xref: /freebsd/crypto/openssl/doc/man3/EVP_PKEY_encapsulate.pod (revision e7be843b4a162e68651d3911f0357ed464915629) 
1=pod
2
3=head1 NAME
4
5EVP_PKEY_encapsulate_init, EVP_PKEY_auth_encapsulate_init, EVP_PKEY_encapsulate
6- Key encapsulation using a KEM algorithm with a public key
7
8=head1 SYNOPSIS
9
10 #include <openssl/evp.h>
11
12 int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
13 int EVP_PKEY_auth_encapsulate_init(EVP_PKEY_CTX *ctx, EVP_PKEY *authpriv,
14                                   const OSSL_PARAM params[]);
15 int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
16                          unsigned char *wrappedkey, size_t *wrappedkeylen,
17                          unsigned char *genkey, size_t *genkeylen);
18
19=head1 DESCRIPTION
20
21The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
22context I<ctx> for an encapsulation operation and then sets the I<params>
23on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
24Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
25specifying the public key to use.
26
27The EVP_PKEY_auth_encapsulate_init() function is similar to
28EVP_PKEY_encapsulate_init() but also passes an I<authpriv> authentication private
29key that is used during encapsulation.
30
31The EVP_PKEY_encapsulate() function performs a public key encapsulation
32operation using I<ctx>.
33The shared secret written to I<genkey> can be used as an input for key
34derivation, typically for various symmetric algorithms.
35Its size is written to I<genkeylen>, which must be initialised to the
36size of the provided buffer.
37
38The ciphertext written to I<wrappedkey> is an encapsulated form, which
39is expected to be only usable by the holder of the private key corresponding
40to the public key associated with I<ctx>.
41This ciphertext is then communicated to the private-key holder, who can use
42L<EVP_PKEY_decapsulate(3)> to securely recover the same shared secret.
43
44If I<wrappedkey> is NULL then the maximum size of the output buffer is written
45to the I<*wrappedkeylen> parameter unless I<wrappedkeylen> is NULL and the
46maximum size of the generated key buffer is written to I<*genkeylen> unless
47I<genkeylen> is NULL.
48
49If I<wrappedkey> is not NULL and the call is successful then the generated
50shared secret is written to I<genkey> and its size is written to
51I<*genkeylen> (which must be non-NULL).
52The encapsulated ciphertext is written to I<wrappedkey> and
53its size is written to I<*wrappedkeylen> (must also be non-NULL),
54The value pointed to by I<wrappedlen> initially hold the size of the
55I<unwrapped> buffer so that its size can be validated by the call, ensuring it
56is large enough to hold the result written to I<wrapped>.
57
58Absent detailed prior knowledge of the internals of the specific KEM
59algorithm, callers SHOULD NOT assume that the returned shared secret and
60ciphertext are necessarily of the maximum possible length.
61The lengths returned via I<*wrappedkeylen> and I<*genkeylen> SHOULD
62be used to determine the actual lengths of the outputs.
63
64=head1 NOTES
65
66After the call to EVP_PKEY_encapsulate_init(), algorithm-specific parameters
67for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
68
69=head1 RETURN VALUES
70
71EVP_PKEY_encapsulate_init(), EVP_PKEY_auth_encapsulate_init() and
72EVP_PKEY_encapsulate() return 1 for success and 0 or a negative value for
73failure. In particular a return value of -2 indicates the operation is not
74supported by the public key algorithm.
75
76=head1 EXAMPLES
77
78Encapsulate an RSASVE key (for RSA keys).
79
80 #include <openssl/evp.h>
81
82 /*
83  * NB: assumes rsa_pub_key is an public key of another party.
84  */
85
86 EVP_PKEY_CTX *ctx = NULL;
87 size_t secretlen = 0, outlen = 0;
88 unsigned char *out = NULL, *secret = NULL;
89
90 ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_pub_key, NULL);
91 if (ctx == NULL)
92     /* Error */
93 if (EVP_PKEY_encapsulate_init(ctx, NULL) <= 0)
94     /* Error */
95
96 /* Set the mode - only 'RSASVE' is currently supported */
97  if (EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE") <= 0)
98     /* Error */
99 /* Determine buffer length */
100 if (EVP_PKEY_encapsulate(ctx, NULL, &outlen, NULL, &secretlen) <= 0)
101     /* Error */
102
103 out = OPENSSL_malloc(outlen);
104 secret = OPENSSL_malloc(secretlen);
105 if (out == NULL || secret == NULL)
106     /* malloc failure */
107
108 /*
109  * The generated 'secret' can be used as key material.
110  * The encapsulated 'out' can be sent to another party who can
111  * decapsulate it using their private key to retrieve the 'secret'.
112  */
113 if (EVP_PKEY_encapsulate(ctx, out, &outlen, secret, &secretlen) <= 0)
114     /* Error */
115
116=head1 SEE ALSO
117
118L<EVP_PKEY_CTX_new_from_pkey(3)>,
119L<EVP_PKEY_decapsulate(3)>,
120L<EVP_KEM-RSA(7)>,
121L<EVP_KEM-X25519(7)>,
122L<EVP_KEM-EC(7)>,
123L<EVP_KEM-ML-KEM-512(7)>,
124L<EVP_KEM-ML-KEM-768(7)>,
125L<EVP_KEM-ML-KEM-1024(7)>
126
127=head1 HISTORY
128
129The functions EVP_PKEY_encapsulate_init() and EVP_PKEY_encapsulate() were
130added in OpenSSL 3.0.
131The function EVP_PKEY_auth_encapsulate_init() was added in OpenSSL 3.2.
132
133Support for B<ML-KEM> was added in OpenSSL 3.5.
134
135=head1 COPYRIGHT
136
137Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
138
139Licensed under the Apache License 2.0 (the "License").  You may not use
140this file except in compliance with the License.  You can obtain a copy
141in the file LICENSE in the source distribution or at
142L<https://www.openssl.org/source/license.html>.
143
144=cut
145