xref: /openssl/doc/man3/EVP_EncryptInit.pod (revision 982a9b8b)
1=pod
2
3=head1 NAME
4
5EVP_CIPHER_fetch,
6EVP_CIPHER_up_ref,
7EVP_CIPHER_free,
8EVP_CIPHER_CTX_new,
9EVP_CIPHER_CTX_reset,
10EVP_CIPHER_CTX_free,
11EVP_CIPHER_CTX_dup,
12EVP_CIPHER_CTX_copy,
13EVP_EncryptInit_ex,
14EVP_EncryptInit_ex2,
15EVP_EncryptUpdate,
16EVP_EncryptFinal_ex,
17EVP_DecryptInit_ex,
18EVP_DecryptInit_ex2,
19EVP_DecryptUpdate,
20EVP_DecryptFinal_ex,
21EVP_CipherInit_ex,
22EVP_CipherInit_ex2,
23EVP_CipherUpdate,
24EVP_CipherFinal_ex,
25EVP_CIPHER_CTX_set_key_length,
26EVP_CIPHER_CTX_ctrl,
27EVP_EncryptInit,
28EVP_EncryptFinal,
29EVP_DecryptInit,
30EVP_DecryptFinal,
31EVP_CipherInit,
32EVP_CipherFinal,
33EVP_Cipher,
34EVP_CIPHER_can_pipeline,
35EVP_CipherPipelineEncryptInit,
36EVP_CipherPipelineDecryptInit,
37EVP_CipherPipelineUpdate,
38EVP_CipherPipelineFinal,
39EVP_get_cipherbyname,
40EVP_get_cipherbynid,
41EVP_get_cipherbyobj,
42EVP_CIPHER_is_a,
43EVP_CIPHER_get0_name,
44EVP_CIPHER_get0_description,
45EVP_CIPHER_names_do_all,
46EVP_CIPHER_get0_provider,
47EVP_CIPHER_get_nid,
48EVP_CIPHER_get_params,
49EVP_CIPHER_gettable_params,
50EVP_CIPHER_get_block_size,
51EVP_CIPHER_get_key_length,
52EVP_CIPHER_get_iv_length,
53EVP_CIPHER_get_flags,
54EVP_CIPHER_get_mode,
55EVP_CIPHER_get_type,
56EVP_CIPHER_CTX_cipher,
57EVP_CIPHER_CTX_get0_cipher,
58EVP_CIPHER_CTX_get1_cipher,
59EVP_CIPHER_CTX_get0_name,
60EVP_CIPHER_CTX_get_nid,
61EVP_CIPHER_CTX_get_params,
62EVP_CIPHER_gettable_ctx_params,
63EVP_CIPHER_CTX_gettable_params,
64EVP_CIPHER_CTX_set_params,
65EVP_CIPHER_settable_ctx_params,
66EVP_CIPHER_CTX_settable_params,
67EVP_CIPHER_CTX_get_block_size,
68EVP_CIPHER_CTX_get_key_length,
69EVP_CIPHER_CTX_get_iv_length,
70EVP_CIPHER_CTX_get_tag_length,
71EVP_CIPHER_CTX_get_app_data,
72EVP_CIPHER_CTX_set_app_data,
73EVP_CIPHER_CTX_flags,
74EVP_CIPHER_CTX_set_flags,
75EVP_CIPHER_CTX_clear_flags,
76EVP_CIPHER_CTX_test_flags,
77EVP_CIPHER_CTX_get_type,
78EVP_CIPHER_CTX_get_mode,
79EVP_CIPHER_CTX_get_num,
80EVP_CIPHER_CTX_set_num,
81EVP_CIPHER_CTX_is_encrypting,
82EVP_CIPHER_param_to_asn1,
83EVP_CIPHER_asn1_to_param,
84EVP_CIPHER_CTX_set_padding,
85EVP_enc_null,
86EVP_CIPHER_do_all_provided,
87EVP_CIPHER_nid,
88EVP_CIPHER_name,
89EVP_CIPHER_block_size,
90EVP_CIPHER_key_length,
91EVP_CIPHER_iv_length,
92EVP_CIPHER_flags,
93EVP_CIPHER_mode,
94EVP_CIPHER_type,
95EVP_CIPHER_CTX_encrypting,
96EVP_CIPHER_CTX_nid,
97EVP_CIPHER_CTX_block_size,
98EVP_CIPHER_CTX_key_length,
99EVP_CIPHER_CTX_iv_length,
100EVP_CIPHER_CTX_tag_length,
101EVP_CIPHER_CTX_num,
102EVP_CIPHER_CTX_type,
103EVP_CIPHER_CTX_mode
104- EVP cipher routines
105
106=head1 SYNOPSIS
107
108=for openssl generic
109
110 #include <openssl/evp.h>
111
112 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
113                              const char *properties);
114 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
115 void EVP_CIPHER_free(EVP_CIPHER *cipher);
116 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
117 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
118 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
119 EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in);
120 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in);
121
122 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
123                        ENGINE *impl, const unsigned char *key, const unsigned char *iv);
124 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
125                         const unsigned char *key, const unsigned char *iv,
126                         const OSSL_PARAM params[]);
127 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
128                       int *outl, const unsigned char *in, int inl);
129 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
130
131 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
132                        ENGINE *impl, const unsigned char *key, const unsigned char *iv);
133 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
134                         const unsigned char *key, const unsigned char *iv,
135                         const OSSL_PARAM params[]);
136 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
137                       int *outl, const unsigned char *in, int inl);
138 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
139
140 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
141                       ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
142 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
143                        const unsigned char *key, const unsigned char *iv,
144                        int enc, const OSSL_PARAM params[]);
145 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
146                      int *outl, const unsigned char *in, int inl);
147 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
148
149 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
150                     const unsigned char *key, const unsigned char *iv);
151 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
152
153 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
154                     const unsigned char *key, const unsigned char *iv);
155 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
156
157 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
158                    const unsigned char *key, const unsigned char *iv, int enc);
159 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
160
161 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
162                const unsigned char *in, unsigned int inl);
163
164 int EVP_CIPHER_can_pipeline(const EVP_CIPHER *cipher, int enc);
165 int EVP_CipherPipelineEncryptInit(EVP_CIPHER_CTX *ctx,
166                                   const EVP_CIPHER *cipher,
167                                   const unsigned char *key, size_t keylen,
168                                   size_t numpipes,
169                                   const unsigned char **iv, size_t ivlen);
170 int EVP_CipherPipelineDecryptInit(EVP_CIPHER_CTX *ctx,
171                                   const EVP_CIPHER *cipher,
172                                   const unsigned char *key, size_t keylen,
173                                   size_t numpipes,
174                                   const unsigned char **iv, size_t ivlen);
175 int EVP_CipherPipelineUpdate(EVP_CIPHER_CTX *ctx,
176                              unsigned char **out, size_t *outl,
177                              const size_t *outsize,
178                              const unsigned char **in, const size_t *inl);
179 int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
180                             unsigned char **outm, size_t *outl,
181                             const size_t *outsize);
182
183 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
184 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
185 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2);
186 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
187 void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
188 void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
189 int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
190
191 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
192 const EVP_CIPHER *EVP_get_cipherbynid(int nid);
193 const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a);
194
195 int EVP_CIPHER_get_nid(const EVP_CIPHER *e);
196 int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name);
197 int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher,
198                             void (*fn)(const char *name, void *data),
199                             void *data);
200 const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher);
201 const char *EVP_CIPHER_get0_description(const EVP_CIPHER *cipher);
202 const OSSL_PROVIDER *EVP_CIPHER_get0_provider(const EVP_CIPHER *cipher);
203 int EVP_CIPHER_get_block_size(const EVP_CIPHER *e);
204 int EVP_CIPHER_get_key_length(const EVP_CIPHER *e);
205 int EVP_CIPHER_get_iv_length(const EVP_CIPHER *e);
206 unsigned long EVP_CIPHER_get_flags(const EVP_CIPHER *e);
207 unsigned long EVP_CIPHER_get_mode(const EVP_CIPHER *e);
208 int EVP_CIPHER_get_type(const EVP_CIPHER *cipher);
209
210 const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx);
211 EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx);
212 int EVP_CIPHER_CTX_get_nid(const EVP_CIPHER_CTX *ctx);
213 const char *EVP_CIPHER_CTX_get0_name(const EVP_CIPHER_CTX *ctx);
214
215 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]);
216 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]);
217 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
218 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher);
219 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher);
220 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher);
221 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx);
222 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
223 int EVP_CIPHER_CTX_get_block_size(const EVP_CIPHER_CTX *ctx);
224 int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx);
225 int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx);
226 int EVP_CIPHER_CTX_get_tag_length(const EVP_CIPHER_CTX *ctx);
227 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
228 void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data);
229 int EVP_CIPHER_CTX_get_type(const EVP_CIPHER_CTX *ctx);
230 int EVP_CIPHER_CTX_get_mode(const EVP_CIPHER_CTX *ctx);
231 int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx);
232 int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num);
233 int EVP_CIPHER_CTX_is_encrypting(const EVP_CIPHER_CTX *ctx);
234
235 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
236 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
237
238 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
239                                 void (*fn)(EVP_CIPHER *cipher, void *arg),
240                                 void *arg);
241
242 #define EVP_CIPHER_nid EVP_CIPHER_get_nid
243 #define EVP_CIPHER_name EVP_CIPHER_get0_name
244 #define EVP_CIPHER_block_size EVP_CIPHER_get_block_size
245 #define EVP_CIPHER_key_length EVP_CIPHER_get_key_length
246 #define EVP_CIPHER_iv_length EVP_CIPHER_get_iv_length
247 #define EVP_CIPHER_flags EVP_CIPHER_get_flags
248 #define EVP_CIPHER_mode EVP_CIPHER_get_mode
249 #define EVP_CIPHER_type EVP_CIPHER_get_type
250 #define EVP_CIPHER_CTX_encrypting EVP_CIPHER_CTX_is_encrypting
251 #define EVP_CIPHER_CTX_nid EVP_CIPHER_CTX_get_nid
252 #define EVP_CIPHER_CTX_block_size EVP_CIPHER_CTX_get_block_size
253 #define EVP_CIPHER_CTX_key_length EVP_CIPHER_CTX_get_key_length
254 #define EVP_CIPHER_CTX_iv_length EVP_CIPHER_CTX_get_iv_length
255 #define EVP_CIPHER_CTX_tag_length EVP_CIPHER_CTX_get_tag_length
256 #define EVP_CIPHER_CTX_num EVP_CIPHER_CTX_get_num
257 #define EVP_CIPHER_CTX_type EVP_CIPHER_CTX_get_type
258 #define EVP_CIPHER_CTX_mode EVP_CIPHER_CTX_get_mode
259
260The following function has been deprecated since OpenSSL 3.0, and can be
261hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
262see L<openssl_user_macros(7)>:
263
264 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
265
266The following function has been deprecated since OpenSSL 1.1.0, and can be
267hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
268see L<openssl_user_macros(7)>:
269
270 int EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx);
271
272=head1 DESCRIPTION
273
274The EVP cipher routines are a high-level interface to certain
275symmetric ciphers.
276
277The B<EVP_CIPHER> type is a structure for cipher method implementation.
278
279=over 4
280
281=item EVP_CIPHER_fetch()
282
283Fetches the cipher implementation for the given I<algorithm> from any provider
284offering it, within the criteria given by the I<properties>.
285See L<crypto(7)/ALGORITHM FETCHING> for further information.
286
287The returned value must eventually be freed with EVP_CIPHER_free().
288
289Fetched B<EVP_CIPHER> structures are reference counted.
290
291=item EVP_CIPHER_up_ref()
292
293Increments the reference count for an B<EVP_CIPHER> structure.
294
295=item EVP_CIPHER_free()
296
297Decrements the reference count for the fetched B<EVP_CIPHER> structure.
298If the reference count drops to 0 then the structure is freed.
299If the argument is NULL, nothing is done.
300
301=item EVP_CIPHER_CTX_new()
302
303Allocates and returns a cipher context.
304
305=item EVP_CIPHER_CTX_free()
306
307Clears all information from a cipher context and frees any allocated memory
308associated with it, including I<ctx> itself. This function should be called
309after all operations using a cipher are complete so sensitive information does
310not remain in memory. If the argument is NULL, nothing is done.
311
312=item EVP_CIPHER_CTX_dup()
313
314Can be used to duplicate the cipher state from I<in>.  This is useful
315to avoid multiple EVP_CIPHER_fetch() calls or if large amounts of data are to be
316fed which only differ in the last few bytes.
317
318=item EVP_CIPHER_CTX_copy()
319
320Can be used to copy the cipher state from I<in> to I<out>.
321
322=item EVP_CIPHER_CTX_ctrl()
323
324I<This is a legacy method.> EVP_CIPHER_CTX_set_params() and
325EVP_CIPHER_CTX_get_params() is the mechanism that should be used to set and get
326parameters that are used by providers.
327
328Performs cipher-specific control actions on context I<ctx>. The control command
329is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>.
330EVP_CIPHER_CTX_ctrl() must be called after EVP_CipherInit_ex2(). Other restrictions
331may apply depending on the control type and cipher implementation.
332
333If this function happens to be used with a fetched B<EVP_CIPHER>, it will
334translate the controls that are known to OpenSSL into L<OSSL_PARAM(3)>
335parameters with keys defined by OpenSSL and call EVP_CIPHER_CTX_get_params() or
336EVP_CIPHER_CTX_set_params() as is appropriate for each control command.
337
338See L</CONTROLS> below for more information, including what translations are
339being done.
340
341=item EVP_CIPHER_get_params()
342
343Retrieves the requested list of algorithm I<params> from a CIPHER I<cipher>.
344See L</PARAMETERS> below for more information.
345
346=item EVP_CIPHER_CTX_get_params()
347
348Retrieves the requested list of I<params> from CIPHER context I<ctx>.
349See L</PARAMETERS> below for more information.
350
351=item EVP_CIPHER_CTX_set_params()
352
353Sets the list of I<params> into a CIPHER context I<ctx>.
354See L</PARAMETERS> below for more information.
355
356=item EVP_CIPHER_gettable_params()
357
358Get a constant L<OSSL_PARAM(3)> array that describes the retrievable parameters
359that can be used with EVP_CIPHER_get_params().
360
361=item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params()
362
363Get a constant L<OSSL_PARAM(3)> array that describes the retrievable parameters
364that can be used with EVP_CIPHER_CTX_get_params().
365EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved
366from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the
367parameters that can be retrieved in the context's current state.
368
369=item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()
370
371Get a constant L<OSSL_PARAM(3)> array that describes the settable parameters
372that can be used with EVP_CIPHER_CTX_set_params().
373EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the
374algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that
375can be set in the context's current state.
376
377=item EVP_EncryptInit_ex2()
378
379Sets up cipher context I<ctx> for encryption with cipher I<type>. I<ctx> B<MUST NOT> be NULL.
380I<type> is typically supplied by calling EVP_CIPHER_fetch(). I<type> may also be set
381using legacy functions such as EVP_aes_256_cbc(), but this is not recommended
382for new applications. I<key> is the symmetric key to use and I<iv> is the IV to
383use (if necessary), the actual number of bytes used for the key and IV depends
384on the cipher. The parameters I<params> will be set on the context after
385initialisation. It is possible to set all parameters to NULL except I<type> in
386an initial call and supply the remaining parameters in subsequent calls, all of
387which have I<type> set to NULL. This is done when the default cipher parameters
388are not appropriate.
389For B<EVP_CIPH_GCM_MODE> the IV will be generated internally if it is not
390specified.
391
392=item EVP_EncryptInit_ex()
393
394This legacy function is similar to EVP_EncryptInit_ex2() when I<impl> is NULL.
395The implementation of the I<type> from the I<impl> engine will be used if it
396exists.
397
398=item EVP_EncryptUpdate()
399
400Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
401I<out>. The pointers I<out> and I<in> may point to the same location, in which
402case the encryption will be done in-place. However, in-place encryption is
403guaranteed to work only if the encryption context (I<ctx>) has processed data in
404multiples of the block size. If the context contains an incomplete data block
405from previous operations, in-place encryption will fail. I<ctx> B<MUST NOT> be NULL.
406
407If I<out> and I<in> point to different locations, the two buffers must be
408disjoint, otherwise the operation might fail or the outcome might be undefined.
409
410This function can be called multiple times to encrypt successive blocks
411of data. The amount of data written depends on the block alignment of the
412encrypted data.
413For most ciphers and modes, the amount of data written can be anything
414from zero bytes to (inl + cipher_block_size - 1) bytes.
415For wrap cipher modes, the amount of data written can be anything
416from zero bytes to (inl + cipher_block_size) bytes.
417For stream ciphers, the amount of data written can be anything from zero
418bytes to inl bytes.
419Thus, the buffer pointed to by I<out> must contain sufficient room for the
420operation being performed.
421The actual number of bytes written is placed in I<outl>.
422
423If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
424the "final" data, that is any data that remains in a partial block.
425It uses standard block padding (aka PKCS padding) as described in
426the NOTES section, below. The encrypted
427final data is written to I<out> which should have sufficient space for
428one cipher block. The number of bytes written is placed in I<outl>. After
429this function is called the encryption operation is finished and no further
430calls to EVP_EncryptUpdate() should be made.
431
432If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
433data and it will return an error if any data remains in a partial block:
434that is if the total data length is not a multiple of the block size.
435
436=item EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate()
437and EVP_DecryptFinal_ex()
438
439These functions are the corresponding decryption operations.
440EVP_DecryptFinal() will return an error code if padding is enabled and the
441final block is not correctly formatted. The parameters and restrictions are
442identical to the encryption operations. I<ctx> B<MUST NOT> be NULL.
443
444=item EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and
445EVP_CipherFinal_ex()
446
447These functions can be used for decryption or encryption. The operation
448performed depends on the value of the I<enc> parameter. It should be set to 1
449for encryption, 0 for decryption and -1 to leave the value unchanged
450(the actual value of 'enc' being supplied in a previous call).
451
452=item EVP_CIPHER_CTX_reset()
453
454Clears all information from a cipher context and free up any allocated memory
455associated with it, except the I<ctx> itself. This function should be called
456anytime I<ctx> is reused by another
457EVP_CipherInit() / EVP_CipherUpdate() / EVP_CipherFinal() series of calls.
458
459=item EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit()
460
461Behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex() and
462EVP_CipherInit_ex() except if the I<type> is not a fetched cipher they use the
463default implementation of the I<type>.
464
465=item EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal()
466
467Identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
468EVP_CipherFinal_ex(). In previous releases they also cleaned up
469the I<ctx>, but this is no longer done and EVP_CIPHER_CTX_cleanup()
470must be called to free any context resources.
471
472=item EVP_Cipher()
473
474Encrypts or decrypts a maximum I<inl> amount of bytes from I<in> and leaves the
475result in I<out>.
476
477For legacy ciphers - If the cipher doesn't have the flag
478B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set, then I<inl> must be a multiple of
479EVP_CIPHER_get_block_size().  If it isn't, the result is undefined.  If the cipher
480has that flag set, then I<inl> can be any size.
481
482Due to the constraints of the API contract of this function it shouldn't be used
483in applications, please consider using EVP_CipherUpdate() and
484EVP_CipherFinal_ex() instead.
485
486=item EVP_CIPHER_can_pipeline()
487
488This function checks if a B<EVP_CIPHER> fetched using EVP_CIPHER_fetch() supports
489cipher pipelining. If the cipher supports pipelining, it returns 1, otherwise 0.
490This function will return 0 for non-fetched ciphers such as EVP_aes_128_gcm().
491There are currently no built-in ciphers that support pipelining.
492
493Cipher pipelining support allows an application to submit multiple chunks of
494data in one set of EVP_CipherUpdate()/EVP_CipherFinal calls, thereby allowing
495the provided implementation to take advantage of parallel computing. This is
496beneficial for hardware accelerators as pipeline amortizes the latency over
497multiple chunks.
498
499For non-fetched ciphers, EVP_CipherPipelineEncryptInit() or
500EVP_CipherPipelineDecryptInit() may be directly called, which will perform a
501fetch and return an error if a pipeline supported implementation is not found.
502
503=item EVP_CipherPipelineEncryptInit(), EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate() and EVP_CipherPipelineFinal()
504
505These functions can be used to perform multiple encryption or decryption
506operations in parallel. EVP_CIPHER_can_pipeline() may be called to check if the
507cipher supports pipelining. These functions are analogous to
508EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherUpdate() and
509EVP_CipherFinal() but take an array of pointers for iv, input and output buffers.
510
511The I<key>, of length I<keylen>, is the symmetric key to use. The I<numpipes>
512parameter specifies the number of parallel operations to perform. The
513I<numpipes> cannot exceed B<EVP_MAX_PIPES>. The I<iv> parameter is an array of
514buffer pointers, containing IVs. The array size must be equal to I<numpipes>.
515The size of each IV buffer must be equal to I<ivlen>. When IV is not provided,
516I<iv> must be NULL, rather than an array of NULL pointers. The I<in>
517parameters takes an array of buffer pointers, each pointing to a buffer
518containing the input data. The buffers can be of different sizes. The I<inl>
519parameter is an array of size_t, each specifying the size of the corresponding
520input buffer. The I<out> and I<outm> parameters are arrays of buffer pointers,
521each pointing to a buffer where the output data will be written. The I<outsize>
522parameter is an array of size_t, each specifying the size of the corresponding
523output buffer. The I<outl> parameter is an array of size_t which will be updated
524with the size of the output data written to the corresponding output buffer.
525For size requirement of the output buffers, see the description of EVP_CipherUpdate().
526
527The EVP_CipherPipelineUpdate() function can be called multiple times to encrypt
528successive blocks of data. For AAD data, the I<out>, and I<outsize> parameter
529should be NULL, rather than an array of NULL pointers.
530
531=item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
532
533Returns an B<EVP_CIPHER> structure when passed a cipher name, a cipher B<NID> or
534an B<ASN1_OBJECT> structure respectively.
535
536EVP_get_cipherbyname() will return NULL for algorithms such as "AES-128-SIV",
537"AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only
538accessible via low level interfaces.
539
540The EVP_get_cipherbyname() function is present for backwards compatibility with
541OpenSSL prior to version 3 and is different to the EVP_CIPHER_fetch() function
542since it does not attempt to "fetch" an implementation of the cipher.
543Additionally, it only knows about ciphers that are built-in to OpenSSL and have
544an associated NID. Similarly EVP_get_cipherbynid() and EVP_get_cipherbyobj()
545also return objects without an associated implementation.
546
547When the cipher objects returned by these functions are used (such as in a call
548to EVP_EncryptInit_ex()) an implementation of the cipher will be implicitly
549fetched from the loaded providers. This fetch could fail if no suitable
550implementation is available. Use EVP_CIPHER_fetch() instead to explicitly fetch
551the algorithm and an associated implementation from a provider.
552
553See L<crypto(7)/ALGORITHM FETCHING> for more information about fetching.
554
555The cipher objects returned from these functions do not need to be freed with
556EVP_CIPHER_free().
557
558=item EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid()
559
560Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
561structure.  The actual NID value is an internal value which may not have a
562corresponding OBJECT IDENTIFIER.  NID_undef is returned in the event that the
563nid is unknown or if the cipher has not been properly initialized via a call to
564B<EVP_CipherInit>.
565
566=item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags()
567
568Sets, clears and tests I<ctx> flags.  See L</FLAGS> below for more information.
569
570For provided ciphers EVP_CIPHER_CTX_set_flags() should be called only after the
571fetched cipher has been assigned to the I<ctx>. It is recommended to use
572L</PARAMETERS> instead.
573
574=item EVP_CIPHER_CTX_set_padding()
575
576Enables or disables padding. This function should be called after the context
577is set up for encryption or decryption with EVP_EncryptInit_ex2(),
578EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(). By default encryption operations
579are padded using standard block padding and the padding is checked and removed
580when decrypting. If the I<pad> parameter is zero then no padding is
581performed, the total amount of data encrypted or decrypted must then
582be a multiple of the block size or an error will occur. I<x> B<MUST NOT> be NULL.
583
584=item EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length()
585
586Return the key length of a cipher when passed an B<EVP_CIPHER> or
587B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum
588key length for all ciphers. Note: although EVP_CIPHER_get_key_length() is fixed for
589a given cipher, the value of EVP_CIPHER_CTX_get_key_length() may be different for
590variable key length ciphers.
591
592=item EVP_CIPHER_CTX_set_key_length()
593
594Sets the key length of the cipher context.
595If the cipher is a fixed length cipher then attempting to set the key
596length to any value other than the fixed value is an error.
597
598=item EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length()
599
600Return the IV length of a cipher when passed an B<EVP_CIPHER> or
601B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV, if
602the cipher has not yet been initialized within the B<EVP_CIPHER_CTX>, or if the
603passed cipher is NULL.  The constant B<EVP_MAX_IV_LENGTH> is the maximum IV
604length for all ciphers.
605
606=item EVP_CIPHER_CTX_get_tag_length()
607
608Returns the tag length of an AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will
609return zero if the cipher does not support a tag. It returns a default value if
610the tag length has not been set.
611
612=item EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size()
613
614Return the block size of a cipher when passed an B<EVP_CIPHER> or
615B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the
616maximum block length for all ciphers. A value of 0 is returned if the cipher
617has not been properly initialized with a call to B<EVP_CipherInit>.
618
619=item EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type()
620
621Return the type of the passed cipher or context. This "type" is the actual NID
622of the cipher OBJECT IDENTIFIER and as such it ignores the cipher parameters
623(40 bit RC2 and 128 bit RC2 have the same NID). If the cipher does not have an
624object identifier or does not have ASN1 support this function will return
625B<NID_undef>.
626
627=item EVP_CIPHER_is_a()
628
629Returns 1 if I<cipher> is an implementation of an algorithm that's identifiable
630with I<name>, otherwise 0. If I<cipher> is a legacy cipher (it's the return
631value from the likes of EVP_aes128() rather than the result of an
632EVP_CIPHER_fetch()), only cipher names registered with the default library
633context (see L<OSSL_LIB_CTX(3)>) will be considered.
634
635=item EVP_CIPHER_get0_name() and EVP_CIPHER_CTX_get0_name()
636
637Return the name of the passed cipher or context.  For fetched ciphers with
638multiple names, only one of them is returned. See also EVP_CIPHER_names_do_all().
639I<cipher> B<MUST NOT> be NULL.
640
641=item EVP_CIPHER_names_do_all()
642
643Traverses all names for the I<cipher>, and calls I<fn> with each name and
644I<data>.  This is only useful with fetched B<EVP_CIPHER>s.
645
646=item EVP_CIPHER_get0_description()
647
648Returns a description of the cipher, meant for display and human consumption.
649The description is at the discretion of the cipher implementation.
650
651=item EVP_CIPHER_get0_provider()
652
653Returns an B<OSSL_PROVIDER> pointer to the provider that implements the given
654B<EVP_CIPHER>.
655
656=item EVP_CIPHER_CTX_get0_cipher()
657
658Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure.
659EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to
660the caller. Both functions return NULL on error.
661
662=item EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()
663
664Return the block cipher mode:
665EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
666EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
667EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE.
668If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned.
669
670=item EVP_CIPHER_get_flags()
671
672Returns any flags associated with the cipher. See L</FLAGS>
673for a list of currently defined flags.
674
675=item EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num()
676
677Gets or sets the cipher specific "num" parameter for the associated I<ctx>.
678Built-in ciphers typically use this to track how much of the current underlying block
679has been "used" already.
680
681=item EVP_CIPHER_CTX_is_encrypting()
682
683Reports whether the I<ctx> is being used for encryption or decryption.
684
685=item EVP_CIPHER_CTX_flags()
686
687A deprecated macro calling C<EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))>.
688Do not use.
689
690=item EVP_CIPHER_param_to_asn1()
691
692Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will
693typically include any parameters and an IV. The cipher IV (if any) must be set
694when this call is made. This call should be made before the cipher is actually
695"used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example).
696This function may fail if the cipher does not have any ASN1 support, or if an
697uninitialized cipher is passed to it.
698
699=item EVP_CIPHER_asn1_to_param()
700
701Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter".
702The precise effect depends on the cipher. In the case of B<RC2>, for example,
703it will set the IV and effective key length.
704This function should be called after the base cipher type is set but before
705the key is set. For example EVP_CipherInit() will be called with the IV and
706key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
707EVP_CipherInit() again with all parameters except the key set to NULL. It is
708possible for this function to fail if the cipher does not have any ASN1 support
709or the parameters cannot be set (for example the RC2 effective key length
710is not supported.
711
712=item EVP_CIPHER_CTX_rand_key()
713
714Generates a random key of the appropriate length based on the cipher context.
715The B<EVP_CIPHER> can provide its own random key generation routine to support
716keys of a specific form. I<key> must point to a buffer at least as big as the
717value returned by EVP_CIPHER_CTX_get_key_length().
718
719=item EVP_CIPHER_do_all_provided()
720
721Traverses all ciphers implemented by all activated providers in the given
722library context I<libctx>, and for each of the implementations, calls the given
723function I<fn> with the implementation method and the given I<arg> as argument.
724
725=back
726
727=head1 PARAMETERS
728
729See L<OSSL_PARAM(3)> for information about passing parameters.
730
731=head2 Gettable EVP_CIPHER parameters
732
733When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params()
734and caches the results.
735
736EVP_CIPHER_get_params() can be used with the following L<OSSL_PARAM(3)> keys:
737
738=over 4
739
740=item "mode" (B<OSSL_CIPHER_PARAM_MODE>) <unsigned integer>
741
742Gets the mode for the associated cipher algorithm I<cipher>.
743See L</EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()> for a list of valid modes.
744Use EVP_CIPHER_get_mode() to retrieve the cached value.
745
746=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
747
748Gets the key length for the associated cipher algorithm I<cipher>.
749Use EVP_CIPHER_get_key_length() to retrieve the cached value.
750
751=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) <unsigned integer>
752
753Gets the IV length for the associated cipher algorithm I<cipher>.
754Use EVP_CIPHER_get_iv_length() to retrieve the cached value.
755
756=item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer>
757
758Gets the block size for the associated cipher algorithm I<cipher>.
759The block size should be 1 for stream ciphers.
760Note that the block size for a cipher may be different to the block size for
761the underlying encryption/decryption primitive.
762For example AES in CTR mode has a block size of 1 (because it operates like a
763stream cipher), even though AES has a block size of 16.
764Use EVP_CIPHER_get_block_size() to retrieve the cached value.
765
766=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
767
768Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0.
769Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the
770cached value.
771
772=item "custom-iv" (B<OSSL_CIPHER_PARAM_CUSTOM_IV>) <integer>
773
774Gets 1 if the cipher algorithm I<cipher> has a custom IV, otherwise it gets 0.
775Storing and initializing the IV is left entirely to the implementation, if a
776custom IV is used.
777Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the
778cached value.
779
780=item "cts" (B<OSSL_CIPHER_PARAM_CTS>) <integer>
781
782Gets 1 if the cipher algorithm I<cipher> uses ciphertext stealing,
783otherwise it gets 0.
784This is currently used to indicate that the cipher is a one shot that only
785allows a single call to EVP_CipherUpdate().
786Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the
787cached value.
788
789=item "tls-multi" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK>) <integer>
790
791Gets 1 if the cipher algorithm I<cipher> supports interleaving of crypto blocks,
792otherwise it gets 0. The interleaving is an optimization only applicable to certain
793TLS ciphers.
794Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the
795cached value.
796
797=item "has-randkey" (B<OSSL_CIPHER_PARAM_HAS_RANDKEY>) <integer>
798
799Gets 1 if the cipher algorithm I<cipher> supports the gettable EVP_CIPHER_CTX
800parameter B<OSSL_CIPHER_PARAM_RANDOM_KEY>. Only DES and 3DES set this to 1,
801all other OpenSSL ciphers return 0.
802
803=item "decrypt-only" (B<OSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer>
804
805Gets 1 if the cipher algorithm I<cipher> implementation supports only
806the decryption operation such as the 3DES ciphers in the fips provider.
807Otherwise gets 0 or the parameter might not be present at all.
808
809=back
810
811=head2 Gettable and Settable EVP_CIPHER_CTX parameters
812
813The following L<OSSL_PARAM(3)> keys can be used with both EVP_CIPHER_CTX_get_params()
814and EVP_CIPHER_CTX_set_params().
815
816=over 4
817
818=item "padding" (B<OSSL_CIPHER_PARAM_PADDING>) <unsigned integer>
819
820Gets or sets the padding mode for the cipher context I<ctx>.
821Padding is enabled if the value is 1, and disabled if the value is 0.
822See also EVP_CIPHER_CTX_set_padding().
823
824=item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer>
825
826Gets or sets the cipher specific "num" parameter for the cipher context I<ctx>.
827Built-in ciphers typically use this to track how much of the current underlying
828block has been "used" already.
829See also EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num().
830
831=item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
832
833Gets or sets the key length for the cipher context I<ctx>.
834The length of the "keylen" parameter should not exceed that of a B<size_t>.
835See also EVP_CIPHER_CTX_get_key_length() and EVP_CIPHER_CTX_set_key_length().
836
837=item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string>
838
839Gets or sets the AEAD tag for the associated cipher context I<ctx>.
840See L<EVP_EncryptInit(3)/AEAD Interface>.
841
842=item "pipeline-tag" (B<OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG>) <octet ptr>
843
844Gets or sets the AEAD tag when using cipher pipelining. The pointer must
845point to an array of buffers, where the aead tag will be read from or written to.
846The array size must be equal to I<numpipes> used in
847EVP_CipherPipelineEncryptInit() or EVP_CipherPipelineDecryptInit().
848
849=item "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>) <unsigned integer>
850
851Gets or sets the effective keybits used for a RC2 cipher.
852The length of the "keybits" parameter should not exceed that of a B<size_t>.
853
854=item "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>) <unsigned integer>
855
856Gets or sets the number of rounds to be used for a cipher.
857This is used by the RC5 cipher.
858
859=item "algorithm-id" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID>) <octet string>
860
861Used to get the DER encoded AlgorithmIdentifier from the cipher
862implementation.  Functions like L<EVP_PKEY_CTX_get_algor(3)> use this
863parameter.
864
865=item "algorithm-id-params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
866
867Used to pass the DER encoded AlgorithmIdentifier parameter to or from
868the cipher implementation.
869Functions like L<EVP_CIPHER_CTX_set_algor_params(3)> and
870L<EVP_CIPHER_CTX_get_algor_params(3)> use this parameter.
871
872=item "alg_id_params" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD>) <octet string>
873
874An deprecated alias for "algorithm-id-params", only used by
875L<EVP_CIPHER_param_to_asn1(3)> and L<EVP_CIPHER_asn1_to_param(3)>.
876
877=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
878
879Gets or sets the cipher text stealing mode. For all modes the output size is the
880same as the input size. The input length must be greater than or equal to the
881block size. (The block size for AES and CAMELLIA is 16 bytes).
882
883Valid values for the mode are:
884
885=over 4
886
887=item "CS1"
888
889The NIST variant of cipher text stealing.
890For input lengths that are multiples of the block size it is equivalent to
891using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last
892cipher text block is a partial block.
893
894=item "CS2"
895
896For input lengths that are multiples of the block size it is equivalent to
897using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as
898"CS3" mode.
899
900=item "CS3"
901
902The Kerberos5 variant of cipher text stealing which always swaps the last
903cipher text block with the previous block (which may be a partial or full block
904depending on the input length). If the input length is exactly one full block
905then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher.
906
907=back
908
909The default is "CS1".
910This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
911"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
912
913=item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>
914
915Sets or gets the number of records being sent in one go for a tls1 multiblock
916cipher operation (either 4 or 8 records).
917
918=back
919
920=head2 Gettable EVP_CIPHER_CTX parameters
921
922The following L<OSSL_PARAM(3)> keys can be used with EVP_CIPHER_CTX_get_params():
923
924=over 4
925
926=item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer>
927
928Gets the IV length for the cipher context I<ctx>.
929The length of the "ivlen" parameter should not exceed that of a B<size_t>.
930See also EVP_CIPHER_CTX_get_iv_length().
931
932=item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr>
933
934Gets the IV used to initialize the associated cipher context I<ctx>.
935See also EVP_CIPHER_CTX_get_original_iv().
936
937=item "updated-iv" (B<OSSL_CIPHER_PARAM_UPDATED_IV>) <octet string OR octet ptr>
938
939Gets the updated pseudo-IV state for the associated cipher context, e.g.,
940the previous ciphertext block for CBC mode or the iteratively encrypted IV
941value for OFB mode.  Note that octet pointer access is deprecated and is
942provided only for backwards compatibility with historical libcrypto APIs.
943See also EVP_CIPHER_CTX_get_updated_iv().
944
945=item "randkey" (B<OSSL_CIPHER_PARAM_RANDOM_KEY>) <octet string>
946
947Gets an implementation specific randomly generated key for the associated
948cipher context I<ctx>. This is currently only supported by DES and 3DES (which set
949the key to odd parity).
950
951=item "taglen" (B<OSSL_CIPHER_PARAM_AEAD_TAGLEN>) <unsigned integer>
952
953Gets the tag length to be used for an AEAD cipher for the associated cipher
954context I<ctx>. It gets a default value if it has not been set.
955The length of the "taglen" parameter should not exceed that of a B<size_t>.
956See also EVP_CIPHER_CTX_get_tag_length().
957
958=item "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>) <unsigned integer>
959
960Gets the length of the tag that will be added to a TLS record for the AEAD
961tag for the associated cipher context I<ctx>.
962The length of the "tlsaadpad" parameter should not exceed that of a B<size_t>.
963
964=item "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>) <octet string>
965
966Gets the invocation field generated for encryption.
967Can only be called after "tlsivfixed" is set.
968This is only used for GCM mode.
969
970=item "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>) <unsigned integer>
971
972Get the total length of the record returned from the "tls1multi_enc" operation.
973
974=item "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>) <unsigned integer>
975
976Gets the maximum record length for a TLS1 multiblock cipher operation.
977The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B<size_t>.
978
979=item "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) <unsigned integer>
980
981Gets the result of running the "tls1multi_aad" operation.
982
983=item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr>
984
985Used to pass the TLS MAC data.
986
987=item "fips-indicator" (B<OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
988
989This option is used by the OpenSSL FIPS provider.
990
991A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
992This may be used after calling a cipher final operation such as
993EVP_EncryptFinal_ex(). It may return 0 if the "encrypt-check" option is set to 0.
994
995=item "iv-generated" (B<OSSL_CIPHER_PARAM_AEAD_IV_GENERATED>) <unsigned integer>
996
997An indicator that returns 1 if an IV was generated internally during encryption,
998or O otherwise.
999This may be used by GCM ciphers after calling a cipher final operation such
1000as EVP_EncryptFinal_ex().
1001GCM should generate an IV internally if the IV is not specified during a
1002cipher initialisation call such as EVP_CipherInit_ex().
1003See FIPS 140-3 IG C.H for information related to IV requirements.
1004
1005=back
1006
1007=head2 Settable EVP_CIPHER_CTX parameters
1008
1009The following L<OSSL_PARAM(3)> keys can be used with EVP_CIPHER_CTX_set_params():
1010
1011=over 4
1012
1013=item "mackey" (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>) <octet string>
1014
1015Sets the MAC key used by composite AEAD ciphers such as AES-CBC-HMAC-SHA256.
1016
1017=item "speed" (B<OSSL_CIPHER_PARAM_SPEED>) <unsigned integer>
1018
1019Sets the speed option for the associated cipher context. This is only supported
1020by AES SIV ciphers which disallow multiple operations by default.
1021Setting "speed" to 1 allows another encrypt or decrypt operation to be
1022performed. This is used for performance testing.
1023
1024=item "use-bits" (B<OSSL_CIPHER_PARAM_USE_BITS>) <unsigned integer>
1025
1026Determines if the input length I<inl> passed to EVP_EncryptUpdate(),
1027EVP_DecryptUpdate() and EVP_CipherUpdate() is the number of bits or number of bytes.
1028Setting "use-bits" to 1 uses bits. The default is in bytes.
1029This is only used for B<CFB1> ciphers.
1030
1031This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS).
1032
1033=item "tls-version" (B<OSSL_CIPHER_PARAM_TLS_VERSION>) <integer>
1034
1035Sets the TLS version.
1036
1037=item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer>
1038
1039Set the TLS MAC size.
1040
1041=item "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) <octet string>
1042
1043Sets TLSv1.2 AAD information for the associated cipher context I<ctx>.
1044TLSv1.2 AAD information is always 13 bytes in length and is as defined for the
1045"additional_data" field described in section 6.2.3.3 of RFC5246.
1046
1047=item "tlsivfixed" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>) <octet string>
1048
1049Sets the fixed portion of an IV for an AEAD cipher used in a TLS record
1050encryption/ decryption for the associated cipher context.
1051TLS record encryption/decryption always occurs "in place" so that the input and
1052output buffers are always the same memory location.
1053AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part
1054that varies with every record.
1055Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records.
1056TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
1057record.
1058For a record decryption the first bytes of the input buffer will be the explicit
1059part of the IV and the final bytes of the input buffer will be the AEAD tag.
1060The length of the explicit part of the IV and the tag length will depend on the
1061cipher in use and will be defined in the RFC for the relevant ciphersuite.
1062In order to allow for "in place" decryption the plaintext output should be
1063written to the same location in the output buffer that the ciphertext payload
1064was read from, i.e. immediately after the explicit IV.
1065
1066When encrypting a record the first bytes of the input buffer should be empty to
1067allow space for the explicit IV, as will the final bytes where the tag will
1068be written.
1069The length of the input buffer will include the length of the explicit IV, the
1070payload, and the tag bytes.
1071The cipher implementation should generate the explicit IV and write it to the
1072beginning of the output buffer, do "in place" encryption of the payload and
1073write that to the output buffer, and finally add the tag onto the end of the
1074output buffer.
1075
1076Whether encrypting or decrypting the value written to I<*outl> in the
1077OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit
1078IV length and the tag length.
1079
1080=item "tlsivinv" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>) <octet string>
1081
1082Sets the invocation field used for decryption.
1083Can only be called after "tlsivfixed" is set.
1084This is only used for GCM mode.
1085
1086=item "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>) <octet string>
1087
1088Triggers a multiblock TLS1 encrypt operation for a TLS1 aware cipher that
1089supports sending 4 or 8 records in one go.
1090The cipher performs both the MAC and encrypt stages and constructs the record
1091headers itself.
1092"tls1multi_enc" supplies the output buffer for the encrypt operation,
1093"tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply
1094values to the encrypt operation.
1095
1096=item "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) <octet string>
1097
1098Supplies the data to encrypt for a TLS1 multiblock cipher operation.
1099
1100=item "tls1multi_maxsndfrag" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT>) <unsigned integer>
1101
1102Sets the maximum send fragment size for a TLS1 multiblock cipher operation.
1103It must be set before using "tls1multi_maxbufsz".
1104The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B<size_t>.
1105
1106=item "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) <octet string>
1107
1108Sets the authenticated additional data used by a TLS1 multiblock cipher operation.
1109The supplied data consists of 13 bytes of record data containing:
1110Bytes 0-7: The sequence number of the first record
1111Byte 8: The record type
1112Byte 9-10: The protocol version
1113Byte 11-12: Input length (Always 0)
1114
1115"tls1multi_interleave" must also be set for this operation.
1116
1117=item "xts_standard" (B<OSSL_CIPHER_PARAM_XTS_STANDARD>) <UTF8 string>
1118
1119Sets the XTS standard to use with SM4-XTS algorithm. XTS mode has two
1120implementations, one is standardized in IEEE Std. 1619-2007 and has
1121been widely used (e.g., XTS AES), the other is proposed recently
1122(GB/T 17964-2021 implemented in May 2022) and is currently only used
1123in SM4.
1124
1125The main difference between them is the multiplication by the
1126primitive element E<alpha> to calculate the tweak values. The IEEE
1127Std 1619-2007 noted that the multiplication "is a left shift of each
1128byte by one bit with carry propagating from one byte to the next
1129one", which means that in each byte, the leftmost bit is the most
1130significant bit. But in GB/T 17964-2021, the rightmost bit is the
1131most significant bit, thus the multiplication becomes a right shift
1132of each byte by one bit with carry propagating from one byte to the
1133next one.
1134
1135Valid values for the mode are:
1136
1137=over 4
1138
1139=item "GB"
1140
1141The GB/T 17964-2021 variant of SM4-XTS algorithm.
1142
1143=item "IEEE"
1144
1145The IEEE Std. 1619-2007 variant of SM4-XTS algorithm.
1146
1147=back
1148
1149The default value is "GB".
1150
1151=item "encrypt-check" (B<OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK>) <integer>
1152
1153This option is used by the OpenSSL FIPS provider.
1154
1155If required this parameter should be set early via an cipher encrypt init
1156function such as EVP_EncryptInit_ex2().
1157The default value of 1 causes an error when an encryption operation is triggered.
1158Setting this to 0 will ignore the error and set the approved "fips-indicator" to
11590.
1160This option breaks FIPS compliance if it causes the approved "fips-indicator"
1161to return 0.
1162
1163=back
1164
1165=head1 CONTROLS
1166
1167The Mappings from EVP_CIPHER_CTX_ctrl() identifiers to PARAMETERS are listed
1168in the following section. See the L</PARAMETERS> section for more details.
1169
1170EVP_CIPHER_CTX_ctrl() can be used to send the following standard controls:
1171
1172=over 4
1173
1174=item EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN
1175
1176When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1177EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1178key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>).
1179
1180=item EVP_CTRL_AEAD_SET_IV_FIXED
1181
1182When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1183with an L<OSSL_PARAM(3)> item with the key "tlsivfixed"
1184(B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>).
1185
1186=item EVP_CTRL_AEAD_SET_MAC_KEY
1187
1188When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1189with an L<OSSL_PARAM(3)> item with the key "mackey"
1190(B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>).
1191
1192=item EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG
1193
1194When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1195EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1196key "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>).
1197
1198=item EVP_CTRL_CCM_SET_L
1199
1200When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1201with an L<OSSL_PARAM(3)> item with the key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>)
1202with a value of (15 - L)
1203
1204=item EVP_CTRL_COPY
1205
1206There is no OSSL_PARAM mapping for this. Use EVP_CIPHER_CTX_copy() instead.
1207
1208=item EVP_CTRL_GCM_SET_IV_INV
1209
1210When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1211with an L<OSSL_PARAM(3)> item with the key "tlsivinv"
1212(B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>).
1213
1214=item EVP_CTRL_RAND_KEY
1215
1216When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1217with an L<OSSL_PARAM(3)> item with the key "randkey"
1218(B<OSSL_CIPHER_PARAM_RANDOM_KEY>).
1219
1220=item EVP_CTRL_SET_KEY_LENGTH
1221
1222When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1223with an L<OSSL_PARAM(3)> item with the key "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>).
1224
1225=item EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS
1226
1227When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1228EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1229key "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>).
1230
1231=item EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS
1232
1233When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1234EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1235key "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>).
1236
1237=item EVP_CTRL_SET_SPEED
1238
1239When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1240with an L<OSSL_PARAM(3)> item with the key "speed" (B<OSSL_CIPHER_PARAM_SPEED>).
1241
1242=item EVP_CTRL_GCM_IV_GEN
1243
1244When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_get_params() gets called
1245with an L<OSSL_PARAM(3)> item with the key
1246"tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>).
1247
1248=item EVP_CTRL_AEAD_TLS1_AAD
1249
1250When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
1251with an L<OSSL_PARAM(3)> item with the key
1252"tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
1253followed by EVP_CIPHER_CTX_get_params() with a key of
1254"tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>).
1255
1256=item EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE
1257
1258When used with a fetched B<EVP_CIPHER>,
1259EVP_CIPHER_CTX_set_params() gets called with an L<OSSL_PARAM(3)> item with the
1260key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT
1261followed by EVP_CIPHER_CTX_get_params() with a key of
1262"tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>).
1263
1264=item EVP_CTRL_TLS1_1_MULTIBLOCK_AAD
1265
1266When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1267with L<OSSL_PARAM(3)> items with the keys
1268"tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) and
1269"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>)
1270followed by EVP_CIPHER_CTX_get_params() with keys of
1271"tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) and
1272"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>).
1273
1274=item EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT
1275
1276When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1277with L<OSSL_PARAM(3)> items with the keys
1278"tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>),
1279"tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) and
1280"tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>),
1281followed by EVP_CIPHER_CTX_get_params() with a key of
1282"tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>).
1283
1284=back
1285
1286=head1 FLAGS
1287
1288EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags().
1289can be used to manipulate and test these B<EVP_CIPHER_CTX> flags:
1290
1291=over 4
1292
1293=item EVP_CIPH_NO_PADDING
1294
1295Used by EVP_CIPHER_CTX_set_padding().
1296
1297See also L</Gettable and Settable EVP_CIPHER_CTX parameters> "padding"
1298
1299=item EVP_CIPH_FLAG_LENGTH_BITS
1300
1301See L</Settable EVP_CIPHER_CTX parameters> "use-bits".
1302
1303=item EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
1304
1305Used for Legacy purposes only. This flag needed to be set to indicate the
1306cipher handled wrapping.
1307
1308=back
1309
1310EVP_CIPHER_flags() uses the following flags that
1311have mappings to L</Gettable EVP_CIPHER parameters>:
1312
1313=over 4
1314
1315=item EVP_CIPH_FLAG_AEAD_CIPHER
1316
1317See L</Gettable EVP_CIPHER parameters> "aead".
1318
1319=item EVP_CIPH_CUSTOM_IV
1320
1321See L</Gettable EVP_CIPHER parameters> "custom-iv".
1322
1323=item EVP_CIPH_FLAG_CTS
1324
1325See L</Gettable EVP_CIPHER parameters> "cts".
1326
1327=item EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;
1328
1329See L</Gettable EVP_CIPHER parameters> "tls-multi".
1330
1331=item EVP_CIPH_RAND_KEY
1332
1333See L</Gettable EVP_CIPHER parameters> "has-randkey".
1334
1335=back
1336
1337EVP_CIPHER_flags() uses the following flags for legacy purposes only:
1338
1339=over 4
1340
1341=item EVP_CIPH_VARIABLE_LENGTH
1342
1343=item EVP_CIPH_FLAG_CUSTOM_CIPHER
1344
1345=item EVP_CIPH_ALWAYS_CALL_INIT
1346
1347=item EVP_CIPH_CTRL_INIT
1348
1349=item EVP_CIPH_CUSTOM_KEY_LENGTH
1350
1351=item EVP_CIPH_CUSTOM_COPY
1352
1353=item EVP_CIPH_FLAG_DEFAULT_ASN1
1354
1355See L<EVP_CIPHER_meth_set_flags(3)> for further information related to the above
1356flags.
1357
1358=back
1359
1360=head1 RETURN VALUES
1361
1362EVP_CIPHER_fetch() returns a pointer to a B<EVP_CIPHER> for success
1363and B<NULL> for failure.
1364
1365EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise.
1366
1367EVP_CIPHER_CTX_new() returns a pointer to a newly created
1368B<EVP_CIPHER_CTX> for success and B<NULL> for failure.
1369
1370EVP_CIPHER_CTX_dup() returns a new EVP_CIPHER_CTX if successful or NULL on failure.
1371
1372EVP_CIPHER_CTX_copy() returns 1 if successful or 0 for failure.
1373
1374EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
1375return 1 for success and 0 for failure.
1376
1377EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
1378EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
1379
1380EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for
1381failure.
1382EVP_CipherFinal_ex() returns 0 for an encryption/decryption failure or 1 for
1383success.
1384
1385EVP_Cipher() returns 1 on success and <= 0 on failure, if the flag
1386B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher, or if the cipher has
1387not been initialized via a call to B<EVP_CipherInit_ex2>.
1388EVP_Cipher() returns the number of bytes written to I<out> for
1389encryption/decryption, or the number of bytes authenticated in a call specifying
1390AAD for an AEAD cipher, if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for
1391the cipher.
1392
1393EVP_CIPHER_can_pipeline() returns 1 if the cipher can be used in a pipeline, 0 otherwise.
1394
1395EVP_CipherPipelineEncryptInit() and EVP_CipherPipelineDecryptInit()
1396return 1 for success and 0 for failure.
1397
1398EVP_CipherPipelineUpdate() and EVP_CipherPipelineFinal()
1399return 1 for success and 0 for failure.
1400
1401EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
1402
1403EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
1404return an B<EVP_CIPHER> structure or NULL on error.
1405
1406EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() return a NID.
1407
1408EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size() return the
1409block size, or 0 on error.
1410
1411EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length() return the key
1412length.
1413
1414EVP_CIPHER_CTX_set_padding() always returns 1.
1415
1416EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() return the IV
1417length, zero if the cipher does not use an IV and a negative value on error.
1418
1419EVP_CIPHER_CTX_get_tag_length() return the tag length or zero if the cipher
1420does not use a tag.
1421
1422EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() return the NID of the
1423cipher's OBJECT IDENTIFIER or NID_undef if it has no defined
1424OBJECT IDENTIFIER.
1425
1426EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
1427
1428EVP_CIPHER_CTX_get_num() returns a nonnegative num value or
1429B<EVP_CTRL_RET_UNSUPPORTED> if the implementation does not support the call
1430or on any other error.
1431
1432EVP_CIPHER_CTX_set_num() returns 1 on success and 0 if the implementation
1433does not support the call or on any other error.
1434
1435EVP_CIPHER_CTX_is_encrypting() returns 1 if the I<ctx> is set up for encryption
14360 otherwise.
1437
1438EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
1439than zero for success and zero or a negative number on failure.
1440
1441EVP_CIPHER_CTX_rand_key() returns 1 for success and zero or a negative number
1442for failure.
1443
1444EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names.
1445A return value of 0 means that the callback was not called for any names.
1446
1447=head1 CIPHER LISTING
1448
1449All algorithms have a fixed key length unless otherwise stated.
1450
1451Refer to L</SEE ALSO> for the full list of ciphers available through the EVP
1452interface.
1453
1454=over 4
1455
1456=item EVP_enc_null()
1457
1458Null cipher: does nothing.
1459
1460=back
1461
1462=head1 AEAD INTERFACE
1463
1464The EVP interface for Authenticated Encryption with Associated Data (AEAD)
1465modes are subtly altered and several additional I<ctrl> operations are supported
1466depending on the mode specified.
1467
1468To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
1469EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
1470parameter I<out> set to B<NULL>. In this case, on success, the parameter
1471I<outl> is set to the number of bytes authenticated.
1472
1473When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1474indicates whether the operation was successful. If it does not indicate success,
1475the authentication operation has failed and any output data B<MUST NOT> be used
1476as it is corrupted.
1477
1478Please note that the number of authenticated bytes returned by
1479EVP_CipherUpdate() depends on the cipher used. Stream ciphers, such as ChaCha20
1480or ciphers in GCM mode, can handle 1 byte at a time, resulting in an effective
1481"block" size of 1. Conversely, ciphers in OCB mode must process data one block
1482at a time, and the block size is returned.
1483
1484Regardless of the returned size, it is safe to pass unpadded data to an
1485EVP_CipherUpdate() call in a single operation.
1486
1487=head2 GCM and OCB Modes
1488
1489The following I<ctrl>s are supported in GCM and OCB modes.
1490
1491=over 4
1492
1493=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1494
1495Sets the IV length. This call can only be made before specifying an IV. If
1496not called a default IV length is used.
1497
1498For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the
1499maximum is 15.
1500
1501=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1502
1503Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1504This call can only be made when encrypting data and B<after> all data has been
1505processed (e.g. after an EVP_EncryptFinal() call).
1506
1507For OCB, C<taglen> must either be 16 or the value previously set via
1508B<EVP_CTRL_AEAD_SET_TAG>.
1509
1510=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1511
1512When decrypting, this call sets the expected tag to C<taglen> bytes from C<tag>.
1513C<taglen> must be between 1 and 16 inclusive.
1514The tag must be set prior to any call to EVP_DecryptFinal() or
1515EVP_DecryptFinal_ex().
1516
1517For GCM, this call is only valid when decrypting data.
1518
1519For OCB, this call is valid when decrypting data to set the expected tag,
1520and when encrypting to set the desired tag length.
1521
1522In OCB mode, calling this with C<tag> set to C<NULL> sets the tag length.
1523The tag length can only be set before specifying an IV. If this is not called
1524prior to setting the IV, then a default tag length is used.
1525
1526For OCB AES, the default tag length is 16 (i.e. 128 bits).  It is also the
1527maximum tag length for OCB.
1528
1529=back
1530
1531=head2 CCM Mode
1532
1533The EVP interface for CCM mode is similar to that of the GCM mode but with a
1534few additional requirements and different I<ctrl> values.
1535
1536For CCM mode, the total plaintext or ciphertext length B<MUST> be passed to
1537EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output
1538and input parameters (I<in> and I<out>) set to B<NULL> and the length passed in
1539the I<inl> parameter.
1540
1541The following I<ctrl>s are supported in CCM mode.
1542
1543=over 4
1544
1545=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1546
1547This call is made to set the expected B<CCM> tag value when decrypting or
1548the length of the tag (with the C<tag> parameter set to NULL) when encrypting.
1549The tag length is often referred to as B<M>. If not set a default value is
1550used (12 for AES). When decrypting, the tag needs to be set before passing
1551in data to be decrypted, but as in GCM and OCB mode, it can be set after
1552passing additional authenticated data (see L</AEAD INTERFACE>).
1553
1554=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)
1555
1556Sets the CCM B<L> value. If not set a default is used (8 for AES).
1557
1558=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1559
1560Sets the CCM nonce (IV) length. This call can only be made before specifying a
1561nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
1562AES.
1563
1564=back
1565
1566=head2 SIV Mode
1567
1568Both the AES-SIV and AES-GCM-SIV ciphers fall under this mode.
1569
1570For SIV mode ciphers the behaviour of the EVP interface is subtly
1571altered and several additional ctrl operations are supported.
1572
1573To specify any additional authenticated data (AAD) and/or a Nonce, a call to
1574EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1575with the output parameter I<out> set to B<NULL>.
1576
1577RFC5297 states that the Nonce is the last piece of AAD before the actual
1578encrypt/decrypt takes place. The API does not differentiate the Nonce from
1579other AAD.
1580
1581When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1582indicates if the operation was successful. If it does not indicate success
1583the authentication operation has failed and any output data B<MUST NOT>
1584be used as it is corrupted.
1585
1586The API does not store the SIV (Synthetic Initialization Vector) in
1587the cipher text. Instead, it is stored as the tag within the EVP_CIPHER_CTX.
1588The SIV must be retrieved from the context after encryption, and set into
1589the context before decryption.
1590
1591This differs from RFC5297 in that the cipher output from encryption, and
1592the cipher input to decryption, does not contain the SIV. This also means
1593that the plain text and cipher text lengths are identical.
1594
1595The following ctrls are supported in SIV mode, and are used to get and set
1596the Synthetic Initialization Vector:
1597
1598=over 4
1599
1600=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);
1601
1602Writes I<taglen> bytes of the tag value (the Synthetic Initialization Vector)
1603to the buffer indicated by I<tag>. This call can only be made when encrypting
1604data and B<after> all data has been processed (e.g. after an EVP_EncryptFinal()
1605call). For SIV mode the taglen must be 16.
1606
1607=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);
1608
1609Sets the expected tag (the Synthetic Initialization Vector) to I<taglen>
1610bytes from I<tag>. This call is only legal when decrypting data and must be
1611made B<before> any data is processed (e.g. before any EVP_DecryptUpdate()
1612calls). For SIV mode the taglen must be 16.
1613
1614=back
1615
1616SIV mode makes two passes over the input data, thus, only one call to
1617EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1618with I<out> set to a non-B<NULL> value. A call to EVP_DecryptFinal() or
1619EVP_CipherFinal() is not required, but will indicate if the update
1620operation succeeded.
1621
1622=head2 ChaCha20-Poly1305
1623
1624The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm.
1625
1626=over 4
1627
1628=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1629
1630Sets the nonce length. This call is now redundant since the only valid value
1631is the default length of 12 (i.e. 96 bits).
1632Prior to OpenSSL 3.0 a nonce of less than 12 bytes could be used to automatically
1633pad the iv with leading 0 bytes to make it 12 bytes in length.
1634
1635=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1636
1637Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1638This call can only be made when encrypting data and B<after> all data has been
1639processed (e.g. after an EVP_EncryptFinal() call).
1640
1641C<taglen> specified here must be 16 (B<POLY1305_BLOCK_SIZE>, i.e. 128-bits) or
1642less.
1643
1644=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1645
1646Sets the expected tag to C<taglen> bytes from C<tag>.
1647The tag length can only be set before specifying an IV.
1648C<taglen> must be between 1 and 16 (B<POLY1305_BLOCK_SIZE>) inclusive.
1649This call is only valid when decrypting data.
1650
1651=back
1652
1653=head1 NOTES
1654
1655Where possible the B<EVP> interface to symmetric ciphers should be used in
1656preference to the low-level interfaces. This is because the code then becomes
1657transparent to the cipher used and much more flexible. Additionally, the
1658B<EVP> interface will ensure the use of platform specific cryptographic
1659acceleration such as AES-NI (the low-level interfaces do not provide the
1660guarantee).
1661
1662PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
1663length of the encrypted data a multiple of the block size. Padding is always
1664added so if the data is already a multiple of the block size B<n> will equal
1665the block size. For example if the block size is 8 and 11 bytes are to be
1666encrypted then 5 padding bytes of value 5 will be added.
1667
1668When decrypting the final block is checked to see if it has the correct form.
1669
1670Although the decryption operation can produce an error if padding is enabled,
1671it is not a strong test that the input data or key is correct. A random block
1672has better than 1 in 256 chance of being of the correct format and problems with
1673the input data earlier on will not produce a final decrypt error.
1674
1675If padding is disabled then the decryption operation will always succeed if
1676the total amount of data decrypted is a multiple of the block size.
1677
1678The functions EVP_EncryptInit(), EVP_EncryptInit_ex(),
1679EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex(),
1680EVP_CipherInit(), EVP_CipherInit_ex() and EVP_CipherFinal() are obsolete
1681but are retained for compatibility with existing code. New code should
1682use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(),
1683EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex()
1684because they can reuse an existing context without allocating and freeing
1685it up on each call.
1686
1687There are some differences between functions EVP_CipherInit() and
1688EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills
1689the passed context object with zeros.  As a consequence, EVP_CipherInit() does
1690not allow step-by-step initialization of the ctx when the I<key> and I<iv> are
1691passed in separate calls. It also means that the flags set for the CTX are
1692removed, and it is especially important for the
1693B<EVP_CIPHER_CTX_FLAG_WRAP_ALLOW> flag treated specially in
1694EVP_CipherInit_ex().
1695
1696Ignoring failure returns of the B<EVP_CIPHER_CTX> initialization functions can
1697lead to subsequent undefined behavior when calling the functions that update or
1698finalize the context. The only valid calls on the B<EVP_CIPHER_CTX> when
1699initialization fails are calls that attempt another initialization of the
1700context or release the context.
1701
1702EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros.
1703
1704=head1 BUGS
1705
1706B<EVP_MAX_KEY_LENGTH> and B<EVP_MAX_IV_LENGTH> only refer to the internal
1707ciphers with default key lengths. If custom ciphers exceed these values the
1708results are unpredictable. This is because it has become standard practice to
1709define a generic key as a fixed unsigned char array containing
1710B<EVP_MAX_KEY_LENGTH> bytes.
1711
1712The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
1713for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
1714
1715=head1 EXAMPLES
1716
1717Encrypt a string using IDEA:
1718
1719 int do_crypt(char *outfile)
1720 {
1721     unsigned char outbuf[1024];
1722     int outlen, tmplen;
1723     /*
1724      * Bogus key and IV: we'd normally set these from
1725      * another source.
1726      */
1727     unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
1728     unsigned char iv[] = {1,2,3,4,5,6,7,8};
1729     char intext[] = "Some Crypto Text";
1730     EVP_CIPHER_CTX *ctx;
1731     FILE *out;
1732
1733     ctx = EVP_CIPHER_CTX_new();
1734     if (!EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL)) {
1735         /* Error */
1736         EVP_CIPHER_CTX_free(ctx);
1737         return 0;
1738     }
1739
1740     if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
1741         /* Error */
1742         EVP_CIPHER_CTX_free(ctx);
1743         return 0;
1744     }
1745     /*
1746      * Buffer passed to EVP_EncryptFinal() must be after data just
1747      * encrypted to avoid overwriting it.
1748      */
1749     if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
1750         /* Error */
1751         EVP_CIPHER_CTX_free(ctx);
1752         return 0;
1753     }
1754     outlen += tmplen;
1755     EVP_CIPHER_CTX_free(ctx);
1756     /*
1757      * Need binary mode for fopen because encrypted data is
1758      * binary data. Also cannot use strlen() on it because
1759      * it won't be NUL terminated and may contain embedded
1760      * NULs.
1761      */
1762     out = fopen(outfile, "wb");
1763     if (out == NULL) {
1764         /* Error */
1765         return 0;
1766     }
1767     fwrite(outbuf, 1, outlen, out);
1768     fclose(out);
1769     return 1;
1770 }
1771
1772The ciphertext from the above example can be decrypted using the B<openssl>
1773utility with the command line (shown on two lines for clarity):
1774
1775 openssl idea -d \
1776     -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
1777
1778General encryption and decryption function example using FILE I/O and AES128
1779with a 128-bit key:
1780
1781 int do_crypt(FILE *in, FILE *out, int do_encrypt)
1782 {
1783     /* Allow enough space in output buffer for additional block */
1784     unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
1785     int inlen, outlen;
1786     EVP_CIPHER_CTX *ctx;
1787     /*
1788      * Bogus key and IV: we'd normally set these from
1789      * another source.
1790      */
1791     unsigned char key[] = "0123456789abcdeF";
1792     unsigned char iv[] = "1234567887654321";
1793
1794     /* Don't set key or IV right away; we want to check lengths */
1795     ctx = EVP_CIPHER_CTX_new();
1796     if (!EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL,
1797                             do_encrypt, NULL)) {
1798         /* Error */
1799         EVP_CIPHER_CTX_free(ctx);
1800         return 0;
1801     }
1802     OPENSSL_assert(EVP_CIPHER_CTX_get_key_length(ctx) == 16);
1803     OPENSSL_assert(EVP_CIPHER_CTX_get_iv_length(ctx) == 16);
1804
1805     /* Now we can set key and IV */
1806     if (!EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL)) {
1807         /* Error */
1808         EVP_CIPHER_CTX_free(ctx);
1809         return 0;
1810     }
1811
1812     for (;;) {
1813         inlen = fread(inbuf, 1, 1024, in);
1814         if (inlen <= 0)
1815             break;
1816         if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
1817             /* Error */
1818             EVP_CIPHER_CTX_free(ctx);
1819             return 0;
1820         }
1821         fwrite(outbuf, 1, outlen, out);
1822     }
1823     if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
1824         /* Error */
1825         EVP_CIPHER_CTX_free(ctx);
1826         return 0;
1827     }
1828     fwrite(outbuf, 1, outlen, out);
1829
1830     EVP_CIPHER_CTX_free(ctx);
1831     return 1;
1832 }
1833
1834Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
1835
1836 int encrypt(const unsigned char *key, const unsigned char *iv,
1837             const unsigned char *msg, size_t msg_len, unsigned char *out)
1838 {
1839    /*
1840     * This assumes that key size is 32 bytes and the iv is 16 bytes.
1841     * For ciphertext stealing mode the length of the ciphertext "out" will be
1842     * the same size as the plaintext size "msg_len".
1843     * The "msg_len" can be any size >= 16.
1844     */
1845     int ret = 0, encrypt = 1, outlen, len;
1846     EVP_CIPHER_CTX *ctx = NULL;
1847     EVP_CIPHER *cipher = NULL;
1848     OSSL_PARAM params[2];
1849
1850     ctx = EVP_CIPHER_CTX_new();
1851     cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL);
1852     if (ctx == NULL || cipher == NULL)
1853         goto err;
1854
1855     /*
1856      * The default is "CS1" so this is not really needed,
1857      * but would be needed to set either "CS2" or "CS3".
1858      */
1859     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE,
1860                                                  "CS1", 0);
1861     params[1] = OSSL_PARAM_construct_end();
1862
1863     if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params))
1864         goto err;
1865
1866     /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */
1867     if (!EVP_CipherUpdate(ctx, out, &outlen, msg, msg_len))
1868         goto err;
1869      if (!EVP_CipherFinal_ex(ctx, out + outlen, &len))
1870         goto err;
1871     ret = 1;
1872 err:
1873     EVP_CIPHER_free(cipher);
1874     EVP_CIPHER_CTX_free(ctx);
1875     return ret;
1876 }
1877
1878=head1 SEE ALSO
1879
1880L<evp(7)>,
1881L<property(7)>,
1882L<crypto(7)/ALGORITHM FETCHING>,
1883L<provider-cipher(7)>,
1884L<life_cycle-cipher(7)>
1885
1886Supported ciphers are listed in:
1887
1888L<EVP_aes_128_gcm(3)>,
1889L<EVP_aria_128_gcm(3)>,
1890L<EVP_bf_cbc(3)>,
1891L<EVP_camellia_128_ecb(3)>,
1892L<EVP_cast5_cbc(3)>,
1893L<EVP_chacha20(3)>,
1894L<EVP_des_cbc(3)>,
1895L<EVP_desx_cbc(3)>,
1896L<EVP_idea_cbc(3)>,
1897L<EVP_rc2_cbc(3)>,
1898L<EVP_rc4(3)>,
1899L<EVP_rc5_32_12_16_cbc(3)>,
1900L<EVP_seed_cbc(3)>,
1901L<EVP_sm4_cbc(3)>,
1902
1903=head1 HISTORY
1904
1905Support for OCB mode was added in OpenSSL 1.1.0.
1906
1907B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0.  As a result,
1908EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
1909disappeared.  EVP_CIPHER_CTX_init() remains as an alias for
1910EVP_CIPHER_CTX_reset().
1911
1912The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use
1913EVP_CIPHER_CTX_get0_cipher() instead.
1914
1915The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
1916EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
1917EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(),
1918EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
1919EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
1920EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),
1921EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params()
1922functions were added in 3.0.
1923
1924The EVP_CIPHER_nid(), EVP_CIPHER_name(), EVP_CIPHER_block_size(),
1925EVP_CIPHER_key_length(), EVP_CIPHER_iv_length(), EVP_CIPHER_flags(),
1926EVP_CIPHER_mode(), EVP_CIPHER_type(), EVP_CIPHER_CTX_nid(),
1927EVP_CIPHER_CTX_block_size(), EVP_CIPHER_CTX_key_length(),
1928EVP_CIPHER_CTX_iv_length(), EVP_CIPHER_CTX_tag_length(),
1929EVP_CIPHER_CTX_num(), EVP_CIPHER_CTX_type(), and EVP_CIPHER_CTX_mode()
1930functions were renamed to include C<get> or C<get0> in their names in
1931OpenSSL 3.0, respectively. The old names are kept as non-deprecated
1932alias macros.
1933
1934The EVP_CIPHER_CTX_encrypting() function was renamed to
1935EVP_CIPHER_CTX_is_encrypting() in OpenSSL 3.0. The old name is kept as
1936non-deprecated alias macro.
1937
1938The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0.
1939
1940EVP_CIPHER_CTX_dup() was added in OpenSSL 3.2.
1941
1942=head1 COPYRIGHT
1943
1944Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
1945
1946Licensed under the Apache License 2.0 (the "License").  You may not use
1947this file except in compliance with the License.  You can obtain a copy
1948in the file LICENSE in the source distribution or at
1949L<https://www.openssl.org/source/license.html>.
1950
1951=cut
1952