table of contents
        
      
      
    | EVP_CHACHA20(3) | Library Functions Manual | EVP_CHACHA20(3) | 
NAME¶
EVP_chacha20,
    EVP_chacha20_poly1305 —
    ChaCha20 stream cipher for EVP
SYNOPSIS¶
#include
    <openssl/evp.h>
const EVP_CIPHER *
  
  EVP_chacha20(void);
const EVP_CIPHER *
  
  EVP_chacha20_poly1305(void);
DESCRIPTION¶
EVP_chacha20()
    provides the ChaCha20 stream cipher in the EVP framework.
    EVP_EncryptInit_ex(3),
    EVP_DecryptInit_ex(3), and
    EVP_CipherInit_ex(3) take a key
    argument of 32 bytes = 256 bits and an iv argument of
    16 bytes = 128 bits, internally using ChaCha_set_key(3)
    and ChaCha_set_iv(3). The lower 8 bytes = 64 bits of
    iv are used as counter and the remaining 8 bytes are
    used as the initialization vector of ChaCha_set_iv(3).
    EVP_EncryptUpdate(3),
    EVP_EncryptFinal_ex(3),
    EVP_DecryptUpdate(3), and
    EVP_DecryptFinal_ex(3) internally use
    ChaCha(3) to perform encryption and decryption.
    EVP_CIPHER_CTX_ctrl(3) always fails for
    ctx objects created from
    EVP_chacha20().
EVP_chacha20_poly1305()
    provides authenticated encryption with ChaCha20-Poly1305. Unless
    compatibility with other implementations like OpenSSL or BoringSSL is
    required, using EVP_AEAD_CTX_init(3) with
    EVP_aead_chacha20_poly1305(3) is recommended instead
    because the code then becomes transparent to the AEAD cipher used, more
    flexible, and less error prone.
With
    EVP_chacha20_poly1305(),
    EVP_EncryptInit_ex(3),
    EVP_DecryptInit_ex(3), and
    EVP_CipherInit_ex(3) take a key
    argument of 32 bytes = 256 bits and an iv argument of
    12 bytes = 96 bits. This supports additional authenticated data (AAD) and
    produces a 128-bit authentication tag. The constant
    EVP_CHACHAPOLY_TLS_TAG_LEN specifies the length of
    the authentication tag in bytes and has a value of 16.
The following type arguments are supported for EVP_CIPHER_CTX_ctrl(3):
- EVP_CTRL_AEAD_GET_TAG
- Copy the number of bytes indicated by the arg argument from the tag to the location indicated by the ptr argument; to be called after EVP_EncryptFinal_ex(3). This control operation fails if the ctx is not configured for encryption or if arg is less than 1 or greater than 16.
- EVP_CTRL_AEAD_SET_TAG
- Copy the number of bytes indicated by the arg
      argument from the location indicated by the ptr
      argument and designate them as the expected tag length and tag, causing
      subsequent EVP_DecryptFinal_ex(3) to fail if the tag
      calculated during decryption does not match. It is strongly recommended to
      specify arg as exactly 16. Otherwise, only the
      initial part of the tag may be compared and mismatches near the end of the
      tag may get silently ignored. This control operation fails if the
      ctx is configured for encryption or if
      arg is less than 1 or greater than 16. If the
      ptr argument is a NULLpointer, this control operation succeeds without having any effect.
- EVP_CTRL_AEAD_SET_IV_FIXED
- Set the initialization vector by reading the 12 bytes pointed to by the ptr argument, independently of EVP_EncryptInit_ex(3), EVP_DecryptInit_ex(3), and EVP_CipherInit_ex(3). This control operation fails if the arg argument is not exactly 12.
- EVP_CTRL_AEAD_SET_IVLEN
- Instruct subsequent EVP_EncryptInit_ex(3), EVP_DecryptInit_ex(3), or EVP_CipherInit_ex(3) to expect an iv argument shorter than the default of 12 bytes; the arg argument specifies the number of bytes to be used. The initialization functions will only read the specified smaller number of bytes from iv and internally zero-pad them on the left. Using this is not recommended because it is likely more fragile and less often tested than the equivalent method of simply providing a full-sized iv. This control operation fails if arg is less than 1 or greater than 16.
- EVP_CTRL_INIT
- Set the length of the initialization vector to the default value of 12 bytes and clear the Poly1305 internal state. The application program usually does not need to invoke this control operation manually because it is automatically called internally by EVP_EncryptInit_ex(3), EVP_DecryptInit_ex(3), and EVP_CipherInit_ex(3).
RETURN VALUES¶
EVP_chacha20() and
    EVP_chacha20_poly1305() return pointers to static
    EVP_CIPHER objects that contain the implementations of
    the symmetric cipher.
If ctx was created from
    EVP_chacha20() or
    EVP_chacha20_poly1305(),
    EVP_CIPHER_CTX_ctrl(3) returns 1 for success or 0 for
    failure.
SEE ALSO¶
ChaCha(3), evp(3), EVP_aead_chacha20_poly1305(3), EVP_CIPHER_meth_new(3), EVP_EncryptInit(3)
STANDARDS¶
A. Langley, W. Chang, N. Mavrogiannopoulos, J. Strombergson, and S. Josefsson, ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS), RFC 7905, June 2016.
HISTORY¶
EVP_chacha20() first appeared in
    OpenBSD 5.6.
EVP_chacha20_poly1305() first appeared in
    OpenSSL 1.1.0 and has been available since OpenBSD
    7.2.
CAVEATS¶
The original publications and code by Adam Langley used a modified AEAD construction that is incompatible with the common style used by AEAD in TLS and incompatible with RFC 7905:
A. Langley and W. Chang, ChaCha20 and Poly1305 based Cipher Suites for TLS, draft-agl-tls-chacha20poly1305-04, November 2013.
Y. Nir and A. Langley, ChaCha20 and Poly1305 for IETF Protocols, RFC 8439, May 2018.
In particular, the original version used a nonce of 8 instead of 12 bytes.
| September 12, 2023 | Linux 6.14.1-1-default |