrypting data and B<after> all data has been 1384processed (e.g. after an EVP_EncryptFinal() call). For SIV mode the taglen must 1385be 16. 1386 1387=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag); 1388 1389Sets the expected tag to I<taglen> bytes from I<tag>. This call is only legal 1390when decrypting data and must be made B<before> any data is processed (e.g. 1391before any EVP_DecryptUpdate() call). For SIV mode the taglen must be 16. 1392 1393=back 1394 1395SIV mode makes two passes over the input data, thus, only one call to 1396EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made 1397with I<out> set to a non-B<NULL> value. A call to EVP_Decrypt_Final() or 1398EVP_CipherFinal() is not required, but will indicate if the update 1399operation succeeded. 1400 1401=head2 ChaCha20-Poly1305 1402 1403The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm. 1404 1405=over 4 1406 1407=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) 1408 1409Sets the nonce length. This call can only be made before specifying the nonce. 1410If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum 1411nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set 1412then the nonce is automatically padded with leading 0 bytes to make it 12 bytes 1413in length. 1414 1415=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag) 1416 1417Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>. 1418This call can only be made when encrypting data and B<after> all data has been 1419processed (e.g. after an EVP_EncryptFinal() call). 1420 1421C<taglen> specified here must be 16 (B<POLY1305_BLOCK_SIZE>, i.e. 128-bits) or 1422less. 1423 1424=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag) 1425 1426Sets the expected tag to C<taglen> bytes from C<tag>. 1427The tag length can only be set before specifying an IV. 1428C<taglen> must be between 1 and 16 (B<POLY1305_BLOCK_SIZE>) inclusive. 1429This call is only valid when decrypting data. 1430 1431=back 1432 1433=head1 NOTES 1434 1435Where possible the B<EVP> interface to symmetric ciphers should be used in 1436preference to the low-level interfaces. This is because the code then becomes 1437transparent to the cipher used and much more flexible. Additionally, the 1438B<EVP> interface will ensure the use of platform specific cryptographic 1439acceleration such as AES-NI (the low-level interfaces do not provide the 1440guarantee). 1441 1442PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 1443length of the encrypted data a multiple of the block size. Padding is always 1444added so if the data is already a multiple of the block size B<n> will equal 1445the block size. For example if the block size is 8 and 11 bytes are to be 1446encrypted then 5 padding bytes of value 5 will be added. 1447 1448When decrypting the final block is checked to see if it has the correct form. 1449 1450Although the decryption operation can produce an error if padding is enabled, 1451it is not a strong test that the input data or key is correct. A random block 1452has better than 1 in 256 chance of being of the correct format and problems with 1453the input data earlier on will not produce a final decrypt error. 1454 1455If padding is disabled then the decryption operation will always succeed if 1456the total amount of data decrypted is a multiple of the block size. 1457 1458The functions EVP_EncryptInit(), EVP_EncryptInit_ex(), 1459EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex(), 1460EVP_CipherInit(), EVP_CipherInit_ex() and EVP_CipherFinal() are obsolete 1461but are retained for compatibility with existing code. New code should 1462use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(), 1463EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex() 1464because they can reuse an existing context without allocating and freeing 1465it up on each call. 1466 1467There are some differences between functions EVP_CipherInit() and 1468EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills 1469the passed context object with zeros. As a consequence, EVP_CipherInit() does 1470not allow step-by-step initialization of the ctx when the I<key> and I<iv> are 1471passed in separate calls. It also means that the flags set for the CTX are 1472removed, and it is especially important for the 1473B<EVP_CIPHER_CTX_FLAG_WRAP_ALLOW> flag treated specially in 1474EVP_CipherInit_ex(). 1475 1476EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros. 1477 1478=head1 BUGS 1479 1480B<EVP_MAX_KEY_LENGTH> and B<EVP_MAX_IV_LENGTH> only refer to the internal 1481ciphers with default key lengths. If custom ciphers exceed these values the 1482results are unpredictable. This is because it has become standard practice to 1483define a generic key as a fixed unsigned char array containing 1484B<EVP_MAX_KEY_LENGTH> bytes. 1485 1486The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested 1487for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode. 1488 1489=head1 EXAMPLES 1490 1491Encrypt a string using IDEA: 1492 1493 int do_crypt(char *outfile) 1494 { 1495 unsigned char outbuf[1024]; 1496 int outlen, tmplen; 1497 /* 1498 * Bogus key and IV: we'd normally set these from 1499 * another source. 1500 */ 1501 unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 1502 unsigned char iv[] = {1,2,3,4,5,6,7,8}; 1503 char intext[] = "Some Crypto Text"; 1504 EVP_CIPHER_CTX *ctx; 1505 FILE *out; 1506 1507 ctx = EVP_CIPHER_CTX_new(); 1508 EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL); 1509 1510 if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) { 1511 /* Error */ 1512 EVP_CIPHER_CTX_free(ctx); 1513 return 0; 1514 } 1515 /* 1516 * Buffer passed to EVP_EncryptFinal() must be after data just 1517 * encrypted to avoid overwriting it. 1518 */ 1519 if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) { 1520 /* Error */ 1521 EVP_CIPHER_CTX_free(ctx); 1522 return 0; 1523 } 1524 outlen += tmplen; 1525 EVP_CIPHER_CTX_free(ctx); 1526 /* 1527 * Need binary mode for fopen because encrypted data is 1528 * binary data. Also cannot use strlen() on it because 1529 * it won't be NUL terminated and may contain embedded 1530 * NULs. 1531 */ 1532 out = fopen(outfile, "wb"); 1533 if (out == NULL) { 1534 /* Error */ 1535 return 0; 1536 } 1537 fwrite(outbuf, 1, outlen, out); 1538 fclose(out); 1539 return 1; 1540 } 1541 1542The ciphertext from the above example can be decrypted using the B<openssl> 1543utility with the command line (shown on two lines for clarity): 1544 1545 openssl idea -d \ 1546 -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename 1547 1548General encryption and decryption function example using FILE I/O and AES128 1549with a 128-bit key: 1550 1551 int do_crypt(FILE *in, FILE *out, int do_encrypt) 1552 { 1553 /* Allow enough space in output buffer for additional block */ 1554 unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; 1555 int inlen, outlen; 1556 EVP_CIPHER_CTX *ctx; 1557 /* 1558 * Bogus key and IV: we'd normally set these from 1559 * another source. 1560 */ 1561 unsigned char key[] = "0123456789abcdeF"; 1562 unsigned char iv[] = "1234567887654321"; 1563 1564 /* Don't set key or IV right away; we want to check lengths */ 1565 ctx = EVP_CIPHER_CTX_new(); 1566 EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL, 1567 do_encrypt, NULL); 1568 OPENSSL_assert(EVP_CIPHER_CTX_get_key_length(ctx) == 16); 1569 OPENSSL_assert(EVP_CIPHER_CTX_get_iv_length(ctx) == 16); 1570 1571 /* Now we can set key and IV */ 1572 EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL); 1573 1574 for (;;) { 1575 inlen = fread(inbuf, 1, 1024, in); 1576 if (inlen <= 0) 1577 break; 1578 if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) { 1579 /* Error */ 1580 EVP_CIPHER_CTX_free(ctx); 1581 return 0; 1582 } 1583 fwrite(outbuf, 1, outlen, out); 1584 } 1585 if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) { 1586 /* Error */ 1587 EVP_CIPHER_CTX_free(ctx); 1588 return 0; 1589 } 1590 fwrite(outbuf, 1, outlen, out); 1591 1592 EVP_CIPHER_CTX_free(ctx); 1593 return 1; 1594 } 1595 1596Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing. 1597 1598 int encrypt(const unsigned char *key, const unsigned char *iv, 1599 const unsigned char *msg, size_t msg_len, unsigned char *out) 1600 { 1601 /* 1602 * This assumes that key size is 32 bytes and the iv is 16 bytes. 1603 * For ciphertext stealing mode the length of the ciphertext "out" will be 1604 * the same size as the plaintext size "msg_len". 1605 * The "msg_len" can be any size >= 16. 1606 */ 1607 int ret = 0, encrypt = 1, outlen, len; 1608 EVP_CIPHER_CTX *ctx = NULL; 1609 EVP_CIPHER *cipher = NULL; 1610 OSSL_PARAM params[2]; 1611 1612 ctx = EVP_CIPHER_CTX_new(); 1613 cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL); 1614 if (ctx == NULL || cipher == NULL) 1615 goto err; 1616 1617 /* 1618 * The default is "CS1" so this is not really needed, 1619 * but would be needed to set either "CS2" or "CS3". 1620 */ 1621 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, 1622 "CS1", 0); 1623 params[1] = OSSL_PARAM_construct_end(); 1624 1625 if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params)) 1626 goto err; 1627 1628 /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */ 1629 if (!EVP_CipherUpdate(ctx, encrypted, &outlen, msg, msglen)) 1630 goto err; 1631 if (!EVP_CipherFinal_ex(ctx, encrypted + outlen, &len)) 1632 goto err; 1633 ret = 1; 1634 err: 1635 EVP_CIPHER_free(cipher); 1636 EVP_CIPHER_CTX_free(ctx); 1637 return ret; 1638 } 1639 1640=head1 SEE ALSO 1641 1642L<evp(7)>, 1643L<property(7)>, 1644L<crypto(7)/ALGORITHM FETCHING>, 1645L<provider-cipher(7)>, 1646L<life_cycle-cipher(7)> 1647 1648Supported ciphers are listed in: 1649 1650L<EVP_aes_128_gcm(3)>, 1651L<EVP_aria_128_gcm(3)>, 1652L<EVP_bf_cbc(3)>, 1653L<EVP_camellia_128_ecb(3)>, 1654L<EVP_cast5_cbc(3)>, 1655L<EVP_chacha20(3)>, 1656L<EVP_des_cbc(3)>, 1657L<EVP_desx_cbc(3)>, 1658L<EVP_idea_cbc(3)>, 1659L<EVP_rc2_cbc(3)>, 1660L<EVP_rc4(3)>, 1661L<EVP_rc5_32_12_16_cbc(3)>, 1662L<EVP_seed_cbc(3)>, 1663L<EVP_sm4_cbc(3)>, 1664 1665=head1 HISTORY 1666 1667Support for OCB mode was added in OpenSSL 1.1.0. 1668 1669B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0. As a result, 1670EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup() 1671disappeared. EVP_CIPHER_CTX_init() remains as an alias for 1672EVP_CIPHER_CTX_reset(). 1673 1674The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use 1675EVP_CIPHER_CTX_get0_cipher() instead. 1676 1677The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(), 1678EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(), 1679EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(), 1680EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(), 1681EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(), 1682EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(), 1683EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params() 1684functions were added in 3.0. 1685 1686The EVP_CIPHER_nid(), EVP_CIPHER_name(), EVP_CIPHER_block_size(), 1687EVP_CIPHER_key_length(), EVP_CIPHER_iv_length(), EVP_CIPHER_flags(), 1688EVP_CIPHER_mode(), EVP_CIPHER_type(), EVP_CIPHER_CTX_nid(), 1689EVP_CIPHER_CTX_block_size(), EVP_CIPHER_CTX_key_length(), 1690EVP_CIPHER_CTX_iv_length(), EVP_CIPHER_CTX_tag_length(), 1691EVP_CIPHER_CTX_num(), EVP_CIPHER_CTX_type(), and EVP_CIPHER_CTX_mode() 1692functions were renamed to include C<get> or C<get0> in their names in 1693OpenSSL 3.0, respectively. The old names are kept as non-deprecated 1694alias macros. 1695 1696The EVP_CIPHER_CTX_encrypting() function was renamed to 1697EVP_CIPHER_CTX_is_encrypting() in OpenSSL 3.0. The old name is kept as 1698non-deprecated alias macro. 1699 1700The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0. 1701 1702=head1 COPYRIGHT 1703 1704Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. 1705 1706Licensed under the Apache License 2.0 (the "License"). You may not use 1707this file except in compliance with the License. You can obtain a copy 1708in the file LICENSE in the source distribution or at 1709L<https://www.openssl.org/source/license.html>. 1710 1711=cut 1712