kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4501 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 70dbf042b6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '70dbf042b6'
${ noResults }
boringssl/include/openssl/aead.h

424 lines
19 KiB
Raw Blame History 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_AEAD_H

  16. #define OPENSSL_HEADER_AEAD_H

  17. 

  18. #include <openssl/base.h>

  19. 

  20. #if defined(__cplusplus)

  21. extern "C" {

  22. #endif

  23. 

  24. 

  25. /* Authenticated Encryption with Additional Data.

  26.  *

  27.  * AEAD couples confidentiality and integrity in a single primitive. AEAD

  28.  * algorithms take a key and then can seal and open individual messages. Each

  29.  * message has a unique, per-message nonce and, optionally, additional data

  30.  * which is authenticated but not included in the ciphertext.

  31.  *

  32.  * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and

  33.  * performs any precomputation needed to use |aead| with |key|. The length of

  34.  * the key, |key_len|, is given in bytes.

  35.  *

  36.  * The |tag_len| argument contains the length of the tags, in bytes, and allows

  37.  * for the processing of truncated authenticators. A zero value indicates that

  38.  * the default tag length should be used and this is defined as

  39.  * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using

  40.  * truncated tags increases an attacker's chance of creating a valid forgery.

  41.  * Be aware that the attacker's chance may increase more than exponentially as

  42.  * would naively be expected.

  43.  *

  44.  * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be

  45.  * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.

  46.  *

  47.  * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These

  48.  * operations are intended to meet the standard notions of privacy and

  49.  * authenticity for authenticated encryption. For formal definitions see

  50.  * Bellare and Namprempre, "Authenticated encryption: relations among notions

  51.  * and analysis of the generic composition paradigm," Lecture Notes in Computer

  52.  * Science B<1976> (2000), 531–545,

  53.  * http://www-cse.ucsd.edu/~mihir/papers/oem.html.

  54.  *

  55.  * When sealing messages, a nonce must be given. The length of the nonce is

  56.  * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The

  57.  * nonce must be unique for all messages with the same key*. This is critically

  58.  * important - nonce reuse may completely undermine the security of the AEAD.

  59.  * Nonces may be predictable and public, so long as they are unique. Uniqueness

  60.  * may be achieved with a simple counter or, if large enough, may be generated

  61.  * randomly. The nonce must be passed into the "open" operation by the receiver

  62.  * so must either be implicit (e.g. a counter), or must be transmitted along

  63.  * with the sealed message.

  64.  *

  65.  * The "seal" and "open" operations are atomic - an entire message must be

  66.  * encrypted or decrypted in a single call. Large messages may have to be split

  67.  * up in order to accommodate this. When doing so, be mindful of the need not to

  68.  * repeat nonces and the possibility that an attacker could duplicate, reorder

  69.  * or drop message chunks. For example, using a single key for a given (large)

  70.  * message and sealing chunks with nonces counting from zero would be secure as

  71.  * long as the number of chunks was securely transmitted. (Otherwise an

  72.  * attacker could truncate the message by dropping chunks from the end.)

  73.  *

  74.  * The number of chunks could be transmitted by prefixing it to the plaintext,

  75.  * for example. This also assumes that no other message would ever use the same

  76.  * key otherwise the rule that nonces must be unique for a given key would be

  77.  * violated.

  78.  *

  79.  * The "seal" and "open" operations also permit additional data to be

  80.  * authenticated via the |ad| parameter. This data is not included in the

  81.  * ciphertext and must be identical for both the "seal" and "open" call. This

  82.  * permits implicit context to be authenticated but may be empty if not needed.

  83.  *

  84.  * The "seal" and "open" operations may work in-place if the |out| and |in|

  85.  * arguments are equal. Otherwise, if |out| and |in| alias, input data may be

  86.  * overwritten before it is read. This situation will cause an error.

  87.  *

  88.  * The "seal" and "open" operations return one on success and zero on error. */

  89. 

  90. 

  91. /* AEAD algorithms. */

  92. 

  93. /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */

  94. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);

  95. 

  96. /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */

  97. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);

  98. 

  99. /* EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and

  100.  * Poly1305 as described in RFC 7539. */

  101. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);

  102. 

  103. /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for

  104.  * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the

  105.  * block counter, thus the maximum plaintext size is 64GB. */

  106. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);

  107. 

  108. /* EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for

  109.  * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */

  110. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);

  111. 

  112. /* EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See

  113.  * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */

  114. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);

  115. 

  116. /* EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See

  117.  * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */

  118. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);

  119. 

  120. /* EVP_has_aes_hardware returns one if we enable hardware support for fast and

  121.  * constant-time AES-GCM. */

  122. OPENSSL_EXPORT int EVP_has_aes_hardware(void);

  123. 

  124. 

  125. /* Utility functions. */

  126. 

  127. /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by

  128.  * |aead|. */

  129. OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);

  130. 

  131. /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce

  132.  * for |aead|. */

  133. OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);

  134. 

  135. /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added

  136.  * by the act of sealing data with |aead|. */

  137. OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);

  138. 

  139. /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This

  140.  * is the largest value that can be passed as |tag_len| to

  141.  * |EVP_AEAD_CTX_init|. */

  142. OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);

  143. 

  144. 

  145. /* AEAD operations. */

  146. 

  147. /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key

  148.  * and message-independent IV. */

  149. typedef struct evp_aead_ctx_st {

  150.   const EVP_AEAD *aead;

  151.   /* aead_state is an opaque pointer to whatever state the AEAD needs to

  152.    * maintain. */

  153.   void *aead_state;

  154.   /* tag_len may contain the actual length of the authentication tag if it is

  155.    * known at initialization time. */

  156.   uint8_t tag_len;

  157. } EVP_AEAD_CTX;

  158. 

  159. /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by

  160.  * any AEAD defined in this header. */

  161. #define EVP_AEAD_MAX_KEY_LENGTH 80

  162. 

  163. /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by

  164.  * any AEAD defined in this header. */

  165. #define EVP_AEAD_MAX_NONCE_LENGTH 16

  166. 

  167. /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD

  168.  * defined in this header. */

  169. #define EVP_AEAD_MAX_OVERHEAD 64

  170. 

  171. /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to

  172.  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should

  173.  * be used. */

  174. #define EVP_AEAD_DEFAULT_TAG_LENGTH 0

  175. 

  176. /* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be

  177.  * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not

  178.  * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for

  179.  * more uniform cleanup of |EVP_AEAD_CTX|. */

  180. OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);

  181. 

  182. /* EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and

  183.  * returns the |EVP_AEAD_CTX|, or NULL on error. */

  184. OPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead,

  185.                                               const uint8_t *key,

  186.                                               size_t key_len, size_t tag_len);

  187. 

  188. /* EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on

  189.  * |ctx|. */

  190. OPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx);

  191. 

  192. /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|

  193.  * argument is ignored and should be NULL. Authentication tags may be truncated

  194.  * by passing a size as |tag_len|. A |tag_len| of zero indicates the default

  195.  * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for

  196.  * readability.

  197.  *

  198.  * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In

  199.  * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's

  200.  * harmless to do so. */

  201. OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,

  202.                                      const uint8_t *key, size_t key_len,

  203.                                      size_t tag_len, ENGINE *impl);

  204. 

  205. /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to

  206.  * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to

  207.  * all zeros. */

  208. OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);

  209. 

  210. /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and

  211.  * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It

  212.  * returns one on success and zero otherwise.

  213.  *

  214.  * This function may be called concurrently with itself or any other seal/open

  215.  * function on the same |EVP_AEAD_CTX|.

  216.  *

  217.  * At most |max_out_len| bytes are written to |out| and, in order to ensure

  218.  * success, |max_out_len| should be |in_len| plus the result of

  219.  * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the

  220.  * actual number of bytes written.

  221.  *

  222.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  223.  * |EVP_AEAD_nonce_length| for this AEAD.

  224.  *

  225.  * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is

  226.  * insufficient, zero will be returned. If any error occurs, |out| will be

  227.  * filled with zero bytes and |*out_len| set to zero.

  228.  *

  229.  * If |in| and |out| alias then |out| must be == |in|. */

  230. OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  231.                                      size_t *out_len, size_t max_out_len,

  232.                                      const uint8_t *nonce, size_t nonce_len,

  233.                                      const uint8_t *in, size_t in_len,

  234.                                      const uint8_t *ad, size_t ad_len);

  235. 

  236. /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes

  237.  * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on

  238.  * success and zero otherwise.

  239.  *

  240.  * This function may be called concurrently with itself or any other seal/open

  241.  * function on the same |EVP_AEAD_CTX|.

  242.  *

  243.  * At most |in_len| bytes are written to |out|. In order to ensure success,

  244.  * |max_out_len| should be at least |in_len|. On successful return, |*out_len|

  245.  * is set to the the actual number of bytes written.

  246.  *

  247.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  248.  * |EVP_AEAD_nonce_length| for this AEAD.

  249.  *

  250.  * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is

  251.  * insufficient, zero will be returned. If any error occurs, |out| will be

  252.  * filled with zero bytes and |*out_len| set to zero.

  253.  *

  254.  * If |in| and |out| alias then |out| must be == |in|. */

  255. OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  256.                                      size_t *out_len, size_t max_out_len,

  257.                                      const uint8_t *nonce, size_t nonce_len,

  258.                                      const uint8_t *in, size_t in_len,

  259.                                      const uint8_t *ad, size_t ad_len);

  260. 

  261. /* EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in|

  262.  * and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of

  263.  * ciphertext to |out| and the authentication tag to |out_tag|. It returns one

  264.  * on success and zero otherwise.

  265.  *

  266.  * This function may be called concurrently with itself or any other seal/open

  267.  * function on the same |EVP_AEAD_CTX|.

  268.  *

  269.  * Exactly |in_len| bytes are written to |out|, and up to

  270.  * |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful

  271.  * return, |*out_tag_len| is set to the actual number of bytes written to

  272.  * |out_tag|.

  273.  *

  274.  * |extra_in| may point to an additional plaintext input buffer if the cipher

  275.  * supports it. If present, |extra_in_len| additional bytes of plaintext are

  276.  * encrypted and authenticated, and the ciphertext is written (before the tag)

  277.  * to |out_tag|. |max_out_tag_len| must be sized to allow for the additional

  278.  * |extra_in_len| bytes.

  279.  *

  280.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  281.  * |EVP_AEAD_nonce_length| for this AEAD.

  282.  *

  283.  * |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If

  284.  * |max_out_tag_len| is insufficient, zero will be returned. If any error

  285.  * occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len|

  286.  * set to zero.

  287.  *

  288.  * If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias

  289.  * any other argument. */

  290. OPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter(

  291.     const EVP_AEAD_CTX *ctx, uint8_t *out,

  292.     uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len,

  293.     const uint8_t *nonce, size_t nonce_len,

  294.     const uint8_t *in, size_t in_len,

  295.     const uint8_t *extra_in, size_t extra_in_len,

  296.     const uint8_t *ad, size_t ad_len);

  297. 

  298. /* EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in|

  299.  * and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of

  300.  * authentication tag from |in_tag|. If successful, it writes |in_len| bytes of

  301.  * plaintext to |out|. It returns one on success and zero otherwise.

  302.  *

  303.  * This function may be called concurrently with itself or any other seal/open

  304.  * function on the same |EVP_AEAD_CTX|.

  305.  *

  306.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  307.  * |EVP_AEAD_nonce_length| for this AEAD.

  308.  *

  309.  * |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error

  310.  * occurs, |out| will be filled with zero bytes.

  311.  *

  312.  * If |in| and |out| alias then |out| must be == |in|. */

  313. OPENSSL_EXPORT int EVP_AEAD_CTX_open_gather(

  314.     const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,

  315.     size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,

  316.     size_t in_tag_len, const uint8_t *ad, size_t ad_len);

  317. 

  318. /* EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has

  319.  * not been set. */

  320. OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);

  321. 

  322. 

  323. /* TLS-specific AEAD algorithms.

  324.  *

  325.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  326.  * all specific to TLS and should not be used outside of that context. They must

  327.  * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may

  328.  * not be used concurrently. Any nonces are used as IVs, so they must be

  329.  * unpredictable. They only accept an |ad| parameter of length 11 (the standard

  330.  * TLS one with length omitted). */

  331. 

  332. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);

  333. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);

  334. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);

  335. 

  336. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);

  337. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);

  338. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);

  339. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);

  340. 

  341. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);

  342. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);

  343. 

  344. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);

  345. 

  346. /* EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS

  347.  * 1.2 nonce construction. */

  348. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);

  349. 

  350. /* EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS

  351.  * 1.2 nonce construction. */

  352. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void);

  353. 

  354. 

  355. /* SSLv3-specific AEAD algorithms.

  356.  *

  357.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  358.  * all specific to SSLv3 and should not be used outside of that context. They

  359.  * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,

  360.  * and may not be used concurrently. They only accept an |ad| parameter of

  361.  * length 9 (the standard TLS one with length and version omitted). */

  362. 

  363. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);

  364. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);

  365. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);

  366. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);

  367. 

  368. 

  369. /* Obscure functions. */

  370. 

  371. /* evp_aead_direction_t denotes the direction of an AEAD operation. */

  372. enum evp_aead_direction_t {

  373.   evp_aead_open,

  374.   evp_aead_seal,

  375. };

  376. 

  377. /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal

  378.  * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a

  379.  * given direction. */

  380. OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(

  381.     EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,

  382.     size_t tag_len, enum evp_aead_direction_t dir);

  383. 

  384. /* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and

  385.  * sets |*out_iv| to point to that many bytes of the current IV. This is only

  386.  * meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).

  387.  *

  388.  * It returns one on success or zero on error. */

  389. OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,

  390.                                        const uint8_t **out_iv, size_t *out_len);

  391. 

  392. /* EVP_AEAD_CTX_tag_len computes the exact byte length of the tag written by

  393.  * |EVP_AEAD_CTX_seal_scatter| and writes it to |*out_tag_len|. It returns one

  394.  * on success or zero on error. |in_len| and |extra_in_len| must equal the

  395.  * arguments of the same names passed to |EVP_AEAD_CTX_seal_scatter|. */

  396. OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,

  397.                                         size_t *out_tag_len,

  398.                                         const size_t in_len,

  399.                                         const size_t extra_in_len);

  400. 

  401. 

  402. #if defined(__cplusplus)

  403. }  /* extern C */

  404. 

  405. #if !defined(BORINGSSL_NO_CXX)

  406. extern "C++" {

  407. 

  408. namespace bssl {

  409. 

  410. using ScopedEVP_AEAD_CTX =

  411.     internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,

  412.                              EVP_AEAD_CTX_cleanup>;

  413. 

  414. BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)

  415. 

  416. }  // namespace bssl

  417. 

  418. }  // extern C++

  419. #endif

  420. 

  421. #endif

  422. 

  423. #endif  /* OPENSSL_HEADER_AEAD_H */