23 EVP_CIPHER_CTX_set_key_length,
37 EVP_CIPHER_description,
39 EVP_CIPHER_names_do_all,
42 EVP_CIPHER_get_params,
43 EVP_CIPHER_gettable_params,
44 EVP_CIPHER_block_size,
45 EVP_CIPHER_key_length,
50 EVP_CIPHER_CTX_cipher,
51 EVP_CIPHER_CTX_get0_cipher,
52 EVP_CIPHER_CTX_get1_cipher,
55 EVP_CIPHER_CTX_get_params,
56 EVP_CIPHER_gettable_ctx_params,
57 EVP_CIPHER_CTX_gettable_params,
58 EVP_CIPHER_CTX_set_params,
59 EVP_CIPHER_settable_ctx_params,
60 EVP_CIPHER_CTX_settable_params,
61 EVP_CIPHER_CTX_block_size,
62 EVP_CIPHER_CTX_key_length,
63 EVP_CIPHER_CTX_iv_length,
64 EVP_CIPHER_CTX_tag_length,
65 EVP_CIPHER_CTX_get_app_data,
66 EVP_CIPHER_CTX_set_app_data,
69 EVP_CIPHER_CTX_set_flags,
70 EVP_CIPHER_CTX_clear_flags,
71 EVP_CIPHER_CTX_test_flags,
73 EVP_CIPHER_param_to_asn1,
74 EVP_CIPHER_asn1_to_param,
75 EVP_CIPHER_CTX_set_padding,
77 EVP_CIPHER_do_all_provided
84 #include <openssl/evp.h>
86 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
87 const char *properties);
88 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher);
89 void EVP_CIPHER_free(EVP_CIPHER *cipher);
90 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
91 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
92 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
94 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
95 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
96 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
97 const unsigned char *key, const unsigned char *iv,
98 const OSSL_PARAM params[]);
99 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
100 int *outl, const unsigned char *in, int inl);
101 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
103 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
104 ENGINE *impl, const unsigned char *key, const unsigned char *iv);
105 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
106 const unsigned char *key, const unsigned char *iv,
107 const OSSL_PARAM params[]);
108 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
109 int *outl, const unsigned char *in, int inl);
110 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
112 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
113 ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
114 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
115 const unsigned char *key, const unsigned char *iv,
116 int enc, const OSSL_PARAM params[]);
117 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
118 int *outl, const unsigned char *in, int inl);
119 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
121 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
122 const unsigned char *key, const unsigned char *iv);
123 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
125 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
126 const unsigned char *key, const unsigned char *iv);
127 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
129 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
130 const unsigned char *key, const unsigned char *iv, int enc);
131 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
133 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
134 const unsigned char *in, unsigned int inl);
136 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
137 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
138 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2);
139 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
140 void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
141 void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
142 int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
144 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
145 const EVP_CIPHER *EVP_get_cipherbynid(int nid);
146 const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a);
148 int EVP_CIPHER_nid(const EVP_CIPHER *e);
149 int EVP_CIPHER_number(const EVP_CIPHER *e);
150 int EVP_CIPHER_is_a(const EVP_CIPHER *cipher, const char *name);
151 int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher,
152 void (*fn)(const char *name, void *data),
154 const char *EVP_CIPHER_name(const EVP_CIPHER *cipher);
155 const char *EVP_CIPHER_description(const EVP_CIPHER *cipher);
156 const OSSL_PROVIDER *EVP_CIPHER_provider(const EVP_CIPHER *cipher);
157 int EVP_CIPHER_block_size(const EVP_CIPHER *e);
158 int EVP_CIPHER_key_length(const EVP_CIPHER *e);
159 int EVP_CIPHER_iv_length(const EVP_CIPHER *e);
160 unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e);
161 unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e);
162 int EVP_CIPHER_type(const EVP_CIPHER *cipher);
164 const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx);
165 EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx);
166 int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
167 const char *EVP_CIPHER_CTX_name(const EVP_CIPHER_CTX *ctx);
169 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]);
170 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]);
171 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]);
172 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher);
173 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher);
174 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher);
175 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *ctx);
176 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *ctx);
177 int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
178 int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
179 int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
180 int EVP_CIPHER_CTX_tag_length(const EVP_CIPHER_CTX *ctx);
181 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
182 void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data);
183 int EVP_CIPHER_CTX_type(const EVP_CIPHER_CTX *ctx);
184 int EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx);
186 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
187 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
189 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
190 void (*fn)(EVP_CIPHER *cipher, void *arg),
193 Deprecated since OpenSSL 3.0, can be hidden entirely by defining
194 B<OPENSSL_API_COMPAT> with a suitable version value, see
195 L<openssl_user_macros(7)>:
197 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
201 The EVP cipher routines are a high-level interface to certain
204 The B<EVP_CIPHER> type is a structure for cipher method implementation.
208 =item EVP_CIPHER_fetch()
210 Fetches the cipher implementation for the given I<algorithm> from any provider
211 offering it, within the criteria given by the I<properties>.
212 See L<crypto(7)/ALGORITHM FETCHING> for further information.
214 The returned value must eventually be freed with EVP_CIPHER_free().
216 Fetched B<EVP_CIPHER> structures are reference counted.
218 =item EVP_CIPHER_up_ref()
220 Increments the reference count for an B<EVP_CIPHER> structure.
222 =item EVP_CIPHER_free()
224 Decrements the reference count for the fetched B<EVP_CIPHER> structure.
225 If the reference count drops to 0 then the structure is freed.
227 =item EVP_CIPHER_CTX_new()
229 Allocates and returns a cipher context.
231 =item EVP_CIPHER_CTX_free()
233 Clears all information from a cipher context and frees any allocated memory
234 associated with it, including I<ctx> itself. This function should be called after
235 all operations using a cipher are complete so sensitive information does not
238 =item EVP_CIPHER_CTX_ctrl()
240 I<This is a legacy method.> EVP_CIPHER_CTX_set_params() and
241 EVP_CIPHER_CTX_get_params() is the mechanism that should be used to set and get
242 parameters that are used by providers.
244 Performs cipher-specific control actions on context I<ctx>. The control command
245 is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>.
246 EVP_CIPHER_CTX_ctrl() must be called after EVP_CipherInit_ex2(). Other restrictions
247 may apply depending on the control type and cipher implementation.
249 If this function happens to be used with a fetched B<EVP_CIPHER>, it will
250 translate the controls that are known to OpenSSL into L<OSSL_PARAM(3)>
251 parameters with keys defined by OpenSSL and call EVP_CIPHER_CTX_get_params() or
252 EVP_CIPHER_CTX_set_params() as is appropriate for each control command.
254 See L</CONTROLS> below for more information, including what translations are
257 =item EVP_CIPHER_get_params()
259 Retrieves the requested list of algorithm I<params> from a CIPHER I<cipher>.
260 See L</PARAMETERS> below for more information.
262 =item EVP_CIPHER_CTX_get_params()
264 Retrieves the requested list of I<params> from CIPHER context I<ctx>.
265 See L</PARAMETERS> below for more information.
267 =item EVP_CIPHER_CTX_set_params()
269 Sets the list of I<params> into a CIPHER context I<ctx>.
270 See L</PARAMETERS> below for more information.
272 =item EVP_CIPHER_gettable_params()
274 Get a constant B<OSSL_PARAM> array that describes the retrievable parameters
275 that can be used with EVP_CIPHER_get_params(). See L<OSSL_PARAM(3)> for the
276 use of B<OSSL_PARAM> as a parameter descriptor.
278 =item EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params()
280 Get a constant B<OSSL_PARAM> array that describes the retrievable parameters
281 that can be used with EVP_CIPHER_CTX_get_params().
282 EVP_CIPHER_gettable_ctx_params() returns the parameters that can be retrieved
283 from the algorithm, whereas EVP_CIPHER_CTX_gettable_params() returns the
284 parameters that can be retrieved in the context's current state.
285 See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor.
287 =item EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()
289 Get a constant B<OSSL_PARAM> array that describes the settable parameters
290 that can be used with EVP_CIPHER_CTX_set_params().
291 EVP_CIPHER_settable_ctx_params() returns the parameters that can be set from the
292 algorithm, whereas EVP_CIPHER_CTX_settable_params() returns the parameters that
293 can be set in the context's current state.
294 See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as a parameter descriptor.
296 =item EVP_EncryptInit_ex2()
298 Sets up cipher context I<ctx> for encryption with cipher I<type>. I<type> is
299 typically supplied by calling EVP_CIPHER_fetch(). I<type> may also be set
300 using legacy functions such as EVP_aes_256_cbc(), but this is not recommended
301 for new applications. I<key> is the symmetric key to use and I<iv> is the IV to
302 use (if necessary), the actual number of bytes used for the key and IV depends
303 on the cipher. The parameters I<params> will be set on the context after
304 initialisation. It is possible to set all parameters to NULL except I<type> in
305 an initial call and supply the remaining parameters in subsequent calls, all of
306 which have I<type> set to NULL. This is done when the default cipher parameters
308 For B<EVP_CIPH_GCM_MODE> the IV will be generated internally if it is not
311 =item EVP_EncryptInit_ex()
313 This legacy function is similar to EVP_EncryptInit_ex2() when I<impl> is NULL.
314 The implementation of the I<type> from the I<impl> engine will be used if it
317 =item EVP_EncryptUpdate()
319 Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
320 I<out>. This function can be called multiple times to encrypt successive blocks
321 of data. The amount of data written depends on the block alignment of the
323 For most ciphers and modes, the amount of data written can be anything
324 from zero bytes to (inl + cipher_block_size - 1) bytes.
325 For wrap cipher modes, the amount of data written can be anything
326 from zero bytes to (inl + cipher_block_size) bytes.
327 For stream ciphers, the amount of data written can be anything from zero
329 Thus, I<out> should contain sufficient room for the operation being performed.
330 The actual number of bytes written is placed in I<outl>. It also
331 checks if I<in> and I<out> are partially overlapping, and if they are
332 0 is returned to indicate failure.
334 If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
335 the "final" data, that is any data that remains in a partial block.
336 It uses standard block padding (aka PKCS padding) as described in
337 the NOTES section, below. The encrypted
338 final data is written to I<out> which should have sufficient space for
339 one cipher block. The number of bytes written is placed in I<outl>. After
340 this function is called the encryption operation is finished and no further
341 calls to EVP_EncryptUpdate() should be made.
343 If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
344 data and it will return an error if any data remains in a partial block:
345 that is if the total data length is not a multiple of the block size.
347 =item EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate()
348 and EVP_DecryptFinal_ex()
350 These functions are the corresponding decryption operations.
351 EVP_DecryptFinal() will return an error code if padding is enabled and the
352 final block is not correctly formatted. The parameters and restrictions are
353 identical to the encryption operations except that if padding is enabled the
354 decrypted data buffer I<out> passed to EVP_DecryptUpdate() should have
355 sufficient room for (I<inl> + cipher_block_size) bytes unless the cipher block
356 size is 1 in which case I<inl> bytes is sufficient.
358 =item EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and
361 These functions can be used for decryption or encryption. The operation
362 performed depends on the value of the I<enc> parameter. It should be set to 1
363 for encryption, 0 for decryption and -1 to leave the value unchanged
364 (the actual value of 'enc' being supplied in a previous call).
366 =item EVP_CIPHER_CTX_reset()
368 Clears all information from a cipher context and free up any allocated memory
369 associated with it, except the I<ctx> itself. This function should be called
370 anytime I<ctx> is reused by another
371 EVP_CipherInit() / EVP_CipherUpdate() / EVP_CipherFinal() series of calls.
373 =item EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit()
375 Behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex() and
376 EVP_CipherInit_ex() except if the I<type> is not a fetched cipher they use the
377 default implementation of the I<type>.
379 =item EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal()
381 Identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
382 EVP_CipherFinal_ex(). In previous releases they also cleaned up
383 the I<ctx>, but this is no longer done and EVP_CIPHER_CTX_cleanup()
384 must be called to free any context resources.
388 Encrypts or decrypts a maximum I<inl> amount of bytes from I<in> and leaves the
391 For legacy ciphers - If the cipher doesn't have the flag
392 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set, then I<inl> must be a multiple of
393 EVP_CIPHER_block_size(). If it isn't, the result is undefined. If the cipher
394 has that flag set, then I<inl> can be any size.
396 Due to the constraints of the API contract of this function it shouldn't be used
397 in applications, please consider using EVP_CipherUpdate() and
398 EVP_CipherFinal_ex() instead.
400 =item EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
402 Return an EVP_CIPHER structure when passed a cipher name, a NID or an
403 ASN1_OBJECT structure.
405 =item EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid()
407 Return the NID of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
408 structure. The actual NID value is an internal value which may not have a
409 corresponding OBJECT IDENTIFIER.
411 =item EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags()
413 Sets, clears and tests I<ctx> flags. See L</FLAGS> below for more information.
415 For provided ciphers EVP_CIPHER_CTX_set_flags() should be called only after the
416 fetched cipher has been assigned to the I<ctx>. It is recommended to use
417 L</PARAMETERS> instead.
419 =item EVP_CIPHER_CTX_set_padding()
421 Enables or disables padding. This function should be called after the context
422 is set up for encryption or decryption with EVP_EncryptInit_ex2(),
423 EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(). By default encryption operations
424 are padded using standard block padding and the padding is checked and removed
425 when decrypting. If the I<pad> parameter is zero then no padding is
426 performed, the total amount of data encrypted or decrypted must then
427 be a multiple of the block size or an error will occur.
429 =item EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length()
431 Return the key length of a cipher when passed an B<EVP_CIPHER> or
432 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum
433 key length for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for
434 a given cipher, the value of EVP_CIPHER_CTX_key_length() may be different for
435 variable key length ciphers.
437 =item EVP_CIPHER_CTX_set_key_length()
439 Sets the key length of the cipher context.
440 If the cipher is a fixed length cipher then attempting to set the key
441 length to any value other than the fixed value is an error.
443 =item EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length()
445 Return the IV length of a cipher when passed an B<EVP_CIPHER> or
446 B<EVP_CIPHER_CTX>. It will return zero if the cipher does not use an IV.
447 The constant B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
449 =item EVP_CIPHER_CTX_tag_length()
451 Returns the tag length of an AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will
452 return zero if the cipher does not support a tag. It returns a default value if
453 the tag length has not been set.
455 =item EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size()
457 Return the block size of a cipher when passed an B<EVP_CIPHER> or
458 B<EVP_CIPHER_CTX> structure. The constant B<EVP_MAX_BLOCK_LENGTH> is also the
459 maximum block length for all ciphers.
461 =item EVP_CIPHER_type() and EVP_CIPHER_CTX_type()
463 Return the type of the passed cipher or context. This "type" is the actual NID
464 of the cipher OBJECT IDENTIFIER and as such it ignores the cipher parameters
465 (40 bit RC2 and 128 bit RC2 have the same NID). If the cipher does not have an
466 object identifier or does not have ASN1 support this function will return
469 =item EVP_CIPHER_is_a()
471 Returns 1 if I<cipher> is an implementation of an algorithm that's identifiable
472 with I<name>, otherwise 0. If I<cipher> is a legacy cipher (it's the return
473 value from the likes of EVP_aes128() rather than the result of an
474 EVP_CIPHER_fetch()), only cipher names registered with the default library
475 context (see L<OSSL_LIB_CTX(3)>) will be considered.
477 =item EVP_CIPHER_number()
479 Returns the internal dynamic number assigned to the I<cipher>. This is only
480 useful with fetched B<EVP_CIPHER>s.
482 =item EVP_CIPHER_name() and EVP_CIPHER_CTX_name()
484 Return the name of the passed cipher or context. For fetched ciphers with
485 multiple names, only one of them is returned. See also EVP_CIPHER_names_do_all().
487 =item EVP_CIPHER_names_do_all()
489 Traverses all names for the I<cipher>, and calls I<fn> with each name and
490 I<data>. This is only useful with fetched B<EVP_CIPHER>s.
492 =item EVP_CIPHER_description()
494 Returns a description of the cipher, meant for display and human consumption.
495 The description is at the discretion of the cipher implementation.
497 =item EVP_CIPHER_provider()
499 Returns an B<OSSL_PROVIDER> pointer to the provider that implements the given
502 =item EVP_CIPHER_CTX_get0_cipher()
504 Returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure.
505 EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to
508 =item EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode()
510 Return the block cipher mode:
511 EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
512 EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
513 EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE.
514 If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned.
516 =item EVP_CIPHER_flags()
518 Returns any flags associated with the cipher. See L</FLAGS>
519 for a list of currently defined flags.
521 =item EVP_CIPHER_param_to_asn1()
523 Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will
524 typically include any parameters and an IV. The cipher IV (if any) must be set
525 when this call is made. This call should be made before the cipher is actually
526 "used" (before any EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example).
527 This function may fail if the cipher does not have any ASN1 support.
529 =item EVP_CIPHER_asn1_to_param()
531 Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter".
532 The precise effect depends on the cipher. In the case of B<RC2>, for example,
533 it will set the IV and effective key length.
534 This function should be called after the base cipher type is set but before
535 the key is set. For example EVP_CipherInit() will be called with the IV and
536 key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
537 EVP_CipherInit() again with all parameters except the key set to NULL. It is
538 possible for this function to fail if the cipher does not have any ASN1 support
539 or the parameters cannot be set (for example the RC2 effective key length
542 =item EVP_CIPHER_CTX_rand_key()
544 Generates a random key of the appropriate length based on the cipher context.
545 The B<EVP_CIPHER> can provide its own random key generation routine to support
546 keys of a specific form. I<key> must point to a buffer at least as big as the
547 value returned by EVP_CIPHER_CTX_key_length().
549 =item EVP_CIPHER_do_all_provided()
551 Traverses all ciphers implemented by all activated providers in the given
552 library context I<libctx>, and for each of the implementations, calls the given
553 function I<fn> with the implementation method and the given I<arg> as argument.
559 See L<OSSL_PARAM(3)> for information about passing parameters.
561 =head2 Gettable EVP_CIPHER parameters
563 When EVP_CIPHER_fetch() is called it internally calls EVP_CIPHER_get_params()
564 and caches the results.
566 EVP_CIPHER_get_params() can be used with the following B<OSSL_PARAM> keys:
570 =item "mode" (B<OSSL_CIPHER_PARAM_MODE>) <unsigned integer>
572 Gets the mode for the associated cipher algorithm I<cipher>.
573 See L</EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode()> for a list of valid modes.
574 Use EVP_CIPHER_mode() to retrieve the cached value.
576 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
578 Gets the key length for the associated cipher algorithm I<cipher>.
579 Use EVP_CIPHER_key_length() to retrieve the cached value.
581 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>) <unsigned integer>
583 Gets the IV length for the associated cipher algorithm I<cipher>.
584 Use EVP_CIPHER_iv_length() to retrieve the cached value.
586 =item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer>
588 Gets the block size for the associated cipher algorithm I<cipher>.
589 The block size should be 1 for stream ciphers.
590 Note that the block size for a cipher may be different to the block size for
591 the underlying encryption/decryption primitive.
592 For example AES in CTR mode has a block size of 1 (because it operates like a
593 stream cipher), even though AES has a block size of 16.
594 Use EVP_CIPHER_block_size() to retreive the cached value.
596 =item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
598 Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0.
599 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the
602 =item "custom-iv" (B<OSSL_CIPHER_PARAM_CUSTOM_IV>) <integer>
604 Gets 1 if the cipher algorithm I<cipher> has a custom IV, otherwise it gets 0.
605 Storing and initializing the IV is left entirely to the implementation, if a
607 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the
610 =item "cts" (B<OSSL_CIPHER_PARAM_CTS>) <integer>
612 Gets 1 if the cipher algorithm I<cipher> uses ciphertext stealing,
614 This is currently used to indicate that the cipher is a one shot that only
615 allows a single call to EVP_CipherUpdate().
616 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the
619 =item "tls-multi" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK>) <integer>
621 Gets 1 if the cipher algorithm I<cipher> supports interleaving of crypto blocks,
622 otherwise it gets 0. The interleaving is an optimization only applicable to certain
624 Use (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the
629 =head2 Gettable and Settable EVP_CIPHER_CTX parameters
631 The following B<OSSL_PARAM> keys can be used with both EVP_CIPHER_CTX_get_params()
632 and EVP_CIPHER_CTX_set_params().
636 =item "padding" (B<OSSL_CIPHER_PARAM_PADDING>) <unsigned integer>
638 Gets or sets the padding mode for the cipher context I<ctx>.
639 Padding is enabled if the value is 1, and disabled if the value is 0.
640 See also EVP_CIPHER_CTX_set_padding().
642 =item "num" (B<OSSL_CIPHER_PARAM_NUM>) <unsigned integer>
644 Gets or sets the cipher specific "num" parameter for the cipher context I<ctx>.
645 Built-in ciphers typically use this to track how much of the current underlying
646 block has been "used" already.
647 See also EVP_CIPHER_CTX_num() and EVP_CIPHER_CTX_set_num().
649 =item "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>) <unsigned integer>
651 Gets or sets the key length for the cipher context I<ctx>.
652 The length of the "keylen" parameter should not exceed that of a B<size_t>.
653 See also EVP_CIPHER_CTX_key_length() and EVP_CIPHER_CTX_set_key_length().
655 =item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string>
657 Gets or sets the AEAD tag for the associated cipher context I<ctx>.
658 See L<EVP_EncryptInit(3)/AEAD Interface>.
660 =item "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>) <unsigned integer>
662 Gets or sets the effective keybits used for a RC2 cipher.
663 The length of the "keybits" parameter should not exceed that of a B<size_t>.
665 =item "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>) <unsigned integer>
667 Gets or sets the number of rounds to be used for a cipher.
668 This is used by the RC5 cipher.
670 =item "alg_id_param" (B<OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS>) <octet string>
672 Used to pass the DER encoded AlgorithmIdentifier parameter to or from
673 the cipher implementation. Functions like L<EVP_CIPHER_param_to_asn1(3)>
674 and L<EVP_CIPHER_asn1_to_param(3)> use this parameter for any implementation
675 that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
677 =item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
679 Gets or sets the cipher text stealing mode. For all modes the output size is the
680 same as the input size.
682 Valid values for the mode are:
688 The NIST variant of cipher text stealing.
689 For message lengths that are multiples of the block size it is equivalent to
690 using a "AES-CBC" cipher otherwise the second last cipher text block is a
695 For message lengths that are multiples of the block size it is equivalent to
696 using a "AES-CBC" cipher, otherwise it is the same as "CS3".
700 The Kerberos5 variant of cipher text stealing which always swaps the last
701 cipher text block with the previous block (which may be a partial or full block
702 depending on the input length).
706 The default is "CS1".
707 This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
709 =item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>
711 Sets or gets the number of records being sent in one go for a tls1 multiblock
712 cipher operation (either 4 or 8 records).
716 =head2 Gettable EVP_CIPHER_CTX parameters
718 The following B<OSSL_PARAM> keys can be used with EVP_CIPHER_CTX_get_params():
722 =item "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN> and <B<OSSL_CIPHER_PARAM_AEAD_IVLEN>) <unsigned integer>
724 Gets the IV length for the cipher context I<ctx>.
725 The length of the "ivlen" parameter should not exceed that of a B<size_t>.
726 See also EVP_CIPHER_CTX_iv_length().
728 =item "iv" (B<OSSL_CIPHER_PARAM_IV>) <octet string OR octet ptr>
730 Gets the IV used to initialize the associated cipher context I<ctx>.
731 See also EVP_CIPHER_CTX_get_original_iv().
733 =item "updated-iv" (B<OSSL_CIPHER_PARAM_UPDATED_IV>) <octet string OR octet ptr>
735 Gets the updated pseudo-IV state for the associated cipher context, e.g.,
736 the previous ciphertext block for CBC mode or the iteratively encrypted IV
737 value for OFB mode. Note that octet pointer access is deprecated and is
738 provided only for backwards compatibility with historical libcrypto APIs.
739 See also EVP_CIPHER_CTX_get_updated_iv().
741 =item "randkey" (B<OSSL_CIPHER_PARAM_RANDOM_KEY>) <octet string>
743 Gets an implementation specific randomly generated key for the associated
744 cipher context I<ctx>. This is currently only supported by DES and 3DES (which set
745 the key to odd parity).
747 =item "taglen" (B<OSSL_CIPHER_PARAM_AEAD_TAGLEN>) <unsigned integer>
749 Gets the tag length to be used for an AEAD cipher for the associated cipher
750 context I<ctx>. It gets a default value if it has not been set.
751 The length of the "taglen" parameter should not exceed that of a B<size_t>.
752 See also EVP_CIPHER_CTX_tag_length().
754 =item "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>) <unsigned integer>
756 Gets the length of the tag that will be added to a TLS record for the AEAD
757 tag for the associated cipher context I<ctx>.
758 The length of the "tlsaadpad" parameter should not exceed that of a B<size_t>.
760 =item "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>) <octet string>
762 Gets the invocation field generated for encryption.
763 Can only be called after "tlsivfixed" is set.
764 This is only used for GCM mode.
766 =item "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>) <unsigned integer>
768 Get the total length of the record returned from the "tls1multi_enc" operation.
770 =item "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>) <unsigned integer>
772 Gets the maximum record length for a TLS1 multiblock cipher operation.
773 The length of the "tls1multi_maxbufsz" parameter should not exceed that of a B<size_t>.
775 =item "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) <unsigned integer>
777 Gets the result of running the "tls1multi_aad" operation.
779 =item "tls-mac" (B<OSSL_CIPHER_PARAM_TLS_MAC>) <octet ptr>
781 Used to pass the TLS MAC data.
785 =head2 Settable EVP_CIPHER_CTX parameters
787 The following B<OSSL_PARAM> keys can be used with EVP_CIPHER_CTX_set_params():
791 =item "mackey" (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>) <octet string>
793 Sets the MAC key used by composite AEAD ciphers such as AES-CBC-HMAC-SHA256.
795 =item "speed" (B<OSSL_CIPHER_PARAM_SPEED>) <unsigned integer>
797 Sets the speed option for the associated cipher context. This is only supported
798 by AES SIV ciphers which disallow multiple operations by default.
799 Setting "speed" to 1 allows another encrypt or decrypt operation to be
800 performed. This is used for performance testing.
802 =item "use-bits" (B<OSSL_CIPHER_PARAM_USE_BITS>) <unsigned integer>
804 Determines if the input length I<inl> passed to EVP_EncryptUpdate(),
805 EVP_DecryptUpdate() and EVP_CipherUpdate() is the number of bits or number of bytes.
806 Setting "use-bits" to 1 uses bits. The default is in bytes.
807 This is only used for B<CFB1> ciphers.
809 This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS).
811 =item "tls-version" (B<OSSL_CIPHER_PARAM_TLS_VERSION>) <integer>
813 Sets the TLS version.
815 =item "tls-mac-size" (B<OSSL_CIPHER_PARAM_TLS_MAC_SIZE>) <unsigned integer>
817 Set the TLS MAC size.
819 =item "tlsaad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>) <octet string>
821 Sets TLSv1.2 AAD information for the associated cipher context I<ctx>.
822 TLSv1.2 AAD information is always 13 bytes in length and is as defined for the
823 "additional_data" field described in section 6.2.3.3 of RFC5246.
825 =item "tlsivfixed" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>) <octet string>
827 Sets the fixed portion of an IV for an AEAD cipher used in a TLS record
828 encryption/ decryption for the associated cipher context.
829 TLS record encryption/decryption always occurs "in place" so that the input and
830 output buffers are always the same memory location.
831 AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part
832 that varies with every record.
833 Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records.
834 TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
836 For a record decryption the first bytes of the input buffer will be the explicit
837 part of the IV and the final bytes of the input buffer will be the AEAD tag.
838 The length of the explicit part of the IV and the tag length will depend on the
839 cipher in use and will be defined in the RFC for the relevant ciphersuite.
840 In order to allow for "in place" decryption the plaintext output should be
841 written to the same location in the output buffer that the ciphertext payload
842 was read from, i.e. immediately after the explicit IV.
844 When encrypting a record the first bytes of the input buffer should be empty to
845 allow space for the explicit IV, as will the final bytes where the tag will
847 The length of the input buffer will include the length of the explicit IV, the
848 payload, and the tag bytes.
849 The cipher implementation should generate the explicit IV and write it to the
850 beginning of the output buffer, do "in place" encryption of the payload and
851 write that to the output buffer, and finally add the tag onto the end of the
854 Whether encrypting or decrypting the value written to I<*outl> in the
855 OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit
856 IV length and the tag length.
858 =item "tlsivinv" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>) <octet string>
860 Sets the invocation field used for decryption.
861 Can only be called after "tlsivfixed" is set.
862 This is only used for GCM mode.
864 =item "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>) <octet string>
866 Triggers a multiblock TLS1 encrypt operation for a TLS1 aware cipher that
867 supports sending 4 or 8 records in one go.
868 The cipher performs both the MAC and encrypt stages and constructs the record
870 "tls1multi_enc" supplies the output buffer for the encrypt operation,
871 "tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply
872 values to the encrypt operation.
874 =item "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) <octet string>
876 Supplies the data to encrypt for a TLS1 multiblock cipher operation.
878 =item "tls1multi_maxsndfrag" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT>) <unsigned integer>
880 Sets the maximum send fragment size for a TLS1 multiblock cipher operation.
881 It must be set before using "tls1multi_maxbufsz".
882 The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a B<size_t>.
884 =item "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) <octet string>
886 Sets the authenticated additional data used by a TLS1 multiblock cipher operation.
887 The supplied data consists of 13 bytes of record data containing:
888 Bytes 0-7: The sequence number of the first record
889 Byte 8: The record type
890 Byte 9-10: The protocol version
891 Byte 11-12: Input length (Always 0)
893 "tls1multi_interleave" must also be set for this operation.
899 The Mappings from EVP_CIPHER_CTX_ctrl() identifiers to PARAMETERS are listed
900 in the following section. See the L</PARAMETERS> section for more details.
902 EVP_CIPHER_CTX_ctrl() can be used to send the following standard controls:
906 =item EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN
908 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
909 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
910 key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>).
912 =item EVP_CTRL_AEAD_SET_IV_FIXED
914 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
915 with an L<OSSL_PARAM(3)> item with the key "tlsivfixed"
916 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED>).
918 =item EVP_CTRL_AEAD_SET_MAC_KEY
920 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
921 with an L<OSSL_PARAM(3)> item with the key "mackey"
922 (B<OSSL_CIPHER_PARAM_AEAD_MAC_KEY>).
924 =item EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG
926 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
927 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
928 key "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>).
930 =item EVP_CTRL_CCM_SET_L
932 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
933 with an L<OSSL_PARAM(3)> item with the key "ivlen" (B<OSSL_CIPHER_PARAM_IVLEN>)
934 with a value of (15 - L)
938 There is no OSSL_PARAM mapping for this. Use EVP_CIPHER_CTX_copy() instead.
940 =item EVP_CTRL_GCM_SET_IV_INV
942 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
943 with an L<OSSL_PARAM(3)> item with the key "tlsivinv"
944 (B<OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV>).
946 =item EVP_CTRL_RAND_KEY
948 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
949 with an L<OSSL_PARAM(3)> item with the key "randkey"
950 (B<OSSL_CIPHER_PARAM_RANDOM_KEY>).
952 =item EVP_CTRL_SET_KEY_LENGTH
954 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
955 with an L<OSSL_PARAM(3)> item with the key "keylen" (B<OSSL_CIPHER_PARAM_KEYLEN>).
957 =item EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS
959 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
960 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
961 key "keybits" (B<OSSL_CIPHER_PARAM_RC2_KEYBITS>).
963 =item EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS
965 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() and
966 EVP_CIPHER_CTX_get_params() get called with an L<OSSL_PARAM(3)> item with the
967 key "rounds" (B<OSSL_CIPHER_PARAM_ROUNDS>).
969 =item EVP_CTRL_SET_SPEED
971 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
972 with an L<OSSL_PARAM(3)> item with the key "speed" (B<OSSL_CIPHER_PARAM_SPEED>).
974 =item EVP_CTRL_GCM_IV_GEN
976 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_get_params() gets called
977 with an L<OSSL_PARAM(3)> item with the key
978 "tlsivgen" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN>).
980 =item EVP_CTRL_AEAD_TLS1_AAD
982 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() get called
983 with an L<OSSL_PARAM(3)> item with the key
984 "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD>)
985 followed by EVP_CIPHER_CTX_get_params() with a key of
986 "tlsaadpad" (B<OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD>).
988 =item EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE
990 When used with a fetched B<EVP_CIPHER>,
991 EVP_CIPHER_CTX_set_params() gets called with an L<OSSL_PARAM(3)> item with the
992 key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT
993 followed by EVP_CIPHER_CTX_get_params() with a key of
994 "tls1multi_maxbufsz" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE>).
996 =item EVP_CTRL_TLS1_1_MULTIBLOCK_AAD
998 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
999 with L<OSSL_PARAM(3)> items with the keys
1000 "tls1multi_aad" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD>) and
1001 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>)
1002 followed by EVP_CIPHER_CTX_get_params() with keys of
1003 "tls1multi_aadpacklen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN>) and
1004 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>).
1006 =item EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT
1008 When used with a fetched B<EVP_CIPHER>, EVP_CIPHER_CTX_set_params() gets called
1009 with L<OSSL_PARAM(3)> items with the keys
1010 "tls1multi_enc" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC>),
1011 "tls1multi_encin" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN>) and
1012 "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>),
1013 followed by EVP_CIPHER_CTX_get_params() with a key of
1014 "tls1multi_enclen" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN>).
1020 EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags().
1021 can be used to manipulate and test these B<EVP_CIPHER_CTX> flags:
1025 =item EVP_CIPH_NO_PADDING
1027 Used by EVP_CIPHER_CTX_set_padding().
1029 See also L</Gettable and Settable EVP_CIPHER_CTX parameters> "padding"
1031 =item EVP_CIPH_FLAG_LENGTH_BITS
1033 See L</Settable EVP_CIPHER_CTX parameters> "use-bits".
1035 =item EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
1037 Used for Legacy purposes only. This flag needed to be set to indicate the
1038 cipher handled wrapping.
1042 EVP_CIPHER_flags() uses the following flags that
1043 have mappings to L</Gettable EVP_CIPHER parameters>:
1047 =item EVP_CIPH_FLAG_AEAD_CIPHER
1049 See L</Gettable EVP_CIPHER parameters> "aead".
1051 =item EVP_CIPH_CUSTOM_IV
1053 See L</Gettable EVP_CIPHER parameters> "custom-iv".
1055 =item EVP_CIPH_FLAG_CTS
1057 See L</Gettable EVP_CIPHER parameters> "cts".
1059 =item EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;
1061 See L</Gettable EVP_CIPHER parameters> "tls-multi".
1065 EVP_CIPHER_flags() uses the following flags for legacy purposes only:
1069 =item EVP_CIPH_VARIABLE_LENGTH
1071 =item EVP_CIPH_FLAG_CUSTOM_CIPHER
1073 =item EVP_CIPH_ALWAYS_CALL_INIT
1075 =item EVP_CIPH_CTRL_INIT
1077 =item EVP_CIPH_CUSTOM_KEY_LENGTH
1079 =item EVP_CIPH_RAND_KEY
1081 =item EVP_CIPH_CUSTOM_COPY
1083 =item EVP_CIPH_FLAG_DEFAULT_ASN1
1085 See L<EVP_CIPHER_meth_set_flags(3)> for further information related to the above
1090 =head1 RETURN VALUES
1092 EVP_CIPHER_fetch() returns a pointer to a B<EVP_CIPHER> for success
1093 and B<NULL> for failure.
1095 EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise.
1097 EVP_CIPHER_CTX_new() returns a pointer to a newly created
1098 B<EVP_CIPHER_CTX> for success and B<NULL> for failure.
1100 EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
1101 return 1 for success and 0 for failure.
1103 EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
1104 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
1106 EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
1107 EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
1109 EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
1110 on failure if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the
1111 cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag
1112 B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher.
1114 EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
1116 EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
1117 return an B<EVP_CIPHER> structure or NULL on error.
1119 EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
1121 EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
1124 EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
1127 EVP_CIPHER_CTX_set_padding() always returns 1.
1129 EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
1130 length or zero if the cipher does not use an IV.
1132 EVP_CIPHER_CTX_tag_length() return the tag length or zero if the cipher does not
1135 EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
1136 OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
1138 EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
1140 EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
1141 than zero for success and zero or a negative number on failure.
1143 EVP_CIPHER_CTX_rand_key() returns 1 for success.
1145 EVP_CIPHER_names_do_all() returns 1 if the callback was called for all names.
1146 A return value of 0 means that the callback was not called for any names.
1148 =head1 CIPHER LISTING
1150 All algorithms have a fixed key length unless otherwise stated.
1152 Refer to L</SEE ALSO> for the full list of ciphers available through the EVP
1157 =item EVP_enc_null()
1159 Null cipher: does nothing.
1163 =head1 AEAD INTERFACE
1165 The EVP interface for Authenticated Encryption with Associated Data (AEAD)
1166 modes are subtly altered and several additional I<ctrl> operations are supported
1167 depending on the mode specified.
1169 To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
1170 EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
1171 parameter I<out> set to B<NULL>.
1173 When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1174 indicates whether the operation was successful. If it does not indicate success,
1175 the authentication operation has failed and any output data B<MUST NOT> be used
1178 =head2 GCM and OCB Modes
1180 The following I<ctrl>s are supported in GCM and OCB modes.
1184 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1186 Sets the IV length. This call can only be made before specifying an IV. If
1187 not called a default IV length is used.
1189 For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the
1192 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1194 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1195 This call can only be made when encrypting data and B<after> all data has been
1196 processed (e.g. after an EVP_EncryptFinal() call).
1198 For OCB, C<taglen> must either be 16 or the value previously set via
1199 B<EVP_CTRL_AEAD_SET_TAG>.
1201 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1203 Sets the expected tag to C<taglen> bytes from C<tag>.
1204 The tag length can only be set before specifying an IV.
1205 C<taglen> must be between 1 and 16 inclusive.
1207 For GCM, this call is only valid when decrypting data.
1209 For OCB, this call is valid when decrypting data to set the expected tag,
1210 and before encryption to set the desired tag length.
1212 In OCB mode, calling this before encryption with C<tag> set to C<NULL> sets the
1213 tag length. If this is not called prior to encryption, a default tag length is
1216 For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the
1217 maximum tag length for OCB.
1223 The EVP interface for CCM mode is similar to that of the GCM mode but with a
1224 few additional requirements and different I<ctrl> values.
1226 For CCM mode, the total plaintext or ciphertext length B<MUST> be passed to
1227 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output
1228 and input parameters (I<in> and I<out>) set to B<NULL> and the length passed in
1229 the I<inl> parameter.
1231 The following I<ctrl>s are supported in CCM mode.
1235 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1237 This call is made to set the expected B<CCM> tag value when decrypting or
1238 the length of the tag (with the C<tag> parameter set to NULL) when encrypting.
1239 The tag length is often referred to as B<M>. If not set a default value is
1240 used (12 for AES). When decrypting, the tag needs to be set before passing
1241 in data to be decrypted, but as in GCM and OCB mode, it can be set after
1242 passing additional authenticated data (see L</AEAD INTERFACE>).
1244 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)
1246 Sets the CCM B<L> value. If not set a default is used (8 for AES).
1248 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1250 Sets the CCM nonce (IV) length. This call can only be made before specifying a
1251 nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
1258 For SIV mode ciphers the behaviour of the EVP interface is subtly
1259 altered and several additional ctrl operations are supported.
1261 To specify any additional authenticated data (AAD) and/or a Nonce, a call to
1262 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1263 with the output parameter I<out> set to B<NULL>.
1265 RFC5297 states that the Nonce is the last piece of AAD before the actual
1266 encrypt/decrypt takes place. The API does not differentiate the Nonce from
1269 When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal()
1270 indicates if the operation was successful. If it does not indicate success
1271 the authentication operation has failed and any output data B<MUST NOT>
1272 be used as it is corrupted.
1274 The following ctrls are supported in both SIV modes.
1278 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);
1280 Writes I<taglen> bytes of the tag value to the buffer indicated by I<tag>.
1281 This call can only be made when encrypting data and B<after> all data has been
1282 processed (e.g. after an EVP_EncryptFinal() call). For SIV mode the taglen must
1285 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);
1287 Sets the expected tag to I<taglen> bytes from I<tag>. This call is only legal
1288 when decrypting data and must be made B<before> any data is processed (e.g.
1289 before any EVP_DecryptUpdate() call). For SIV mode the taglen must be 16.
1293 SIV mode makes two passes over the input data, thus, only one call to
1294 EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made
1295 with I<out> set to a non-B<NULL> value. A call to EVP_Decrypt_Final() or
1296 EVP_CipherFinal() is not required, but will indicate if the update
1297 operation succeeded.
1299 =head2 ChaCha20-Poly1305
1301 The following I<ctrl>s are supported for the ChaCha20-Poly1305 AEAD algorithm.
1305 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
1307 Sets the nonce length. This call can only be made before specifying the nonce.
1308 If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
1309 nonce length is 12 bytes (i.e. 96-bits). If a nonce of less than 12 bytes is set
1310 then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
1313 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)
1315 Writes C<taglen> bytes of the tag value to the buffer indicated by C<tag>.
1316 This call can only be made when encrypting data and B<after> all data has been
1317 processed (e.g. after an EVP_EncryptFinal() call).
1319 C<taglen> specified here must be 16 (B<POLY1305_BLOCK_SIZE>, i.e. 128-bits) or
1322 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
1324 Sets the expected tag to C<taglen> bytes from C<tag>.
1325 The tag length can only be set before specifying an IV.
1326 C<taglen> must be between 1 and 16 (B<POLY1305_BLOCK_SIZE>) inclusive.
1327 This call is only valid when decrypting data.
1333 Where possible the B<EVP> interface to symmetric ciphers should be used in
1334 preference to the low-level interfaces. This is because the code then becomes
1335 transparent to the cipher used and much more flexible. Additionally, the
1336 B<EVP> interface will ensure the use of platform specific cryptographic
1337 acceleration such as AES-NI (the low-level interfaces do not provide the
1340 PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
1341 length of the encrypted data a multiple of the block size. Padding is always
1342 added so if the data is already a multiple of the block size B<n> will equal
1343 the block size. For example if the block size is 8 and 11 bytes are to be
1344 encrypted then 5 padding bytes of value 5 will be added.
1346 When decrypting the final block is checked to see if it has the correct form.
1348 Although the decryption operation can produce an error if padding is enabled,
1349 it is not a strong test that the input data or key is correct. A random block
1350 has better than 1 in 256 chance of being of the correct format and problems with
1351 the input data earlier on will not produce a final decrypt error.
1353 If padding is disabled then the decryption operation will always succeed if
1354 the total amount of data decrypted is a multiple of the block size.
1356 The functions EVP_EncryptInit(), EVP_EncryptInit_ex(),
1357 EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex(),
1358 EVP_CipherInit(), EVP_CipherInit_ex() and EVP_CipherFinal() are obsolete
1359 but are retained for compatibility with existing code. New code should
1360 use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(),
1361 EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex()
1362 because they can reuse an existing context without allocating and freeing
1365 There are some differences between functions EVP_CipherInit() and
1366 EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills
1367 the passed context object with zeros. As a consequence, EVP_CipherInit() does
1368 not allow step-by-step initialization of the ctx when the I<key> and I<iv> are
1369 passed in separate calls. It also means that the flags set for the CTX are
1370 removed, and it is especially important for the
1371 B<EVP_CIPHER_CTX_FLAG_WRAP_ALLOW> flag treated specially in
1372 EVP_CipherInit_ex().
1374 EVP_get_cipherbynid(), and EVP_get_cipherbyobj() are implemented as macros.
1378 B<EVP_MAX_KEY_LENGTH> and B<EVP_MAX_IV_LENGTH> only refer to the internal
1379 ciphers with default key lengths. If custom ciphers exceed these values the
1380 results are unpredictable. This is because it has become standard practice to
1381 define a generic key as a fixed unsigned char array containing
1382 B<EVP_MAX_KEY_LENGTH> bytes.
1384 The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
1385 for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
1389 Encrypt a string using IDEA:
1391 int do_crypt(char *outfile)
1393 unsigned char outbuf[1024];
1396 * Bogus key and IV: we'd normally set these from
1399 unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
1400 unsigned char iv[] = {1,2,3,4,5,6,7,8};
1401 char intext[] = "Some Crypto Text";
1402 EVP_CIPHER_CTX *ctx;
1405 ctx = EVP_CIPHER_CTX_new();
1406 EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL);
1408 if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
1410 EVP_CIPHER_CTX_free(ctx);
1414 * Buffer passed to EVP_EncryptFinal() must be after data just
1415 * encrypted to avoid overwriting it.
1417 if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
1419 EVP_CIPHER_CTX_free(ctx);
1423 EVP_CIPHER_CTX_free(ctx);
1425 * Need binary mode for fopen because encrypted data is
1426 * binary data. Also cannot use strlen() on it because
1427 * it won't be NUL terminated and may contain embedded
1430 out = fopen(outfile, "wb");
1435 fwrite(outbuf, 1, outlen, out);
1440 The ciphertext from the above example can be decrypted using the B<openssl>
1441 utility with the command line (shown on two lines for clarity):
1444 -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
1446 General encryption and decryption function example using FILE I/O and AES128
1449 int do_crypt(FILE *in, FILE *out, int do_encrypt)
1451 /* Allow enough space in output buffer for additional block */
1452 unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
1454 EVP_CIPHER_CTX *ctx;
1456 * Bogus key and IV: we'd normally set these from
1459 unsigned char key[] = "0123456789abcdeF";
1460 unsigned char iv[] = "1234567887654321";
1462 /* Don't set key or IV right away; we want to check lengths */
1463 ctx = EVP_CIPHER_CTX_new();
1464 EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL,
1466 OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
1467 OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
1469 /* Now we can set key and IV */
1470 EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL);
1473 inlen = fread(inbuf, 1, 1024, in);
1476 if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
1478 EVP_CIPHER_CTX_free(ctx);
1481 fwrite(outbuf, 1, outlen, out);
1483 if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
1485 EVP_CIPHER_CTX_free(ctx);
1488 fwrite(outbuf, 1, outlen, out);
1490 EVP_CIPHER_CTX_free(ctx);
1494 Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
1496 int encrypt(const unsigned char *key, const unsigned char *iv,
1497 const unsigned char *msg, size_t msg_len, unsigned char *out)
1500 * This assumes that key size is 32 bytes and the iv is 16 bytes.
1501 * For ciphertext stealing mode the length of the ciphertext "out" will be
1502 * the same size as the plaintext size "msg_len".
1503 * The "msg_len" can be any size >= 16.
1505 int ret = 0, encrypt = 1, outlen, len;
1506 EVP_CIPHER_CTX *ctx = NULL;
1507 EVP_CIPHER *cipher = NULL;
1508 OSSL_PARAM params[2];
1510 ctx = EVP_CIPHER_CTX_new();
1511 cipher = EVP_CIPHER_fetch(NULL, "AES-256-CBC-CTS", NULL);
1512 if (ctx == NULL || cipher == NULL)
1516 * The default is "CS1" so this is not really needed,
1517 * but would be needed to set either "CS2" or "CS3".
1519 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE,
1521 params[1] = OSSL_PARAM_construct_end();
1523 if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params))
1526 /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */
1527 if (!EVP_CipherUpdate(ctx, encrypted, &outlen, msg, msglen))
1529 if (!EVP_CipherFinal_ex(ctx, encrypted + outlen, &len))
1533 EVP_CIPHER_free(cipher);
1534 EVP_CIPHER_CTX_free(ctx);
1542 Supported ciphers are listed in:
1544 L<EVP_aes_128_gcm(3)>,
1545 L<EVP_aria_128_gcm(3)>,
1547 L<EVP_camellia_128_ecb(3)>,
1548 L<EVP_cast5_cbc(3)>,
1555 L<EVP_rc5_32_12_16_cbc(3)>,
1561 Support for OCB mode was added in OpenSSL 1.1.0.
1563 B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0. As a result,
1564 EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
1565 disappeared. EVP_CIPHER_CTX_init() remains as an alias for
1566 EVP_CIPHER_CTX_reset().
1568 The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use
1569 EVP_CIPHER_CTX_get0_cipher() instead.
1571 The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
1572 EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
1573 EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(),
1574 EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
1575 EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
1576 EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),
1577 EVP_CIPHER_CTX_settable_params() and EVP_CIPHER_CTX_gettable_params()
1578 functions were added in 3.0.
1582 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
1584 Licensed under the Apache License 2.0 (the "License"). You may not use
1585 this file except in compliance with the License. You can obtain a copy
1586 in the file LICENSE in the source distribution or at
1587 L<https://www.openssl.org/source/license.html>.