23 EVP_CIPHER_CTX_set_key_length,
37 EVP_CIPHER_description,
39 EVP_CIPHER_names_do_all,
42 EVP_CIPHER_get_params,
43 EVP_CIPHER_gettable_params,
44 EVP_CIPHER_block_size,
45 EVP_CIPHER_key_length,
50 EVP_CIPHER_CTX_cipher,
51 EVP_CIPHER_CTX_get0_cipher,
52 EVP_CIPHER_CTX_get1_cipher,
55 EVP_CIPHER_CTX_get_params,
56 EVP_CIPHER_gettable_ctx_params,
57 EVP_CIPHER_CTX_gettable_params,
58 EVP_CIPHER_CTX_set_params,
59 EVP_CIPHER_settable_ctx_params,
60 EVP_CIPHER_CTX_settable_params,
61 EVP_CIPHER_CTX_block_size,
62 EVP_CIPHER_CTX_key_length,
63 EVP_CIPHER_CTX_iv_length,
64 EVP_CIPHER_CTX_tag_length,
65 EVP_CIPHER_CTX_get_app_data,
66 EVP_CIPHER_CTX_set_app_data,
70 EVP_CIPHER_param_to_asn1,
71 EVP_CIPHER_asn1_to_param,
72 EVP_CIPHER_CTX_set_padding,
74 EVP_CIPHER_do_all_provided
81 #include <openssl/evp.h>
83 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
84 const char *properties);
85 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
86 void EVP_CIPHER_free(EVP_CIPHER *cipher);
87 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
88 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
89 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
91 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
92 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
93 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
94 const unsigned char *key, const unsigned char *iv,
95 const OSSL_PARAM params[]);
96 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
97 int *outl, const unsigned char *in, int inl);
98 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
100 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
101 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
102 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
103 const unsigned char *key, const unsigned char *iv,
104 const OSSL_PARAM params[]);
105 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
106 int *outl, const unsigned char *in, int inl);
107 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
109 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
110 ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
111 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
112 const unsigned char *key, const unsigned char *iv,
113 int enc, const OSSL_PARAM params[]);
114 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
115 int *outl, const unsigned char *in, int inl);
116 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
118 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
119 const unsigned char *key, const unsigned char *iv);
120 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
122 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
123 const unsigned char *key, const unsigned char *iv);
124 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
126 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
127 const unsigned char *key, const unsigned char *iv, int enc);
128 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
130 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
131 const unsigned char *in, unsigned int inl);
133 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
134 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
135 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2);
136 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
138 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
139 const EVP_CIPHER *EVP_get_cipherbynid(int nid);
140 const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a);
142 int EVP_CIPHER_nid(const EVP_CIPHER *e);
143 int EVP_CIPHER_number(const EVP_CIPHER *e);
144 int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name);
145 int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher,
146 void (*fn)(const char *name, void *data),
148 const char *EVP_CIPHER_name(const EVP_CIPHER *cipher);
149 const char *EVP_CIPHER_description(const EVP_CIPHER *cipher);
150 const OSSL_PROVIDER *EVP_CIPHER_provider(const EVP_CIPHER *cipher);
151 int EVP_CIPHER_block_size(const EVP_CIPHER *e);
152 int EVP_CIPHER_key_length(const EVP_CIPHER *e);
153 int EVP_CIPHER_iv_length(const EVP_CIPHER *e);
154 unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e);
155 unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e);
156 int EVP_CIPHER_type(const EVP_CIPHER *cipher);
158 const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx);
159 EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx);
160 int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
161 const char *EVP_CIPHER_CTX_name(const EVP_CIPHER_CTX *ctx);
163 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]);
164 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]);
165 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
166 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher);
167 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher);
168 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher);
169 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx);
170 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
171 int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
172 int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
173 int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
174 int EVP_CIPHER_CTX_tag_length(const EVP_CIPHER_CTX *ctx);
175 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
176 void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data);
177 int EVP_CIPHER_CTX_type(const EVP_CIPHER_CTX *ctx);
178 int EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx);
180 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
181 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
183 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
184 void (*fn)(EVP_CIPHER *cipher, void *arg),
187 Deprecated since OpenSSL 3.0, can be hidden entirely by defining
188 B<OPENSSL_API_COMPAT> with a suitable version value, see
189 L<openssl_user_macros(7)>:
191 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
195 The EVP cipher routines are a high-level interface to certain
198 The B<EVP_CIPHER> type is a structure for cipher method implementation.
202 =item EVP_CIPHER_fetch()
204 Fetches the cipher implementation for the given B<algorithm> from any provider
205 offering it, within the criteria given by the B<properties>.
206 See L<crypto(7)/ALGORITHM FETCHING> for further information.
208 The returned value must eventually be freed with EVP_CIPHER_free().
210 Fetched B<EVP_CIPHER> structures are reference counted.
212 =item EVP_CIPHER_up_ref()
214 Increments the reference count for an B<EVP_CIPHER> structure.
216 =item EVP_CIPHER_free()
218 Decrements the reference count for the fetched B<EVP_CIPHER> structure.
219 If the reference count drops to 0 then the structure is freed.
221 =item EVP_CIPHER_CTX_new()
223 Allocates and returns a cipher context.
225 =item EVP_CIPHER_CTX_free()
227 Clears all information from a cipher context and free up any allocated memory
228 associate with it, including B<ctx> itself. This function should be called after
229 all operations using a cipher are complete so sensitive information does not
232 =item EVP_CIPHER_CTX_ctrl()
234 I<This is a legacy method. EVP_CIPHER_CTX_set_params() and
235 EVP_CIPHER_CTX_get_params() is the mechanism that should be used to set and get
236 parameters that are used by providers.>
238 Performs cipher-specific control actions on context I<ctx>. The control command
239 is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>.
240 EVP_CIPHER_CTX_ctrl() must be called after EVP_CipherInit_ex2(). Other restrictions
241 may apply depending on the control type and cipher implementation.
243 If this function happens to be used with a fetched B<EVP_CIPHER>, it will
244 translate the controls that are known to OpenSSL into L<OSSL_PARAM(3)>
245 parameters with keys defined by OpenSSL and call EVP_CIPHER_CTX_get_params() or
246 EVP_CIPHER_CTX_set_params() as is appropriate for each control command.
248 See L</CONTROLS> below for more information, including what translations are
251 =item EVP_CIPHER_get_params()
253 Retrieves the requested list of algorithm I<params> from a CIPHER I<cipher>.
254 See L</PARAMETERS> below for more information.
256 =item EVP_CIPHER_CTX_get_params()
258 Retrieves the requested list of I<params> from CIPHER context I<ctx>.
259 See L</PARAMETERS> below for more information.
261 =item EVP_CIPHER_CTX_set_params()
263 Sets the list of I<params> into a CIPHER context I<ctx>.
264 See L</PARAMETERS> below for more information.
266 =item EVP_CIPHER_gettable_params()
268 Get a constant B<OSSL_PARAM> array that describes the retrievable parameters
269 that can be used with EVP_CIPHER_get_params(). See L<OSSL_PARAM(3)> for the
270 use of B<OSSL_PARAM> as a parameter descriptor.
272 =item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params()
274 Get a constant B<OSSL_PARAM> array that describes the retrievable parameters
275 that can be used with EVP_CIPHER_CTX_get_params().
276 EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved
277 from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the
278 parameters that can be retrieved in the context's current state.
279 See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor.
281 =item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()
283 Get a constant B<OSSL_PARAM> array that describes the settable parameters
284 that can be used with EVP_CIPHER_CTX_set_params().
285 EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the
286 algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that
287 can be set in the context's current state.
288 See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor.
290 =item EVP_EncryptInit_ex2()
292 Sets up cipher context I<ctx> for encryption with cipher I<type>. I<type> is
293 typically supplied by a function such as EVP_aes_256_cbc(), or a value
294 explicitly fetched with EVP_CIPHER_fetch(). I<key> is the symmetric key to use
295 and I<iv> is the IV to use (if necessary), the actual number of bytes
296 used for the key and IV depends on the cipher. The parameters I<params> will
297 be set on the context after initialisation. It is possible to set
298 all parameters to NULL except I<type> in an initial call and supply
299 the remaining parameters in subsequent calls, all of which have I<type>
300 set to NULL. This is done when the default cipher parameters are not
302 For B<EVP_CIPH_GCM_MODE> the IV will be generated internally if it is not
305 =item EVP_EncryptInit_ex()
307 Is a legacy function similiar to EVP_EncryptInit_ex2() except If I<impl>
308 is non-NULL, its implementation of the cipher B<type> is used if there is one,
309 and if not, the default implementation is used.
311 =item EVP_EncryptUpdate()
313 Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
314 I<out>. This function can be called multiple times to encrypt successive blocks
315 of data. The amount of data written depends on the block alignment of the
317 For most ciphers and modes, the amount of data written can be anything
318 from zero bytes to (inl + cipher_block_size - 1) bytes.
319 For wrap cipher modes, the amount of data written can be anything
320 from zero bytes to (inl + cipher_block_size) bytes.
321 For stream ciphers, the amount of data written can be anything from zero
323 Thus, I<out> should contain sufficient room for the operation being performed.
324 The actual number of bytes written is placed in I<outl>. It also
325 checks if I<in> and I<out> are partially overlapping, and if they are
326 0 is returned to indicate failure.
328 If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
329 the "final" data, that is any data that remains in a partial block.
330 It uses standard block padding (aka PKCS padding) as described in
331 the NOTES section, below. The encrypted
332 final data is written to B<out> which should have sufficient space for
333 one cipher block. The number of bytes written is placed in B<outl>. After
334 this function is called the encryption operation is finished and no further
335 calls to EVP_EncryptUpdate() should be made.
337 If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
338 data and it will return an error if any data remains in a partial block:
339 that is if the total data length is not a multiple of the block size.
341 =item EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate()
342 and EVP_DecryptFinal_ex()
344 These functions are the corresponding decryption operations.
345 EVP_DecryptFinal() will return an error code if padding is enabled and the
346 final block is not correctly formatted. The parameters and restrictions are
347 identical to the encryption operations except that if padding is enabled the
348 decrypted data buffer I<out> passed to EVP_DecryptUpdate() should have
349 sufficient room for (I<inl> + cipher_block_size) bytes unless the cipher block
350 size is 1 in which case I<inl> bytes is sufficient.
352 =item EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and
355 These functions that can be used for decryption or encryption. The operation
356 performed depends on the value of the I<enc> parameter. It should be set to 1
357 for encryption, 0 for decryption and -1 to leave the value unchanged
358 (the actual value of 'enc' being supplied in a previous call).
360 =item EVP_CIPHER_CTX_reset()
362 Clears all information from a cipher context and free up any allocated memory
363 associated with it, except the I<ctx> itself. This function should be called
364 anytime I<ctx> is to be reused for another
365 EVP_CipherInit() / EVP_CipherUpdate() / EVP_CipherFinal() series of calls.
367 =item EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit()
369 Behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex() and
370 EVP_CipherInit_ex() except they always use the default cipher implementation.
372 =item EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal()
374 Identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
375 EVP_CipherFinal_ex(). In previous releases they also cleaned up
376 the I<ctx>, but this is no longer done and EVP_CIPHER_CTX_cleanup()
377 must be called to free any context resources.
381 Encrypts or decrypts a maximum I<inl> amount of bytes from I<in> and leaves the
383 If the cipher doesn't have the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set,
384 then I<inl> must be a multiple of EVP_CIPHER_block_size(). If it isn't,
385 the result is undefined. If the cipher has that flag set, then I<inl>
387 This function is historic and shouldn't be used in an application, please
388 consider using EVP_CipherUpdate() and EVP_CipherFinal_ex instead.
390 =item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
392 Return an EVP_CIPHER structure when passed a cipher name, a NID or an
393 ASN1_OBJECT structure.
395 =item EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid()
397 Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
398 structure. The actual NID value is an internal value which may not have a
399 corresponding OBJECT IDENTIFIER.
401 =item EVP_CIPHER_CTX_set_padding()
403 Enables or disables padding. This function should be called after the context
404 is set up for encryption or decryption with EVP_EncryptInit_ex2(),
405 EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(). By default encryption operations
406 are padded using standard block padding and the padding is checked and removed
407 when decrypting. If the B<pad> parameter is zero then no padding is
408 performed, the total amount of data encrypted or decrypted must then
409 be a multiple of the block size or an error will occur.
411 =item EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length()
413 Return the key length of a cipher when passed an B<EVP_CIPHER> or
414 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum
415 key length for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for
416 a given cipher, the value of EVP_CIPHER_CTX_key_length() may be different for
417 variable key length ciphers.
419 =item EVP_CIPHER_CTX_set_key_length()
421 Sets the key length of the cipher ctx.
422 If the cipher is a fixed length cipher then attempting to set the key
423 length to any value other than the fixed value is an error.
425 =item EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length()
427 Return the IV length of a cipher when passed an B<EVP_CIPHER> or
428 B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV.
429 The constant B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
431 =item EVP_CIPHER_CTX_tag_length()
433 Returns the tag length of a AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will
434 return zero if the cipher does not support a tag. It returns a default value if
435 the tag length has not been set.
437 =item EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size()
439 Return the block size of a cipher when passed an B<EVP_CIPHER> or
440 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the
441 maximum block length for all ciphers.
443 =item EVP_CIPHER_type() and EVP_CIPHER_CTX_type()
445 Return the type of the passed cipher or context. This "type" is the actual NID
446 of the cipher OBJECT IDENTIFIER as such it ignores the cipher parameters and
447 40 bit RC2 and 128 bit RC2 have the same NID. If the cipher does not have an
448 object identifier or does not have ASN1 support this function will return
451 =item EVP_CIPHER_is_a()
453 Returns 1 if I<cipher> is an implementation of an algorithm that's identifiable
454 with I<name>, otherwise 0. If I<cipher> is a legacy cipher (it's the return
455 value from the likes of EVP_aes128() rather than the result of an
456 EVP_CIPHER_fetch()), only cipher names registered with the default library
457 context (see L<OSSL_LIB_CTX(3)>) will be considered.
459 =item EVP_CIPHER_number()
461 Returns the internal dynamic number assigned to the I<cipher>. This is only
462 useful with fetched B<EVP_CIPHER>s.
464 =item EVP_CIPHER_name() and EVP_CIPHER_CTX_name()
466 Return the name of the passed cipher or context. For fetched ciphers with
467 multiple names, only one of them is returned; it's recommended to use
468 EVP_CIPHER_names_do_all() instead.
470 =item EVP_CIPHER_names_do_all()
472 Traverses all names for the I<cipher>, and calls I<fn> with each name and
473 I<data>. This is only useful with fetched B<EVP_CIPHER>s.
475 =item EVP_CIPHER_description()
477 Returns a description of the cipher, meant for display and human consumption.
478 The description is at the discretion of the cipher implementation.
480 =item EVP_CIPHER_provider()
482 Returns an B<OSSL_PROVIDER> pointer to the provider that implements the given
485 =item EVP_CIPHER_CTX_get0_cipher()
487 Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure.
488 EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to
491 =item EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode()
493 Return the block cipher mode:
494 EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
495 EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
496 EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE.
497 If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned.
499 =item EVP_CIPHER_flags()
501 Returns any flags associated with the cipher. See EVP_CIPHER_meth_set_flags()
502 for a list of currently defined flags.
504 =item EVP_CIPHER_param_to_asn1()
506 Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will
507 typically include any parameters and an IV. The cipher IV (if any) must be set
508 when this call is made. This call should be made before the cipher is actually
509 "used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example).
510 This function may fail if the cipher does not have any ASN1 support.
512 =item EVP_CIPHER_asn1_to_param()
514 Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter".
515 The precise effect depends on the cipher. In the case of B<RC2>, for example,
516 it will set the IV and effective key length.
517 This function should be called after the base cipher type is set but before
518 the key is set. For example EVP_CipherInit() will be called with the IV and
519 key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
520 EVP_CipherInit() again with all parameters except the key set to NULL. It is
521 possible for this function to fail if the cipher does not have any ASN1 support
522 or the parameters cannot be set (for example the RC2 effective key length
525 =item EVP_CIPHER_CTX_rand_key()
527 Generates a random key of the appropriate length based on the cipher context.
528 The B<EVP_CIPHER> can provide its own random key generation routine to support
529 keys of a specific form. I<Key> must point to a buffer at least as big as the
530 value returned by EVP_CIPHER_CTX_key_length().
532 =item EVP_CIPHER_do_all_provided()
534 Traverses all ciphers implemented by all activated providers in the given
535 library context I<libctx>, and for each of the implementations, calls the given
536 function I<fn> with the implementation method and the given I<arg> as argument.
542 See L<OSSL_PARAM(3)> for information about passing parameters.
544 =head2 Gettable EVP_CIPHER parameters
546 When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params()
547 and caches the results.
549 EVP_CIPHER_get_params() can be used with the following B<OSSL_PARAM> keys:
553 =item "mode" (B<OSSL_CIPHER_PARAM_MODE>) <unsigned integer>
555 Gets the mode for the associated cipher algorithm I<cipher>.
556 See L</EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode()> for a list of valid modes.
557 Use EVP_CIPHER_mode() to retrieve the cached value.
559 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
561 Gets the key length for the associated cipher algorithm I<cipher>.
562 Use EVP_CIPHER_key_length() to retrieve the cached value.
564 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) <unsigned integer>
566 Gets the IV length for the associated cipher algorithm I<cipher>.
567 Use EVP_CIPHER_iv_length() to retrieve the cached value.
569 =item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer>
571 Gets the block size for the associated cipher algorithm I<cipher>.
572 The block size should be 1 for stream ciphers.
573 Note that the block size for a cipher may be different to the block size for
574 the underlying encryption/decryption primitive.
575 For example AES in CTR mode has a block size of 1 (because it operates like a
576 stream cipher), even though AES has a block size of 16.
577 Use EVP_CIPHER_block_size() to retreive the cached value.
579 =item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
581 Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0.
582 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the
585 =item "custom-iv" (B<OSSL_CIPHER_PARAM_CUSTOM_IV>) <integer>
587 Gets 1 if the cipher algorithm I<cipher> has a custom IV, otherwise it gets 0.
588 Storing and initializing the IV is left entirely to the implementation, if a
590 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the
593 =item "cts" (B<OSSL_CIPHER_PARAM_CTS>) <integer>
595 Gets 1 if the cipher algorithm I<cipher> uses ciphertext stealing,
597 This is currently used to indicate that the cipher is a one shot that only
598 allows a single call to EVP_CipherUpdate().
599 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the
602 =item "tls-multi" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK>) <integer>
604 Gets 1 if the cipher algorithm I<cipher> supports interleaving of crypto blocks,
605 otherwise it gets 0. The interleaving is an optimization only applicable to certain
607 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the
612 =head2 Gettable and Settable EVP_CIPHER_CTX parameters
614 The following OSSL_PARAM keys can be used with both EVP_CIPHER_CTX_get_params()
615 and EVP_CIPHER_CTX_set_params().
619 =item "padding" (B<OSSL_CIPHER_PARAM_PADDING>) <unsigned integer>
621 Gets or sets the padding mode for the cipher context I<ctx>.
622 Padding is enabled if the value is 1, and disabled if the value is 0.
623 See also EVP_CIPHER_CTX_set_padding().
625 =item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer>
627 Gets or sets the cipher specific "num" parameter for the cipher context I<ctx>.
628 Built-in ciphers typically use this to track how much of the current underlying
629 block has been "used" already.
630 See also EVP_CIPHER_CTX_num() and EVP_CIPHER_CTX_set_num().
632 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
634 Gets or sets the key length for the cipher context I<ctx>.
635 The length of the "keylen" parameter should not exceed that of a B<size_t>.
636 See also EVP_CIPHER_CTX_key_length() and EVP_CIPHER_CTX_set_key_length().
638 =item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string>
640 Gets or sets the AEAD tag for the associated cipher context I<ctx>.
641 See L<EVP_EncryptInit(3)/AEAD Interface>.
643 =item "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>) <unsigned integer>
645 Gets or sets the effective keybits used for a RC2 cipher.
646 The length of the "keybits" parameter should not exceed that of a B<size_t>.
648 =item "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>) <unsigned integer>
650 Gets or sets the number of rounds to be used for a cipher.
651 This is used by the RC5 cipher.
653 =item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
655 Used to pass the DER encoded AlgorithmIdentifier parameter to or from
656 the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
657 and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
658 that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
660 =item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
662 Gets or sets the cipher text stealing mode. For all modes the output size is the
663 same as the input size.
665 Valid values for the mode are:
671 The NIST variant of cipher text stealing.
672 For message lengths that are multiples of the block size it is equivalent to
673 using a "AES-CBC" cipher otherwise the second last cipher text block is a
678 For message lengths that are multiples of the block size it is equivalent to
679 using a "AES-CBC" cipher, otherwise it is the same as "CS3".
683 The Kerberos5 variant of cipher text stealing which always swaps the last
684 cipher text block with the previous block (which may be a partial or full block
685 depending on the input length).
689 The default is "CS1".
690 This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
692 =item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>
694 Sets or gets the number of records being sent in one go for a tls1 multiblock
695 cipher operation (either 4 or 8 records).
699 =head2 Gettable EVP_CIPHER_CTX parameters
701 The following OSSL_PARAM keys can be used with EVP_CIPHER_CTX_get_params():
705 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer>
707 Gets the IV length for the cipher context I<ctx>.
708 The length of the "ivlen" parameter should not exceed that of a B<size_t>.
709 See also EVP_CIPHER_CTX_iv_length().
711 =item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr>
713 Gets the IV used to initialize the associated cipher context I<ctx>.
714 See also EVP_CIPHER_CTX_get_original_iv().
716 =item "updated-iv" (B<OSSL_CIPHER_PARAM_UPDATED_IV>) <octet string OR octet ptr>
718 Gets the updated pseudo-IV state for the associated cipher ctx, e.g.,
719 the previous ciphertext block for CBC mode or the iteratively encrypted IV
720 value for OFB mode. Note that octet pointer access is deprecated and is
721 provided only for backwards compatibility with historical libcrypto APIs.
722 See also EVP_CIPHER_CTX_get_updated_iv().
724 =item "randkey" (B<OSSL_CIPHER_PARAM_RANDOM_KEY>) <octet string>
726 Gets a implementation specific randomly generated key for the associated
727 cipher ctx I(ctx>. This is currently only supported by 3DES (which sets the key to
730 =item "taglen" (B<OSSL_CIPHER_PARAM_AEAD_TAGLEN>) <unsigned integer>
732 Gets the tag length to be used for an AEAD cipher for the associated cipher ctx
733 I<ctx>. It gets a default value if it has not been set.
734 The length of the "taglen" parameter should not exceed that of a B<size_t>.
735 See also EVP_CIPHER_CTX_tag_length().
737 =item "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>) <unsigned integer>
739 Gets the length of the tag that will be added to a TLS record for the AEAD
740 tag for the associated cipher ctx I<ctx>.
741 The length of the "tlsaadpad" parameter should not exceed that of a B<size_t>.
743 =item "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>) <octet string>
745 Gets the invocation field generated for encryption.
746 Can only be called after "tlsivfixed" is set.
747 This is only used for GCM mode.
749 =item "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>) <unsigned integer>
751 Get the total length of the record returned from the "tls1multi_enc" operation.
753 =item "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>) <unsigned integer>
755 Gets the maximum record length for a tls1 multiblock cipher operation.
756 The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B<size_t>.
758 =item "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) <unsigned integer>
760 Gets the result of running the "tls1multi_aad" operation.
762 =item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr>
764 Used to pass the tls mac data.
768 =head2 Settable EVP_CIPHER_CTX parameters
770 The following OSSL_PARAM keys can be used with EVP_CIPHER_CTX_set_params():
774 =item "mackey" (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>) <octet string>
776 Sets the MAC key used by composite AEAD ciphers such as AES-CBC-HMAC-SHA256.
778 =item "speed" (B<OSSL_CIPHER_PARAM_SPEED>) <unsigned integer>
780 Sets the speed option for the associated cipher ctx. This is only supported
781 by AES SIV ciphers which disallow multiple operations by default.
782 Setting "speed" to 1 allows another encrypt or decrypt operation to be
783 performed. This is used for performance testing.
785 =item "tls-version" (B<OSSL_CIPHER_PARAM_TLS_VERSION>) <integer>
787 Sets the tls-version.
789 =item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer>
791 Set the tls mac size.
793 =item "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) <octet string>
795 Sets TLSv1.2 AAD information for the associated cipher ctx I<ctx>.
796 TLSv1.2 AAD information is always 13 bytes in length and is as defined for the
797 "additional_data" field described in section 6.2.3.3 of RFC5246.
799 =item "tlsivfixed" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>) <octet string>
801 Sets the fixed portion of an IV for an AEAD cipher used in a TLS record
802 encryption/ decryption for the associated cipher ctx.
803 TLS record encryption/decryption always occurs "in place" so that the input and
804 output buffers are always the same memory location.
805 AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part
806 that varies with every record.
807 Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records.
808 TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
810 For a record decryption the first bytes of the input buffer will be the explicit
811 part of the IV and the final bytes of the input buffer will be the AEAD tag.
812 The length of the explicit part of the IV and the tag length will depend on the
813 cipher in use and will be defined in the RFC for the relevant ciphersuite.
814 In order to allow for "in place" decryption the plaintext output should be
815 written to the same location in the output buffer that the ciphertext payload
816 was read from, i.e. immediately after the explicit IV.
818 When encrypting a record the first bytes of the input buffer will be empty to
819 allow space for the explicit IV, as will the final bytes where the tag will
821 The length of the input buffer will include the length of the explicit IV, the
822 payload, and the tag bytes.
823 The cipher implementation should generate the explicit IV and write it to the
824 beginning of the output buffer, do "in place" encryption of the payload and
825 write that to the output buffer, and finally add the tag onto the end of the
828 Whether encrypting or decrypting the value written to I<*outl> in the
829 OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit
830 IV length and the tag length.
832 =item "tlsivinv" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>) <octet string>
834 Sets the invocation field used for decryption.
835 Can only be called after "tlsivfixed" is set.
836 This is only used for GCM mode.
838 =item "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>) <octet string>
840 Triggers a multiblock tls1 encrypt operation for a tls1 aware cipher that supports
841 sending 4 or 8 records in one go.
842 The cipher performs both the MAC and encrypt stages and constructs the record
844 "tls1multi_enc" supplies the output buffer for the encrypt operation,
845 "tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply
846 values to the encrypt operation.
848 =item "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) <octet string>
850 Supplies the data to encrypt for a tls1 multiblock cipher operation.
852 =item "tls1multi_maxsndfrag" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT>) <unsigned integer>
854 Sets the maximum send fragment size for a tls1 multiblock cipher operation.
855 It must be set before using "tls1multi_maxbufsz".
856 The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B<size_t>.
858 =item "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) <octet string>
860 Sets the authenticated additional data used by a tls1 multiblock cipher operation.
861 The supplied data consists of 13 bytes of record data containing:
862 Bytes 0-7: The sequence number of the first record
863 Byte 8: The record type
864 Byte 9-10: The protocol version
865 Byte 11-12: Input length (Always 0)
867 "tls1multi_interleave" must also be set for this operation.
873 The Mappings from EVP_CIPHER_CTX_ctrl() identifiers to PARAMETERS are listed
874 in the following section. See the L</PARAMETERS> section for more details.
876 EVP_CIPHER_CTX_ctrl() can be used to send the following standard controls:
880 =item EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN
882 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
883 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
884 key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>).
886 =item EVP_CTRL_AEAD_SET_IV_FIXED
888 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
889 with an L<OSSL_PARAM(3)> item with the key "tlsivfixed"
890 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>).
892 =item EVP_CTRL_AEAD_SET_MAC_KEY
894 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
895 with an L<OSSL_PARAM(3)> item with the key "mackey"
896 (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>).
898 =item EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG
900 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
901 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
902 key "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>).
904 =item EVP_CTRL_CCM_SET_L
906 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
907 with an L<OSSL_PARAM(3)> item with the key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>)
908 with a value of (15 - L)
912 There is no OSSL_PARAM mapping for this. Use EVP_CIPHER_CTX_copy() instead.
914 =item EVP_CTRL_GCM_SET_IV_INV
916 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
917 with an L<OSSL_PARAM(3)> item with the key "tlsivinv"
918 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>).
920 =item EVP_CTRL_RAND_KEY
922 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
923 with an L<OSSL_PARAM(3)> item with the key "randkey"
924 (B<OSSL_CIPHER_PARAM_RANDOM_KEY>).
926 =item EVP_CTRL_SET_KEY_LENGTH
928 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
929 with an L<OSSL_PARAM(3)> item with the key "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>).
931 =item EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS
933 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
934 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
935 key "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>).
937 =item EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS
939 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
940 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
941 key "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>).
943 =item EVP_CTRL_SET_SPEED
945 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
946 with an L<OSSL_PARAM(3)> item with the key "speed" (B<OSSL_CIPHER_PARAM_SPEED>).
948 =item EVP_CTRL_GCM_IV_GEN
950 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_get_params() gets called
951 with an L<OSSL_PARAM(3)> item with the key
952 "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>).
954 =item EVP_CTRL_AEAD_TLS1_AAD
956 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
957 with an L<OSSL_PARAM(3)> item with the key
958 "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
959 followed by EVP_CIPHER_CTX_get_params() with a key of
960 "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>).
962 =item EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE
964 When used with a fetched B<EVP_CIPHER>,
965 EVP_CIPHER_CTX_set_params() get called with an L<OSSL_PARAM(3)> item with the
966 key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT
967 followed by EVP_CIPHER_CTX_get_params() with a key of
968 "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>).
970 =item EVP_CTRL_TLS1_1_MULTIBLOCK_AAD
972 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
973 with L<OSSL_PARAM(3)> items with the keys
974 "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) and
975 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>)
976 followed by EVP_CIPHER_CTX_get_params() with keys of
977 "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) and
978 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>).
980 =item EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT
982 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
983 with L<OSSL_PARAM(3)> items with the keys
984 "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>),
985 "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) and
986 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>),
987 followed by EVP_CIPHER_CTX_get_params() with a key of
988 "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>).
994 EVP_CIPHER_fetch() returns a pointer to a B<EVP_CIPHER> for success
995 and B<NULL> for failure.
997 EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise.
999 EVP_CIPHER_CTX_new() returns a pointer to a newly created
1000 B<EVP_CIPHER_CTX> for success and B<NULL> for failure.
1002 EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
1003 return 1 for success and 0 for failure.
1005 EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
1006 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
1008 EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
1009 EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
1011 EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
1012 on failure, if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the
1013 cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag
1014 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher.
1016 EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
1018 EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
1019 return an B<EVP_CIPHER> structure or NULL on error.
1021 EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
1023 EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
1026 EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
1029 EVP_CIPHER_CTX_set_padding() always returns 1.
1031 EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
1032 length or zero if the cipher does not use an IV.
1034 EVP_CIPHER_CTX_tag_length() return the tag length or zero if the cipher does not
1037 EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
1038 OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
1040 EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
1042 EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
1043 than zero for success and zero or a negative number on failure.
1045 EVP_CIPHER_CTX_rand_key() returns 1 for success.
1047 EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names.
1048 A return value of 0 means that the callback was not called for any names.
1050 =head1 CIPHER LISTING
1052 All algorithms have a fixed key length unless otherwise stated.
1054 Refer to L</SEE ALSO> for the full list of ciphers available through the EVP
1059 =item EVP_enc_null()
1061 Null cipher: does nothing.
1065 =head1 AEAD INTERFACE
1067 The EVP interface for Authenticated Encryption with Associated Data (AEAD)
1068 modes are subtly altered and several additional I<ctrl> operations are supported
1069 depending on the mode specified.
1071 To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
1072 EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
1073 parameter B<out> set to B<NULL>.
1075 When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1076 indicates whether the operation was successful. If it does not indicate success,
1077 the authentication operation has failed and any output data B<MUST NOT> be used
1080 =head2 GCM and OCB Modes
1082 The following I<ctrl>s are supported in GCM and OCB modes.
1086 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1088 Sets the IV length. This call can only be made before specifying an IV. If
1089 not called a default IV length is used.
1091 For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the
1094 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1096 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1097 This call can only be made when encrypting data and B<after> all data has been
1098 processed (e.g. after an EVP_EncryptFinal() call).
1100 For OCB, C<taglen> must either be 16 or the value previously set via
1101 B<EVP_CTRL_AEAD_SET_TAG>.
1103 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1105 Sets the expected tag to C<taglen> bytes from C<tag>.
1106 The tag length can only be set before specifying an IV.
1107 C<taglen> must be between 1 and 16 inclusive.
1109 For GCM, this call is only valid when decrypting data.
1111 For OCB, this call is valid when decrypting data to set the expected tag,
1112 and before encryption to set the desired tag length.
1114 In OCB mode, calling this before encryption with C<tag> set to C<NULL> sets the
1115 tag length. If this is not called prior to encryption, a default tag length is
1118 For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the
1119 maximum tag length for OCB.
1125 The EVP interface for CCM mode is similar to that of the GCM mode but with a
1126 few additional requirements and different I<ctrl> values.
1128 For CCM mode, the total plaintext or ciphertext length B<MUST> be passed to
1129 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output
1130 and input parameters (B<in> and B<out>) set to B<NULL> and the length passed in
1131 the B<inl> parameter.
1133 The following I<ctrl>s are supported in CCM mode.
1137 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1139 This call is made to set the expected B<CCM> tag value when decrypting or
1140 the length of the tag (with the C<tag> parameter set to NULL) when encrypting.
1141 The tag length is often referred to as B<M>. If not set a default value is
1142 used (12 for AES). When decrypting, the tag needs to be set before passing
1143 in data to be decrypted, but as in GCM and OCB mode, it can be set after
1144 passing additional authenticated data (see L</AEAD INTERFACE>).
1146 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)
1148 Sets the CCM B<L> value. If not set a default is used (8 for AES).
1150 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1152 Sets the CCM nonce (IV) length. This call can only be made before specifying a
1153 nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
1160 For SIV mode ciphers the behaviour of the EVP interface is subtly
1161 altered and several additional ctrl operations are supported.
1163 To specify any additional authenticated data (AAD) and/or a Nonce, a call to
1164 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1165 with the output parameter B<out> set to B<NULL>.
1167 RFC5297 states that the Nonce is the last piece of AAD before the actual
1168 encrypt/decrypt takes place. The API does not differentiate the Nonce from
1171 When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1172 indicates if the operation was successful. If it does not indicate success
1173 the authentication operation has failed and any output data B<MUST NOT>
1174 be used as it is corrupted.
1176 The following ctrls are supported in both SIV modes.
1180 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);
1182 Writes B<taglen> bytes of the tag value to the buffer indicated by B<tag>.
1183 This call can only be made when encrypting data and B<after> all data has been
1184 processed (e.g. after an EVP_EncryptFinal() call). For SIV mode the taglen must
1187 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);
1189 Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
1190 when decrypting data and must be made B<before> any data is processed (e.g.
1191 before any EVP_DecryptUpdate() call). For SIV mode the taglen must be 16.
1195 SIV mode makes two passes over the input data, thus, only one call to
1196 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1197 with B<out> set to a non-B<NULL> value. A call to EVP_Decrypt_Final() or
1198 EVP_CipherFinal() is not required, but will indicate if the update
1199 operation succeeded.
1201 =head2 ChaCha20-Poly1305
1203 The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm.
1207 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1209 Sets the nonce length. This call can only be made before specifying the nonce.
1210 If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
1211 nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
1212 then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
1215 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1217 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1218 This call can only be made when encrypting data and B<after> all data has been
1219 processed (e.g. after an EVP_EncryptFinal() call).
1221 C<taglen> specified here must be 16 (B<POLY1305_BLOCK_SIZE>, i.e. 128-bits) or
1224 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1226 Sets the expected tag to C<taglen> bytes from C<tag>.
1227 The tag length can only be set before specifying an IV.
1228 C<taglen> must be between 1 and 16 (B<POLY1305_BLOCK_SIZE>) inclusive.
1229 This call is only valid when decrypting data.
1235 Where possible the B<EVP> interface to symmetric ciphers should be used in
1236 preference to the low-level interfaces. This is because the code then becomes
1237 transparent to the cipher used and much more flexible. Additionally, the
1238 B<EVP> interface will ensure the use of platform specific cryptographic
1239 acceleration such as AES-NI (the low-level interfaces do not provide the
1242 PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
1243 length of the encrypted data a multiple of the block size. Padding is always
1244 added so if the data is already a multiple of the block size B<n> will equal
1245 the block size. For example if the block size is 8 and 11 bytes are to be
1246 encrypted then 5 padding bytes of value 5 will be added.
1248 When decrypting the final block is checked to see if it has the correct form.
1250 Although the decryption operation can produce an error if padding is enabled,
1251 it is not a strong test that the input data or key is correct. A random block
1252 has better than 1 in 256 chance of being of the correct format and problems with
1253 the input data earlier on will not produce a final decrypt error.
1255 If padding is disabled then the decryption operation will always succeed if
1256 the total amount of data decrypted is a multiple of the block size.
1258 The functions EVP_EncryptInit(), EVP_EncryptInit_ex(),
1259 EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex(),
1260 EVP_CipherInit(), EVP_CipherInit_ex() and EVP_CipherFinal() are obsolete
1261 but are retained for compatibility with existing code. New code should
1262 use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(),
1263 EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex()
1264 because they can reuse an existing context without allocating and freeing
1267 There are some differences between functions EVP_CipherInit() and
1268 EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills
1269 the passed context object with zeros. As a consequence, EVP_CipherInit() does
1270 not allow step-by-step initialization of the ctx when the I<key> and I<iv> are
1271 passed in separate calls. It also means that the flags set for the CTX are
1272 removed, and it is especially important for the
1273 B<EVP_CIPHER_CTX_FLAG_WRAP_ALLOW> flag treated specially in
1274 EVP_CipherInit_ex().
1276 EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros.
1280 B<EVP_MAX_KEY_LENGTH> and B<EVP_MAX_IV_LENGTH> only refer to the internal
1281 ciphers with default key lengths. If custom ciphers exceed these values the
1282 results are unpredictable. This is because it has become standard practice to
1283 define a generic key as a fixed unsigned char array containing
1284 B<EVP_MAX_KEY_LENGTH> bytes.
1286 The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
1287 for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
1291 Encrypt a string using IDEA:
1293 int do_crypt(char *outfile)
1295 unsigned char outbuf[1024];
1298 * Bogus key and IV: we'd normally set these from
1301 unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
1302 unsigned char iv[] = {1,2,3,4,5,6,7,8};
1303 char intext[] = "Some Crypto Text";
1304 EVP_CIPHER_CTX *ctx;
1307 ctx = EVP_CIPHER_CTX_new();
1308 EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL);
1310 if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
1312 EVP_CIPHER_CTX_free(ctx);
1316 * Buffer passed to EVP_EncryptFinal() must be after data just
1317 * encrypted to avoid overwriting it.
1319 if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
1321 EVP_CIPHER_CTX_free(ctx);
1325 EVP_CIPHER_CTX_free(ctx);
1327 * Need binary mode for fopen because encrypted data is
1328 * binary data. Also cannot use strlen() on it because
1329 * it won't be NUL terminated and may contain embedded
1332 out = fopen(outfile, "wb");
1337 fwrite(outbuf, 1, outlen, out);
1342 The ciphertext from the above example can be decrypted using the B<openssl>
1343 utility with the command line (shown on two lines for clarity):
1346 -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
1348 General encryption and decryption function example using FILE I/O and AES128
1351 int do_crypt(FILE *in, FILE *out, int do_encrypt)
1353 /* Allow enough space in output buffer for additional block */
1354 unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
1356 EVP_CIPHER_CTX *ctx;
1358 * Bogus key and IV: we'd normally set these from
1361 unsigned char key[] = "0123456789abcdeF";
1362 unsigned char iv[] = "1234567887654321";
1364 /* Don't set key or IV right away; we want to check lengths */
1365 ctx = EVP_CIPHER_CTX_new();
1366 EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL,
1368 OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
1369 OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
1371 /* Now we can set key and IV */
1372 EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL);
1375 inlen = fread(inbuf, 1, 1024, in);
1378 if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
1380 EVP_CIPHER_CTX_free(ctx);
1383 fwrite(outbuf, 1, outlen, out);
1385 if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
1387 EVP_CIPHER_CTX_free(ctx);
1390 fwrite(outbuf, 1, outlen, out);
1392 EVP_CIPHER_CTX_free(ctx);
1396 Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
1398 int encrypt(const unsigned char *key, const unsigned char *iv,
1399 const unsigned char *msg, size_t msg_len, unsigned char *out)
1402 * This assumes that key size is 32 bytes and the iv is 16 bytes.
1403 * For ciphertext stealing mode the length of the ciphertext "out" will be
1404 * the same size as the plaintext size "msg_len".
1405 * The "msg_len" can be any size >= 16.
1407 int ret = 0, encrypt = 1, outlen, len;
1408 EVP_CIPHER_CTX *ctx = NULL;
1409 EVP_CIPHER *cipher = NULL;
1410 OSSL_PARAM params[2];
1412 ctx = EVP_CIPHER_CTX_new();
1413 cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL);
1414 if (ctx == NULL || cipher == NULL)
1418 * The default is "CS1" so this is not really needed,
1419 * but would be needed to set either "CS2" or "CS3".
1421 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE,
1423 params[1] = OSSL_PARAM_construct_end();
1425 if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params))
1428 /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */
1429 if (!EVP_CipherUpdate(ctx, encrypted, &outlen, msg, msglen))
1431 if (!EVP_CipherFinal_ex(ctx, encrypted + outlen, &len))
1435 EVP_CIPHER_free(cipher);
1436 EVP_CIPHER_CTX_free(ctx);
1444 Supported ciphers are listed in:
1446 L<EVP_aes_128_gcm(3)>,
1447 L<EVP_aria_128_gcm(3)>,
1449 L<EVP_camellia_128_ecb(3)>,
1450 L<EVP_cast5_cbc(3)>,
1457 L<EVP_rc5_32_12_16_cbc(3)>,
1463 Support for OCB mode was added in OpenSSL 1.1.0.
1465 B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0. As a result,
1466 EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
1467 disappeared. EVP_CIPHER_CTX_init() remains as an alias for
1468 EVP_CIPHER_CTX_reset().
1470 The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use
1471 EVP_CIPHER_CTX_get0_cipher() instead.
1473 The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
1474 EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
1475 EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(),
1476 EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
1477 EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
1478 EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),
1479 EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params()
1480 functions were added in 3.0.
1484 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
1486 Licensed under the Apache License 2.0 (the "License"). You may not use
1487 this file except in compliance with the License. You can obtain a copy
1488 in the file LICENSE in the source distribution or at
1489 L<https://www.openssl.org/source/license.html>.