25 EVP_CIPHER_CTX_set_key_length,
39 EVP_CIPHER_get0_description,
40 EVP_CIPHER_names_do_all,
41 EVP_CIPHER_get0_provider,
43 EVP_CIPHER_get_params,
44 EVP_CIPHER_gettable_params,
45 EVP_CIPHER_get_block_size,
46 EVP_CIPHER_get_key_length,
47 EVP_CIPHER_get_iv_length,
51 EVP_CIPHER_CTX_cipher,
52 EVP_CIPHER_CTX_get0_cipher,
53 EVP_CIPHER_CTX_get1_cipher,
54 EVP_CIPHER_CTX_get0_name,
55 EVP_CIPHER_CTX_get_nid,
56 EVP_CIPHER_CTX_get_params,
57 EVP_CIPHER_gettable_ctx_params,
58 EVP_CIPHER_CTX_gettable_params,
59 EVP_CIPHER_CTX_set_params,
60 EVP_CIPHER_settable_ctx_params,
61 EVP_CIPHER_CTX_settable_params,
62 EVP_CIPHER_CTX_get_block_size,
63 EVP_CIPHER_CTX_get_key_length,
64 EVP_CIPHER_CTX_get_iv_length,
65 EVP_CIPHER_CTX_get_tag_length,
66 EVP_CIPHER_CTX_get_app_data,
67 EVP_CIPHER_CTX_set_app_data,
69 EVP_CIPHER_CTX_set_flags,
70 EVP_CIPHER_CTX_clear_flags,
71 EVP_CIPHER_CTX_test_flags,
72 EVP_CIPHER_CTX_get_type,
73 EVP_CIPHER_CTX_get_mode,
74 EVP_CIPHER_CTX_get_num,
75 EVP_CIPHER_CTX_set_num,
76 EVP_CIPHER_CTX_is_encrypting,
77 EVP_CIPHER_param_to_asn1,
78 EVP_CIPHER_asn1_to_param,
79 EVP_CIPHER_CTX_set_padding,
81 EVP_CIPHER_do_all_provided,
84 EVP_CIPHER_block_size,
85 EVP_CIPHER_key_length,
90 EVP_CIPHER_CTX_encrypting,
92 EVP_CIPHER_CTX_block_size,
93 EVP_CIPHER_CTX_key_length,
94 EVP_CIPHER_CTX_iv_length,
95 EVP_CIPHER_CTX_tag_length,
105 #include <openssl/evp.h>
107 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
108 const char *properties);
109 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
110 void EVP_CIPHER_free(EVP_CIPHER *cipher);
111 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
112 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
113 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
114 EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in);
115 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in);
117 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
118 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
119 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
120 const unsigned char *key, const unsigned char *iv,
121 const OSSL_PARAM params[]);
122 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
123 int *outl, const unsigned char *in, int inl);
124 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
126 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
127 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
128 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
129 const unsigned char *key, const unsigned char *iv,
130 const OSSL_PARAM params[]);
131 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
132 int *outl, const unsigned char *in, int inl);
133 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
135 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
136 ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
137 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
138 const unsigned char *key, const unsigned char *iv,
139 int enc, const OSSL_PARAM params[]);
140 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
141 int *outl, const unsigned char *in, int inl);
142 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
144 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
145 const unsigned char *key, const unsigned char *iv);
146 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
148 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
149 const unsigned char *key, const unsigned char *iv);
150 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
152 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
153 const unsigned char *key, const unsigned char *iv, int enc);
154 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
156 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
157 const unsigned char *in, unsigned int inl);
159 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
160 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
161 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2);
162 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
163 void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
164 void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
165 int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
167 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
168 const EVP_CIPHER *EVP_get_cipherbynid(int nid);
169 const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a);
171 int EVP_CIPHER_get_nid(const EVP_CIPHER *e);
172 int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name);
173 int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher,
174 void (*fn)(const char *name, void *data),
176 const char *EVP_CIPHER_get0_name(const EVP_CIPHER *cipher);
177 const char *EVP_CIPHER_get0_description(const EVP_CIPHER *cipher);
178 const OSSL_PROVIDER *EVP_CIPHER_get0_provider(const EVP_CIPHER *cipher);
179 int EVP_CIPHER_get_block_size(const EVP_CIPHER *e);
180 int EVP_CIPHER_get_key_length(const EVP_CIPHER *e);
181 int EVP_CIPHER_get_iv_length(const EVP_CIPHER *e);
182 unsigned long EVP_CIPHER_get_flags(const EVP_CIPHER *e);
183 unsigned long EVP_CIPHER_get_mode(const EVP_CIPHER *e);
184 int EVP_CIPHER_get_type(const EVP_CIPHER *cipher);
186 const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx);
187 EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx);
188 int EVP_CIPHER_CTX_get_nid(const EVP_CIPHER_CTX *ctx);
189 const char *EVP_CIPHER_CTX_get0_name(const EVP_CIPHER_CTX *ctx);
191 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]);
192 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]);
193 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
194 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher);
195 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher);
196 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher);
197 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx);
198 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
199 int EVP_CIPHER_CTX_get_block_size(const EVP_CIPHER_CTX *ctx);
200 int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx);
201 int EVP_CIPHER_CTX_get_iv_length(const EVP_CIPHER_CTX *ctx);
202 int EVP_CIPHER_CTX_get_tag_length(const EVP_CIPHER_CTX *ctx);
203 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
204 void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data);
205 int EVP_CIPHER_CTX_get_type(const EVP_CIPHER_CTX *ctx);
206 int EVP_CIPHER_CTX_get_mode(const EVP_CIPHER_CTX *ctx);
207 int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx);
208 int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num);
209 int EVP_CIPHER_CTX_is_encrypting(const EVP_CIPHER_CTX *ctx);
211 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
212 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
214 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
215 void (*fn)(EVP_CIPHER *cipher, void *arg),
218 #define EVP_CIPHER_nid EVP_CIPHER_get_nid
219 #define EVP_CIPHER_name EVP_CIPHER_get0_name
220 #define EVP_CIPHER_block_size EVP_CIPHER_get_block_size
221 #define EVP_CIPHER_key_length EVP_CIPHER_get_key_length
222 #define EVP_CIPHER_iv_length EVP_CIPHER_get_iv_length
223 #define EVP_CIPHER_flags EVP_CIPHER_get_flags
224 #define EVP_CIPHER_mode EVP_CIPHER_get_mode
225 #define EVP_CIPHER_type EVP_CIPHER_get_type
226 #define EVP_CIPHER_CTX_encrypting EVP_CIPHER_CTX_is_encrypting
227 #define EVP_CIPHER_CTX_nid EVP_CIPHER_CTX_get_nid
228 #define EVP_CIPHER_CTX_block_size EVP_CIPHER_CTX_get_block_size
229 #define EVP_CIPHER_CTX_key_length EVP_CIPHER_CTX_get_key_length
230 #define EVP_CIPHER_CTX_iv_length EVP_CIPHER_CTX_get_iv_length
231 #define EVP_CIPHER_CTX_tag_length EVP_CIPHER_CTX_get_tag_length
232 #define EVP_CIPHER_CTX_num EVP_CIPHER_CTX_get_num
233 #define EVP_CIPHER_CTX_type EVP_CIPHER_CTX_get_type
234 #define EVP_CIPHER_CTX_mode EVP_CIPHER_CTX_get_mode
236 The following function has been deprecated since OpenSSL 3.0, and can be
237 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
238 see L<openssl_user_macros(7)>:
240 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
242 The following function has been deprecated since OpenSSL 1.1.0, and can be
243 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
244 see L<openssl_user_macros(7)>:
246 int EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx);
250 The EVP cipher routines are a high-level interface to certain
253 The B<EVP_CIPHER> type is a structure for cipher method implementation.
257 =item EVP_CIPHER_fetch()
259 Fetches the cipher implementation for the given I<algorithm> from any provider
260 offering it, within the criteria given by the I<properties>.
261 See L<crypto(7)/ALGORITHM FETCHING> for further information.
263 The returned value must eventually be freed with EVP_CIPHER_free().
265 Fetched B<EVP_CIPHER> structures are reference counted.
267 =item EVP_CIPHER_up_ref()
269 Increments the reference count for an B<EVP_CIPHER> structure.
271 =item EVP_CIPHER_free()
273 Decrements the reference count for the fetched B<EVP_CIPHER> structure.
274 If the reference count drops to 0 then the structure is freed.
276 =item EVP_CIPHER_CTX_new()
278 Allocates and returns a cipher context.
280 =item EVP_CIPHER_CTX_free()
282 Clears all information from a cipher context and frees any allocated memory
283 associated with it, including I<ctx> itself. This function should be called after
284 all operations using a cipher are complete so sensitive information does not
287 =item EVP_CIPHER_CTX_dup()
289 Can be used to duplicate the cipher state from I<in>. This is useful
290 to avoid multiple EVP_CIPHER_fetch() calls or if large amounts of data are to be
291 fed which only differ in the last few bytes.
293 =item EVP_CIPHER_CTX_copy()
295 Can be used to copy the cipher state from I<in> to I<out>.
297 =item EVP_CIPHER_CTX_ctrl()
299 I<This is a legacy method.> EVP_CIPHER_CTX_set_params() and
300 EVP_CIPHER_CTX_get_params() is the mechanism that should be used to set and get
301 parameters that are used by providers.
303 Performs cipher-specific control actions on context I<ctx>. The control command
304 is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>.
305 EVP_CIPHER_CTX_ctrl() must be called after EVP_CipherInit_ex2(). Other restrictions
306 may apply depending on the control type and cipher implementation.
308 If this function happens to be used with a fetched B<EVP_CIPHER>, it will
309 translate the controls that are known to OpenSSL into L<OSSL_PARAM(3)>
310 parameters with keys defined by OpenSSL and call EVP_CIPHER_CTX_get_params() or
311 EVP_CIPHER_CTX_set_params() as is appropriate for each control command.
313 See L</CONTROLS> below for more information, including what translations are
316 =item EVP_CIPHER_get_params()
318 Retrieves the requested list of algorithm I<params> from a CIPHER I<cipher>.
319 See L</PARAMETERS> below for more information.
321 =item EVP_CIPHER_CTX_get_params()
323 Retrieves the requested list of I<params> from CIPHER context I<ctx>.
324 See L</PARAMETERS> below for more information.
326 =item EVP_CIPHER_CTX_set_params()
328 Sets the list of I<params> into a CIPHER context I<ctx>.
329 See L</PARAMETERS> below for more information.
331 =item EVP_CIPHER_gettable_params()
333 Get a constant L<OSSL_PARAM(3)> array that describes the retrievable parameters
334 that can be used with EVP_CIPHER_get_params().
336 =item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params()
338 Get a constant L<OSSL_PARAM(3)> array that describes the retrievable parameters
339 that can be used with EVP_CIPHER_CTX_get_params().
340 EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved
341 from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the
342 parameters that can be retrieved in the context's current state.
344 =item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()
346 Get a constant L<OSSL_PARAM(3)> array that describes the settable parameters
347 that can be used with EVP_CIPHER_CTX_set_params().
348 EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the
349 algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that
350 can be set in the context's current state.
352 =item EVP_EncryptInit_ex2()
354 Sets up cipher context I<ctx> for encryption with cipher I<type>. I<type> is
355 typically supplied by calling EVP_CIPHER_fetch(). I<type> may also be set
356 using legacy functions such as EVP_aes_256_cbc(), but this is not recommended
357 for new applications. I<key> is the symmetric key to use and I<iv> is the IV to
358 use (if necessary), the actual number of bytes used for the key and IV depends
359 on the cipher. The parameters I<params> will be set on the context after
360 initialisation. It is possible to set all parameters to NULL except I<type> in
361 an initial call and supply the remaining parameters in subsequent calls, all of
362 which have I<type> set to NULL. This is done when the default cipher parameters
364 For B<EVP_CIPH_GCM_MODE> the IV will be generated internally if it is not
367 =item EVP_EncryptInit_ex()
369 This legacy function is similar to EVP_EncryptInit_ex2() when I<impl> is NULL.
370 The implementation of the I<type> from the I<impl> engine will be used if it
373 =item EVP_EncryptUpdate()
375 Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
376 I<out>. The pointers I<out> and I<in> may point to the same location, in which
377 case the encryption will be done in-place. If I<out> and I<in> point to different
378 locations, the two buffers must be disjoint, otherwise the operation might fail
379 or the outcome might be undefined.
381 This function can be called multiple times to encrypt successive blocks
382 of data. The amount of data written depends on the block alignment of the
384 For most ciphers and modes, the amount of data written can be anything
385 from zero bytes to (inl + cipher_block_size - 1) bytes.
386 For wrap cipher modes, the amount of data written can be anything
387 from zero bytes to (inl + cipher_block_size) bytes.
388 For stream ciphers, the amount of data written can be anything from zero
390 Thus, the buffer pointed to by I<out> must contain sufficient room for the
391 operation being performed.
392 The actual number of bytes written is placed in I<outl>.
394 If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
395 the "final" data, that is any data that remains in a partial block.
396 It uses standard block padding (aka PKCS padding) as described in
397 the NOTES section, below. The encrypted
398 final data is written to I<out> which should have sufficient space for
399 one cipher block. The number of bytes written is placed in I<outl>. After
400 this function is called the encryption operation is finished and no further
401 calls to EVP_EncryptUpdate() should be made.
403 If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
404 data and it will return an error if any data remains in a partial block:
405 that is if the total data length is not a multiple of the block size.
407 =item EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate()
408 and EVP_DecryptFinal_ex()
410 These functions are the corresponding decryption operations.
411 EVP_DecryptFinal() will return an error code if padding is enabled and the
412 final block is not correctly formatted. The parameters and restrictions are
413 identical to the encryption operations except that if padding is enabled the
414 decrypted data buffer I<out> passed to EVP_DecryptUpdate() should have
415 sufficient room for (I<inl> + cipher_block_size) bytes unless the cipher block
416 size is 1 in which case I<inl> bytes is sufficient.
418 =item EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and
421 These functions can be used for decryption or encryption. The operation
422 performed depends on the value of the I<enc> parameter. It should be set to 1
423 for encryption, 0 for decryption and -1 to leave the value unchanged
424 (the actual value of 'enc' being supplied in a previous call).
426 =item EVP_CIPHER_CTX_reset()
428 Clears all information from a cipher context and free up any allocated memory
429 associated with it, except the I<ctx> itself. This function should be called
430 anytime I<ctx> is reused by another
431 EVP_CipherInit() / EVP_CipherUpdate() / EVP_CipherFinal() series of calls.
433 =item EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit()
435 Behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex() and
436 EVP_CipherInit_ex() except if the I<type> is not a fetched cipher they use the
437 default implementation of the I<type>.
439 =item EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal()
441 Identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
442 EVP_CipherFinal_ex(). In previous releases they also cleaned up
443 the I<ctx>, but this is no longer done and EVP_CIPHER_CTX_cleanup()
444 must be called to free any context resources.
448 Encrypts or decrypts a maximum I<inl> amount of bytes from I<in> and leaves the
451 For legacy ciphers - If the cipher doesn't have the flag
452 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set, then I<inl> must be a multiple of
453 EVP_CIPHER_get_block_size(). If it isn't, the result is undefined. If the cipher
454 has that flag set, then I<inl> can be any size.
456 Due to the constraints of the API contract of this function it shouldn't be used
457 in applications, please consider using EVP_CipherUpdate() and
458 EVP_CipherFinal_ex() instead.
460 =item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
462 Returns an B<EVP_CIPHER> structure when passed a cipher name, a cipher B<NID> or
463 an B<ASN1_OBJECT> structure respectively.
465 EVP_get_cipherbyname() will return NULL for algorithms such as "AES-128-SIV",
466 "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only
467 accessible via low level interfaces.
469 The EVP_get_cipherbyname() function is present for backwards compatibility with
470 OpenSSL prior to version 3 and is different to the EVP_CIPHER_fetch() function
471 since it does not attempt to "fetch" an implementation of the cipher.
472 Additionally, it only knows about ciphers that are built-in to OpenSSL and have
473 an associated NID. Similarly EVP_get_cipherbynid() and EVP_get_cipherbyobj()
474 also return objects without an associated implementation.
476 When the cipher objects returned by these functions are used (such as in a call
477 to EVP_EncryptInit_ex()) an implementation of the cipher will be implicitly
478 fetched from the loaded providers. This fetch could fail if no suitable
479 implementation is available. Use EVP_CIPHER_fetch() instead to explicitly fetch
480 the algorithm and an associated implementation from a provider.
482 See L<crypto(7)/ALGORITHM FETCHING> for more information about fetching.
484 The cipher objects returned from these functions do not need to be freed with
487 =item EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid()
489 Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
490 structure. The actual NID value is an internal value which may not have a
491 corresponding OBJECT IDENTIFIER. NID_undef is returned in the event that the
492 nid is unknown or if the cipher has not been properly initialized via a call to
495 =item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags()
497 Sets, clears and tests I<ctx> flags. See L</FLAGS> below for more information.
499 For provided ciphers EVP_CIPHER_CTX_set_flags() should be called only after the
500 fetched cipher has been assigned to the I<ctx>. It is recommended to use
501 L</PARAMETERS> instead.
503 =item EVP_CIPHER_CTX_set_padding()
505 Enables or disables padding. This function should be called after the context
506 is set up for encryption or decryption with EVP_EncryptInit_ex2(),
507 EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(). By default encryption operations
508 are padded using standard block padding and the padding is checked and removed
509 when decrypting. If the I<pad> parameter is zero then no padding is
510 performed, the total amount of data encrypted or decrypted must then
511 be a multiple of the block size or an error will occur.
513 =item EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length()
515 Return the key length of a cipher when passed an B<EVP_CIPHER> or
516 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum
517 key length for all ciphers. Note: although EVP_CIPHER_get_key_length() is fixed for
518 a given cipher, the value of EVP_CIPHER_CTX_get_key_length() may be different for
519 variable key length ciphers.
521 =item EVP_CIPHER_CTX_set_key_length()
523 Sets the key length of the cipher context.
524 If the cipher is a fixed length cipher then attempting to set the key
525 length to any value other than the fixed value is an error.
527 =item EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length()
529 Return the IV length of a cipher when passed an B<EVP_CIPHER> or
530 B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV, if
531 the cipher has not yet been initialized within the B<EVP_CIPHER_CTX>, or if the
532 passed cipher is NULL. The constant B<EVP_MAX_IV_LENGTH> is the maximum IV
533 length for all ciphers.
535 =item EVP_CIPHER_CTX_get_tag_length()
537 Returns the tag length of an AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will
538 return zero if the cipher does not support a tag. It returns a default value if
539 the tag length has not been set.
541 =item EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size()
543 Return the block size of a cipher when passed an B<EVP_CIPHER> or
544 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the
545 maximum block length for all ciphers. A value of 0 is returned if the cipher
546 has not been properly initialized with a call to B<EVP_CipherInit>.
548 =item EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type()
550 Return the type of the passed cipher or context. This "type" is the actual NID
551 of the cipher OBJECT IDENTIFIER and as such it ignores the cipher parameters
552 (40 bit RC2 and 128 bit RC2 have the same NID). If the cipher does not have an
553 object identifier or does not have ASN1 support this function will return
556 =item EVP_CIPHER_is_a()
558 Returns 1 if I<cipher> is an implementation of an algorithm that's identifiable
559 with I<name>, otherwise 0. If I<cipher> is a legacy cipher (it's the return
560 value from the likes of EVP_aes128() rather than the result of an
561 EVP_CIPHER_fetch()), only cipher names registered with the default library
562 context (see L<OSSL_LIB_CTX(3)>) will be considered.
564 =item EVP_CIPHER_get0_name() and EVP_CIPHER_CTX_get0_name()
566 Return the name of the passed cipher or context. For fetched ciphers with
567 multiple names, only one of them is returned. See also EVP_CIPHER_names_do_all().
569 =item EVP_CIPHER_names_do_all()
571 Traverses all names for the I<cipher>, and calls I<fn> with each name and
572 I<data>. This is only useful with fetched B<EVP_CIPHER>s.
574 =item EVP_CIPHER_get0_description()
576 Returns a description of the cipher, meant for display and human consumption.
577 The description is at the discretion of the cipher implementation.
579 =item EVP_CIPHER_get0_provider()
581 Returns an B<OSSL_PROVIDER> pointer to the provider that implements the given
584 =item EVP_CIPHER_CTX_get0_cipher()
586 Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure.
587 EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to
588 the caller. Both functions return NULL on error.
590 =item EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()
592 Return the block cipher mode:
593 EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
594 EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
595 EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE.
596 If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned.
598 =item EVP_CIPHER_get_flags()
600 Returns any flags associated with the cipher. See L</FLAGS>
601 for a list of currently defined flags.
603 =item EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num()
605 Gets or sets the cipher specific "num" parameter for the associated I<ctx>.
606 Built-in ciphers typically use this to track how much of the current underlying block
607 has been "used" already.
609 =item EVP_CIPHER_CTX_is_encrypting()
611 Reports whether the I<ctx> is being used for encryption or decryption.
613 =item EVP_CIPHER_CTX_flags()
615 A deprecated macro calling C<EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))>.
618 =item EVP_CIPHER_param_to_asn1()
620 Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will
621 typically include any parameters and an IV. The cipher IV (if any) must be set
622 when this call is made. This call should be made before the cipher is actually
623 "used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example).
624 This function may fail if the cipher does not have any ASN1 support, or if an
625 uninitialized cipher is passed to it.
627 =item EVP_CIPHER_asn1_to_param()
629 Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter".
630 The precise effect depends on the cipher. In the case of B<RC2>, for example,
631 it will set the IV and effective key length.
632 This function should be called after the base cipher type is set but before
633 the key is set. For example EVP_CipherInit() will be called with the IV and
634 key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
635 EVP_CipherInit() again with all parameters except the key set to NULL. It is
636 possible for this function to fail if the cipher does not have any ASN1 support
637 or the parameters cannot be set (for example the RC2 effective key length
640 =item EVP_CIPHER_CTX_rand_key()
642 Generates a random key of the appropriate length based on the cipher context.
643 The B<EVP_CIPHER> can provide its own random key generation routine to support
644 keys of a specific form. I<key> must point to a buffer at least as big as the
645 value returned by EVP_CIPHER_CTX_get_key_length().
647 =item EVP_CIPHER_do_all_provided()
649 Traverses all ciphers implemented by all activated providers in the given
650 library context I<libctx>, and for each of the implementations, calls the given
651 function I<fn> with the implementation method and the given I<arg> as argument.
657 See L<OSSL_PARAM(3)> for information about passing parameters.
659 =head2 Gettable EVP_CIPHER parameters
661 When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params()
662 and caches the results.
664 EVP_CIPHER_get_params() can be used with the following L<OSSL_PARAM(3)> keys:
668 =item "mode" (B<OSSL_CIPHER_PARAM_MODE>) <unsigned integer>
670 Gets the mode for the associated cipher algorithm I<cipher>.
671 See L</EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()> for a list of valid modes.
672 Use EVP_CIPHER_get_mode() to retrieve the cached value.
674 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
676 Gets the key length for the associated cipher algorithm I<cipher>.
677 Use EVP_CIPHER_get_key_length() to retrieve the cached value.
679 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) <unsigned integer>
681 Gets the IV length for the associated cipher algorithm I<cipher>.
682 Use EVP_CIPHER_get_iv_length() to retrieve the cached value.
684 =item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer>
686 Gets the block size for the associated cipher algorithm I<cipher>.
687 The block size should be 1 for stream ciphers.
688 Note that the block size for a cipher may be different to the block size for
689 the underlying encryption/decryption primitive.
690 For example AES in CTR mode has a block size of 1 (because it operates like a
691 stream cipher), even though AES has a block size of 16.
692 Use EVP_CIPHER_get_block_size() to retrieve the cached value.
694 =item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
696 Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0.
697 Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the
700 =item "custom-iv" (B<OSSL_CIPHER_PARAM_CUSTOM_IV>) <integer>
702 Gets 1 if the cipher algorithm I<cipher> has a custom IV, otherwise it gets 0.
703 Storing and initializing the IV is left entirely to the implementation, if a
705 Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the
708 =item "cts" (B<OSSL_CIPHER_PARAM_CTS>) <integer>
710 Gets 1 if the cipher algorithm I<cipher> uses ciphertext stealing,
712 This is currently used to indicate that the cipher is a one shot that only
713 allows a single call to EVP_CipherUpdate().
714 Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the
717 =item "tls-multi" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK>) <integer>
719 Gets 1 if the cipher algorithm I<cipher> supports interleaving of crypto blocks,
720 otherwise it gets 0. The interleaving is an optimization only applicable to certain
722 Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the
725 =item "has-randkey" (B<OSSL_CIPHER_PARAM_HAS_RANDKEY>) <integer>
727 Gets 1 if the cipher algorithm I<cipher> supports the gettable EVP_CIPHER_CTX
728 parameter B<OSSL_CIPHER_PARAM_RANDOM_KEY>. Only DES and 3DES set this to 1,
729 all other OpenSSL ciphers return 0.
733 =head2 Gettable and Settable EVP_CIPHER_CTX parameters
735 The following L<OSSL_PARAM(3)> keys can be used with both EVP_CIPHER_CTX_get_params()
736 and EVP_CIPHER_CTX_set_params().
740 =item "padding" (B<OSSL_CIPHER_PARAM_PADDING>) <unsigned integer>
742 Gets or sets the padding mode for the cipher context I<ctx>.
743 Padding is enabled if the value is 1, and disabled if the value is 0.
744 See also EVP_CIPHER_CTX_set_padding().
746 =item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer>
748 Gets or sets the cipher specific "num" parameter for the cipher context I<ctx>.
749 Built-in ciphers typically use this to track how much of the current underlying
750 block has been "used" already.
751 See also EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num().
753 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
755 Gets or sets the key length for the cipher context I<ctx>.
756 The length of the "keylen" parameter should not exceed that of a B<size_t>.
757 See also EVP_CIPHER_CTX_get_key_length() and EVP_CIPHER_CTX_set_key_length().
759 =item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string>
761 Gets or sets the AEAD tag for the associated cipher context I<ctx>.
762 See L<EVP_EncryptInit(3)/AEAD Interface>.
764 =item "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>) <unsigned integer>
766 Gets or sets the effective keybits used for a RC2 cipher.
767 The length of the "keybits" parameter should not exceed that of a B<size_t>.
769 =item "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>) <unsigned integer>
771 Gets or sets the number of rounds to be used for a cipher.
772 This is used by the RC5 cipher.
774 =item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
776 Used to pass the DER encoded AlgorithmIdentifier parameter to or from
777 the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
778 and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
779 that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
781 =item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
783 Gets or sets the cipher text stealing mode. For all modes the output size is the
784 same as the input size. The input length must be greater than or equal to the
785 block size. (The block size for AES and CAMELLIA is 16 bytes).
787 Valid values for the mode are:
793 The NIST variant of cipher text stealing.
794 For input lengths that are multiples of the block size it is equivalent to
795 using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last
796 cipher text block is a partial block.
800 For input lengths that are multiples of the block size it is equivalent to
801 using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as
806 The Kerberos5 variant of cipher text stealing which always swaps the last
807 cipher text block with the previous block (which may be a partial or full block
808 depending on the input length). If the input length is exactly one full block
809 then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher.
813 The default is "CS1".
814 This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
815 "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
817 =item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>
819 Sets or gets the number of records being sent in one go for a tls1 multiblock
820 cipher operation (either 4 or 8 records).
824 =head2 Gettable EVP_CIPHER_CTX parameters
826 The following L<OSSL_PARAM(3)> keys can be used with EVP_CIPHER_CTX_get_params():
830 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer>
832 Gets the IV length for the cipher context I<ctx>.
833 The length of the "ivlen" parameter should not exceed that of a B<size_t>.
834 See also EVP_CIPHER_CTX_get_iv_length().
836 =item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr>
838 Gets the IV used to initialize the associated cipher context I<ctx>.
839 See also EVP_CIPHER_CTX_get_original_iv().
841 =item "updated-iv" (B<OSSL_CIPHER_PARAM_UPDATED_IV>) <octet string OR octet ptr>
843 Gets the updated pseudo-IV state for the associated cipher context, e.g.,
844 the previous ciphertext block for CBC mode or the iteratively encrypted IV
845 value for OFB mode. Note that octet pointer access is deprecated and is
846 provided only for backwards compatibility with historical libcrypto APIs.
847 See also EVP_CIPHER_CTX_get_updated_iv().
849 =item "randkey" (B<OSSL_CIPHER_PARAM_RANDOM_KEY>) <octet string>
851 Gets an implementation specific randomly generated key for the associated
852 cipher context I<ctx>. This is currently only supported by DES and 3DES (which set
853 the key to odd parity).
855 =item "taglen" (B<OSSL_CIPHER_PARAM_AEAD_TAGLEN>) <unsigned integer>
857 Gets the tag length to be used for an AEAD cipher for the associated cipher
858 context I<ctx>. It gets a default value if it has not been set.
859 The length of the "taglen" parameter should not exceed that of a B<size_t>.
860 See also EVP_CIPHER_CTX_get_tag_length().
862 =item "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>) <unsigned integer>
864 Gets the length of the tag that will be added to a TLS record for the AEAD
865 tag for the associated cipher context I<ctx>.
866 The length of the "tlsaadpad" parameter should not exceed that of a B<size_t>.
868 =item "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>) <octet string>
870 Gets the invocation field generated for encryption.
871 Can only be called after "tlsivfixed" is set.
872 This is only used for GCM mode.
874 =item "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>) <unsigned integer>
876 Get the total length of the record returned from the "tls1multi_enc" operation.
878 =item "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>) <unsigned integer>
880 Gets the maximum record length for a TLS1 multiblock cipher operation.
881 The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B<size_t>.
883 =item "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) <unsigned integer>
885 Gets the result of running the "tls1multi_aad" operation.
887 =item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr>
889 Used to pass the TLS MAC data.
893 =head2 Settable EVP_CIPHER_CTX parameters
895 The following L<OSSL_PARAM(3)> keys can be used with EVP_CIPHER_CTX_set_params():
899 =item "mackey" (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>) <octet string>
901 Sets the MAC key used by composite AEAD ciphers such as AES-CBC-HMAC-SHA256.
903 =item "speed" (B<OSSL_CIPHER_PARAM_SPEED>) <unsigned integer>
905 Sets the speed option for the associated cipher context. This is only supported
906 by AES SIV ciphers which disallow multiple operations by default.
907 Setting "speed" to 1 allows another encrypt or decrypt operation to be
908 performed. This is used for performance testing.
910 =item "use-bits" (B<OSSL_CIPHER_PARAM_USE_BITS>) <unsigned integer>
912 Determines if the input length I<inl> passed to EVP_EncryptUpdate(),
913 EVP_DecryptUpdate() and EVP_CipherUpdate() is the number of bits or number of bytes.
914 Setting "use-bits" to 1 uses bits. The default is in bytes.
915 This is only used for B<CFB1> ciphers.
917 This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS).
919 =item "tls-version" (B<OSSL_CIPHER_PARAM_TLS_VERSION>) <integer>
921 Sets the TLS version.
923 =item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer>
925 Set the TLS MAC size.
927 =item "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) <octet string>
929 Sets TLSv1.2 AAD information for the associated cipher context I<ctx>.
930 TLSv1.2 AAD information is always 13 bytes in length and is as defined for the
931 "additional_data" field described in section 6.2.3.3 of RFC5246.
933 =item "tlsivfixed" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>) <octet string>
935 Sets the fixed portion of an IV for an AEAD cipher used in a TLS record
936 encryption/ decryption for the associated cipher context.
937 TLS record encryption/decryption always occurs "in place" so that the input and
938 output buffers are always the same memory location.
939 AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part
940 that varies with every record.
941 Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records.
942 TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
944 For a record decryption the first bytes of the input buffer will be the explicit
945 part of the IV and the final bytes of the input buffer will be the AEAD tag.
946 The length of the explicit part of the IV and the tag length will depend on the
947 cipher in use and will be defined in the RFC for the relevant ciphersuite.
948 In order to allow for "in place" decryption the plaintext output should be
949 written to the same location in the output buffer that the ciphertext payload
950 was read from, i.e. immediately after the explicit IV.
952 When encrypting a record the first bytes of the input buffer should be empty to
953 allow space for the explicit IV, as will the final bytes where the tag will
955 The length of the input buffer will include the length of the explicit IV, the
956 payload, and the tag bytes.
957 The cipher implementation should generate the explicit IV and write it to the
958 beginning of the output buffer, do "in place" encryption of the payload and
959 write that to the output buffer, and finally add the tag onto the end of the
962 Whether encrypting or decrypting the value written to I<*outl> in the
963 OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit
964 IV length and the tag length.
966 =item "tlsivinv" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>) <octet string>
968 Sets the invocation field used for decryption.
969 Can only be called after "tlsivfixed" is set.
970 This is only used for GCM mode.
972 =item "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>) <octet string>
974 Triggers a multiblock TLS1 encrypt operation for a TLS1 aware cipher that
975 supports sending 4 or 8 records in one go.
976 The cipher performs both the MAC and encrypt stages and constructs the record
978 "tls1multi_enc" supplies the output buffer for the encrypt operation,
979 "tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply
980 values to the encrypt operation.
982 =item "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) <octet string>
984 Supplies the data to encrypt for a TLS1 multiblock cipher operation.
986 =item "tls1multi_maxsndfrag" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT>) <unsigned integer>
988 Sets the maximum send fragment size for a TLS1 multiblock cipher operation.
989 It must be set before using "tls1multi_maxbufsz".
990 The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B<size_t>.
992 =item "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) <octet string>
994 Sets the authenticated additional data used by a TLS1 multiblock cipher operation.
995 The supplied data consists of 13 bytes of record data containing:
996 Bytes 0-7: The sequence number of the first record
997 Byte 8: The record type
998 Byte 9-10: The protocol version
999 Byte 11-12: Input length (Always 0)
1001 "tls1multi_interleave" must also be set for this operation.
1003 =item "xts_standard" (B<OSSL_CIPHER_PARAM_XTS_STANDARD>) <UTF8 string>
1005 Sets the XTS standard to use with SM4-XTS algorithm. XTS mode has two
1006 implementations, one is standardized in IEEE Std. 1619-2007 and has
1007 been widely used (e.g., XTS AES), the other is proposed recently
1008 (GB/T 17964-2021 implemented in May 2022) and is currently only used
1011 The main difference between them is the multiplication by the
1012 primitive element E<alpha> to calculate the tweak values. The IEEE
1013 Std 1619-2007 noted that the multiplication "is a left shift of each
1014 byte by one bit with carry propagating from one byte to the next
1015 one", which means that in each byte, the leftmost bit is the most
1016 significant bit. But in GB/T 17964-2021, the rightmost bit is the
1017 most significant bit, thus the multiplication becomes a right shift
1018 of each byte by one bit with carry propagating from one byte to the
1021 Valid values for the mode are:
1027 The GB/T 17964-2021 variant of SM4-XTS algorithm.
1031 The IEEE Std. 1619-2007 variant of SM4-XTS algorithm.
1035 The default value is "GB".
1041 The Mappings from EVP_CIPHER_CTX_ctrl() identifiers to PARAMETERS are listed
1042 in the following section. See the L</PARAMETERS> section for more details.
1044 EVP_CIPHER_CTX_ctrl() can be used to send the following standard controls:
1048 =item EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN
1050 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1051 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1052 key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>).
1054 =item EVP_CTRL_AEAD_SET_IV_FIXED
1056 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1057 with an L<OSSL_PARAM(3)> item with the key "tlsivfixed"
1058 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>).
1060 =item EVP_CTRL_AEAD_SET_MAC_KEY
1062 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1063 with an L<OSSL_PARAM(3)> item with the key "mackey"
1064 (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>).
1066 =item EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG
1068 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1069 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1070 key "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>).
1072 =item EVP_CTRL_CCM_SET_L
1074 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1075 with an L<OSSL_PARAM(3)> item with the key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>)
1076 with a value of (15 - L)
1080 There is no OSSL_PARAM mapping for this. Use EVP_CIPHER_CTX_copy() instead.
1082 =item EVP_CTRL_GCM_SET_IV_INV
1084 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1085 with an L<OSSL_PARAM(3)> item with the key "tlsivinv"
1086 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>).
1088 =item EVP_CTRL_RAND_KEY
1090 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1091 with an L<OSSL_PARAM(3)> item with the key "randkey"
1092 (B<OSSL_CIPHER_PARAM_RANDOM_KEY>).
1094 =item EVP_CTRL_SET_KEY_LENGTH
1096 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1097 with an L<OSSL_PARAM(3)> item with the key "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>).
1099 =item EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS
1101 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1102 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1103 key "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>).
1105 =item EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS
1107 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
1108 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
1109 key "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>).
1111 =item EVP_CTRL_SET_SPEED
1113 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1114 with an L<OSSL_PARAM(3)> item with the key "speed" (B<OSSL_CIPHER_PARAM_SPEED>).
1116 =item EVP_CTRL_GCM_IV_GEN
1118 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_get_params() gets called
1119 with an L<OSSL_PARAM(3)> item with the key
1120 "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>).
1122 =item EVP_CTRL_AEAD_TLS1_AAD
1124 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
1125 with an L<OSSL_PARAM(3)> item with the key
1126 "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
1127 followed by EVP_CIPHER_CTX_get_params() with a key of
1128 "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>).
1130 =item EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE
1132 When used with a fetched B<EVP_CIPHER>,
1133 EVP_CIPHER_CTX_set_params() gets called with an L<OSSL_PARAM(3)> item with the
1134 key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT
1135 followed by EVP_CIPHER_CTX_get_params() with a key of
1136 "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>).
1138 =item EVP_CTRL_TLS1_1_MULTIBLOCK_AAD
1140 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1141 with L<OSSL_PARAM(3)> items with the keys
1142 "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) and
1143 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>)
1144 followed by EVP_CIPHER_CTX_get_params() with keys of
1145 "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) and
1146 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>).
1148 =item EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT
1150 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1151 with L<OSSL_PARAM(3)> items with the keys
1152 "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>),
1153 "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) and
1154 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>),
1155 followed by EVP_CIPHER_CTX_get_params() with a key of
1156 "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>).
1162 EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags().
1163 can be used to manipulate and test these B<EVP_CIPHER_CTX> flags:
1167 =item EVP_CIPH_NO_PADDING
1169 Used by EVP_CIPHER_CTX_set_padding().
1171 See also L</Gettable and Settable EVP_CIPHER_CTX parameters> "padding"
1173 =item EVP_CIPH_FLAG_LENGTH_BITS
1175 See L</Settable EVP_CIPHER_CTX parameters> "use-bits".
1177 =item EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
1179 Used for Legacy purposes only. This flag needed to be set to indicate the
1180 cipher handled wrapping.
1184 EVP_CIPHER_flags() uses the following flags that
1185 have mappings to L</Gettable EVP_CIPHER parameters>:
1189 =item EVP_CIPH_FLAG_AEAD_CIPHER
1191 See L</Gettable EVP_CIPHER parameters> "aead".
1193 =item EVP_CIPH_CUSTOM_IV
1195 See L</Gettable EVP_CIPHER parameters> "custom-iv".
1197 =item EVP_CIPH_FLAG_CTS
1199 See L</Gettable EVP_CIPHER parameters> "cts".
1201 =item EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;
1203 See L</Gettable EVP_CIPHER parameters> "tls-multi".
1205 =item EVP_CIPH_RAND_KEY
1207 See L</Gettable EVP_CIPHER parameters> "has-randkey".
1211 EVP_CIPHER_flags() uses the following flags for legacy purposes only:
1215 =item EVP_CIPH_VARIABLE_LENGTH
1217 =item EVP_CIPH_FLAG_CUSTOM_CIPHER
1219 =item EVP_CIPH_ALWAYS_CALL_INIT
1221 =item EVP_CIPH_CTRL_INIT
1223 =item EVP_CIPH_CUSTOM_KEY_LENGTH
1225 =item EVP_CIPH_CUSTOM_COPY
1227 =item EVP_CIPH_FLAG_DEFAULT_ASN1
1229 See L<EVP_CIPHER_meth_set_flags(3)> for further information related to the above
1234 =head1 RETURN VALUES
1236 EVP_CIPHER_fetch() returns a pointer to a B<EVP_CIPHER> for success
1237 and B<NULL> for failure.
1239 EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise.
1241 EVP_CIPHER_CTX_new() returns a pointer to a newly created
1242 B<EVP_CIPHER_CTX> for success and B<NULL> for failure.
1244 EVP_CIPHER_CTX_dup() returns a new EVP_CIPHER_CTX if successful or NULL on failure.
1246 EVP_CIPHER_CTX_copy() returns 1 if successful or 0 for failure.
1248 EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
1249 return 1 for success and 0 for failure.
1251 EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
1252 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
1254 EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
1255 EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
1257 EVP_Cipher() returns 1 on success and <= 0 on failure, if the flag
1258 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher, or if the cipher has
1259 not been initialized via a call to B<EVP_CipherInit_ex2>.
1260 EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or
1261 the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag
1262 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher.
1264 EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
1266 EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
1267 return an B<EVP_CIPHER> structure or NULL on error.
1269 EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid() return a NID.
1271 EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size() return the
1272 block size, or 0 on error.
1274 EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length() return the key
1277 EVP_CIPHER_CTX_set_padding() always returns 1.
1279 EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() return the IV
1280 length, zero if the cipher does not use an IV and a negative value on error.
1282 EVP_CIPHER_CTX_get_tag_length() return the tag length or zero if the cipher
1285 EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type() return the NID of the
1286 cipher's OBJECT IDENTIFIER or NID_undef if it has no defined
1289 EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
1291 EVP_CIPHER_CTX_get_num() returns a nonnegative num value or
1292 B<EVP_CTRL_RET_UNSUPPORTED> if the implementation does not support the call
1293 or on any other error.
1295 EVP_CIPHER_CTX_set_num() returns 1 on success and 0 if the implementation
1296 does not support the call or on any other error.
1298 EVP_CIPHER_CTX_is_encrypting() returns 1 if the I<ctx> is set up for encryption
1301 EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
1302 than zero for success and zero or a negative number on failure.
1304 EVP_CIPHER_CTX_rand_key() returns 1 for success and zero or a negative number
1307 EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names.
1308 A return value of 0 means that the callback was not called for any names.
1310 =head1 CIPHER LISTING
1312 All algorithms have a fixed key length unless otherwise stated.
1314 Refer to L</SEE ALSO> for the full list of ciphers available through the EVP
1319 =item EVP_enc_null()
1321 Null cipher: does nothing.
1325 =head1 AEAD INTERFACE
1327 The EVP interface for Authenticated Encryption with Associated Data (AEAD)
1328 modes are subtly altered and several additional I<ctrl> operations are supported
1329 depending on the mode specified.
1331 To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
1332 EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
1333 parameter I<out> set to B<NULL>. In this case, on success, the parameter
1334 I<outl> is set to the number of bytes authenticated.
1336 When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1337 indicates whether the operation was successful. If it does not indicate success,
1338 the authentication operation has failed and any output data B<MUST NOT> be used
1341 =head2 GCM and OCB Modes
1343 The following I<ctrl>s are supported in GCM and OCB modes.
1347 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1349 Sets the IV length. This call can only be made before specifying an IV. If
1350 not called a default IV length is used.
1352 For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the
1355 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1357 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1358 This call can only be made when encrypting data and B<after> all data has been
1359 processed (e.g. after an EVP_EncryptFinal() call).
1361 For OCB, C<taglen> must either be 16 or the value previously set via
1362 B<EVP_CTRL_AEAD_SET_TAG>.
1364 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1366 When decrypting, this call sets the expected tag to C<taglen> bytes from C<tag>.
1367 C<taglen> must be between 1 and 16 inclusive.
1368 The tag must be set prior to any call to EVP_DecryptFinal() or
1369 EVP_DecryptFinal_ex().
1371 For GCM, this call is only valid when decrypting data.
1373 For OCB, this call is valid when decrypting data to set the expected tag,
1374 and when encrypting to set the desired tag length.
1376 In OCB mode, calling this when encrypting with C<tag> set to C<NULL> sets the
1377 tag length. The tag length can only be set before specifying an IV. If this is
1378 not called prior to setting the IV during encryption, then a default tag length
1381 For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the
1382 maximum tag length for OCB.
1388 The EVP interface for CCM mode is similar to that of the GCM mode but with a
1389 few additional requirements and different I<ctrl> values.
1391 For CCM mode, the total plaintext or ciphertext length B<MUST> be passed to
1392 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output
1393 and input parameters (I<in> and I<out>) set to B<NULL> and the length passed in
1394 the I<inl> parameter.
1396 The following I<ctrl>s are supported in CCM mode.
1400 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1402 This call is made to set the expected B<CCM> tag value when decrypting or
1403 the length of the tag (with the C<tag> parameter set to NULL) when encrypting.
1404 The tag length is often referred to as B<M>. If not set a default value is
1405 used (12 for AES). When decrypting, the tag needs to be set before passing
1406 in data to be decrypted, but as in GCM and OCB mode, it can be set after
1407 passing additional authenticated data (see L</AEAD INTERFACE>).
1409 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)
1411 Sets the CCM B<L> value. If not set a default is used (8 for AES).
1413 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1415 Sets the CCM nonce (IV) length. This call can only be made before specifying a
1416 nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
1423 Both the AES-SIV and AES-GCM-SIV ciphers fall under this mode.
1425 For SIV mode ciphers the behaviour of the EVP interface is subtly
1426 altered and several additional ctrl operations are supported.
1428 To specify any additional authenticated data (AAD) and/or a Nonce, a call to
1429 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1430 with the output parameter I<out> set to B<NULL>.
1432 RFC5297 states that the Nonce is the last piece of AAD before the actual
1433 encrypt/decrypt takes place. The API does not differentiate the Nonce from
1436 When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1437 indicates if the operation was successful. If it does not indicate success
1438 the authentication operation has failed and any output data B<MUST NOT>
1439 be used as it is corrupted.
1441 The API does not store the SIV (Synthetic Initialization Vector) in
1442 the cipher text. Instead, it is stored as the tag within the EVP_CIPHER_CTX.
1443 The SIV must be retrieved from the context after encryption, and set into
1444 the context before decryption.
1446 This differs from RFC5297 in that the cipher output from encryption, and
1447 the cipher input to decryption, does not contain the SIV. This also means
1448 that the plain text and cipher text lengths are identical.
1450 The following ctrls are supported in SIV mode, and are used to get and set
1451 the Synthetic Initialization Vector:
1455 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);
1457 Writes I<taglen> bytes of the tag value (the Synthetic Initialization Vector)
1458 to the buffer indicated by I<tag>. This call can only be made when encrypting
1459 data and B<after> all data has been processed (e.g. after an EVP_EncryptFinal()
1460 call). For SIV mode the taglen must be 16.
1462 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);
1464 Sets the expected tag (the Synthetic Initialization Vector) to I<taglen>
1465 bytes from I<tag>. This call is only legal when decrypting data and must be
1466 made B<before> any data is processed (e.g. before any EVP_DecryptUpdate()
1467 calls). For SIV mode the taglen must be 16.
1471 SIV mode makes two passes over the input data, thus, only one call to
1472 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1473 with I<out> set to a non-B<NULL> value. A call to EVP_DecryptFinal() or
1474 EVP_CipherFinal() is not required, but will indicate if the update
1475 operation succeeded.
1477 =head2 ChaCha20-Poly1305
1479 The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm.
1483 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1485 Sets the nonce length. This call is now redundant since the only valid value
1486 is the default length of 12 (i.e. 96 bits).
1487 Prior to OpenSSL 3.0 a nonce of less than 12 bytes could be used to automatically
1488 pad the iv with leading 0 bytes to make it 12 bytes in length.
1490 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1492 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1493 This call can only be made when encrypting data and B<after> all data has been
1494 processed (e.g. after an EVP_EncryptFinal() call).
1496 C<taglen> specified here must be 16 (B<POLY1305_BLOCK_SIZE>, i.e. 128-bits) or
1499 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1501 Sets the expected tag to C<taglen> bytes from C<tag>.
1502 The tag length can only be set before specifying an IV.
1503 C<taglen> must be between 1 and 16 (B<POLY1305_BLOCK_SIZE>) inclusive.
1504 This call is only valid when decrypting data.
1510 Where possible the B<EVP> interface to symmetric ciphers should be used in
1511 preference to the low-level interfaces. This is because the code then becomes
1512 transparent to the cipher used and much more flexible. Additionally, the
1513 B<EVP> interface will ensure the use of platform specific cryptographic
1514 acceleration such as AES-NI (the low-level interfaces do not provide the
1517 PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
1518 length of the encrypted data a multiple of the block size. Padding is always
1519 added so if the data is already a multiple of the block size B<n> will equal
1520 the block size. For example if the block size is 8 and 11 bytes are to be
1521 encrypted then 5 padding bytes of value 5 will be added.
1523 When decrypting the final block is checked to see if it has the correct form.
1525 Although the decryption operation can produce an error if padding is enabled,
1526 it is not a strong test that the input data or key is correct. A random block
1527 has better than 1 in 256 chance of being of the correct format and problems with
1528 the input data earlier on will not produce a final decrypt error.
1530 If padding is disabled then the decryption operation will always succeed if
1531 the total amount of data decrypted is a multiple of the block size.
1533 The functions EVP_EncryptInit(), EVP_EncryptInit_ex(),
1534 EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex(),
1535 EVP_CipherInit(), EVP_CipherInit_ex() and EVP_CipherFinal() are obsolete
1536 but are retained for compatibility with existing code. New code should
1537 use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(),
1538 EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex()
1539 because they can reuse an existing context without allocating and freeing
1542 There are some differences between functions EVP_CipherInit() and
1543 EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills
1544 the passed context object with zeros. As a consequence, EVP_CipherInit() does
1545 not allow step-by-step initialization of the ctx when the I<key> and I<iv> are
1546 passed in separate calls. It also means that the flags set for the CTX are
1547 removed, and it is especially important for the
1548 B<EVP_CIPHER_CTX_FLAG_WRAP_ALLOW> flag treated specially in
1549 EVP_CipherInit_ex().
1551 Ignoring failure returns of the B<EVP_CIPHER_CTX> initialization functions can
1552 lead to subsequent undefined behavior when calling the functions that update or
1553 finalize the context. The only valid calls on the B<EVP_CIPHER_CTX> when
1554 initialization fails are calls that attempt another initialization of the
1555 context or release the context.
1557 EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros.
1561 B<EVP_MAX_KEY_LENGTH> and B<EVP_MAX_IV_LENGTH> only refer to the internal
1562 ciphers with default key lengths. If custom ciphers exceed these values the
1563 results are unpredictable. This is because it has become standard practice to
1564 define a generic key as a fixed unsigned char array containing
1565 B<EVP_MAX_KEY_LENGTH> bytes.
1567 The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
1568 for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
1572 Encrypt a string using IDEA:
1574 int do_crypt(char *outfile)
1576 unsigned char outbuf[1024];
1579 * Bogus key and IV: we'd normally set these from
1582 unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
1583 unsigned char iv[] = {1,2,3,4,5,6,7,8};
1584 char intext[] = "Some Crypto Text";
1585 EVP_CIPHER_CTX *ctx;
1588 ctx = EVP_CIPHER_CTX_new();
1589 if (!EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL)) {
1591 EVP_CIPHER_CTX_free(ctx);
1595 if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
1597 EVP_CIPHER_CTX_free(ctx);
1601 * Buffer passed to EVP_EncryptFinal() must be after data just
1602 * encrypted to avoid overwriting it.
1604 if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
1606 EVP_CIPHER_CTX_free(ctx);
1610 EVP_CIPHER_CTX_free(ctx);
1612 * Need binary mode for fopen because encrypted data is
1613 * binary data. Also cannot use strlen() on it because
1614 * it won't be NUL terminated and may contain embedded
1617 out = fopen(outfile, "wb");
1622 fwrite(outbuf, 1, outlen, out);
1627 The ciphertext from the above example can be decrypted using the B<openssl>
1628 utility with the command line (shown on two lines for clarity):
1631 -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
1633 General encryption and decryption function example using FILE I/O and AES128
1636 int do_crypt(FILE *in, FILE *out, int do_encrypt)
1638 /* Allow enough space in output buffer for additional block */
1639 unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
1641 EVP_CIPHER_CTX *ctx;
1643 * Bogus key and IV: we'd normally set these from
1646 unsigned char key[] = "0123456789abcdeF";
1647 unsigned char iv[] = "1234567887654321";
1649 /* Don't set key or IV right away; we want to check lengths */
1650 ctx = EVP_CIPHER_CTX_new();
1651 if (!EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL,
1652 do_encrypt, NULL)) {
1654 EVP_CIPHER_CTX_free(ctx);
1657 OPENSSL_assert(EVP_CIPHER_CTX_get_key_length(ctx) == 16);
1658 OPENSSL_assert(EVP_CIPHER_CTX_get_iv_length(ctx) == 16);
1660 /* Now we can set key and IV */
1661 if (!EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL)) {
1663 EVP_CIPHER_CTX_free(ctx);
1668 inlen = fread(inbuf, 1, 1024, in);
1671 if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
1673 EVP_CIPHER_CTX_free(ctx);
1676 fwrite(outbuf, 1, outlen, out);
1678 if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
1680 EVP_CIPHER_CTX_free(ctx);
1683 fwrite(outbuf, 1, outlen, out);
1685 EVP_CIPHER_CTX_free(ctx);
1689 Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
1691 int encrypt(const unsigned char *key, const unsigned char *iv,
1692 const unsigned char *msg, size_t msg_len, unsigned char *out)
1695 * This assumes that key size is 32 bytes and the iv is 16 bytes.
1696 * For ciphertext stealing mode the length of the ciphertext "out" will be
1697 * the same size as the plaintext size "msg_len".
1698 * The "msg_len" can be any size >= 16.
1700 int ret = 0, encrypt = 1, outlen, len;
1701 EVP_CIPHER_CTX *ctx = NULL;
1702 EVP_CIPHER *cipher = NULL;
1703 OSSL_PARAM params[2];
1705 ctx = EVP_CIPHER_CTX_new();
1706 cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL);
1707 if (ctx == NULL || cipher == NULL)
1711 * The default is "CS1" so this is not really needed,
1712 * but would be needed to set either "CS2" or "CS3".
1714 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE,
1716 params[1] = OSSL_PARAM_construct_end();
1718 if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params))
1721 /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */
1722 if (!EVP_CipherUpdate(ctx, out, &outlen, msg, msg_len))
1724 if (!EVP_CipherFinal_ex(ctx, out + outlen, &len))
1728 EVP_CIPHER_free(cipher);
1729 EVP_CIPHER_CTX_free(ctx);
1737 L<crypto(7)/ALGORITHM FETCHING>,
1738 L<provider-cipher(7)>,
1739 L<life_cycle-cipher(7)>
1741 Supported ciphers are listed in:
1743 L<EVP_aes_128_gcm(3)>,
1744 L<EVP_aria_128_gcm(3)>,
1746 L<EVP_camellia_128_ecb(3)>,
1747 L<EVP_cast5_cbc(3)>,
1754 L<EVP_rc5_32_12_16_cbc(3)>,
1760 Support for OCB mode was added in OpenSSL 1.1.0.
1762 B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0. As a result,
1763 EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
1764 disappeared. EVP_CIPHER_CTX_init() remains as an alias for
1765 EVP_CIPHER_CTX_reset().
1767 The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use
1768 EVP_CIPHER_CTX_get0_cipher() instead.
1770 The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
1771 EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
1772 EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(),
1773 EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
1774 EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
1775 EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),
1776 EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params()
1777 functions were added in 3.0.
1779 The EVP_CIPHER_nid(), EVP_CIPHER_name(), EVP_CIPHER_block_size(),
1780 EVP_CIPHER_key_length(), EVP_CIPHER_iv_length(), EVP_CIPHER_flags(),
1781 EVP_CIPHER_mode(), EVP_CIPHER_type(), EVP_CIPHER_CTX_nid(),
1782 EVP_CIPHER_CTX_block_size(), EVP_CIPHER_CTX_key_length(),
1783 EVP_CIPHER_CTX_iv_length(), EVP_CIPHER_CTX_tag_length(),
1784 EVP_CIPHER_CTX_num(), EVP_CIPHER_CTX_type(), and EVP_CIPHER_CTX_mode()
1785 functions were renamed to include C<get> or C<get0> in their names in
1786 OpenSSL 3.0, respectively. The old names are kept as non-deprecated
1789 The EVP_CIPHER_CTX_encrypting() function was renamed to
1790 EVP_CIPHER_CTX_is_encrypting() in OpenSSL 3.0. The old name is kept as
1791 non-deprecated alias macro.
1793 The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0.
1795 EVP_CIPHER_CTX_dup() was added in OpenSSL 3.2.
1799 Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
1801 Licensed under the Apache License 2.0 (the "License"). You may not use
1802 this file except in compliance with the License. You can obtain a copy
1803 in the file LICENSE in the source distribution or at
1804 L<https://www.openssl.org/source/license.html>.