SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync code with last improvements from OpenBSD

Browse source
This commit is contained in:
purplerain 2023-08-24 19:19:17 +00:00
parent ab8d6e7bca
commit aaee5ffc53
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
52 changed files with 584 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

90
lib/libcrypto/man/EVP_AEAD_CTX_init.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.11 2023/05/09 07:19:24 tb Exp $
.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.13 2023/08/24 04:33:08 tb Exp $
.\"
.\" Copyright (c) 2014, Google Inc.
.\" Parts of the text were written by Adam Langley and David Benjamin.
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: May 9 2023 $
.Dd $Mdocdate: August 24 2023 $
.Dt EVP_AEAD_CTX_INIT 3
.Os
.Sh NAME
@ -245,23 +245,44 @@ All cipher algorithms have a fixed key length unless otherwise stated.
The following ciphers are available:
.Bl -tag -width Ds -offset indent
.It Fn EVP_aead_aes_128_gcm
AES-128 in Galois Counter Mode.
AES-128 in Galois Counter Mode, using a
.Fa key_len
of 16 bytes and a
.Fa nonce_len
of 12 bytes.
.It Fn EVP_aead_aes_256_gcm
AES-256 in Galois Counter Mode.
AES-256 in Galois Counter Mode, using a
.Fa key_len
of 32 bytes and a
.Fa nonce_len
of 12 bytes.
.It Fn EVP_aead_chacha20_poly1305
ChaCha20 with a Poly1305 authenticator.
ChaCha20 with a Poly1305 authenticator, using a
.Fa key_len
of 32 bytes and a
.Fa nonce_len
of 12 bytes.
.It Fn EVP_aead_xchacha20_poly1305
XChaCha20 with a Poly1305 authenticator.
XChaCha20 with a Poly1305 authenticator, using a
.Fa key_len
of 32 bytes and a
.Fa nonce_len
of 24 bytes.
.El
.Pp
Where possible the
Unless compatibility with other implementations
like OpenSSL or BoringSSL is required, using the
.Sy EVP_AEAD
interface to AEAD ciphers should be used in preference to the older
.Sy EVP
variants or to the low level interfaces.
This is because the code then becomes transparent to the AEAD cipher
used and much more flexible.
It is also safer to use as it prevents common mistakes with the native APIs.
interface to AEAD ciphers is recommended
in preference to the functions documented in the
.Xr EVP_EncryptInit 3 ,
.Xr EVP_aes_256_gcm 3 ,
and
.Xr EVP_chacha20_poly1305 3
manual pages.
The code then becomes transparent to the AEAD cipher used
and much more flexible.
It is also safer to use as it prevents common mistakes with the EVP APIs.
.Sh RETURN VALUES
.Fn EVP_AEAD_CTX_new
returns the new
@ -319,17 +340,12 @@ EVP_AEAD_CTX_free(ctx);
.Rs
.%A A. Langley
.%A W. Chang
.%D November 2013
.%R draft-agl-tls-chacha20poly1305-04
.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
.Re
.Pp
.Rs
.%A Y. Nir
.%A A. Langley
.%D May 2015
.%R RFC 7539
.%T ChaCha20 and Poly1305 for IETF Protocols
.%A N. Mavrogiannopoulos
.%A J. Strombergson
.%A S. Josefsson
.%D June 2016
.%R RFC 7905
.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
.Re
.Pp
.Rs
@ -341,6 +357,7 @@ EVP_AEAD_CTX_free(ctx);
.Sh HISTORY
AEAD is based on the implementation by
.An Adam Langley
.\" OpenSSL commit 9a8646510b Sep 9 12:13:24 2013 -0400
for Chromium/BoringSSL and first appeared in
.Ox 5.6 .
.Pp
@ -349,3 +366,28 @@ and
.Fn EVP_AEAD_CTX_free
first appeared in
.Ox 7.1 .
.Sh CAVEATS
The original publications and code by
.An Adam Langley
used a modified AEAD construction that is incompatible with the common
style used by AEAD in TLS and incompatible with RFC 7905:
.Pp
.Rs
.%A A. Langley
.%A W. Chang
.%D November 2013
.%R draft-agl-tls-chacha20poly1305-04
.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
.Re
.Pp
.Rs
.%A Y. Nir
.%A A. Langley
.%D June 2018
.%R RFC 8439
.%T ChaCha20 and Poly1305 for IETF Protocols
.Re
.Pp
In particular, the original version used a
.Fa nonce_len
of 8 bytes.

60
lib/libcrypto/man/EVP_chacha20.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_chacha20.3,v 1.3 2023/08/21 03:26:42 jsg Exp $
.\" $OpenBSD: EVP_chacha20.3,v 1.6 2023/08/24 04:33:08 tb Exp $
.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
.\"
.\" This file is a derived work.
@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 21 2023 $
.Dd $Mdocdate: August 24 2023 $
.Dt EVP_CHACHA20 3
.Os
.Sh NAME
@ -93,11 +93,11 @@ argument of 16 bytes = 128 bits, internally using
.Xr ChaCha_set_key 3
and
.Xr ChaCha_set_iv 3 .
Due to the symmetry of the internal cipher state, interpreting the
The lower 8 bytes = 64 bits of
.Fa iv
argument as a 4 byte counter followed by a 12 byte nonce
or interpreting it as an 8 byte counter followed by an 8 byte nonce
is functionally equivalent.
are used as counter and the remaining 8 bytes are used as
the initialization vector of
.Xr ChaCha_set_iv 3 .
.Xr EVP_EncryptUpdate 3 ,
.Xr EVP_EncryptFinal_ex 3 ,
.Xr EVP_DecryptUpdate 3 ,
@ -114,6 +114,16 @@ objects created from
.Pp
.Fn EVP_chacha20_poly1305
provides authenticated encryption with ChaCha20-Poly1305.
Unless compatibility with other implementations
like OpenSSL or BoringSSL is required, using
.Xr EVP_AEAD_CTX_init 3
with
.Xr EVP_aead_chacha20_poly1305 3
is recommended instead because the code then becomes transparent
to the AEAD cipher used, more flexible, and less error prone.
.Pp
With
.Fn EVP_chacha20_poly1305 ,
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
and
@ -237,6 +247,32 @@ returns 1 for success or 0 for failure.
.Rs
.%A A. Langley
.%A W. Chang
.%A N. Mavrogiannopoulos
.%A J. Strombergson
.%A S. Josefsson
.%D June 2016
.%R RFC 7905
.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
.Re
.Sh HISTORY
.Fn EVP_chacha20
first appeared in
.Ox 5.6 .
.Pp
.Fn EVP_chacha20_poly1305
first appeared in OpenSSL 1.1.0
.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
and has been available since
.Ox 7.2 .
.Sh CAVEATS
The original publications and code by
.An Adam Langley
used a modified AEAD construction that is incompatible with the common
style used by AEAD in TLS and incompatible with RFC 7905:
.Pp
.Rs
.%A A. Langley
.%A W. Chang
.%D November 2013
.%R draft-agl-tls-chacha20poly1305-04
.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
@ -245,15 +281,9 @@ returns 1 for success or 0 for failure.
.Rs
.%A Y. Nir
.%A A. Langley
.%D May 2015
.%R RFC 7539
.%D May 2018
.%R RFC 8439
.%T ChaCha20 and Poly1305 for IETF Protocols
.Re
.Sh HISTORY
.Fn EVP_chacha20
first appeared in
.Ox 5.6 .
.Pp
.Fn EVP_chacha20_poly1305
first appeared in OpenSSL 1.1.0 and has been available since
.Ox 7.2 .
In particular, the original version used a nonce of 8 instead of 12 bytes.