21. Cryptography
21.1. Password hashing
- Methodcrypt
string(46..122)
crypt(string(1..255)
password
)bool
crypt(string(1..255)
input_password
,string(46..122)
crypted_password
)string(46..122)
crypt()- Description
This function crypts and verifies a short string (only the first 8 characters are significant).
The first syntax crypts the string
password
into something that is hopefully hard to decrypt.The second syntax is used to verify
typed_password
againstcrypted_password
, and returns1
if they match, and0
(zero) otherwise.The third syntax generates a random string and then crypts it, creating a string useful as a password.
- Note
Note that strings containing null characters will only be processed up until the null character.
Module Crypto.Password
- Description
Password handling.
This module handles generation and verification of password hashes.
- See also
verify()
,hash()
,crypt()
- Methodhash
string(7bit)
hash(string(8bit)
password
,string(7bit)
|void
scheme
,int(0..)
|void
rounds
)- Description
Generate a hash of
password
suitable forverify()
.- Parameter
password
Password to hash.
- Parameter
scheme
Password hashing scheme. If not specified the strongest available will be used.
If an unsupported scheme is specified an error will be thrown.
Supported schemes are:
Crypt(3C)-style:
UNDEFINED
Use the strongest crypt(3C)-style hash that is supported.
"crypt"
"{crypt}"
"6"
SHA512.crypt_hash()
with 96 bits of salt and a default of5000
rounds."$6$"
"5"
SHA256.crypt_hash()
with 96 bits of salt and a default of5000
rounds."$5$"
"3"
The NTLM MD4 hash.
"NT"
"2"
Nettle.bcrypt()
with 128 bits of salt and a default of1024
rounds."2a"
"2b"
"2x"
"2y"
"$2$"
"$2a$"
"$2b$"
"$2x$"
"$2y$"
"1"
MD5.crypt_hash()
with 48 bits of salt and1000
rounds."$1$"
"apr1"
MD5.crypt_hash_apr1()
with 48 bits of salt and1000
rounds."$apr1$"
"sha1"
SHA1.HMAC.crypt_hash()
with 48 bits of salt and a default of480000
rounds."P"
MD5.crypt_php()
with 48 bits of salt and a default of1<<19
rounds. The specified number of rounds will be rounded up to the closest power of2
."$P$"
"H"
"$H$"
"U$P$"
Same as
"$P$"
, the suppliedpassword
is assumed to have already been passed throughMD5.hash()
once. Typically used to upgrade unsaltedMD5
-password databases."Q"
Same as
"$P$"
, but withSHA1.crypt_php()
."$Q$"
"S"
Same as
"$S$"
, but withSHA512.crypt_php()
."$S$"
"pbkdf2"
SHA1.pbkdf2()
."$pbkdf2$"
"pbkdf2-sha256"
SHA256.pbkdf2()
."$pbkdf2-sha256$"
"pbkdf2-sha512"
SHA512.pbkdf2()
."$pbkdf2-sha512$"
""
predef::crypt()
with 12 bits of salt.LDAP (RFC 2307)-style. Don't use these if you can avoid it, since they are suspectible to attacks. In particular avoid the unsalted variants at all costs:
"ssha"
SHA1.hash()
with 96 bits of salt appended to the password."{ssha}"
"smd5"
MD5.hash()
with 96 bits of salt appended to the password."{smd5}"
"sha"
SHA1.hash()
without any salt."{sha}"
"md5"
MD5.hash()
without any salt."{md5}"
- Parameter
rounds
The number of rounds to use in parameterized schemes. If not specified the scheme specific default will be used.
- Returns
Returns a string suitable for
verify()
. This means that the hashes will be prepended with the suitable markers.- Note
Note that the availability of
SHA512
depends on the version ofNettle
that Pike has been compiled with.- Note
This function was added in Pike 7.8.755.
- See also
verify()
,predef::crypt()
,Nettle.crypt_md5()
,Nettle.Hash()->crypt_hash()
- Methodverify
int
verify(string(8bit)
password
,string(7bit)
hash
)- Description
Verify a password against a hash.
This function attempts to support most common password hashing schemes.
- Parameter
password
Binary password. This is typically is typically a textual string normalized according to
string_to_utf8(Unicode.normalize(raw_password, "NFC"))
, but some operating systems (eg MacOS X) may have other conventions.- Parameter
hash
The
hash
can be on any of the following formats.LDAP-style (RFC 2307) hashes:
"{SHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
The
XXX
string is taken to be aMIME.encode_base64
SHA1
hash of the password. Source: OpenLDAP FAQ http://www.openldap.org/faq/data/cache/347.html."{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
The
XXX
string is taken to be aMIME.encode_base64
string in which the first 20 chars are anSHA1
hash and the remaining chars the salt. The input for the hash is the password concatenated with the salt. Source: OpenLDAP FAQ http://www.openldap.org/faq/data/cache/347.html."{MD5}XXXXXXXXXXXXXXXXXXXXXXXX"
The
XXX
string is taken to be aMIME.encode_base64
MD5
hash of the password. Source: OpenLDAP FAQ http://www.openldap.org/faq/data/cache/418.html."{SMD5}XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
The
XXX
string is taken to be aMIME.encode_base64
string in which the first 16 chars are anMD5
hash and the remaining chars the salt. The input for the hash is the password concatenated with the salt. Source: OpenLDAP FAQ http://www.openldap.org/faq/data/cache/418.html."{CRYPT}XXXXXXXXXXXXX"
The
XX
string is taken to be a crypt(3C)-style hash. This is the same thing as passing theXXX
string without any preceding method name within{...}
. I.e. it's interpreted according to the crypt-style hashes below.Crypt-style hashes:
"$6$SSSSSSSSSSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted according to the "Unix crypt using SHA-256 and SHA-512" standard Version 0.4 2008-4-3, where
SSSSSSSSSSSSSSSS
is up to 16 characters of salt, and the stringXXX
the result ofSHA512.crypt_hash()
with5000
rounds. Source: Unix crypt using SHA-256 and SHA-512 http://www.akkadia.org/drepper/SHA-crypt.txt"$6$rounds=RR$SSSSSSSSSSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
This is the same algorithm as the one above, but with the number of rounds specified by
RR
in decimal. Note that the number of rounds is clamped to be within1000
and999999999
(inclusive). Source: Unix crypt using SHA-256 and SHA-512 http://www.akkadia.org/drepper/SHA-crypt.txt"$5$SSSSSSSSSSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted according to the "Unix crypt using SHA-256 and SHA-512" standard Version 0.4 2008-4-3, where
SSSSSSSSSSSSSSSS
is up to 16 characters of salt, and the stringXXX
the result ofSHA256.crypt_hash()
with5000
rounds. Source: Unix crypt using SHA-256 and SHA-512 http://www.akkadia.org/drepper/SHA-crypt.txt"$5$rounds=RR$SSSSSSSSSSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
This is the same algorithm as the one above, but with the number of rounds specified by
RR
in decimal. Note that the number of rounds is clamped to be within1000
and999999999
(inclusive). Source: Unix crypt using SHA-256 and SHA-512 http://www.akkadia.org/drepper/SHA-crypt.txt"$3$$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
This is interpreted as the NT LANMANAGER (NTLM) password hash. It is a hex representation of MD4 of the password.
"$1$SSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted according to the GNU libc2 extension of
crypt(3C)
whereSSSSSSSS
is up to 8 chars of salt and theXXX
string is anMD5
-based hash created from the password and the salt. Source: GNU libc http://www.gnu.org/software/libtool/manual/libc/crypt.html."$apr1$SSSSSSSS$XXXXXXXXXXXXXXXXXXXXXX"
The Apache proprietary MD5-derived password hashing algorithm. This is similar to the
"$1$"
algorithm above. Source: Apache http://httpd.apache.org/docs/2.4/misc/password_encryptions.html"$sha1$RRRRR$SSSSSSSS$XXXXXXXXXXXXXXXXXXXX"
The string is interpreted as a NetBSD-style
SHA1.HMAC.crypt_hash()
(aka crypt_sha1(3C)), whereRRRRR
is the number of rounds (default 480000),SSSSSSSS
is aMIME.crypt64()
encoded salt. and theXXX
string is anSHA1.HMAC
-based hash created from the password and the salt."$P$RSSSSSSSSXXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted as a PHPass' Portable Hash password hash, where
R
is an encoding of the 2-logarithm of the number of rounds,SSSSSSSS
is a salt of 8 characters, andXXX
is similarily theMIME.encode_crypt64
of runningMD5.hash()
repeatedly on the password and the salt."$H$RSSSSSSSS.XXXXXXXXXXXXXXXXXXXXXX"
Same as
"$P$"
above. Used by phpBB3."U$P$RSSSSSSSSXXXXXXXXXXXXXXXXXXXXXX"
This is handled as a Drupal upgraded PHPass Portable Hash password. The password is run once through
MD5.hash()
, and then passed along to the"$P$"
-handler above."$Q$RSSSSSSSSXXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted as a PHPass' Portable Hash password hash, where the base hashing alorithm has been switched to
SHA1
. This method is apparently used by some versions of Escher CMS."$S$RSSSSSSSSXXXXXXXXXXXXXXXXXXXXXX"
The string is interpreted as a PHPass' Portable Hash password hash, where the base hashing alorithm has been switched to
SHA256
. This method is apparently used by some versions of Drupal."$pbkdf2$RRRRR$SSSSS$XXXXXXXXXXXXX"
The string is interpreted as
SHA1.crypt_pbkdf2()
."$pbkdf2-sha256$RRRRR$SSSSS$XXXXXXXXXXXXX"
The string is interpreted as
SHA256.crypt_pbkdf2()
."$pbkdf2-sha512$RRRRR$SSSSS$XXXXXXXXXXXXX"
The string is interpreted as
SHA512.crypt_pbkdf2()
."pbkdf2_sha256$RRRRR$SSSSS$XXXXXXXXXXXXX"
The string is interpreted as the Django variant of
SHA256.crypt_pbkdf2()
. This differs from the standard variant ("$pbkdf2-sha256$"
) in that the hash is encoded with plainMIME.encode_base64()
(ie including padding ('='
) and plus ('+'
) characters)."XXXXXXXXXXXXX"
The
XXX
string (which doesn't begin with"{"
) is taken to be a password hashed using the classic unixcrypt(3C)
function. If the string contains only chars from the set[a-zA-Z0-9./]
it uses DES and the first two characters as salt, but other alternatives may be possible depending on thecrypt(3C)
implementation in the operating system.""
The empty password hash matches all passwords.
- Returns
Returns
1
on success, and0
(zero) otherwise.- Note
This function was added in Pike 7.8.755.
- See also
hash()
,predef::crypt()
21.2. Kerberos and GSSAPI
Module GSSAPI
- Description
This is pike glue for GSS-API ver 2 as specified in RFC 2743.
GSS-API is used to authenticate users and servers, and optionally also to encrypt communication between them. The API is generic and can be used without any knowledge of the actual implementation of these security services, which is typically provided by the operating system.
The most common implementation at the time of writing is Kerberos, which means that the main benefit of this API is to allow clients and servers to authenticate each other using Kerberos, thereby making single sign-on possible in a Kerberized environment.
All functions in this module that wrap GSS-API routines may throw
GSSAPI.Error
, and by default they do so for all such errors. Only in some special cases do they return when a GSS-API error has happened, and this is then noted in the documentation.
- ConstantINITIATE
ConstantACCEPT
ConstantBOTH constant
int
GSSAPI.INITIATE
constant
int
GSSAPI.ACCEPT
constant
int
GSSAPI.BOTH
- Description
Flags for indicating how a
GSSAPI.Cred
object may be used:- INITIATE
The credential can only be used to initiate security contexts (i.e. using
GSSAPI.InitContext
).- ACCEPT
The credential can only be used to accept security contexts (i.e. using
GSSAPI.AcceptContext
).- BOTH
The credential may be used both to initiate or accept security contexts.
- ConstantDELEG_FLAG
ConstantMUTUAL_FLAG
ConstantREPLAY_FLAG
ConstantSEQUENCE_FLAG
ConstantCONF_FLAG
ConstantINTEG_FLAG
ConstantANON_FLAG
ConstantPROT_READY_FLAG
ConstantTRANS_FLAG constant
int
GSSAPI.DELEG_FLAG
constant
int
GSSAPI.MUTUAL_FLAG
constant
int
GSSAPI.REPLAY_FLAG
constant
int
GSSAPI.SEQUENCE_FLAG
constant
int
GSSAPI.CONF_FLAG
constant
int
GSSAPI.INTEG_FLAG
constant
int
GSSAPI.ANON_FLAG
constant
int
GSSAPI.PROT_READY_FLAG
constant
int
GSSAPI.TRANS_FLAG
- Description
Bitfield flags returned by e.g.
GSSAPI.Context.services
to denote various services that are available in the context.Brief descriptions of the flags:
- GSSAPI.DELEG_FLAG
Delegation. See RFC 2743 section 1.2.9.
- GSSAPI.MUTUAL_FLAG
Mutual authentication (actually, acceptor authentication). See RFC 2743 section 1.1.1.3 and RFC 2743 section 1.2.5.
- GSSAPI.REPLAY_FLAG
Per-message replay detection. See RFC 2743 section 1.2.3.
- GSSAPI.SEQUENCE_FLAG
Per-message sequencing. See RFC 2743 section 1.2.3.
- GSSAPI.CONF_FLAG
Per-message confidentiality. See RFC 2743 section 1.2.2.
- GSSAPI.INTEG_FLAG
Per-message integrity. See RFC 2743 section 1.2.2.
- GSSAPI.ANON_FLAG
Anonymous authentication. See RFC 2743 section 1.2.5.
- GSSAPI.PROT_READY_FLAG
Might be set before the context establishment has finished, to denote that per-message protection already is available. See RFC 2743 section 1.2.7. Is always set in
GSSAPI.Context
and derived classes when the context is established.- GSSAPI.TRANS_FLAG
The context can be transferred between processes using
GSSAPI.Context.export
. See RFC 2743 section 1.2.10.
- ConstantBAD_MECH
ConstantBAD_NAME
ConstantBAD_NAMETYPE
ConstantBAD_BINDINGS
ConstantBAD_STATUS
ConstantBAD_SIG
ConstantNO_CRED
ConstantNO_CONTEXT
ConstantDEFECTIVE_TOKEN
ConstantDEFECTIVE_CREDENTIAL
ConstantCREDENTIALS_EXPIRED
ConstantCONTEXT_EXPIRED
ConstantFAILURE
ConstantBAD_QOP
ConstantUNAUTHORIZED
ConstantUNAVAILABLE
ConstantDUPLICATE_ELEMENT
ConstantNAME_NOT_MN constant
int
GSSAPI.BAD_MECH
constant
int
GSSAPI.BAD_NAME
constant
int
GSSAPI.BAD_NAMETYPE
constant
int
GSSAPI.BAD_BINDINGS
constant
int
GSSAPI.BAD_STATUS
constant
int
GSSAPI.BAD_SIG
constant
int
GSSAPI.NO_CRED
constant
int
GSSAPI.NO_CONTEXT
constant
int
GSSAPI.DEFECTIVE_TOKEN
constant
int
GSSAPI.DEFECTIVE_CREDENTIAL
constant
int
GSSAPI.CREDENTIALS_EXPIRED
constant
int
GSSAPI.CONTEXT_EXPIRED
constant
int
GSSAPI.FAILURE
constant
int
GSSAPI.BAD_QOP
constant
int
GSSAPI.UNAUTHORIZED
constant
int
GSSAPI.UNAVAILABLE
constant
int
GSSAPI.DUPLICATE_ELEMENT
constant
int
GSSAPI.NAME_NOT_MN
- Description
Constants for routine errors in major status codes like
GSSAPI.Error.major_status
. See RFC 2743 section 1.2.1.1. Note that major status codes have to be masked withGSSAPI.ERROR_MASK
before comparison with these.Brief descriptions of the flags:
- GSSAPI.BAD_BINDINGS
Channel binding mismatch.
- GSSAPI.BAD_MECH
Unsupported mechanism requested.
- GSSAPI.BAD_NAME
Invalid name provided.
- GSSAPI.BAD_NAMETYPE
Name of unsupported type provided.
- GSSAPI.BAD_STATUS
Invalid input status selector.
- GSSAPI.BAD_MIC
Token had invalid integrity check.
- GSSAPI.CONTEXT_EXPIRED
Specified security context expired.
- GSSAPI.CREDENTIALS_EXPIRED
Expired credentials detected.
- GSSAPI.DEFECTIVE_CREDENTIAL
Defective credential detected.
- GSSAPI.DEFECTIVE_TOKEN
Defective token detected.
- GSSAPI.FAILURE
Failure, unspecified at GSS-API level.
GSSAPI.Error.minor_status
should provide further details.- GSSAPI.NO_CONTEXT
No valid security context specified.
- GSSAPI.NO_CRED
No valid credentials provided.
- GSSAPI.BAD_QOP
Unsupported QOP value.
- GSSAPI.UNAUTHORIZED
Operation unauthorized.
- GSSAPI.UNAVAILABLE
Operation unavailable.
- GSSAPI.DUPLICATE_ELEMENT
Duplicate credential element requested.
- GSSAPI.NAME_NOT_MN
Name contains multi-mechanism elements.
- ConstantCONTINUE_NEEDED
ConstantDUPLICATE_TOKEN
ConstantOLD_TOKEN
ConstantUNSEQ_TOKEN
ConstantGAP_TOKEN constant
int
GSSAPI.CONTINUE_NEEDED
constant
int
GSSAPI.DUPLICATE_TOKEN
constant
int
GSSAPI.OLD_TOKEN
constant
int
GSSAPI.UNSEQ_TOKEN
constant
int
GSSAPI.GAP_TOKEN
- Description
Bitfield flags for informatory codes in major status codes like
GSSAPI.Error.major_status
. See RFC 2743 section 1.2.1.1. Any combination of these might optionally be combined with one routine error constant to form a major status code.Brief descriptions of the flags:
- GSSAPI.CONTINUE_NEEDED
Continuation call to routine required.
- GSSAPI.DUPLICATE_TOKEN
Duplicate per-message token detected.
- GSSAPI.OLD_TOKEN
Timed-out per-message token detected.
- GSSAPI.UNSEQ_TOKEN
Reordered (early) per-message token detected.
- GSSAPI.GAP_TOKEN
Skipped predecessor token(s) detected.
- ConstantERROR_MASK
constant
int
GSSAPI.ERROR_MASK
- Description
Bitfield mask for the routine error part of major status codes like
GSSAPI.Error.major_status
. After applying this mask, the status values may be compared to any of the routine error constants.
- ConstantINFO_MASK
constant
int
GSSAPI.INFO_MASK
- Description
Bitfield mask for the informatory part of major status codes like
GSSAPI.Error.major_status
.
- ConstantNT_HOSTBASED_SERVICE
ConstantNT_USER_NAME
ConstantNT_MACHINE_UID_NAME
ConstantNT_STRING_UID_NAME
ConstantNT_ANONYMOUS
ConstantNT_EXPORT_NAME
ConstantKRB5_NT_PRINCIPAL_NAME constant
string
GSSAPI.NT_HOSTBASED_SERVICE
constant
string
GSSAPI.NT_USER_NAME
constant
string
GSSAPI.NT_MACHINE_UID_NAME
constant
string
GSSAPI.NT_STRING_UID_NAME
constant
string
GSSAPI.NT_ANONYMOUS
constant
string
GSSAPI.NT_EXPORT_NAME
constant
string
GSSAPI.KRB5_NT_PRINCIPAL_NAME
- Description
OIDs on dotted-decimal form for the GSS-API mechanism-independent name types, and some selected mechanism-specific ones:
- NT_HOSTBASED_SERVICE
Name type for a service associated with a host computer. The syntax is service@hostname where the @hostname part may be omitted for the local host. See RFC 2743 section 4.1.
- NT_USER_NAME
Name type for a named user on a local system. The syntax is username. See RFC 2743 section 4.2.
- NT_MACHINE_UID_NAME
Name type for a numeric user identifier corresponding to a user on a local system. The string representing a name of this type should contain a locally-significant user ID, represented in host byte order. See RFC 2743 section 4.3.
- NT_STRING_UID_NAME
Name type for a string of digits representing the numeric user identifier of a user on a local system. This name type is similar to the Machine UID Form, except that the buffer contains a string representing the user ID. See RFC 2743 section 4.4.
- NT_ANONYMOUS
Name type to identify anonymous names. See RFC 2743 section 4.5.
- NT_EXPORT_NAME
Name type for the Mechanism-Independent Exported Name Object type, which is the type of the names returned by
GSSAPI.Name.export
. See RFC 2743 section 4.7.- KRB5_NT_PRINCIPAL_NAME
Name type for a Kerberos principal. See RFC 1964 section 2.1.1.
- Methoddescribe_services
string
describe_services(int
services
)- Description
Returns a string that compactly describes the given
services
, which is taken as a bitfield of GSSAPI.*_FLAG flags.The returned string contains capitalized names for the flags reminiscent of the
GSSAPI.*_FLAG
constants, separated by"|"
.
- Methodindicate_mechs
multiset
(string
) indicate_mechs()- Description
Returns the OIDs for the available mechanism in the GSS-API implementation. The OIDs are returned on dotted-decimal form.
This wraps GSS_Indicate_mechs according to RFC 2743 section 2.4.2.
- Methodmajor_status_messages
array
(string
) major_status_messages(int
major_status
)- Description
Given a major status code like
GSSAPI.Error.major_status
(or more commonlyGSSAPI.Context.last_major_status
in this case), returns an array containing messages for all the status values in it. The returned string(s) presumably don't end with linefeeds.This wraps GSS_Display_status according to RFC 2743 section 2.4.1.
- Methodminor_status_messages
array
(string
) minor_status_messages(int
minor_status
,void
|string
mech
)- Description
Given a mechanism-specific minor status code like
GSSAPI.Error.minor_status
, returns an array containing messages for all the status values in it. The returned string(s) presumably don't end with linefeeds.This wraps GSS_Display_status according to RFC 2743 section 2.4.1.
- Parameter
minor_status
The mechanism-specific minor status.
- Parameter
mech
The mechanism that produced the status code. If this is zero or left out, a system default mechanism is used.
- Methodnames_for_mech
multiset
(string
) names_for_mech(string
mech
)- Description
Returns the OIDs for the name types that the given
mech
supports. Bothmech
and the returned OID strings are on dotted-decimal form.This wraps GSS_Inquire_names_for_mech according to RFC 2743 section 2.4.12.
Class GSSAPI.AcceptContext
- Description
Variant of
Context
which is used on the acceptor side.
- Methodaccept
string
accept(string
remote_token
)- Description
Accepts a remotely initiated security context.
This wraps GSS_Accept_sec_context according to RFC 2743 section 2.2.2.
The underlying mechanism might require several tokens to be passed back and forth to establish the context. If
is_established
returns zero after a call to this function then the caller must wait for a token from the remote peer to feed asremote_token
in another call to this function.- Parameter
remote_token
A token from the remote peer, as returned by a call to
GSSAPI.InitContext.init
or some other GSS_Init_sec_context wrapper.- Returns
If a string is returned then it must be passed to the remote peer which will feed it to
GSSAPI.InitContext.init
or some other GSS_Init_sec_context wrapper. An empty string is never returned.Zero is returned if there is no token to send to the remote peer. Note that
is_established
might still return zero in that case, meaning more remote tokens are necessary.- Note
This function might block on network connections to remote authentication servers.
- Methodcreate
GSSAPI.AcceptContextGSSAPI.AcceptContext(
void
|Cred
cred
,void
|int
required_services
)- Description
Creates a context for acceptor use. This function only accepts parameters to be used later during the
accept
call. If there are semantic problems with them, such as if the credentials are stale, then they will be signalled later byaccept
.- Parameter
cred
Credentials for the identity this context claims. The credentials for the default principal (if any) is used if zero or left out.
- Parameter
required_services
Bitfield of GSSAPI.*_FLAG flags specifying all services that must be provided in the context. If the context fail to provide any of them then it is closed and a
GSSAPI.MissingServicesError
is thrown.GSSAPI.PROT_READY_FLAG
is ignored in this parameter. The fact that a user calls a per-message function indicates that this service is required at that point, and aGSSAPI.MissingServicesError
is thrown if it isn't.- Note
Channel bindings (RFC 2743 section 1.1.6) are not yet implemented since that feature appear to not be in much active use, and its format is not completely specified (RFC 2744 section 3.11).
Class GSSAPI.Context
- Description
Class representing a security context; see RFC 2743 section 1.1.3 The user usually instantiates one of the two inheriting classes
GSSAPI.InitContext
orGSSAPI.AcceptContext
, based on whether the context should act as initiator or acceptor for the connection. This class is instantiated directly for imported contexts.- Note
If a
Context
object for a partly or completely established context is destructed, GSS_Delete_sec_context (RFC 2743 section 2.2.3) is called. That function might do blocking network I/O, which due to pike's object management might occur essentially anytime in any thread if the object isn't explicitly destructed. To avoid that, it's strongly recommended to calldelete
in contexts that are no longer used.
- Methodcreate
GSSAPI.ContextGSSAPI.Context(
string
interprocess_token
,void
|int
required_services
)- Description
Creates a context by importing an inter-process token.
This wraps GSS_Import_sec_context according to RFC 2743 section 2.2.9.
- Parameter
interprocess_token
The inter-process token which has been created by
export
or some other GSS_Export_sec_context wrapper.- Parameter
required_services
Bitfield of GSSAPI.*_FLAG flags specifying all services that must be provided in the context. If the context fail to provide any of them then it is closed and a
GSSAPI.MissingServicesError
is thrown.GSSAPI.PROT_READY_FLAG
is ignored in this parameter. The fact that a user calls a per-message function indicates that this service is required at that point, and aGSSAPI.MissingServicesError
is thrown if it isn't.- Note
It is not possible to retrieve delegated credentials from an imported context. That is a GSS-API limitation.
- Methoddelete
void
delete()- Description
Frees the resources for the context, provided it is in use. Does nothing otherwise.
This wraps GSS_Delete_sec_context according to RFC 2743 section 2.2.3.
- Note
This function might block on network connections to remote authentication servers.
- Note
In compliance with recommendations in GSS-API v2, the optional output token is never used in the call to GSS_Delete_sec_context.
- Methodexport
string
export()- Description
Exports this context so that it can be imported in another process, providing the inter-process context transfer service is available (c.f.
GSSAPI.TRANS_FLAG
).This wraps GSS_Export_sec_context according to RFC 2743 section 2.2.8.
The returned string is intended to be fed to
GSSAPI.Context.create
(or some other GSS_Import_sec_context wrapper) in the receiving process.This operation frees the context in this object.
- Methodget_mic
string
get_mic(string
message
,void
|int
qop
)- Description
Calculates and returns a MIC (message integrity checksum) for the given message that allows the receiver to verify its origin and integrity through
verify_mic
or some other GSS_VerifyMIC wrapper.This wraps GSS_GetMIC according to RFC 2743 section 2.3.1.
This function requires that the context is established, or that the early per-message protection service is available (c.f.
GSSAPI.PROT_READY_FLAG
. If not, aGSSAPI.MissingServicesError
is thrown (but the context is not closed).- Parameter
message
The message for which the MIC is to be calculated. It may be of zero length.
- Parameter
qop
The quality of protection. This is a mechanism-specific value that lets the user direct how the underlying mechanism calculates the MIC. See RFC 2743 section 1.2.4.
Zero or left out means use the default method.
- Methodis_established
Methodservices
Methodlocally_initiated
Methodsource_name
Methodtarget_name
Methodlifetime
Methodmech int
is_established()int
services()int
locally_initiated()Name
source_name()Name
target_name()int(0..)
lifetime()string
mech()- Description
Functions to query various properties about the context.
These wrap GSS_Inquire_context according to RFC 2743 section 2.2.6.
- is_established()
Returns nonzero as soon as the context has been established. That means no further rounds through
GSSAPI.InitContext.init
orGSSAPI.AcceptContext.accept
, that the remote peer is authenticated as required, and that the set of available services is complete (seeservices
).- services()
Returns a bitfield of GSSAPI.*_FLAG flags for the services that the context (currently) provides. This field is complete only when the context establishment has finished, i.e. when
is_established
returns nonzero.See also
GSSAPI.describe_services
.- locally_initiated()
Returns nonzero if the context is an initiator, zero if it is an acceptor. (This is mainly useful in imported contexts.)
- source_name()
Returns the name of the context initiator. The name is always an MN. Returns an anonymous name if used on the acceptor side and the anonymous authentication service (c.f.
GSSAPI.ANON_FLAG
) was used.- target_name()
Returns the name of the context acceptor. If a name is returned then it is always an MN.
Zero is returned on the initiator side if the initiator didn't specify a target name and the acceptor did not authenticate itself (should never happen if mutual authentication (c.f.
GSSAPI.MUTUAL_FLAG
) is a required service).The returned object is not necessarily the same one as was passed to
GSSAPI.InitContext.create
, even though they are likely to compare as equal (they might not be equal if the passed name wasn't an MN).- lifetime()
Returns the validity lifetime left for the context. Returns zero if the context has expired, or
Int.inf
if there is no time limit (in older pikes withoutInt.inf
a large positive integer is returned instead).- mech()
Returns the mechanism that provides the context. The returned value is its OID on dotted-decimal form.
These functions don't throw errors if the context is missing or not completely established, even though they might not be able to query the proper values then (GSS-API implementations are known to not be completely reliable in handling these queries for partly established contexts). The functions instead return zero.
- Methodlast_confidential
int
last_confidential()- Description
Returns nonzero if the last call to
wrap
orunwrap
provided confidentiality for the message, i.e. ifwrap
encrypted it or ifunwrap
decrypted it. Zero is returned otherwise.
- Methodlast_major_status
Methodlast_minor_status int
last_major_status()int
last_minor_status()- Description
Returns the major and minor status codes from the last operation that called a GSS-API routine, with the exception of those that wrap GSS_Inquire_context.
- Methodlast_qop
int
last_qop()- Description
Returns the quality of protection provided by the last call to
verify_mic
orunwrap
.
- Methodprocess_token
void
process_token(string
remote_token
)- Description
Passes the given
remote_token
to the mechanism.This wraps GSS_Process_context_token according to RFC 2743 section 2.2.4.
This is used for tokens that are received outside the handshaking between GSS_Init_sec_context (
GSSAPI.InitContext.init
) and GSS_Accept_sec_context (GSSAPI.AcceptContext.accept
).An example is when
GSSAPI.InitContext.init
returns a final token and flags the context as established, but the acceptor context detects an error and sends a failure token back. That token is processed using this function sinceGSSAPI.InitContext.init
doesn't handle any more tokens by then.- Note
This function might change context state.
- Note
This function might block on network connections to remote authentication servers. However, if the remote token is the result of GSS_Delete_sec_context on the remote side then it will not block.
- Methodrequired_services
int
required_services(void
|int
services
)- Description
Gets and optionally sets the set of services that must be provided in the context. The returned and given value is a bitfield of the GSSAPI.*_FLAG constants.
This is mainly useful to change the per-message service flags that
verify_mic
andunwrap
use to decide whether a condition is an error or not.- Parameter
services
New set of required services. If this is not given then the set is not changed.
If the context is established and
services
contain a service which isn't currently provided then the context is closed and aGSSAPI.MissingServicesError
is thrown immediately.GSSAPI.PROT_READY_FLAG
is ignored in this parameter.- Returns
Returns the current set of required services (after setting them to
services
, if provided).- See also
GSSAPI.describe_services
- Methodunwrap
string
unwrap(string
message
,void
|int
accept_encrypted_only
)- Description
Verifies the origin and integrity of the given message using the MIC included in it, and also decrypts the message if it was encrypted. The message has been calculated by the sender using
wrap
or some other GSS_Wrap wrapper.This wraps GSS_Unwrap according to RFC 2743 section 2.3.4.
This function requires that the context is established, or that the early per-message protection service is available (c.f.
GSSAPI.PROT_READY_FLAG
. If not, aGSSAPI.MissingServicesError
is thrown (but the context is not closed).- Parameter
message
The message to be unwrapped.
- Parameter
accept_encrypted_only
If this is nonzero then it is an error if
message
isn't encrypted, and zero is returned in that case (the status returned bylast_major_status
will still indicate success, though).- Returns
Zero is returned if the verification fails with
GSSAPI.DEFECTIVE_TOKEN
orGSSAPI.BAD_MIC
.Zero is also returned if
message
isn't encrypted andaccept_encrypted_only
is set.Otherwise the message is successfully decrypted (provided it was encrypted to begin with), and its origin and integrity checks out, but it might still be considered wrong depending on whether the replay detection or sequencing services are required (see
required_services
):If replay detection (c.f.
GSSAPI.REPLAY_FLAG
) is required then zero is returned if the message is duplicated (GSSAPI.DUPLICATE_TOKEN
) or old (GSSAPI.OLD_TOKEN
).If sequencing (c.f.
GSSAPI.SEQUENCE_FLAG
) is required then in addition to the replay detection conditions, zero is also returned if the message is out of sequence (GSSAPI.UNSEQ_TOKEN
orGSSAPI.GAP_TOKEN
).Otherwise the unwrapped message is returned, which is valid according to the currently required services (note however that requiring the confidentiality service does not imply that an error is signalled whenever an unencrypted message is received - see instead
accept_encrypted_only
above).- Throws
Any GSS-API errors except
GSSAPI.DEFECTIVE_TOKEN
andGSSAPI.BAD_MIC
are thrown.- Note
This function sets the value returned by
last_confidential
andlast_qop
.- Note
Even if the message is considered valid by the return value,
last_major_status
may be called to check for the informatory codes mentioned above.
- Methodverify_mic
int
verify_mic(string
message
,string
mic
)- Description
Verifies the origin and integrity of the given
message
using the givenmic
, which has been calculated by the sender usingget_mic
or some other GSS_GetMIC wrapper.This wraps GSS_VerifyMIC according to RFC 2743 section 2.3.2.
This function requires that the context is established, or that the early per-message protection service is available (c.f.
GSSAPI.PROT_READY_FLAG
. If not, aGSSAPI.MissingServicesError
is thrown (but the context is not closed).- Returns
Zero is returned if the verification fails with
GSSAPI.DEFECTIVE_TOKEN
orGSSAPI.BAD_MIC
.Otherwise the message origin and integrity checks out, but it might still be considered wrong depending on whether the replay detection or sequencing services are required (see
required_services
):If replay detection (c.f.
GSSAPI.REPLAY_FLAG
) is required then zero is returned if the message is duplicated (GSSAPI.DUPLICATE_TOKEN
) or old (GSSAPI.OLD_TOKEN
).If sequencing (c.f.
GSSAPI.SEQUENCE_FLAG
) is required then in addition to the replay detection conditions, zero is also returned if the message is out of sequence (GSSAPI.UNSEQ_TOKEN
orGSSAPI.GAP_TOKEN
).Otherwise nonzero is returned to indicate that the message is valid according to the currently required services.
- Throws
Any GSS-API errors except
GSSAPI.DEFECTIVE_TOKEN
andGSSAPI.BAD_MIC
are thrown.- Note
This function sets the value returned by
last_qop
.- Note
Regardless whether the message is considered valid or not by the return value,
last_major_status
may be called to check for routine errors or the informatory codes mentioned above.
- Methodwrap
string
wrap(string
message
,void
|int
encrypt
,void
|int
qop
)- Description
Calculates a MIC (message integrity checksum) for the given message, and returns it together with the message, which is optionally encrypted. The returned value can be verified and (if applicable) decrypted by the receiver using
unwrap
or some other GSS_Unwrap wrapper.This wraps GSS_Wrap according to RFC 2743 section 2.3.3.
This function requires that the context is established, or that the early per-message protection service is available (c.f.
GSSAPI.PROT_READY_FLAG
. If not, aGSSAPI.MissingServicesError
is thrown (but the context is not closed).- Parameter
message
The message to be wrapped. It may be of zero length.
- Parameter
encrypt
Set to nonzero to request that the message is encrypted. Otherwise only a MIC is calculated and the returned value contains the unencrypted message.
If this is set and the confidentiality service (c.f.
GSSAPI.CONF_FLAG
) is required then the returned value is always encrypted. Otherwise it might not be encrypted anyway, and a call tolast_confidential
will tell if it is or not.- Parameter
qop
The quality of protection. This is a mechanism-specific value that lets the user direct how the underlying mechanism calculates the MIC. See RFC 2743 section 1.2.4.
Zero or left out means use the default method.
- Note
This function sets the value returned by
last_confidential
.- See also
wrap_size_limit
- Methodwrap_size_limit
int(0..)
wrap_size_limit(int(0..)
output_size
,int
encrypt
,void
|int
qop
)- Description
Returns the maximum size of an input string to
wrap
that would produce no more thanoutput_size
bytes in the resulting output.This wraps GSS_Wrap_size_limit according to RFC 2743 section 2.2.7.
with_confidentiality
andqop
are the same as in the call towrap
.
Class GSSAPI.Cred
- Description
Objects of this class hold one or more credentials that the current process can use to assert identities; see RFC 2743 section 1.1.1.
- Note
If a
Cred
object is destructed, GSS_Release_cred (RFC 2743 section 2.1.2) is called. The RFC doesn't preclude that that function might do blocking network I/O, which due to pike's object management might occur essentially anytime in any thread if the object isn't explicitly destructed. To avoid that, it's recommended to callrelease
in credential objects that are no longer used.
- Methodname
Methodcred_usage
Methodmechs
Methodlifetime
Methodinit_lifetime
Methodaccept_lifetime GSSAPI.Name
name(void
|string
mech
)int
cred_usage(void
|string
mech
)multiset
(string
) mechs()int(0..)
|Int.inf
lifetime()int(0..)
|Int.inf
init_lifetime(string
mech
)int(0..)
|Int.inf
accept_lifetime(string
mech
)- Description
Functions to query various properties about the credentials.
These wrap GSS_Inquire_cred according to RFC 2743 section 2.1.3 if
mech
is not given, and GSS_Inquire_cred_by_mech according to RFC 2743 section 2.1.5 otherwise.- Parameter
mech
If this is given then the credential for that specific mechanism is queried.
mech
contains the OID of the mechanism on dotted-decimal form.Some of the query functions can only be used for a specific mechanism, in which case
mech
is required. Some can only be used on the credentials in general, and themech
argument is not applicable. Some can be used both ways, and thenmech
is optional.name (void|string mech) Returns the name of the identity that the credential(s) assert. If
mech
is given then the returned name is a Mechanism Name (MN).The returned
GSSAPI.Name
object is always a newly created one, even though it typically compares as equal with the ones given toacquire
oradd
.cred_usage (void|string mech) Returns how the credential(s) may be used, one of
GSSAPI.INITIATE
,GSSAPI.ACCEPT
orGSSAPI.BOTH
.If
mech
is not given then the returned usage value reflects the union of the capabilities in all credentials.mechs() Returns the set of mechanisms supported by the credential. The returned value is a multiset of strings with OIDs on dotted-decimal form.
lifetime() Returns the shortest validity lifetime left in any of the mechanisms that are part of the credentials, for either initiator or acceptor use.
Returns zero if some part of the credentials has expired.
Returns
Int.inf
if there is no time limit (in older pikes withoutInt.inf
a large positive integer is returned instead).init_lifetime (string mech) Returns the validity lifetime left for initiator use.
Returns zero if the credential has expired for this use or if its usage is
GSSAPI.ACCEPT
.Returns
Int.inf
if there is no time limit (in older pikes withoutInt.inf
a large positive integer is returned instead).accept_lifetime (string mech) Returns the validity lifetime left for acceptor use.
Returns zero if the credential has expired for this use or if its usage is
GSSAPI.INITIATE
.Returns
Int.inf
if there is no time limit (in older pikes withoutInt.inf
a large positive integer is returned instead).
- Note
RFC 2743 doesn't preclude that these functions might block on network connections to remote authentication servers.
- Methodacquire
void
acquire(Name
|string
name
,int
cred_usage
,void
|multiset
(string
)desired_mechs
,void
|int(0..)
desired_time
)- Description
Acquire initial credentials for this object. It is an error if it already has some credentials.
This wraps GSS_Acquire_cred according to RFC 2743 section 2.1.1.
- Parameter
name
The name of the identity for which credentials should be acquired. It is up to the GSS-API implementation to check whether the running process is authorized to act on behalf of this identity.
This can be either a
GSSAPI.Name
object or a string. In the latter case, the string is converted to a GSS-API name according to a mechanism-specific default printable syntax, i.e. just like if it would be given as the sole argument toGSSAPI.Name.create
.If this is zero then credentials for the default principal (if any) are retrieved.
- Parameter
cred_usage
Specifies how the credential will be used. One of
GSSAPI.INITIATE
,GSSAPI.ACCEPT
orGSSAPI.BOTH
.- Parameter
desired_mechs
The mechanisms that the credentials should cover, as a multiset containing their OIDs on dotted-decimal form. If zero or left out then a default set provided by the GSS-API implementation is used.
It is an error to pass an empty multiset.
- Parameter
desired_time
Number of seconds the credentials should remain valid. The GSS-API implementation may return credentials that are valid both longer and shorter than this. Zero or left out means use the maximum permitted time.
- Note
This function might block on network connections to remote authentication servers.
- Methodadd
void
add(Name
|string
name
,int
cred_usage
,string
desired_mech
,void
|int(0..)
|array
(int(0..)
)desired_time
)- Description
Adds another credential element to this object. If this object has no credentials already then it will get the default credentials in addition to this specified one.
This wraps GSS_Add_cred according to RFC 2743 section 2.1.4.
- Parameter
name
The name of the identity for which a credential should be acquired. It is up to the GSS-API implementation to check whether the running process has sufficient privileges to act on behalf of this identity.
This can be either a
GSSAPI.Name
object or a string. In the latter case, the string is converted to a GSS-API name according to a mechanism-specific default printable syntax, i.e. just like if it would be given as the sole argument toGSSAPI.Name.create
.If this is zero then a credential for the default principal (if any) are retrieved.
- Parameter
cred_usage
Specifies how the credential will be used. One of
GSSAPI.INITIATE
,GSSAPI.ACCEPT
orGSSAPI.BOTH
.- Parameter
desired_mech
The mechanism that the credential should cover, as an OID on dotted-decimal form.
- Parameter
desired_time
Number of seconds the credential should remain valid. The GSS-API implementation may return a credential that is valid both longer and shorter than this. Zero or left out means use the maximum permitted time.
This can also be an array containing two elements. In that case the first element applies to the credential when it is used to initiate contexts, and the second element applies to use for acceptor contexts.
- Note
This function might block on network connections to remote authentication servers.
- Methodrelease
void
release()- Description
Frees the resources for the credential.
This wraps GSS_Release_cred according to RFC 2743 section 2.1.2.
- Note
This function might block on network connections to remote authentication servers.
Class GSSAPI.Error
- Description
Error object used for GSS-API errors.
- Constantis_gssapi_error
Constanterror_type constant
int
GSSAPI.Error.is_gssapi_error
constant
string
GSSAPI.Error.error_type
- Description
Object recognition constants.
- Variablemajor_status
int
GSSAPI.Error.major_status- Description
The major status code. This is a bitwise OR of one routine error code and zero or more supplementary error info bits.
See RFC 2743 section 1.2.1.1 and RFC 2744 section 3.9.1. Note that the calling errors mentioned in RFC 2744 are never thrown.
- See also
major_status_messages
- Variableminor_status
int
GSSAPI.Error.minor_status- Description
The minor status code specific for the mechanism.
- See also
minor_status_messages
,minor_status_mech
- Methodcreate
GSSAPI.ErrorGSSAPI.Error(
void
|int
major
,void
|int
minor
,void
|string
mech
,void
|string
message
,void
|array
backtrace
)- Parameter
major
Initial value for
major_status
.- Parameter
minor
Initial value for
minor_status
.- Parameter
mech
Object identifier on dotted-decimal form for the mechanism that
minor
applies to.- Parameter
message
Error message. This is prepended to the message generated from
major_status
and/orminor_status
.": "
is inserted in between.- Parameter
backtrace
Backtrace. The current backtrace for the calling function is used if left out.
- Methodmajor_status_messages
array
(string
) major_status_messages()- Description
Returns an array containing messages for all the status values in
major_status
. SeeGSSAPI.major_status_messages
for further details.
- Methodminor_status_mech
string
|zero
minor_status_mech()- Description
Returns the OID for the mechanism that is used to interpret the minor status, or zero if no mechanism has been set. It is returned on dotted-decimal form.
Class GSSAPI.InitContext
- Description
Variant of
Context
which is used on the initiator side.
- Methodcreate
GSSAPI.InitContextGSSAPI.InitContext(
void
|Cred
cred
,void
|Name
|string
target_name
,void
|string
mech
,void
|int
required_services
,void
|int
desired_services
,void
|int(0..)
desired_time
)- Description
Creates a context for initiator use. This function only accepts parameters to be used later during the
init
call. If there are semantic problems with them, such as if the credentials are stale or the mechanism isn't supported, then they will be signalled later byinit
.- Parameter
cred
Credentials for the identity this context claims. The credentials for the default principal (if any) is used if zero or left out.
- Parameter
target_name
The name of the target.
This can be either a
GSSAPI.Name
object or a string. In the latter case, the string is converted to a GSS-API name according to a mechanism-specific default printable syntax, i.e. just like if it would be given as the sole argument toGSSAPI.Name.create
.Some mechanisms support unnamed targets (as allowed in GSS-API v2, update 1) and in such cases this may be zero or left out.
- Parameter
mech
The mechanism to use. It is given as an OID on dotted-decimal form. The GSS-API implementation chooses this using system settings if it's zero or left out, which is the recommended way.
- Parameter
required_services
Bitfield of GSSAPI.*_FLAG flags specifying all services that must be provided in the context. If the context fail to provide any of them then it is closed and a
GSSAPI.MissingServicesError
is thrown.GSSAPI.PROT_READY_FLAG
is ignored in this parameter. The fact that a user calls a per-message function indicates that this service is required at that point, and aGSSAPI.MissingServicesError
is thrown if it isn't.- Parameter
desired_services
Bitfield of GSSAPI.*_FLAG flags specifying the context services that are wanted but not required. I.e. errors won't be thrown if any of these aren't provided. The services specified in
required_services
are implicit, so they need not be repeated here.GSSAPI.PROT_READY_FLAG
is ignored in this parameter.- Parameter
desired_time
The desired context validity time in seconds. Zero or left out means use the default.
- Note
Channel bindings (RFC 2743 section 1.1.6) are not yet implemented since that feature appear to not be in much active use, and its format is not completely specified (RFC 2744 section 3.11).
- Methodinit
string
init(void
|string
remote_token
)- Description
Initiates a security context to send to a remote peer.
This wraps GSS_Init_sec_context according to RFC 2743 section 2.2.1.
The underlying mechanism might require several tokens to be passed back and forth to establish the context. If
is_established
returns zero after a call to this function then the caller must wait for a token from the remote peer to feed asremote_token
in another call to this function.- Parameter
remote_token
A token from the remote peer, as returned by a call to
GSSAPI.AcceptContext.accept
(or some other GSS_Accept_sec_context wrapper) in it. This is zero or left out on the initial call, but used later if the remote peer sends back tokens to process as part of the context establishment.- Returns
If a string is returned then it must be passed to the remote peer which will feed it to
GSSAPI.AcceptContext.accept
or some other GSS_Accept_sec_context wrapper. An empty string is never returned.Zero is returned if there is no token to send to the remote peer. Note that
is_established
might still return zero in that case, meaning more remote tokens are necessary.- Note
This function might block on network connections to remote authentication servers.
Class GSSAPI.MissingServicesError
- Description
Error object used when one or more required services are missing in a
GSSAPI.Context
object.
- Constantis_gssapi_missing_services_error
Constanterror_type constant
int
GSSAPI.MissingServicesError.is_gssapi_missing_services_error
constant
string
GSSAPI.MissingServicesError.error_type
- Description
Object recognition constants.
- Variableservices
int
GSSAPI.MissingServicesError.services- Description
Bitfield of GSSAPI.*_FLAG flags for the missing services that caused the error.
- See also
GSSAPI.describe_services
Class GSSAPI.Name
- Description
An object of this class contains a name on the internal form which is required by the GSS-API functions. See RFC 2743 section 1.1.5.
- Method__hash
int
hash_value(GSSAPI.Namearg)- Description
Tries to export the name (see
export
) and if that succeeds returns a hash made from the exported name string. Otherwise a normal hash based on this object is returned.This means that mechanism names (MNs) can be used as indices in mappings without getting duplicate entries for the same identity.
- Method`==
int
res =GSSAPI.Name()
==other
- Description
Returns true if
other
is aGSSAPI.Name
which contains a name that refers to the same identity as this one.This wraps GSS_Compare_name according to RFC 2743 section 2.4.3.
If either
GSSAPI.Name
object is uninitialized or contains an anonymous identity then they are considered different, unless it is the very sameGSSAPI.Name
object (that is an inherent pike behavior).- Throws
An error is thrown if the names are incomparable, or if either of them are ill-formed.
- Methodcanonicalize
Name
canonicalize(string
mech
)- Description
Returns a
GSSAPI.Name
containing the canonical mechanism name (MN) of this name. The mechanism is given as a dotted-decimal OID inmech
.This wraps GSS_Canonicalize_name according to RFC 2743 section 2.4.14.
- Note
This function might block on network connections to remote authentication servers.
- Methodcreate
GSSAPI.NameGSSAPI.Name(
string
name
,void
|string
name_type
)- Description
This wraps GSS_Import_name according to RFC 2743 section 2.4.5.
- Parameter
name
A name on string form (a contiguous string name in GSS-API parlance).
- Parameter
name_type
The OID on dotted-decimal form for the type of the name in
name
. If left out,name
is parsed according to a mechanism-specific default printable syntax.- Note
If
name
is the result ofexport
or a similar function thenname_type
should beGSSAPI.NT_EXPORT_NAME
.
- Methoddisplay_name
Methoddisplay_name_type string
display_name()string
display_name_type()- Description
display_name
returns a representation of the name for display purposes, anddisplay_name_type
returns an OID on dotted-decimal form for the type of that name.If no type was given to
create
thendisplay_name_type
might return zero.This wraps GSS_Display_name according to RFC 2743 section 2.4.4.
- See also
The GSSAPI.NT_* constants.
- Methodexport
string
export(void
|string
mech
)- Description
Returns the name on the exported format. If
mech
isn't given then the name has to be a mechanism name (MN). Ifmech
is given then the name is canonicalized according to that mechanism before being exported (seecanonicalize
).This wraps GSS_Export_name according to RFC 2743 section 2.4.15.
- Note
This function might block on network connections to remote authentication servers if
mech
is specified.
- Methodmechs
multiset
(string
) mechs()- Description
Returns the OIDs for the mechanisms that might be able to process this name. The returned OID strings are on dotted-decimal form.
This wraps GSS_Inquire_mechs_for_name according to RFC 2743 section 2.4.13.
- Note
Some older GSS-API v2 implementations lack this funcion.
21.3. Cryptographic primitives
Module Crypto
- Description
Various cryptographic classes and functions.
- Hash modules
These are based on the
Nettle.Hash
API. Examples includeMD5
,SHA1
,SHA256
andSHA3_256
.- Cipher modules
These are based on the
Nettle.Cipher
API. Examples includeAES
,Arcfour
,DES
,DES3
,CAMELLIA
.The
Substitution
program is compatible withCipher.State
.Also conforming to the API are several helper modules such as
predef::Nettle.BufferedCipher.Buffer
,predef::Nettle.BlockCipher.CBC
,predef::Nettle.BlockCipher16.GCM
andPipe
.- Message Authentication Code modules (MACs)
MAC
algorithms are provided as sub-modules to their correspondingHash
orCipher
module. Examples includeSHA1.HMAC
andAES.UMAC32
.- Authenticated Encryption with Associated Data modules (AEADs)
AEAD
s combine ciphers with authentication codes, and may optionally also take into account some associated data that is provided out of band. This API is compatible with bothCipher
andHash
. AEADs are provided as sub-modules to their corresponding ciphers. Examples includeAES.CCM
,AES.GCM
andCAMELLIA.EAX
.
As the cryptographic services offered from this module aren't necessarily used for security applications, none of the strings input or output are marked as secure. That is up to the caller.
- Note
Most of the APIs in this module work on 8 bit binary strings unless otherwise noted. For conversions to and from hexadecimal notation
String.string2hex()
andString.hex2string()
may be of interest.- Note
This module is only available if Pike has been compiled with
Nettle
enabled (this is the default).
- Methodmake_crypt_md5
string(8bit)
make_crypt_md5(string(8bit)
password
,string(8bit)
|void
salt
)- Description
Hashes a
password
together with asalt
with the crypt_md5 algorithm and returns the result.- See also
verify_crypt_md5
- Methodrot13
string(8bit)
rot13(string(8bit)
data
)- Description
Convenience function that accesses the crypt function of a substitution object keyed to perform standard ROT13 (de)ciphering.
- Methodrot13
string(8bit)
rot13(string(8bit)
x
)- Description
Perform case insensitive ROT13 "encryption"/"decryption".
- See also
Substitution
- Methodsiphash24
int
siphash24(string
data
,void
|int
key
)- Description
Hashes a string, with an optional key, to a 64 bit integer using the siphash-2-4 algorithm. Currently the 64 bit
key
parameter is used both for the high and low part of the 128 bit key.
- Methodverify_crypt_md5
bool
verify_crypt_md5(string(8bit)
password
,string(7bit)
hash
)- Description
Verifies the
password
against the crypt_md5 hash.- Throws
May throw an exception if the hash value is bad.
- See also
make_crypt_md5
Class Crypto.AE
- Description
Abstract class for AE algorithms.
Class Crypto.AEAD
- Description
Abstract class for AEAD algorithms.
Class Crypto.BlockCipher
- Description
Abstract class for block cipher algorithms. Contains some tools useful for all block ciphers.
Contains the
CBC
submodule.
Class Crypto.BlockCipher16
- Description
Abstract class for block cipher algorithms with a 16 byte block size. Contains some tools useful for all such block ciphers.
Contains the
GCM
submodule.
Class Crypto.BufferedCipher
- Description
Abstract class for block cipher meta algorithms.
Contains the
Buffer
submodule.
Class Crypto.Cipher
- Description
Abstract class for crypto algorithms. Contains some tools useful for all ciphers.
- Note
Typically only inherited directly by stream ciphers.
- Note
It is however convenient for typing as it contains the minimum base level API for a cipher.
- See also
BufferedCipher
,BlockCipher
,BlockCipher16
Class Crypto.HMAC
- Description
HMAC, defined by RFC 2104.
Backward-compatibility implementation. New code should use
Crypto.Hash.HMAC
.
- Method`()
Crypto.MAC.State
res =Crypto.HMAC()
()- Description
Calling the HMAC object with a password returns a new object that can perform the actual HMAC hashing. E.g. doing a HMAC hash with MD5 and the password
"bar"
of the string"foo"
would require the codeCrypto.HMAC(Crypto.MD5)("bar")("foo")
.
- Methodcreate
Crypto.HMACCrypto.HMAC(
.Hash
h
,int(1..)
|void
b
)- Parameter
h
The hash object on which the HMAC object should base its operations. Typical input is
Crypto.MD5
.- Parameter
b
The block size of one compression block, in octets. Defaults to block_size() of
h
.
- Methodpkcs_digest
string(8bit)
pkcs_digest(string(8bit)
s
)- Description
Makes a PKCS-1 digestinfo block with the message
s
.- See also
Standards.PKCS.Signature.build_digestinfo
Class Crypto.Hash
- Description
Abstract class for hash algorithms. Contains some tools useful for all hashes.
Class Crypto.MAC
- Description
Abstract class for Message Authentication Code (MAC) algorithms. Contains some tools useful for all MACs.
Class Crypto.Pipe
- Description
A wrapper class that connects several cipher algorithms into one algorithm. E.g. triple DES can be emulated with
Crypto.Pipe(Crypto.DES, Crypto.DES, Crypto.DES)
.
Class Crypto.Sign
- Description
Abstract class for signature algorithms. Contains some tools useful for all signatures.
Class Crypto.Substitution
- Description
Implements a simple substitution crypto, ie. one of the first crypto systems ever invented and thus one of the least secure ones available.
- Methodfilter
string
filter(string
m
,multiset
(int
)|void
save
)- Description
Removes characters not in the encryption key or in the
save
multiset from the messagem
.
- Methodset_ACA_K1_key
this_program
set_ACA_K1_key(string
key
,void
|int
offset
,array
(string
)|void
alphabet
)- Description
Sets the key according to ACA K1 key generation. The plaintext alphabet is prepended with a keyword
key
that shifts the alphabet positions compared to the cryptogram alphabet. The plaintext alphabet is then reduced with the characters in the keyword. It is also optionally rotatedoffset
number of steps.
- Methodset_ACA_K2_key
this_program
set_ACA_K2_key(string
key
,void
|int
offset
,array
(string
)|void
alphabet
)- Description
Sets the key according to ACA K2 key generation. The cryptogram alphabet is prepended with a keyword
key
that shifts the alphabet positions compared to the plaintext alphabet. The cryptogram alphabet is then reduced with the characters in the keyword. It is als optionally reotatedoffset
number of steps.
- Methodset_ACA_K3_key
this_program
set_ACA_K3_key(string
key
,int
offset
,array
(string
)|void
alphabet
)- Description
Sets the key according to ACA K3 key generation. Both the plaintext and the cryptogram alphabets are prepended with a keyword
key
, which characters are removed from the rest of the alphabet. The plaintext alphabet is then rotatedoffset
number of steps.
- Methodset_ACA_K4_key
this_program
set_ACA_K4_key(string
key1
,string
key2
,void
|int
offset
,array
(string
)|void
alphabet
)- Description
Sets the key according to ACA K4 key generation. Both the plaintext and the cryptogram alphabets are prepended with the keywords
key1
andkey2
. The plaintext alphabet is then rotatedoffset
number of steps.
- Methodset_key
this_program
set_key(mapping
(string
:string
|array
(string
))key
)- Description
Sets the encryption and decryption key. The decryption key is derived from the encryption
key
by reversing the mapping. If one index maps to an array of strings, one element from the array will be chosen at random in such substitution.- Throws
An error is thrown if the encryption key can not be made reversible.
- Methodset_null_chars
this_program
set_null_chars(int
|float
p
,array
(string
)chars
)- Description
Set null characters (fillers). Characters from
chars
will be inserted into the output stream with a probabilityp
.- Parameter
p
A float between 0.0 and 1.0 or an integer between 0 and 100.
- Parameter
chars
An array of one character strings.
- Methodset_rot_key
this_program
set_rot_key(int(1..)
|void
steps
,void
|array
(string
)alphabet
)- Description
Sets the key to a ROT substitution system.
steps
defaults to 13 andalphabet
defaults to A-Z, i.e. this function defaults to set the substitution crypto to be ROT13. If no alphabet is given the key will be case insensitive, e.g. the key will really be two ROT13 alphabets, one a-z and one A-Z, used simultaneously.
Module Crypto.AES
- Description
AES (American Encryption Standard) is a quite new block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen.
Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and variable key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys.
Module Crypto.AES.POLY1305
Module Crypto.AES.UMAC128
- Description
UMAC is a familty of message digest functions based on universal hashing and
AES
that is specified in RFC 4418. They differ mainly in the size of the resulting digest.UMAC128
outputs a digest of 128 bits or 16 octets.- See also
UMAC32
,UMAC64
,UMAC96
Module Crypto.AES.UMAC32
- Description
UMAC is a familty of message digest functions based on universal hashing and
AES
that is specified in RFC 4418. They differ mainly in the size of the resulting digest.UMAC32
outputs a digest of 32 bits or 4 octets.- See also
UMAC64
,UMAC96
,UMAC128
Module Crypto.AES.UMAC64
- Description
UMAC is a familty of message digest functions based on universal hashing and
AES
that is specified in RFC 4418. They differ mainly in the size of the resulting digest.UMAC64
outputs a digest of 64 bits or 8 octets.- See also
UMAC32
,UMAC96
,UMAC128
Module Crypto.AES.UMAC96
- Description
UMAC is a familty of message digest functions based on universal hashing and
AES
that is specified in RFC 4418. They differ mainly in the size of the resulting digest.UMAC96
outputs a digest of 96 bits or 12 octets.- See also
UMAC32
,UMAC64
,UMAC128
Module Crypto.Arcfour
- Description
Arcfour is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of Arcfour is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like
"secret:1"
,"secret:2"
, ..... If you have keys that don't look like random bit strings, and you want to use Arcfour, always hash the key before feeding it to Arcfour.
Module Crypto.Arctwo
- Description
Arctwo is a block cipher, also known under the trade marked name RC2.
The cipher is quite weak, and should not be used for new software.
Module Crypto.Blowfish
- Description
BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys.
Module Crypto.CAST
- Description
CAST-128 is a block cipher, specified in RFC 2144. It uses a 64 bit (8 octets) block size, and a variable key size of up to 128 bits.
Module Crypto.Camellia
- Description
The Camellia 128-bit block cipher.
Module Crypto.ChaCha20
- Description
ChaCha20 is a stream cipher by D. J. Bernstein.
- Note
This module is not available in all versions of Nettle.
Module Crypto.ChaCha20.POLY1305
- Description
This is an
AEAD
cipher consisting of theCHACHA
cipher and aMAC
based on the POLY1305 algorithm.- Note
Note that this is an
AEAD
cipher, whileAES.POLY1305
(aka POLY1305-AES) is aMAC
.- Note
Note also that the POLY1305 algorithm used here is NOT identical to the one in the
AES.POLY1305
MAC
. The iv/nonce handling differs.- Note
This module is not available in all versions of Nettle.
Module Crypto.Checksum
- Description
Some non-cryptographic checksums.
- Methodadler32
int(0..)
adler32(string(8bit)
data
,void
|int(0..)
seed
)- Description
This function calculates the Adler-32 Cyclic Redundancy Check.
- Parameter
seed
Can be fed with the result of the previous invocation to chain on new data. Defaults to zero on virgin runs.
- Methodcrc32
int(0..)
crc32(string(8bit)
data
,void
|int(0..)
seed
)- Description
This function calculates the standard ISO3309 Cyclic Redundancy Check.
- Parameter
seed
Can be fed with the result of the previous invocation to chain on new data. Defaults to zero on virgin runs.
Module Crypto.DES
- Description
DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet is used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key.
The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using
DES3
or "triple DES".DES also has some weak keys.
Module Crypto.DES3
- Description
The inadequate key size of
DES
has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits.The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then decrypt it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as "ede" triple-DES, for "encrypt-decrypt-encrypt".
The "ede" construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3.
DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a "two-key" variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force.
Module Crypto.DH
- Description
Diffie-Hellman key-exchange related stuff.
- VariableFFDHE2048
Parameters
Crypto.DH.FFDHE2048- Description
Finite Field Diffie-Hellman 2048
From RFC 7919 appendix A.1.
- VariableFFDHE2432
Parameters
Crypto.DH.FFDHE2432- Description
Finite Field Diffie-Hellman 2432
Mentioned in Negotiated FF-DHE for TLS draft 06, March 2015, Section 2.
- VariableFFDHE3072
Parameters
Crypto.DH.FFDHE3072- Description
Finite Field Diffie-Hellman 3072
From RFC 7919 appendix A.2.
- VariableFFDHE4096
Parameters
Crypto.DH.FFDHE4096- Description
Finite Field Diffie-Hellman 4096
From RFC 7919 appendix A.3.
- VariableFFDHE6144
Parameters
Crypto.DH.FFDHE6144- Description
Finite Field Diffie-Hellman 6144
From RFC 7919 appendix A.4.
- VariableFFDHE8192
Parameters
Crypto.DH.FFDHE8192- Description
Finite Field Diffie-Hellman 8192
From RFC 7919 appendix A.5.
- VariableMODPGroup1
Parameters
Crypto.DH.MODPGroup1- Description
MODP Group 1 (768 bit) (aka First Oakley Group (aka ORM96 group 1)).
- Note
Not allowed for use with FIPS 140.
- VariableMODPGroup2
Parameters
Crypto.DH.MODPGroup2- Description
MODP Group 2 (1024 bit) (aka Second Oakley Group (aka ORM96 group 2)).
- Note
Not allowed for use with FIPS 140.
- VariableMODPGroup22
Parameters
Crypto.DH.MODPGroup22- Description
MODP Group 22 (1024-bit with 160-bit Subgroup).
- VariableMODPGroup23
Parameters
Crypto.DH.MODPGroup23- Description
MODP Group 23 (2048-bit with 224-bit Subgroup).
- VariableMODPGroup24
Parameters
Crypto.DH.MODPGroup24- Description
MODP Group 24 (2048-bit with 256-bit Subgroup).
- VariableMODPGroup5
Parameters
Crypto.DH.MODPGroup5- Description
MODP Group 5 (1536 bit).
- Note
Not allowed for use with FIPS 140.
Class Crypto.DH.Parameters
- Description
Diffie-Hellman parameters.
- Methodcreate
Crypto.DH.ParametersCrypto.DH.Parameters(
this_program
other
)- Description
Initialize the set of Diffie-Hellman parameters.
- Parameter
other
Copy the parameters from this object.
- Methodcreate
Crypto.DH.ParametersCrypto.DH.Parameters(
DSA_State
dsa
)- Description
Initialize the set of Diffie-Hellman parameters.
- Parameter
dsa
Copy the parameters from this object.
- Methodcreate
Crypto.DH.ParametersCrypto.DH.Parameters(
Gmp.mpz
|int
p
,Gmp.mpz
|int
|void
g
,Gmp.mpz
|int
|void
q
)- Description
Initialize the set of Diffie-Hellman parameters.
- Parameter
p
The prime for the group.
- Parameter
g
The generator for the group. Defaults to
2
.- Parameter
q
The order of the group. Defaults to
(p-1)/2
.
- Methodgenerate_keypair
array
(Gmp.mpz
) generate_keypair(function
(int(0..)
:string(8bit)
)rnd
)- Description
Generate a Diffie-Hellman key pair.
- Returns
Returns the following array:
Array Gmp.mpz
0
The generated public key.
Gmp.mpz
1
The corresponding private key.
- Methodvalidate
bool
validate(int(0..)
effort
)- Description
Validate that the DH Parameters doesn't have obvious security weaknesses. It will first attempt to verify the prime
p
using Donald Knuth's probabilistic primality test with providedeffort
. This has a chance of pow(0.25,effort) to produce a false positive. Aneffort
of 0 skipps this step. The second test verifies thatg
is of high order.
Module Crypto.DSA
- Description
The Digital Signature Algorithm DSA is part of the NIST Digital Signature Standard DSS, FIPS-186 (1993).
Class Crypto.DSA.State
- Annotations
@
Pike.Annotations.Implements
(Crypto.Sign.State
)
- Method_equal
bool
equal(Crypto.DSA.Statefrom,mixed
other
)- Description
Compares the keys of this DSA object with something other.
- Methodgenerate_key
variant
this_program
generate_key()- Description
Generates a public/private key pair. Needs the public parameters p, q and g set, through one of
set_public_key
,generate_key(int,int)
orgenerate_key(params)
.
- Methodgenerate_key
variant
this_program
generate_key(int
p_bits
,int
q_bits
)- Description
Generates DSA parameters (p, q, g) and key (x, y). Depending on Nettle version
q_bits
can be 160, 224 and 256 bits. 160 works for all versions.
- Methodgenerate_key
variant
this_program
generate_key(.DH.Parameters
params
)- Description
Generates a public/private key pair with the specified finite field diffie-hellman parameters.
- Methodhash
Gmp.mpz
hash(string(8bit)
msg
,__builtin.Nettle.Hash
h
)- Description
Makes a DSA hash of the message
msg
.
- Methodpkcs_algorithm_identifier
Sequence
pkcs_algorithm_identifier()- Description
Returns the AlgorithmIdentifier as defined in RFC 5280 section 4.1.1.2 including the DSA parameters.
- Methodpkcs_public_key
Sequence
pkcs_public_key()- Description
Creates a SubjectPublicKeyInfo ASN.1 sequence for the object. See RFC 5280 section 4.1.2.7.
- Methodpkcs_sign
string(8bit)
pkcs_sign(string(8bit)
message
,__builtin.Nettle.Hash
h
)- Description
Signs the
message
with a PKCS-1 signature using hash algorithmh
.
- Methodpkcs_signature_algorithm_id
Sequence
|zero
pkcs_signature_algorithm_id(__builtin.Nettle.Hash
hash
)- Description
Returns the PKCS-1 algorithm identifier for DSA and the provided hash algorithm. Only
SHA1
supported.
- Methodpkcs_verify
bool
pkcs_verify(string(8bit)
message
,__builtin.Nettle.Hash
h
,string(8bit)
sign
)- Description
Verify PKCS-1 signature
sign
of messagemessage
using hash algorithmh
.
- Methodpublic_key_equal
bool
public_key_equal(object
other
)- Description
Compares the public key in this object with that in the provided DSA object.
- Methodraw_sign
array
(Gmp.mpz
) raw_sign(Gmp.mpz
h
,Gmp.mpz
|void
k
)- Description
Sign the message
h
. Returns the signature as twoGmp.mpz
objects.
- Methodraw_verify
bool
raw_verify(Gmp.mpz
h
,Gmp.mpz
r
,Gmp.mpz
s
)- Description
Verify the signature
r
,s
against the messageh
.
- Methodset_private_key
this_program
set_private_key(Gmp.mpz
secret
)- Description
Sets the private key, the x parameter, in this DSA object.
- Methodset_public_key
this_program
set_public_key(Gmp.mpz
modulo
,Gmp.mpz
order
,Gmp.mpz
generator
,Gmp.mpz
key
)- Description
Sets the public key in this DSA object.
- Parameter
modulo
This is the p parameter.
- Parameter
order
This is the group order q parameter.
- Parameter
generator
This is the g parameter.
- Parameter
kye
This is the public key y parameter.
- Methodset_public_key
variant
this_program
set_public_key(.DH.Parameters
params
,Gmp.mpz
key
)- Description
Sets the public key in this DSA object.
- Parameter
params
The finite-field diffie-hellman group parameters.
- Parameter
key
The public key y parameter.
Module Crypto.ECC
- Description
Elliptic Curve Cipher Constants.
This module contains constants used with elliptic curve algorithms.
Class Crypto.ECC.Curve
- Description
The definition of an elliptic curve.
Objects of this class are typically not created by the user.
- See also
SECP_192R1
,SECP_224R1
,SECP_256R1
,SECP_384R1
,SECP_521R1
- Methodpkcs_algorithm_identifier
Sequence
pkcs_algorithm_identifier()- Description
Returns the AlgorithmIdentifier as defined in RFC 5480 section 2.
- Methodpkcs_ec_parameters
Identifier
pkcs_ec_parameters()- Description
Returns the PKCS-1 elliptic curve parameters for the curve. cf RFC 5480 section 2.1.1.
- Methodpkcs_named_curve_id
Identifier
|zero
pkcs_named_curve_id()- Description
Returns the PKCS-1 elliptic curve identifier for the curve. cf RFC 5480 section 2.1.1.
Class Crypto.ECC.Curve.ECDSA
- Description
Elliptic Curve Digital Signing Algorithm
- Method_equal
bool
equal(Crypto.ECC.Curve.ECDSAfrom,mixed
other
)- Description
Compares the keys of this ECDSA object with something other.
- Methodgenerate_key
this_program
generate_key()- Description
Generate a new set of private and public keys on the current curve.
- Methodget_public_key
string(8bit)
get_public_key()- Description
Get the ANSI x9.62 4.3.6 encoded uncompressed public key.
- Methodjose_decode
array
(mapping
(string(7bit)
:string(7bit)
|int
)|string(8bit)
)|zero
jose_decode(string(7bit)
jws
)- Description
Verify and decode a JOSE JWS ECDSA signed value.
- Parameter
jws
A JSON Web Signature as returned by
jose_sign()
.- Returns
Returns
0
(zero) on failure, and an arrayArray mapping
(string(7bit)
:string(7bit)
|int
)0
The JOSE header.
string(8bit)
1
The signed message.
- See also
pkcs_verify()
, RFC 7515 section 3.5
- Methodjose_sign
string(7bit)
|zero
jose_sign(string(8bit)
message
,.Hash
|void
h
,mapping
(string(7bit)
:string(7bit)
|int
)|void
headers
)- Description
Signs the
message
with a JOSE JWS ECDSA signature using hash algorithmh
.- Parameter
message
Message to sign.
- Parameter
h
Hash algorithm to use.
- Returns
Returns the signature on success, and
0
(zero) on failure.- See also
pkcs_verify()
,salt_size()
, RFC 7515
- Methodjwa
string(7bit)
|zero
jwa(.Hash
hash
)- Description
Get the JWS algorithm identifier for a hash.
- Returns
Returns
0
(zero) on failure.- See also
- Methodjwk
mapping
(string(7bit)
:string(7bit)
)|zero
jwk(bool
|void
private_key
)- Description
Generate a JWK-style mapping of the object.
- Parameter
private_key
If true, include the private key in the result.
- Returns
Returns a JWK-style mapping on success, and
0
(zero) on failure.- See also
create()
,Web.encode_jwk()
, RFC 7517 section 4, RFC 7518 section 6.2
- Methodpkcs_algorithm_identifier
Sequence
pkcs_algorithm_identifier()- Description
Returns the AlgorithmIdentifier as defined in RFC 5480 section 2.1.1 including the ECDSA parameters.
- Methodpkcs_public_key
Sequence
pkcs_public_key()- Description
Creates a SubjectPublicKeyInfo ASN.1 sequence for the object. See RFC 5280 section 4.1.2.7 and RFC 5480 section 2.2.
- Methodpkcs_sign
string(8bit)
pkcs_sign(string(8bit)
message
,.Hash
h
)- Description
Signs the
message
with a PKCS-1 signature using hash algorithmh
.
- Methodpkcs_signature_algorithm_id
Sequence
|zero
pkcs_signature_algorithm_id(.Hash
hash
)- Description
Returns the PKCS-1 algorithm identifier for ECDSA and the provided hash algorithm. Only SHA-1 and SHA-2 based hashes are supported currently.
- Methodpkcs_verify
bool
pkcs_verify(string(8bit)
message
,.Hash
h
,string(8bit)
sign
)- Description
Verify PKCS-1 signature
sign
of messagemessage
using hash algorithmh
.
- Methodpublic_key_equal
bool
public_key_equal(this_program
ecdsa
)- Description
Compares the public key in this object with that in the provided ECDSA object.
- Methodset_private_key
this_program
set_private_key(Gmp.mpz
|int
k
)- Description
Set the private key.
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_private_key
variant
this_program
set_private_key(string(8bit)
k
)- Description
Set the private key.
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_public_key
this_program
set_public_key(Gmp.mpz
|int
x
,Gmp.mpz
|int
y
)- Description
Change to the selected point on the curve as public key.
- Note
Throws errors if the point isn't on the curve.
- Methodset_public_key
variant
this_program
set_public_key(string(8bit)
key
)- Description
Change to the selected point on the curve as public key.
- Parameter
key
The public key encoded according to ANSI x9.62 4.3.6.
- Note
Throws errors if the point isn't on the curve.
- Methodset_random
this_program
set_random(function
(int
:string(8bit)
)r
)- Description
Set the random function, used to generate keys and parameters, to the function
r
.
Module Crypto.ECC.Curve25519
- Description
The definition of the elliptic curve X25519.
- See also
Curve
,Curve448
- Methodpkcs_algorithm_identifier
Sequence
pkcs_algorithm_identifier()- Description
Returns the AlgorithmIdentifier for the curve as defined in RFC 8410 section 3.
- Methodpkcs_eddsa_id
Identifier
pkcs_eddsa_id()- Description
Returns the EdDSA AlgorithmIdentifier as defined in RFC 8410 section 3.
- Methodpkcs_named_curve_id
Identifier
pkcs_named_curve_id()- Description
Returns the PKCS-1 elliptic curve identifier for the curve. cf RFC 8410 section 3.
Class Crypto.ECC.Curve25519.EdDSA
- Description
Edwards Curve Digital Signing Algorithm
- Method_equal
bool
equal(Crypto.ECC.Curve25519.EdDSAfrom,mixed
other
)- Description
Compares the keys of this ECDSA object with something other.
- Methodgenerate_key
this_program
generate_key()- Description
Generate a new set of private and public keys on the current curve.
- Methodget_public_key
string(8bit)
get_public_key()- Description
Get the ANSI x9.62 4.3.6 encoded uncompressed public key.
- Methodjose_decode
array
(mapping
(string(7bit)
:string(7bit)
|int
)|string(8bit)
)|zero
jose_decode(string(7bit)
jws
)- Description
Verify and decode a JOSE JWS EdDSA signed value.
- Parameter
jws
A JSON Web Signature as returned by
jose_sign()
.- Returns
Returns
0
(zero) on failure, and an arrayArray mapping
(string(7bit)
:string(7bit)
|int
)0
The JOSE header.
string(8bit)
1
The signed message.
- See also
pkcs_verify()
, RFC 7515 section 3.5
- Methodjose_sign
string(7bit)
|zero
jose_sign(string(8bit)
message
,.Hash
|void
h
,mapping
(string(7bit)
:string(7bit)
|int
)|void
headers
)- Description
Signs the
message
with a JOSE JWS EdDSA signature.- Parameter
message
Message to sign.
- Parameter
h
Hash algorithm to use; ignored for Ed25519.
- Returns
Returns the signature on success, and
0
(zero) on failure.- See also
pkcs_verify()
,salt_size()
, RFC 7515
- Methodjwa
string(7bit)
jwa(.Hash
|void
hash
)- Description
Get the JWS algorithm identifier for a hash.
- Parameter
hash
Hash algorithm; ignored for Ed25519.
- Returns
Returns
0
(zero) on failure.- See also
- Methodjwk
mapping
(string(7bit)
:string(7bit)
)|zero
jwk(bool
|void
private_key
)- Description
Generate a JWK-style mapping of the object.
- Parameter
private_key
If true, include the private key in the result.
- Returns
Returns a JWK-style mapping on success, and
0
(zero) on failure.- See also
create()
,Web.encode_jwk()
, RFC 8037
- Methodpkcs_algorithm_identifier
Sequence
pkcs_algorithm_identifier()- Description
Returns the AlgorithmIdentifier as defined in RFC 5480 section 2.1.1 including the EdDSA parameters.
- Methodpkcs_named_curve_id
Identifier
pkcs_named_curve_id()- Description
Returns the EdDSA identifier for the curve.
- Methodpkcs_public_key
Sequence
pkcs_public_key()- Description
Creates a SubjectPublicKeyInfo ASN.1 sequence for the object. See RFC 5280 section 4.1.2.7.
- Methodpkcs_sign
string(8bit)
pkcs_sign(string(8bit)
message
,.Hash
|void
h
)- Description
Signs the
message
with a PKCS-1 signature using hash algorithmh
.- Parameter
h
Hash algorithm; ignored for
Curve25519
.
- Methodpkcs_signature_algorithm_id
Sequence
pkcs_signature_algorithm_id(.Hash
|void
hash
)- Description
Returns the PKCS-1 algorithm identifier for EdDSA and the provided hash algorithm.
- Parameter
hash
Hash algorithm; ignored for
Curve25519
.
- Methodpkcs_verify
bool
pkcs_verify(string(8bit)
message
,.Hash
|void
h
,string(8bit)
sign
)- Description
Verify PKCS-1 signature
sign
of messagemessage
using hash algorithmh
.- Parameter
h
Hash algorithm; ignored for Ed25519.
- Methodpublic_key_equal
bool
public_key_equal(this_program
eddsa
)- Description
Compares the public key in this object with that in the provided ECDSA object.
- Methodset_private_key
this_program
set_private_key(string(8bit)
k
)- Description
Set the private key.
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_random
this_program
set_random(function
(int
:string(8bit)
)r
)- Description
Set the random function, used to generate keys and parameters, to the function
r
.
Module Crypto.GOST94
- Description
The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards, defined in RFC 4357.
Module Crypto.GOST94CP
- Description
The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards. This is the "CryptoPro" variant.
- See also
GOST94
Module Crypto.IDEA
- Description
The IDEA(tm) block cipher is covered by patents held by ETH and a Swiss company called Ascom-Tech AG. The Swiss patent number is PCT/CH91/00117, the European patent number is EP 0 482 154 B1, and the U.S. patent number is US005214703. IDEA(tm) is a trademark of Ascom-Tech AG. There is no license fee required for noncommercial use.
Module Crypto.Koremutake
- Description
Quote from Koremutake home page http://shorl.com/koremutake:
In an attempt to temporarily solve the fact that human beings seem to be inable to remember important things (such as their names, car keys and seemingly random numbers with fourteen digits in 'em), we invented Koremutake.
It is, in plain language, a way to express any large number as a sequence of syllables. The general idea is that word-sounding pieces of information are a lot easier to remember than a sequence of digits.
- Note
Note this encoding is NOT suitable for encoding numeric quantities where initial zeroes are significant (ie it is NOT suitable for eg PIN-numbers).
- Note
This module implements an API that is similar to (but NOT compatible with) the generic
Crypto.Cipher
API.
- Methoddecrypt
int(0..)
decrypt(string(7bit)
c
)- Description
Decode a koremutake string into an integer.
- Note
Returns an integer. This is not compatible with the
Crypto.Cipher
API.
Module Crypto.MD2
- Description
MD2 is a message digest function constructed by Burton Kaliski, and is described in RFC 1319. It outputs message digests of 128 bits, or 16 octets.
Module Crypto.MD4
- Description
MD4 is a message digest function constructed by Ronald Rivest, and is described in RFC 1320. It outputs message digests of 128 bits, or 16 octets.
Module Crypto.MD5
- Description
MD5 is a message digest function constructed by Ronald Rivest, and is described in RFC 1321. It outputs message digests of 128 bits, or 16 octets.
- Methodcrypt_hash
string(7bit)
crypt_hash(string(8bit)
password
,string(7bit)
salt
,int(0..)
|void
rounds
)- Description
This is a convenience alias for
Nettle.crypt_md5()
, that uses the same API as the other hashes.- Note
The
rounds
parameter is currently ignored. For forward compatibility, either leave out, or specify as1000
.- See also
Nettle.Hash()->crypt_hash()
,crypt_md5()
- Methodcrypt_hash_apr1
string(7bit)
crypt_hash_apr1(string(8bit)
password
,string(7bit)
salt
,int(0..)
|void
rounds
)- Description
This is an implementation of the Apache password hashing algorithm typically denoted as
"apr1"
.- Parameter
password
Password to hash.
- Parameter
salt
8 bytes of salt.
- Parameter
round
Number of algorithm rounds. Default:
1000
.- See also
Nettle.Hash()->crypt_hash()
,crypt_md5()
, https://fr.wikipedia.org/wiki/APR1
Module Crypto.NT
Class Crypto.NT.CryptContext
- Description
Class representing an HCRYPTPROV handle.
- Methodcreate
Crypto.NT.CryptContextCrypto.NT.CryptContext(
string(8bit)
name
,string(8bit)
csp
,int
type
,int
flags
)- Parameter
name
Key container name. When flags is set to
CRYPT_VERIFYCONTEXT
the name must be0
.- Parameter
csp
The name of the Crypto Service Provider to use. If set to
0
the user default CSP will be used.
Module Crypto.NTLM
- Description
NT Lan Manager authentication protocol primitives.
- Note
These functions use obsolete crypto primitives in weak and questionable ways, and should be avoided if possible. They are only intended to be used for interop with old code.
- See also
[MS-NLMP]:http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/[ms-nlmp].pdf
- MethodLMOWFv1
string(8bit)
LMOWFv1(string
Passwd
,string
User
,string
UserDom
)- Description
Lan-Manager One-Way Function version 1.
This function is also known as LM hash.
- MethodLMOWFv2
string(8bit)
LMOWFv2(string
Passwd
,string
User
,string
UserDom
)- Description
Lan-Manager One-Way Function version 2.
This function is identical to
NTOWFv2()
.
- MethodNTOWFv1
string(8bit)
NTOWFv1(string
Passwd
,string
User
,string
UserDom
)- Description
NT One-Way Function version 1.
- MethodNTOWFv2
string(8bit)
NTOWFv2(string
Passwd
,string
User
,string
UserDom
)- Description
NT One-Way Function version 2.
Module Crypto.None
- Description
The plaintext algorithm.
This modules implements several of the crypto APIs, but without any crypto. It is intended to be used for testing of higher level algorithms.
Module Crypto.PGP
- Description
PGP stuff. See RFC 4880.
- Methodencode_radix64
string
encode_radix64(string
data
,string
type
,mapping
(string
:string
)|void
extra
)- Description
Encode PGP data with ASCII armour.
Module Crypto.RC4
- Description
RC4 is a stream cipher, sometimes refered to as Arcfour, and while very fast isn't considered secure anymore.
- Note
The key setup of RC4 is quite weak, so you should never use keys with structure, such as ordinary passwords. If you have keys that don't look like random bit strings, and you want to use RC4, always hash the key before feeding it to RC4.
The first few thousand bits have a slight bias, so it is not uncommon for applications to encrypt a few kilobytes of dummy data before actual encryption.
Module Crypto.RIPEMD160
- Description
RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets.
Module Crypto.RSA
- Method`()
protected
State
`()(mapping
(string(8bit)
:Gmp.mpz
|int
|string(7bit)
)|void
params
)- Description
Calling `() will return a
State
object with the givenparams
.- See also
State()
Class Crypto.RSA.LowState
- Method_equal
bool
equal(Crypto.RSA.LowStatefrom,mixed
other
)- Description
Compares the keys of this RSA object with something other.
- Methodcreate
Crypto.RSA.LowStateCrypto.RSA.LowState(
mapping
(string(8bit)
:Gmp.mpz
|int
|string(7bit)
)|void
params
)- Description
Can be initialized with a mapping with the elements n, e, d, p and q.
The mapping can either contain integer values, or be an RFC 7517 JWK-style mapping with kty set to
"RSA"
and containMIME.encode_base64url()
-encoded values.- See also
jwk()
- Methodgenerate_key
this_program
generate_key(int(89..)
bits
,int(1..)
|Gmp.mpz
|void
e
)- Description
Generate a valid RSA key pair with the size
bits
using the random function set withset_random()
. The public exponente
will be used, which defaults to 65537. Keys must be at least 89 bits.
- Methodjwa
string(7bit)
jwa(.Hash
hash
)- Description
Get the JWS algorithm identifier for a hash.
- Returns
Returns
0
(zero) on failure.- See also
- Methodjwk
mapping
(string(7bit)
:string(7bit)
)|zero
jwk(bool
|void
private_key
)- Description
Generate a JWK-style mapping of the object.
- Parameter
private_key
If true, include the private key in the result. Note that if the private key isn't known, the function will fail (and return
0
).- Returns
Returns a JWK-style mapping on success, and
0
(zero) on failure.- See also
create()
,Web.encode_jwk()
, RFC 7517 section 4, RFC 7518 section 6.3
- Methodpublic_key_equal
bool
public_key_equal(this_program
rsa
)- Description
Compares the public key of this RSA object with another RSA object.
- Methodset_decrypt_key
this_program
set_decrypt_key(array
(Gmp.mpz
)key
)- Description
Sets the public key to
key
and the mod to decryption.- See also
set_encrypt_key
,crypt
- Methodset_encrypt_key
this_program
set_encrypt_key(array
(Gmp.mpz
)key
)- Description
Sets the public key to
key
and the mode to encryption.- See also
set_decrypt_key
,crypt
- Methodset_private_key
this_program
set_private_key(Gmp.mpz
|int
priv
,array
(Gmp.mpz
|int
)|void
extra
)- Description
Sets the private key.
- Parameter
priv
The private RSA exponent, often called d.
- Parameter
extra
Array Gmp.mpz
|int
0
The first prime, often called p.
Gmp.mpz
|int
1
The second prime, often called q.
- Methodset_public_key
this_program
set_public_key(Gmp.mpz
|int
modulo
,Gmp.mpz
|int
pub
)- Description
Sets the public key.
- Parameter
modulo
The RSA modulo, often called n. This value needs to be >=12.
- Parameter
pub
The public RSA exponent, often called e.
- Method_equal
Class Crypto.RSA.OAEPState
- Description
Implementation of RSAES-OAEP (Optimal Asymmetric Encryption Padding).
- See also
- VariableOAEP
this_program
Crypto.RSA.OAEPState.OAEP- Description
Get the OAEP encryption state.
- Note
Read only
- Methodblock_size
local
int
block_size()- Description
Returns the crypto block size, in bytes, or zero if not yet set.
Class Crypto.RSA.PKCS1_5State
- Description
PKCS#1 1.5 encryption (RFC 3447 section 7.2) and signatures (RFC 3447 section 8.2).
- See also
PSSState
- VariablePKCS1_5
this_program
Crypto.RSA.PKCS1_5State.PKCS1_5- Description
Get the PKCS#1 1.5 state.
- Note
Read only
- Methodblock_size
int
block_size()- Description
Returns the crypto block size, in bytes, or zero if not yet set.
- Methodcrypt
string(8bit)
|zero
crypt(string(8bit)
s
)- Description
Encrypt or decrypt depending on set mode.
- See also
set_encrypt_key
,set_decrypt_key
- Methoddecrypt
string(8bit)
|zero
decrypt(string(8bit)
s
)- Description
Decrypt a message encrypted with
encrypt
.
- Methodencrypt
string(8bit)
encrypt(string(8bit)
s
,function
(int
:string(8bit)
)|void
r
)- Description
Pads the message
s
withrsa_pad
type 2, signs it and returns the signature as a byte string.- Parameter
r
Optional random function to be passed down to
rsa_pad
.
- Methodjose_decode
array
(mapping
(string(7bit)
:string(7bit)
|int
)|string(8bit)
)|zero
jose_decode(string(7bit)
jws
)- Description
Verify and decode a JOSE JWS RSASSA-PKCS-v1.5 signed value.
- Parameter
jws
A JSON Web Signature as returned by
jose_sign()
.- Returns
Returns
0
(zero) on failure, and an arrayArray mapping
(string(7bit)
:string(7bit)
|int
)0
The JOSE header.
string(8bit)
1
The signed message.
on success.
- See also
pkcs_verify()
, RFC 7515 section 3.5
- Methodjose_sign
string(7bit)
|zero
jose_sign(string(8bit)
message
,mapping
(string(7bit)
:string(7bit)
|int
)|void
headers
,.Hash
|void
h
)- Description
Signs the
message
with a JOSE JWS RSASSA-PKCS-v1.5 signature using hash algorithmh
.- Parameter
message
Message to sign.
- Parameter
headers
JOSE headers to use. Typically a mapping with a single element
"typ"
.- Parameter
h
Hash algorithm to use. Currently defaults to
SHA256
.- Returns
Returns the signature on success, and
0
(zero) on failure (typically that the hash + salt combo is too large for the RSA modulo).- See also
pkcs_verify()
,salt_size()
, RFC 7515
- Methodjwa
string(7bit)
|zero
jwa(.Hash
hash
)- Description
Get the JWS algorithm identifier for a hash.
- Returns
Returns
0
(zero) on failure.- See also
- Methodpkcs_public_key
Sequence
pkcs_public_key()- Description
Calls
Standards.PKCS.RSA.build_public_key
with this object as argument.
- Methodpkcs_sign
string(8bit)
pkcs_sign(string(8bit)
message
,.Hash
h
)- Description
Signs the
message
with a PKCS-1 signature using hash algorithmh
. This is equivalent to I2OSP(RSASP1(OS2IP(RSAES-PKCS1-V1_5-ENCODE(message)))) in PKCS#1 v2.2.
- Methodpkcs_signature_algorithm_id
Sequence
pkcs_signature_algorithm_id(.Hash
hash
)- Description
Calls
Standards.PKCS.RSA.signature_algorithm_id
with the providedhash
.
- Methodpkcs_verify
bool
pkcs_verify(string(8bit)
message
,.Hash
h
,string(8bit)
sign
)- Description
Verify PKCS-1 signature
sign
of messagemessage
using hash algorithmh
.
- Methodraw_sign
Gmp.mpz
raw_sign(string(8bit)
digest
)- Description
Pads the
digest
withrsa_pad
type 1 and signs it. This is equivalent to RSASP1(OS2IP(RSAES-PKCS1-V1_5-ENCODE(message))) in PKCS#1 v2.2.
- Methodraw_verify
bool
raw_verify(string(8bit)
digest
,Gmp.mpz
s
)- Description
Verifies the
digest
against the signatures
, assuming pad type 1.- See also
rsa_pad
,raw_sign
- Methodrsa_pad
Gmp.mpz
rsa_pad(string(8bit)
message
,int(1..2)
type
,function
(int(0..)
:string(8bit)
)|void
random
)- Description
Pads the
message
to the current block size with methodtype
and returns the result as an integer. This is equivalent to OS2IP(RSAES-PKCS1-V1_5-ENCODE(message)) in PKCS#1 v2.2.- Parameter
type
1
The message is padded with
0xff
bytes.2
The message is padded with random data, using the
random
function if provided. Otherwise the default random function set in the object will be used.
Class Crypto.RSA.PSSState
- Description
RSA PSS signatures (RFC 3447 section 8.1).
- See also
PKCS1_5State
- Methodjose_decode
local
array
(mapping
(string(7bit)
:string(7bit)
|int
)|string(8bit)
)|zero
jose_decode(string(7bit)
jws
)- Description
Verify and decode a JOSE JWS RSASSA-PSS signed value.
- Parameter
jws
A JSON Web Signature as returned by
jose_sign()
.- Returns
Returns
0
(zero) on failure, and an arrayArray mapping
(string(7bit)
:string(7bit)
|int
)0
The JOSE header.
string(8bit)
1
The signed message.
- See also
pkcs_verify()
, RFC 7515 section 3.5
- Methodjose_sign
local
string(7bit)
|zero
jose_sign(string(8bit)
message
,mapping
(string(7bit)
:string(7bit)
|int
)|void
headers
,.Hash
|void
h
)- Description
Signs the
message
with a JOSE JWS RSASSA-PSS signature using hash algorithmh
.- Parameter
message
Message to sign.
- Parameter
headers
JOSE headers to use. Typically a mapping with a single element
"typ"
.- Parameter
h
Hash algorithm to use. Currently defaults to
SHA256
.- Returns
Returns the signature on success, and
0
(zero) on failure (typically that the hash + salt combo is too large for the RSA modulo).- See also
pkcs_sign()
,salt_size()
, RFC 7515 section 3.5
- Methodjwa
local
string(7bit)
|zero
jwa(.Hash
hash
)- Description
Get the JWS algorithm identifier for a hash.
- Returns
Returns
0
(zero) on failure.- See also
- Methodpkcs_sign
local
string(8bit)
pkcs_sign(string(8bit)
message
,.Hash
h
,string(8bit)
|int(0..)
|void
salt
)- Description
Signs the
message
with a RSASSA-PSS signature using hash algorithmh
.- Parameter
message
Message to sign.
- Parameter
h
Hash algorithm to use.
- Parameter
salt
Either of
int(0..)
Use a
random
salt of this length for the signature.zero
|void
Use a
random
salt of lengthsalt_size()
.string(8bit)
Use this specific salt.
- Returns
Returns the signature on success, and
0
(zero) on failure (typically that the hash + salt combo is too large for the RSA modulo).- See also
pkcs_verify()
,salt_size()
, RFC 3447 section 8.1.1
- Methodpkcs_signature_algorithm_id
local
Sequence
pkcs_signature_algorithm_id(.Hash
hash
,int(0..)
|void
saltlen
)- Description
Calls
Standards.PKCS.RSA.pss_signature_algorithm_id
with the providedhash
andsaltlen
.- Parameter
hash
Hash algorithm for the signature.
- Parameter
saltlen
Length of the salt for the signature. Defaults to the value returned by
salt_size()
.
- Method`()
Module Crypto.Random
- Description
This module contains a pseudo random number generator (PRNG) designed to give you the best possible random number generation. The current design is based on the Fortuna PRNG, but uses the system random source as input.
- Methodadd_entropy
void
add_entropy(string(8bit)
data
)- Description
Inject additional entropy into the random generator. One possible use is to persist random data between executions of an application. The internal state is approximately 256 bits, so storing 32 bytes from
random_string()
at shutdown and injecting them throughadd_entropy()
again at startup should carry over the entropy. Note that this doesn't affect the independent initialization that happens in the generator at startup, so the output sequence will be different than if the application had continued uninterrupted.- Parameter
data
The random string.
Module Crypto.SALSA20
- Description
The SALSA20 stream cipher.
Module Crypto.SALSA20R12
- Description
The
SALSA20
stream cipher reduced to just 12 rounds.
Module Crypto.SHA1
- Description
SHA1 is a hash function specified by NIST (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets.
Module Crypto.SHA224
- Description
SHA224 is another hash function specified by NIST, intended as a replacement for
SHA1
, generating larger digests. It outputs hash values of 224 bits, or 28 octets.
Module Crypto.SHA256
- Description
SHA256 is another hash function specified by NIST, intended as a replacement for
SHA1
, generating larger digests. It outputs hash values of 256 bits, or 32 octets.
Module Crypto.SHA384
- Description
SHA384 is another hash function specified by NIST, intended as a replacement for
SHA1
, generating larger digests. It outputs hash values of 384 bits, or 48 octets.
Module Crypto.SHA3_224
- Description
SHA-3-224 is another hash function specified by NIST, intended as a replacement for SHA-2. It outputs hash values of 224 bits, or 28 octets.
Module Crypto.SHA3_256
- Description
SHA-3-256 is another hash function specified by NIST, intended as a replacement for SHA-2. It outputs hash values of 256 bits, or 32 octets.
Module Crypto.SHA3_384
- Description
SHA-3-386 is another hash function specified by NIST, intended as a replacement for SHA-2. It outputs hash values of 256 bits, or 48 octets.
Module Crypto.SHA3_512
- Description
SHA-3-512 is another hash function specified by NIST, intended as a replacement for SHA-2. It outputs hash values of 512 bits, or 64 octets.
Module Crypto.SHA512
- Description
SHA512 is another hash function specified by NIST, intended as a replacement for
SHA1
, generating larger digests. It outputs hash values of 512 bits, or 64 octets.
Module Crypto.SHA512_224
- Description
SHA512/224 is another hash function specified by NIST. It is similar to
SHA512
except it uses a different initialization and the output is truncated to 224 bits, or 28 octets.
Module Crypto.SHA512_256
- Description
SHA512/256 is another hash function specified by NIST. It is similar to
SHA512
except it uses a different initialization and the output is truncated to 256 bits, or 32 octets.
Module Crypto.SHAKE_256
- Description
SHAKE-256 is an extendable output function (XOF) based on
SHA3_256
. It can provide an output digest of any length.- See also
SHA3_256.shake()
Module Crypto.SM3
- Description
SM3 is a cryptographic hash function standard adopted by the government of the People's Republic of China. It outputs hash values of 256 bits, or 32 octets.
Module Crypto.STREEBOG256
- Description
The STREEBOG256 algorithm is a member of the Streebog (GOST R 34.11-2012) family of hash algorithms, and is used in Russian government standards.
- See also
STREEBOG512
Module Crypto.STREEBOG512
- Description
The STREEBOG512 algorithm is a member of the Streebog (GOST R 34.11-2012) family of hash algorithms, and is used in Russian government standards.
- See also
STREEBOG256
Module Crypto.Serpent
- Description
SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to
AES
'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones.
Module Crypto.Twofish
- Description
Another
AES
finalist, this one designed by Bruce Schneier and others.
Module Crypto.rot13
Module Nettle
- Description
Low level crypto functions used by the
Crypto
module. Unless you are doing something very special, you would want to use the Crypto module instead.
- Methodbcrypt_hash
string(7bit)
bcrypt_hash(string(8bit)
password
,string(7bit)
scheme
,string(8bit)
|void
salt
,int
|void
log2rounds
)- Description
Low level implementation of the bcrypt password-hashing algorithm.
- Parameter
password
The cleartext password. Only accepts 8-bit strings. Typically passwords are encoded in UTF-8 NFC, but some platforms may have other conventions.
- Parameter
scheme
Specifies the scheme to be used to generate the hash. The settings either cleanly specify the scheme of either
"2a"
,"2b"
,"2x"
or"2y"
, or they contain the (or part of the prefix of) normal hashed password string, so an existing hashed password string may be passed unmodified.When generating a new hash from scratch, the following minimum needs to be specified, e.g.
"$2y$10$1b2lPgo4XumibnJGN3r3sO"
. In this"$"
is the separator,"2y"
specifies the used hash-algorithm,"10"
specifies2^10
encryption rounds and"1b2lPgo4XumibnJGN3r3sO"
is the salt (16 bytes, base64 encoded). The minimal value for settings would be"$2y$"
.- Parameter
salt
The salt can be supplied as part of
settings
, or separately as a 16-byte binary string.- Parameter
log2rounds
The log2 number of encryption rounds. If unspecified it is taken from the settings string, and if not specified there it defaults to
10
which equals 1024 encryption rounds.- Returns
Returns the (according to the specified algorithm, encryption rounds, and salt) hashed and encoded version of the supplied password. Throws an error on invalid input.
- Note
You should normally use
Crypto.Password
instead.- Note
Requires Nettle 2.7 or later.
- See also
Crypto.Password
,Crypto.BLOWFISH
- Methodbcrypt_verify
int
bcrypt_verify(string(8bit)
password
,string(7bit)
hashedpassword
)- Description
Low level implementation of the bcrypt password-verifying algorithm.
- Parameter
password
The cleartext password. Only accepts 8-bit strings.
- Parameter
hashedpassword
This is the full hashed password string.
- Returns
Returns
1
if the cleartext password matches the hashed password and zero otherwise.- Note
You should normally use
Crypto.Password
instead.- Note
Requires Nettle 2.7 or later.
- See also
Crypto.Password
,Crypto.BLOWFISH
- Methodcrc32c
int(0..)
crc32c(string(8bit)
data
,void
|int(0..)
seed
)- Description
Implements the Castagnoli CRC, CRC32C. Hardware optimized on Intel CPUs with SSE 4.2.
- Parameter
seed
Can be fed with the result of the previous invocation to chain on new data. Defaults to zero on virgin runs.
- Methodcrypt_md5
string(7bit)
crypt_md5(string(8bit)
password
,string(8bit)
salt
,void
|string(8bit)
magic
)- Description
Does the crypt_md5 abrakadabra (MD5 + snakeoil). It is assumed that
salt
does not contain "$".The
password
memory will be cleared before released.
- Methoddsa_generate_keypair
array
(Gmp.mpz
) dsa_generate_keypair(int
p_bits
,int
q_bits
,function
(int(0..)
:string(8bit)
)rnd
)- Description
Generates a DSA key pair with
p_bits
number of bits (sometimes referred to as L) for p, andq_bits
number of bits (sometimes referred to as N) for q, using the random functionrnd
.Valid combinations as per FIPS 186-3 are
p_bits q_bits 1024 160 2048 224 (rejected by some versions of Hogweed) 2048 256 3072 256
- Returns
Array Gmp.mpz
0
The value p, the modulo.
Gmp.mpz
1
The value q, the group order.
Gmp.mpz
2
The value g, the generator.
Gmp.mpz
3
The value y, the public value.
Gmp.mpz
4
The value x, the private value.
- Methodrsa_generate_keypair
array
(Gmp.mpz
) rsa_generate_keypair(int
bits
,int
e
,function
(int(0..)
:string(8bit)
)rnd
)- Description
Generates an RSA key pair with a
bits
sized modulus (n), using the provided value fore
and random functionrnd
.- Returns
Array Gmp.mpz
0
The value n, the modulo.
Gmp.mpz
1
The value d, the private exponent.
Gmp.mpz
2
The value p, a prime.
Gmp.mpz
3
The value q, a prime.
- Methodrsa_unpad
int(0..)
rsa_unpad(string(8bit)
data
,int(1..2)
type
)- Description
Unpads a message that has been padded according to RSAES-PKCS1-V1_5-ENCODE(message) in PKCS#1 v2.2, but without the null byte prefix. The padding method used on the original message must be provided in the
type
parameter. All content dependent processing is done in constant time for the same padding type anddata
length.- Returns
Returns the position in the string where the first non-padding character is, or 0.
- Methodversion
string
version()- Description
Returns the version of the Nettle library, e.g. "3.1". 0 is returned when runtime version is unknown.
Class Nettle.AEAD
- Description
Represents information about an Authenticated Encryption with Associated Data (AEAD) algorithm, such as name, key size, digest size, and block size.
- Methodblock_size
int(0..)
block_size()- Returns
The block size of the AEAD algorithm.
- Note
Note that AEAD algorithms often support automatic padding, so that the last block does not need to be complete.
- Methodiv_size
int(0..)
iv_size()- Description
Returns the size of the iv/nonce of the AEAD algorithm (if any).
Returns
0
(zero) if there is no configurable iv/nonce.
Class Nettle.AEAD.State
- Description
Base class for AEAD contexts.
- Methodblock_size
int(0..)
block_size()- Returns
The block size for this cipher.
- Note
The default implementation just calls
Cipher::block_size()
in the parent.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypts or decrypts data, using the current key. Neither the input nor output data is automatically memory scrubbed, unless
String.secure
has been called on them.- Parameter
data
Data must be an integral number of blocks, except for the last segment.
- Returns
The encrypted or decrypted data.
- Methoddigest
string(8bit)
digest(int
|void
length
)- Description
Generates a digest, and resets the AEAD contents.
Also updates the iv/nonce (if any).
- Parameter
length
If the length argument is provided, the digest is truncated to the given length.
- Returns
The digest.
- Methodiv_size
int(0..)
iv_size()- Description
Returns the size of the iv/nonce of the AEAD algorithm (if any).
Returns
0
(zero) if there is no configurable iv/nonce.
- Methodmake_key
string(8bit)
make_key()- Description
Generate a key by calling
random_string
and initialize this object for encryption with that key.- Returns
The generated key. The key memory will be cleared before released.
- See also
set_encrypt_key
- Methodname
string(8bit)
name()- Returns
A human readable name for the algorithm.
- Note
The default implementation just calls
Cipher::name()
in the parent.
- Methodset_decrypt_key
State
set_decrypt_key(string(8bit)
key
)- Description
Initializes the object for decryption. The
key
memory will be cleared before released.- See also
set_encrypt_key
,crypt
- Methodset_encrypt_key
State
set_encrypt_key(string(8bit)
key
)- Description
Initializes the object for encryption. The
key
memory will be cleared before released.- See also
set_decrypt_key
,crypt
- Methodset_iv
State
set_iv(string(8bit)
iv
)- Description
Set the iv/nonce (if supported) for the AEAD.
- Returns
Returns
this
in order to simplify chaining of function calls.
Class Nettle.AES
- Description
Implementation of the AES cipher.
Class Nettle.AES128
- Description
Implementation of the AES128 cipher.
Class Nettle.AES128_CTR_DRBG
- Description
Minimal implementation of NIST SP800-90Ar1 pseudo random number generator CTR_DRBG using AES-128. No personalization, nounces or additional data are supported.
- See also
Random.AES128_CTR_DRBG
- Variablereseed_interval
int(1..281474976710656)
Nettle.AES128_CTR_DRBG.reseed_interval- Description
The number of times
random_string
can be called before a reseeding is forced. The number needs to be in the range of 1..1<<48.- See also
entropy_underflow
- Variablereseed_interval
int(1..281474976710656)
Nettle.AES128_CTR_DRBG.reseed_interval- Description
The number of times
random_string
can be called before a reseeding is forced. The number needs to be in the range of 1..1<<48.- See also
entropy_underflow
- Methodentropy_underflow
void
entropy_underflow()- Description
Called when
random_string
has been called more thanreseed_interval
times.
- Methodrandom_string
string(8bit)
random_string(int(0..)
len
)- Description
Generates
len
amount of pseudo random data. Does not allow for additional input data in the call.
Class Nettle.AES192
- Description
Implementation of the AES192 cipher.
Class Nettle.AES256
- Description
Implementation of the AES256 cipher.
Class Nettle.ARCFOUR
- Description
Implementation of the ARCFOUR cipher.
Class Nettle.ARCTWO
- Description
Implementation of the ARCTWO cipher.
Class Nettle.ARCTWO.State
- Description
State for PIKE_NAME encyption.
- Methodset_decrypt_key
State
set_decrypt_key(string(8bit)
key
,void
|int
ekb
)- Description
Initializes the object for decryption. The
key
memory will be cleared before released.- Parameter
ekb
The effective number of bits in the key.
UNDEFINED
Derive from the key size (ie
8 * sizeof(key)
).0
Convenience alias for max (ie
1024
).(1..1024)
Reduce the effective key size to the specified number of bits.
- See also
set_encrypt_key
,crypt
- Methodset_encrypt_key
State
set_encrypt_key(string(8bit)
key
,int
|void
ekb
)- Description
Initializes the object for encryption. The
key
memory will be cleared before released.- Parameter
ekb
The effective number of bits in the key.
UNDEFINED
Derive from the key size (ie
8 * sizeof(key)
).0
Convenience alias for max (ie
1024
).(1..1024)
Reduce the effective key size to the specified number of bits.
- See also
set_decrypt_key
,crypt
Class Nettle.BLOWFISH
- Description
Implementation of the BLOWFISH cipher.
Class Nettle.BlockCipher
- Description
Base class for all block ciphers.
Extends the
BufferedCipher
class with various operating modes.
Module Nettle.BlockCipher.ABC
- Description
Implementation of the Accumulated Block Chaining mode (ABC).
This is a mode of operation similar to
IGE
, but where the plaintext is mixed with both initialization vectors. It was suggested as a mode of operation forAES
by Lars R. Knudsen.- See also
CBC
,GCM
,CFB
,IGE
Class Nettle.BlockCipher.ABC.State
- Methodcreate
Nettle.BlockCipher.ABC.StateNettle.BlockCipher.ABC.State()
- Description
Initialize the ABC state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.
- Methodname
string(8bit)
name()- Description
Returns the string
"ABC(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.- Note
ABC semantically has two initialization vectors of size
block_size()
; x0 (previous plaintext) and y0 (previous ciphertext). They are here concatenated to a single initialization vector of double the block size.
- Methodcreate
Module Nettle.BlockCipher.CBC
- Description
Implementation of the Cipher Block Chaining mode (CBC).
Works as a wrapper for the cipher implemented by overloading the parent class (
Cipher
).- See also
Crypto.CBC
,GCM
Class Nettle.BlockCipher.CBC.State
- Methodcreate
Nettle.BlockCipher.CBC.StateNettle.BlockCipher.CBC.State()
- Description
Initialize the CBC state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.
- Methodname
string(8bit)
name()- Description
Returns the string
"CBC(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.
- Methodcreate
Module Nettle.BlockCipher.CFB
- Description
Implementation of the Cipher Feed-Back mode (CFB).
- Note
Requires Nettle 3.4 or later.
- See also
CBC
,GCM
- Methodname
string(8bit)
name()- Description
Returns the base cipher name appended with the string
".CFB"
.
Class Nettle.BlockCipher.CFB.State
- Description
The state for a CFB instance.
- Methodcreate
Nettle.BlockCipher.CFB.StateNettle.BlockCipher.CFB.State()
- Description
Initialize the CFB state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.The length of
data
MUST be a multiple of the block size for all calls except the last.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.- See also
update()
,digest()
- Methodname
string(8bit)
name()- Description
Returns the string
"CFB(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.- Note
iv
must have the length reported byiv_size()
.- See also
set_encrypt_key()
,set_decrypt_key()
.
Module Nettle.BlockCipher.CTR
- Description
Implementation of the Counter mode (CTR).
This cipher mode works like a stream cipher with a block size >= 1. This means that the same key and initialization vector (aka counter) should never be reused, since a simple xor would reveal information about the plain text. It also means that it should never be used without a suiteable Message Authentication Code (MAC).
- See also
CBC
,GCM
,Buffer
- Methodname
string(8bit)
name()- Description
Returns the base cipher name appended with the string
".CTR"
.
Class Nettle.BlockCipher.CTR.State
- Description
The state for a CTR instance.
- Methodcreate
Nettle.BlockCipher.CTR.StateNettle.BlockCipher.CTR.State()
- Description
Initialize the CTR state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.The length of
data
MUST be a multiple of the block size for all calls except the last.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.- See also
update()
,digest()
- Methodname
string(8bit)
name()- Description
Returns the string
"CTR(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.- Note
iv
must have the length reported byiv_size()
.- See also
set_encrypt_key()
,set_decrypt_key()
.
Module Nettle.BlockCipher.IGE
- Description
Implementation of the Infinite Garble Extension mode (IGE).
This is a mode of operation suggested in 1977 by C. Cambell.
- See also
CBC
,GCM
,CFB
Class Nettle.BlockCipher.IGE.State
- Methodcreate
Nettle.BlockCipher.IGE.StateNettle.BlockCipher.IGE.State()
- Description
Initialize the IGE state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.
- Methodname
string(8bit)
name()- Description
Returns the string
"IGE(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.- Note
IGE semantically has two initialization vectors of size
block_size()
; x0 (previous plaintext) and y0 (previous ciphertext). They are here concatenated to a single initialization vector of double the block size.
- Methodcreate
Module Nettle.BlockCipher.OFB
- Description
Implementation of the Output Feed-Back mode (OFB).
This cipher mode works like a stream cipher with a block size >= 1. This means that the same key and initialization vector (aka counter) should never be reused, since a simple xor would reveal information about the plain text. It also means that it should never be used without a suiteable Message Authentication Code (MAC).
- See also
CFB
,CBC
,CTR
,GCM
- Methodname
string(8bit)
name()- Description
Returns the base cipher name appended with the string
".OFB"
.
Class Nettle.BlockCipher.OFB.State
- Description
The state for a OFB instance.
- Methodcreate
Nettle.BlockCipher.OFB.StateNettle.BlockCipher.OFB.State()
- Description
Initialize the OFB state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.The length of
data
MUST be a multiple of the block size for all calls except the last.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.- See also
update()
,digest()
- Methodname
string(8bit)
name()- Description
Returns the string
"OFB(x)"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.- Note
iv
must have the length reported byiv_size()
.- See also
set_encrypt_key()
,set_decrypt_key()
.
Module Nettle.BlockCipher.PCBC
- Description
Implementation of the Propagating Cipher Block Chaining mode (PCBC).
This mode is also known as plaintext cipher block chaining (from Kerberos v4).
Works as a wrapper for the cipher implemented by overloading the parent class (
Cipher
).- See also
CBC
,GCM
Class Nettle.BlockCipher.PCBC.State
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.Neither the input nor the output data is automatically memory scrubbed, unless
String.secure
has been called on the data.
- Methodcrypt
Class Nettle.BlockCipher16
- Description
This is the
BlockCipher
class extended with algorithms that require a block size of16
bytes.- See also
Cipher
,BlockCipher
,BufferedCipher
,GCM
Class Nettle.BlockCipher16.State
- Description
Base class for cipher contexts for ciphers that have a block size of 16 bytes.
- Methodunwrap_key
string(8bit)
unwrap_key(string(8bit)
wrap
,bool
|void
method
)- Description
The AES Key Unwrapping algorithms from RFC 3394 and RFC 5649.
- Parameter
wrap
Wrapped key to unwrap.
- Parameter
method
Method that was used to wrap
wrap
. Seewrap_key()
for details.0
1
This function is intended to be used to decode encryption keys that have been wrapped by
wrap_key()
.- Returns
Returns the unwrapped key.
- Throws
Throws an error on failure to unwrap the key.
- Note
Assumes that the
State
object has been initialized to decryption mode (ie thatset_decrypt_key()
has been called).- Note
RFC 6931 section 2.6.3 indicates that the RFC 3394 algorithm is also appropriate for
Camellia
.- See also
wrap_key()
- Methodwrap_key
string(8bit)
wrap_key(string(8bit)
key
,bool
|void
method
)- Description
- Parameter
key
Key to wrap.
- Parameter
method
Method to use to wrap the key. One of:
0
RFC 3394 This algorithm is intended to be used to encode encryption keys which are a multiple of 8 bytes and at least 16 bytes long. This is the default method.
1
RFC 5649 This algorithm is similar to the above, but supports keys of any length and has an intentionally not compatible result.
- Returns
Returns the wrapped key.
- Note
Assumes that the
State
object has been initialized to encryption mode (ie thatset_encrypt_key()
has been called).- Note
RFC 6931 section 2.6.3 indicates that the RFC 3394 algorithm is also appropriate for
Camellia
.- See also
unwrap_key()
Module Nettle.BlockCipher16.CCM
- Description
Implementation of the Counter with Cipher Block Chaining Message Authentication Code mode (CCM).
Works as a wrapper for the cipher implemented by overloading the parent class (
BlockCipher16
).This is a so-called authenticated encryption with associated data (AEAD) algorithm, and in addition to encryption also provides message digests.
The operation of CCM is specified in NIST Special Publication 800-38C.
- Note
This mode of operation is not suited for streaming operation, as the sizes of the associated data and payload data need to be known for the CBC-MAC operation to start. Currently this means that the associated data and payload data are buffered until
State()->digest()
is called.- See also
CCM8
,CBC
,GCM
,CTR
- Methoddigest_size
int(4..16)
digest_size()- Description
Default digest size.
- Returns
Returns
16
, but overloading via inherit is supported, and may return any even number in the range[4..16]
.- Note
Note that the digest length is folded into the digest, so it doesn't simply imply a truncation.
Class Nettle.BlockCipher16.CCM.State
- Methoddigest
string(8bit)
digest(int(4..16)
|void
bytes
)- Description
Returns the CBC-MAC digest of the specified size.
- Parameter
bytes
Size in bytes for the desired digest. Any even number in the range
[4..16]
. If not specified the value from callingdigest_size()
will be used.- Note
Note that the digest length is folded into the digest, so it doesn't simply imply a truncation.
- See also
digest_size()
,global::digest_size()
- Methoddigest_size
int(4..16)
digest_size()- Description
Default digest size.
This function is used by
digest()
to determine the digest size if no argument was given.- Returns
The default implementation returns the result from calling
global::digest_size()
, but overloading via inherit is supported, and may return any even number in the range[4..16]
.- Note
Note that the digest length is folded into the digest, so it doesn't simply imply a truncation.
- See also
digest()
,CCM::digest_size()
- Methoddigest
Module Nettle.BlockCipher16.CCM8
- Description
Special case of
CCM
where the default digest size has been truncated to8
bytes.- See also
CCM
,CBC
,GCM
,CTR
- Methoddigest_size
int(4..16)
digest_size()- Description
Default digest size.
- Returns
Returns
8
, but overloading via inherit is supported, and may return any even number in the range[4..16]
.
Module Nettle.BlockCipher16.CMAC
- Description
CMAC - Cipher-based Message Authentication Code
This module implements the CMAC algorithm from RFC 4493.
- Note
Requires Nettle 3.5 or later.
Class Nettle.BlockCipher16.CMAC.State
Module Nettle.BlockCipher16.EAX
- Description
Implementation of the EAX mode.
Works as a wrapper for the cipher implemented by overloading the parent class (
BlockCipher16
).This is a so-called authenticated encryption with associated data (AEAD) algorithm, and in addition to encryption also provides message digests.
- Note
This mode of operation was specified as a reaction to the limitiations of the
BlockCipher16.CCM
mode.- Note
Requires Nettle 3.0 or later.
- See also
CBC
,CTR
,BlockCipher16.CCM
,BlockCipher16.GCM
- Methoddigest_size
int(1..)
digest_size()- Description
Default digest size.
- Returns
Returns
BlockCipher::block_size()
, but overloading via inherit is supported, and may return any positive number<= BlockCipher::block_size()
.
Class Nettle.BlockCipher16.EAX.State
- Methodblock_size
int(16)
block_size()- Description
Returns the block size of the encapsulated cipher, which is always
16
for EAX.
- Methoddigest
string(8bit)
digest(int(1..16)
|void
bytes
)- Description
Returns the OMAC digest of the specified size.
- Parameter
bytes
Size in bytes for the desired digest. Any number in the range
[1..16]
. If not specified the value from callingdigest_size()
will be used.- See also
digest_size()
,global::digest_size()
- Methoddigest_size
int(1..16)
digest_size()- Description
Default digest size.
This function is used by
digest()
to determine the digest size if no argument was given.- Returns
The default implementation returns the result from calling
EAX::digest_size()
, but overloading via inherit is supported, and may return any even number in the range[1..16]
.- See also
digest()
,EAX::digest_size()
- Methodiv_size
int(16)
iv_size()- Description
Returns the recommended size for the initialization vector (ie
16
).Other sizes are allowed, but will be compressed or expanded to this size using the encapsulated cipher.
- Methodname
string(8bit)
name()- Description
Returns the string
"x.EAX"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodblock_size
Module Nettle.BlockCipher16.GCM
- Description
Implementation of the Galois Counter Mode (GCM).
Works as a wrapper for the cipher implemented by overloading the parent class (
BlockCipher16
).This is a so-called authenticated encryption with associated data (AEAD) algorithm, which in addition to encryption also provides message digests.
The operation of GCM is specified in NIST Special Publication 800-38D.
Typically accessed as
Crypto.AES.GCM
orCrypto.Camellia.GCM
- Note
Requires Nettle 2.2 or later.
- See also
CBC
- Methodblock_size
int(16)
block_size()- Description
Returns the block size of the encapsulated cipher, which is always
16
for GCM.
- Methoddigest_size
int(16)
digest_size()- Description
Returns the size of the generated digest, which is always
16
for GCM.
- Methodiv_size
int(12)
iv_size()- Description
Returns the recommended size for the initialization vector (ie
12
).Other sizes are allowed, but will be compressed or expanded to this size using the encapsulated cipher.
Class Nettle.BlockCipher16.GCM.State
- Description
The state for a GCM instance.
- Methodblock_size
int(16)
block_size()- Description
Returns the block size of the encapsulated cipher, which is always
16
for GCM.
- Methodcreate
Nettle.BlockCipher16.GCM.StateNettle.BlockCipher16.GCM.State()
- Description
Initialize the GCM state with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt/decrypt
data
and return the result.data
must be an integral number of blocks.The length of
data
MUST be a multiple of the block size (ie16
) for all calls except the last.Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.- See also
update()
,digest()
- Methoddigest
string(8bit)
digest()- Description
Generate a message digest for the data accumulated so far.
- Note
set_iv()
needs to be called to start the next message.- See also
update()
,digest()
- Methoddigest_size
int(16)
digest_size()- Description
Returns the size of the generated digest, which is always
16
for GCM.
- Methodiv_size
int(12)
iv_size()- Description
Returns the recommended size for the initialization vector (ie
12
).Other sizes are allowed, but will be compressed or expanded to this size using the encapsulated cipher.
- Methodname
string(8bit)
name()- Description
Returns the string
"x.GCM"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodset_iv
this_program
set_iv(string(8bit)
iv
)- Description
Set the initialization vector to
iv
. Theiv
memory will be cleared before released.Also resets all state needed to start a new message.
- Note
For
iv
s of length other than12
, an encryption or decryption key must have been set first.- See also
set_encrypt_key()
,set_decrypt_key()
.
- Methodsubstate_factory
Cipher::State
substate_factory()- Description
Returns the
Cipher::State
object that this object is to operate on.Defaults to creating the State for the cipher implemented in the parent module.
Module Nettle.BlockCipher16.OCB
- Description
Implementation of the OCB mode (RFC 7253).
Works as a wrapper for the cipher implemented by overloading the parent class (
BlockCipher16
).OCB was initially an acronym for Offset CodeBook.
This is a so-called authenticated encryption with associated data (AEAD) algorithm, and in addition to encryption also provides message digests.
- Note
This module requires Nettle 3.9 or later.
- See also
CBC
,CTR
,BlockCipher16.CCM
,BlockCipher16.GCM
Class Nettle.BlockCipher16.OCB.State
- Methodblock_size
int(16)
block_size()- Description
Returns the block size of the encapsulated cipher, which is always
16
for OCB.
- Methoddigest
string(8bit)
digest()- Description
Returns the OCB authentication tag.
- Note
The size of the digest is specified in the call to
set_iv()
.- See also
set_iv()
,digest_size()
,global::digest_size()
- Methoddigest_size
int(1..16)
digest_size()- Description
Digest size as set by
set_iv()
.- See also
digest()
,OCB::digest_size()
- Methodiv_size
int(15)
iv_size()- Description
Returns the recommended size for the initialization vector (ie
15
).Other sizes are allowed, but will be compressed or expanded to this size using the encapsulated cipher.
- Methodname
string(8bit)
name()- Description
Returns the string
"x.OCB"
where x is the encapsulated algorithm.
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for decrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_encrypt_key()
,set_iv()
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,int
|void
flags
)- Description
Prepare the cipher and the wrapper for encrypting with the given
key
. Thekey
memory will be cleared before released.- Note
Note that this operation does not by itself reset the context sufficiently to start a new message;
set_iv()
needs to be called too.- See also
set_decrypt_key()
,set_iv()
- Methodblock_size
Class Nettle.BufferedCipher
- Description
Extends the
Cipher
class with theBuffer
meta cipher. This is in turn inherited by theBlockCipher
class, which is the base class for all block ciphers.
Module Nettle.BufferedCipher.Buffer
- Description
Acts as a buffer so that data can be fed to the cipher in blocks that don't correspond to cipher block sizes.
- Example
class Encrypter { protected Crypto.Cipher buffer;
void create(string key) { buffer = Crypto.AES.CBC.Buffer(); buffer->set_encrypt_key(key); }
string feed(string data) { return buffer->crypt(data); }
string drain() { return buffer->pad(Crypto.PAD_PKCS7); } }
- See also
BlockCipher.CBC
,BlockCipher16.GCM
Class Nettle.BufferedCipher.Buffer.State
- Description
Acts as a buffer so that data can be fed to the cipher in blocks that don't correspond to cipher block sizes.
- Example
class Encrypter { protected Crypto.Cipher buffer;
void create(string key) { buffer = Crypto.AES.CBC.Buffer(); buffer->set_encrypt_key(key); }
string feed(string data) { return buffer->crypt(data); }
string drain() { return buffer->pad(Crypto.PAD_PKCS7); } }
- See also
BlockCipher.CBC
,BlockCipher16.GCM
- Methodcreate
Nettle.BufferedCipher.Buffer.StateNettle.BufferedCipher.Buffer.State()
- Description
Initialize the buffer with the
Cipher::State
object returned bysubstate_factory()
. This is usually the State for the cipher implemented in the parent module.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypt or decrypt some data.
Adds data to be en/decrypted to the buffer. If there's enough data to en/decrypt a block, that will be done, and the result returned. Any unprocessed data will be left in the buffer.
Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.
- Methodname
string(8bit)
name()- Description
Returns the name of the wrapped cipher with
".Buffer"
appended.
- Methodpad
string(8bit)
pad(void
|int
method
)- Description
Pad and encrypt any data left in the buffer. The output data is not automatically memory scrubbed, unless
String.secure
is called on the data.- Parameter
method
The type of padding to apply to the buffer.
Crypto.PAD_ISO_10126
Pads according to ISO 10126, which means filling all extra space with random data and putting the size of the non-payload data last.
Crypto.PAD_TLS
Pads according to RFC 5246 section 6.2.3.2, meaning that all extra space is filled with the size of the padding. Note that this size has an off by one difference to the other schemas, so 0 means 1 byte of padding.
Crypto.PAD_SSL
Crypto.PAD_ANSI_X923
Pads according to ANSI X.923, which means filling all extra space with zero and putting the size of the non-payload data last.
Crypto.PAD_PKCS7
Pads according to PKCS7 / RFC 3852, which means filling all extra space with the size of the extra space.
Crypto.PAD_ZERO
Fills the extra space with null bytes. To correctly remove the padding the clear text data must not end with a null byte. In that case the data would have to be manually padded/unpadded before/after calling
crypt()
.Defaults to Crypto.PAD_SSL for compatibility reasons.
- See also
unpad()
- Methodset_decrypt_key
this_program
set_decrypt_key(string(8bit)
key
,void
|int
flags
)- Description
Set the decryption key. The
key
memory will be cleared before released.- Note
As a side-effect any buffered data will be cleared.
- Methodset_encrypt_key
this_program
set_encrypt_key(string(8bit)
key
,void
|int
flags
)- Description
Set the encryption key. The
key
memory will be cleared before released.- Note
As a side-effect any buffered data will be cleared.
- Methodsubstate_factory
Cipher::State
substate_factory()- Description
Returns the
Cipher::State
object that this object is to operate on.Defaults to creating the State for the cipher implemented in the parent module.
- Methodunpad
string(8bit)
unpad(string(8bit)
data
,void
|int
method
)- Description
Decrypt and unpad a block of data. Neither the input or output data is not automatically memory scrubbed, unless
String.secure
has been called on the data.This performs the reverse operation of
pad()
. The padding will be verified to be correct, if possible. If not, zero is returned.- Parameter
method
The type of padding that was applied to the original buffer.
Crypto.PAD_SSL
Crypto.PAD_TLS
Crypto.PAD_ISO_10126
Crypto.PAD_ANSI_X923
Crypto.PAD_PKCS7
Crypto.PAD_ZERO
Defaults to Crypto.PAD_SSL for compatibility reasons.
- See also
pad()
Class Nettle.CAMELLIA
- Description
Implementation of the CAMELLIA cipher.
- Note
Requires Nettle 2.1 or later.
Class Nettle.CAST128
- Description
Implementation of the CAST128 cipher.
Class Nettle.CHACHA
- Description
Implementation of the CHACHA stream cipher.
- Note
Note that this class is not available in all versions of Nettle.
Class Nettle.CHACHA.State
- Description
State for CHACHA encyption.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypts or decrypts data, using the current key. Neither the input nor output data is automatically memory scrubbed, unless
String.secure
has been called on them.- Parameter
data
Usually an integral number of blocks, except for the last segement in a run. The decoder must get partial blocks at the same places as the encoder, otherwise they will get out of sync.
- Returns
The encrypted or decrypted data.
- Methodset_iv
object
set_iv(string(8bit)
iv
)- Description
Set the initialization vector (aka nonce) and reset the block counter to zero.
- Parameter
iv
An 8-byte long string which is only to be used once for every key.
- Note
This function MUST be called in addition to
set_encrypt_key()
orset_decrypt_key()
.- Note
The same
iv
should NEVER be reused with the same key!
Class Nettle.CHACHA_POLY1305
- Description
Implementation of the CHACHA_POLY1305 AEAD algorithm.
Class Nettle.Cipher
- Description
Represents information about a cipher algorithm, such as name, key size, and block size.
Class Nettle.Cipher.State
- Description
Base class for cipher contexts.
- Methodblock_size
int(1..)
block_size()- Returns
The block size for this cipher.
- Note
The default implementation just calls
Cipher::block_size()
in the parent.
- Methodcrypt
string(8bit)
crypt(string(8bit)
data
)- Description
Encrypts or decrypts data, using the current key. Neither the input nor output data is automatically memory scrubbed, unless
String.secure
has been called on them.- Parameter
data
For block ciphers, data must be an integral number of blocks.
- Returns
The encrypted or decrypted data.
- Methodmake_key
string(8bit)
make_key()- Description
Generate a key by calling
random_string
and initialize this object for encryption with that key.- Returns
The generated key. The key memory will be cleared before being released.
- See also
set_encrypt_key
- Methodname
string(8bit)
name()- Returns
A human readable name for the algorithm.
- Note
The default implementation just calls
Cipher::name()
in the parent.
- Methodset_decrypt_key
State
set_decrypt_key(string(8bit)
key
,void
|int
flags
)- Description
Initializes the object for decryption. The
key
memory will be cleared before released.- See also
set_encrypt_key
,crypt
Class Nettle.Curve25519
- Description
Elliptic Curve Definition for the curve
y^2 = x^3 + 486662 x^2 + x (mod 2^255 - 19)
.This curve is standardized in RFC 7748.
- Note
The API for this curve differs somewhat from the API used by the other
Curve
s.- Note
Requires Nettle 3.1 or later.
- See also
Curve
,Curve448
, RFC 7748
- Method`*
Point
res =Nettle.Curve25519()
*scalar
- Description
Multiply the curve by a scalar.
This can be used to get the public key from a private key.
- Returns
Returns a new point on the curve.
- Methodjose_name
string(7bit)
jose_name()- Description
Returns the name of the curve according to JOSE (RFC 8037 section 3.1).
- Returns
Returns the string
"X25519"
.- See also
name()
- Methodnew_scalar
Gmp.mpz
new_scalar(function
(int(0..)
:string(8bit)
)rnd
)- Parameter
rnd
Randomness function to use as source.
- Returns
Returns a random scalar suitable to use as an
ECDSA
private key or as an ECDH exponent.
- Methodpoint_mul
string(8bit)
point_mul(string(8bit)
x
,string(8bit)
scalar
)- Description
Multiply a point on the curve by a scalar.
A typical use is for Elliptic Curve Diffie Hellman (ECDH) key exchange.
- Returns
Returns the new point on the curve.
Class Nettle.Curve25519.EdDSA
- Description
Edwards Curve Digital Signing Algorithm
- Note
Requires Nettle 3.1 or later.
- Methodgenerate_key
void
generate_key()- Description
Generate a new set of private and public keys on the current curve.
- Methodraw_verify
bool
raw_verify(string(8bit)
message
,string(8bit)
signature
)- Description
Verify the
signature
against themessage
.
- Methodset_private_key
void
set_private_key(string(8bit)
k
)- Description
Set the private key (and corresponding public key).
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_public_key
void
set_public_key(string(8bit)
x
)- Description
Change to the selected point on the curve as public key.
- Note
Throws errors if the point isn't on the curve.
Class Nettle.Curve448
- Description
Elliptic Curve Definition for the curve
y^2 = x^3 + 156326 x^2 + x (mod 2^448 - 2^224 - 1)
.This curve is standardized in RFC 7748.
- Note
The API for this curve differs somewhat from the API used by the other
Curve
s.- Note
Requires Nettle 3.6 or later.
- See also
Crypto.ECC.Curve
,Curve25519
, RFC 7748
- Method`*
Point
res =Nettle.Curve448()
*scalar
- Description
Multiply the curve by a scalar.
This can be used to get the public key from a private key.
- Returns
Returns a new point on the curve.
- Methodjose_name
string(7bit)
jose_name()- Description
Returns the name of the curve according to JOSE (RFC 8037 section 3.1).
- Returns
Returns the string
"X448"
.- See also
name()
- Methodnew_scalar
Gmp.mpz
new_scalar(function
(int(0..)
:string(8bit)
)rnd
)- Parameter
rnd
Randomness function to use as source.
- Returns
Returns a random scalar suitable to use as an
ECDSA
private key or as an ECDH exponent.
- Methodpoint_mul
string(8bit)
point_mul(string(8bit)
x
,string(8bit)
scalar
)- Description
Multiply a point on the curve by a scalar.
A typical use is for Elliptic Curve Diffie Hellman (ECDH) key exchange.
- Returns
Returns the new point on the curve.
Class Nettle.Curve448.EdDSA
- Description
Edwards Curve Digital Signing Algorithm
- Note
Requires Nettle 3.6 or later.
- Methodgenerate_key
void
generate_key()- Description
Generate a new set of private and public keys on the current curve.
- Methodraw_verify
bool
raw_verify(string(8bit)
message
,string(8bit)
signature
)- Description
Verify the
signature
against themessage
.
- Methodset_private_key
void
set_private_key(string(8bit)
k
)- Description
Set the private key (and corresponding public key).
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_public_key
void
set_public_key(string(8bit)
x
)- Description
Change to the selected point on the curve as public key.
- Note
Throws errors if the point isn't on the curve.
Class Nettle.DES
- Description
Implementation of the Data Encryption Standard (DES) crypto algorithm.
- Methodfix_parity
string(8bit)
fix_parity(string(8bit)
key
)- Description
Sets the last bit in every byte in
key
to reflect the parity. If a seven byte key is used, it will be expanded into eight bytes. If a key longer than eight characters is used, it will be truncated to eight characters.
Class Nettle.DES.State
- Description
State for DES encyption
Class Nettle.DES3
- Description
Implementation of the DES3 cipher algorithm.
Class Nettle.DH_Params
- Description
Diffie-Hellman Parameters.
- Methodgenerate
void
generate(int
p_bits
,int
q_bits
,function
(int(0..)
:string(8bit)
)rnd
)- Description
Generate a new set of Diffie-Hellman parameters.
- Note
Throws errors for unsupported parameters.
- Note
This function is not available in all installations of Pike.
Class Nettle.ECC_Curve
- Description
Elliptic Curve Definition
- InheritECDSA
inherit ECDSA : ECDSA
- Description
This point represents the public key.
- Note
Requires Nettle 3.6 or later.
- Method`*
Point
res =Nettle.ECC_Curve()
*scalar
- Description
Multiply the curve by a scalar.
This can be used to get the public key from a private key.
- Returns
Returns a new
Point
on the curve.
- Method`==
bool
res =Nettle.ECC_Curve()
==x
- Returns
Returns
1
ifx
is the sameCurve
, and0
(zero) otherwise.
- Methodcreate
Nettle.ECC_CurveNettle.ECC_Curve(
int(0..)
curve
)- Description
Initialize the curve.
- Parameter
curve
The curve type the object should be initialized as.
Nettle.SECP192R1
Nettle.SECP224R1
Nettle.SECP256R1
Nettle.SECP384R1
Nettle.SECP521R1
Nettle.GOST_GC256B
Nettle.GOST_GC512A
- Methodjose_name
string(7bit)
jose_name()- Description
Returns the name of the curve according to JOSE (RFC 7518 section 6.2.1.1).
- Returns
Returns the JOSE name for supported curves, and
UNDEFINED
otherwise.- See also
name()
- Methodnew_scalar
Gmp.mpz
new_scalar(function
(int(0..)
:string(8bit)
)rnd
)- Parameter
rnd
Randomness function to use as source.
- Returns
Returns a random scalar suitable to use as an
ECDSA
private key or as an ECDH secret factor.
- Methodpoint_mul
Point
point_mul(Gmp.mpz
|int
x
,Gmp.mpz
|int
y
,Gmp.mpz
|int
scalar
)- Description
Multiply a point on the curve by a scalar.
A typical use is for Elliptic Curve Diffie Hellman (ECDH) key exchange.
This is equivalent to
(Point(x, y) * scalar)
.- Returns
Returns the new
Point
on the curve.- Throws
Throws an error if the point (
x
,y
) isn't on the curve.
- Methodraw_sign
array
(Gmp.mpz
) raw_sign(string(8bit)
digest
)- Description
Sign the message digest
digest
. Returns the signature as twoGmp.mpz
objects.
- Methodraw_verify
bool
raw_verify(string(8bit)
digest
,Gmp.mpz
r
,Gmp.mpz
s
)- Description
Verify the signature
r
,s
against the message digestdigest
.
Class Nettle.ECC_Curve.ECDSA
- Description
Elliptic Curve Digital Signing Algorithm
- Methodgenerate_key
void
generate_key()- Description
Generate a new set of private and public keys on the current curve.
- Methodname
string(7bit)
name()- Description
Returns the string
"ECDSA"
followed by the parenthesized name of the curve.
- Methodraw_sign
array
(Gmp.mpz
) raw_sign(string(8bit)
digest
)- Description
Sign the message digest
digest
. Returns the signature as twoGmp.mpz
objects.
- Methodraw_verify
bool
raw_verify(string(8bit)
digest
,Gmp.mpz
r
,Gmp.mpz
s
)- Description
Verify the signature
r
,s
against the message digestdigest
.
- Methodset_private_key
void
set_private_key(Gmp.mpz
|int
k
)- Description
Set the private key (and corresponding public key).
- Note
Throws errors if the key isn't valid for the curve.
- Methodset_public_key
void
set_public_key(Gmp.mpz
|int
x
,Gmp.mpz
|int
y
)- Description
Change to the selected point on the curve as public key.
- Note
Throws errors if the point isn't on the curve.
Class Nettle.ECC_Curve.Point
- Description
A point on an elliptic curve.
- Method_equal
bool
equal(Nettle.ECC_Curve.Pointfrom,mixed
x
)- Returns
Returns
1
ifx
is aPoint
on the sameCurve
and has the same coordinates, and otherwise returns0
(zero).
- Method`*
Point
res =Nettle.ECC_Curve.Point()
*scalar
- Description
Multiply the point on the curve by a scalar.
A typical use is for Elliptic Curve Diffie Hellman (ECDH) key exchange.
- Returns
Returns the new point on the curve.
- Methodname
string(7bit)
name()- Description
Returns the string
"Point"
followed by the parenthesized name of the curve.
Class Nettle.Fortuna
- Description
Implements the Fortuna PRNG generator, designed by Niels Ferguson and Bruce Schneier and described in Practical Cryptography. Web published exerpt at https://www.schneier.com:443/fortuna.pdf
This implementation uses AES256 to generate output and SHA256 to generate keys.
To use this class an entropy accumulator needs to be implemented and supply the
reseed()
method with new entopy.
- Methodrandom_string
string(8bit)
random_string(int(0..)
len
)- Description
Generates
len
amount of pseudo random data. In contrast with the Fortuna PseudoRandomData function, which only allows 2^20 bytes of random data per call, the necessary rekey operations are here performed internally, so no such restrictions apply.
Class Nettle.GOST94
- Description
Implementation of the GOST94 hash algorithm.
- Note
Requires Nettle 2.6 or later.
Class Nettle.GOST94.State
- Description
State for GOST94 hashing.
Module Nettle.GOST94.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the GOST94 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.GOST94CP
- Description
Implementation of the GOST94CP hash algorithm.
- Note
Requires Nettle 3.6 or later.
Class Nettle.GOST94CP.State
- Description
State for GOST94CP hashing.
Module Nettle.GOST94CP.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the GOST94CP hash algorithm.
- See also
Crypto.HMAC
Class Nettle.Hash
- Description
Represents information about a hash algorithm, such as name, digest size, and internal block size.
- Methodballoon
string(7bit)
balloon(string(8bit)
password
,string(8bit)
salt
,int(1..)
s_cost
,int(1..)
rounds
)- Description
Password hashing function in
crypt_hash()
-style.Implements the algorithm described in https://eprint.iacr.org/2016/027.pdf.
- Parameter
password
Password to hash.
- Parameter
salt
Salt for the password.
- Parameter
s_cost
Memory cost.
- Parameter
rounds
Number of rounds (also known as t_cost).
- Returns
Returns the balloon hash of the password.
- Note
The
password
memory will be cleared before released.- Note
Requires Nettle 3.9 or later.
- See also
crypt_hash()
- Methodblock_size
int(1..)
block_size()- Description
Returns the internal block size of the hash algorithm.
- Methodcrypt_hash
string(7bit)
crypt_hash(string(8bit)
password
,string(8bit)
salt
,int(0..)
rounds
)- Description
Password hashing function in
crypt_md5()
-style.Implements the algorithm described in http://www.akkadia.org/drepper/SHA-crypt.txt.
This is the algorithm used by crypt(2) in methods $5$ (SHA256) and $6$ (SHA512).
The
password
memory will be cleared before released.Rounds will never be set to less than 1000. If
rounds
is 0 it will be set to 5000.- Note
In Pike 8.0.1876 and earlier this function generated incompatible hashes for passwords that had a length that was a power of 2. See
crypt_hash_pike()
for details.- See also
crypt_md5()
,crypt_hash_pike()
- Methodcrypt_hash_pike
string(7bit)
crypt_hash_pike(string(8bit)
password
,string(8bit)
salt
,int(0..)
rounds
)- Description
Password hashing function in
crypt_md5()
-style.Almost implements the algorithm described in http://www.akkadia.org/drepper/SHA-crypt.txt.
This function is provided for compatibility with hashes generated by Pike 8.0.1876 and earlier.
It differs from
crypt_hash()
for passwords that have a length that is a power of 2 (phase 11).The
password
memory will be cleared before released.Rounds will never be set to less than 1000. If
rounds
is 0 it will be set to 5000.- Note
Do not use unless you know what you are doing!
- See also
crypt_md5()
,crypt_hash()
- Methodhash
string(8bit)
hash(string(8bit)
data
)- Description
Works as a (faster) shortcut for
State()->update(data)->digest()
, where State is the hash state class corresponding to this Hash.- See also
State()->update()
andState()->digest()
.
- Methodhash
string(8bit)
hash(Stdio.File
|Stdio.Buffer
|String.Buffer
|System.Memory
source
,void
|int(0..)
|__deprecated__
(int(..-1)
)bytes
)- Description
Works as a (faster) shortcut for e.g.
State()->update(Stdio.read_file(file))->digest()
, where State is the hash state class corresponding to this Hash.- Parameter
bytes
The number of bytes of the file object
file
that should be hashed. Zero and negative numbers are ignored and the whole file is hashed. Support for negative numbers is deprecated.- See also
Stdio.File
,State()->update()
andState()->digest()
.
Class Nettle.IDEA
- Description
Implementation of the IDEA cipher.
Class Nettle.MAC
- Description
Represents information about a MAC algorithm, such as name, key size, digest size, and internal block size.
- Methodblock_size
int(0..)
block_size()- Description
Returns the internal block size of the MAC algorithm.
- Methodiv_size
int(0..)
iv_size()- Description
Returns the size of the iv/nonce of the MAC algorithm (if any).
Returns
0
(zero) if there is no configurable iv/nonce.
- Methodkey_size
int(0..)
key_size()- Description
Returns the recommended size for the secret key for the MAC algorithm.
Class Nettle.MAC.State
- Description
Base class for MAC contexts.
- Method`()
string(8bit)
res =Nettle.MAC.State()
()- Description
Acts as the combination of
update()
followed bydigest()
.- Note
Also updates the iv/nonce (if any).
- Methodcreate
Nettle.MAC.StateNettle.MAC.State(
string(8bit)
key
)- Description
Initialize the MAC with a password.
It also resets any iv/nonce to it's default.
- Methoddigest
string(8bit)
digest(int
|void
length
)- Description
Generates a digest, and resets the MAC contents.
Also updates the iv/nonce (if any).
- Parameter
length
If the length argument is provided, the digest is truncated to the given length.
- Returns
The digest.
- Methodset_iv
State
set_iv(string(8bit)
iv
)- Description
Set the iv/nonce (if supported) for the MAC.
- Returns
Returns
this
in order to simplify chaining of function calls.
Class Nettle.MD2
- Description
Implementation of the MD2 hash algorithm.
Module Nettle.MD2.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the MD2 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.MD4
- Description
Implementation of the MD4 hash algorithm.
Module Nettle.MD4.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the MD4 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.MD5
- Description
Implementation of the MD5 hash algorithm.
Module Nettle.MD5.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the MD5 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.POLY1305_AES
- Description
Implementation of the POLY1305_AES MAC algorithm.
- Note
Requires Nettle 3.0 or later.
Class Nettle.RIPEMD160
- Description
Implementation of the RIPEMD160 hash algorithm.
- Note
Requires Nettle 2.3 or later.
Class Nettle.RIPEMD160.State
- Description
State for RIPEMD160 hashing.
Module Nettle.RIPEMD160.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the RIPEMD160 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SALSA20
- Description
Implementation of the SALSA20 cipher.
- Note
Requires Nettle 2.5 or later.
Class Nettle.SALSA20.State
- Description
State for SALSA20 encyption.
- Methodset_iv
object
set_iv(string(8bit)
iv
)- Description
Set the initialization vector (aka nonce) and reset the block counter to zero.
- Parameter
iv
An 8-byte long string which is only to be used once for every key.
- Note
This function MUST be called in addition to
set_encrypt_key()
orset_decrypt_key()
.- Note
The same
iv
should NEVER be reused with the same key!
Class Nettle.SALSA20R12
- Description
Implementation of the
SALSA20
cipher reduced to 12 rounds.- Note
Requires Nettle 2.7 or later.
Class Nettle.SERPENT
- Description
Implementation of the SERPENT cipher.
Class Nettle.SHA1
- Description
Implementation of the SHA1 hash algorithm.
Module Nettle.SHA1.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA1 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA224
- Description
Implementation of the SHA224 hash algorithm.
Class Nettle.SHA224.State
- Description
State for SHA224 hashing.
Module Nettle.SHA224.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA224 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA256
- Description
Implementation of the SHA256 hash algorithm.
Class Nettle.SHA256.State
- Description
State for SHA256 hashing.
Module Nettle.SHA256.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA256 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA384
- Description
Implementation of the SHA384 hash algorithm.
Class Nettle.SHA384.State
- Description
State for SHA384 hashing.
Module Nettle.SHA384.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA384 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA3_128
- Description
Implementation of the SHA3_128 hash algorithm.
- Note
Requires Nettle 3.10 or later.
- Methodshake
string(8bit)
shake(string(8bit)
in
,int(0..)
bytes
)- Description
SHAKE-128 hash.
Works as a (faster) shortcut for
SHA3_128.State()->update(in)->shake(bytes)
.This function is similar to
hash()
, but can return an arbitrary number of bytes. Whenbytes
isdigest_size
the security is equivalent to that ofhash()
, albeit the output is different.- See also
hash()
,State()->update()
andState()->shake()
.
Class Nettle.SHA3_128.State
- Description
State for SHA3_128 hashing.
- Methodshake
string(8bit)
shake(int(0..)
bytes
)- Description
SHAKE-128 hash.
This function is similar to
hash()
, but can return an arbitrary number of bytes. Whenbytes
isdigest_size
(or more) the security is equivalent to that ofhash()
, albeit the output is different.- See also
hash()
,State()->update()
,SHA3_128.shake()
Module Nettle.SHA3_128.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA3_128 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA3_224
- Description
Implementation of the SHA3_224 hash algorithm.
- Note
Requires Nettle 3.2 or later.
Class Nettle.SHA3_224.State
- Description
State for SHA3_224 hashing.
Module Nettle.SHA3_224.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA3_224 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA3_256
- Description
Implementation of the SHA3_256 hash algorithm.
- Note
Requires Nettle 3.2 or later.
- Methodshake
string(8bit)
shake(string(8bit)
in
,int(0..)
bytes
)- Description
SHAKE-256 hash.
Works as a (faster) shortcut for
SHA3_256.State()->update(in)->shake(bytes)
.This function is similar to
hash()
, but can return an arbitrary number of bytes. Whenbytes
isdigest_size
the security is equivalent to that ofhash()
, albeit the output is different.- See also
hash()
,State()->update()
andState()->shake()
.
Class Nettle.SHA3_256.State
- Description
State for SHA3_256 hashing.
- Methodshake
string(8bit)
shake(int(0..)
bytes
)- Description
SHAKE-256 hash.
This function is similar to
hash()
, but can return an arbitrary number of bytes. Whenbytes
isdigest_size
(or more) the security is equivalent to that ofhash()
, albeit the output is different.- See also
hash()
,State()->update()
,SHA3_256.shake()
Module Nettle.SHA3_256.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA3_256 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA3_384
- Description
Implementation of the SHA3_384 hash algorithm.
- Note
Requires Nettle 3.2 or later.
Class Nettle.SHA3_384.State
- Description
State for SHA3_384 hashing.
Module Nettle.SHA3_384.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA3_384 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA3_512
- Description
Implementation of the SHA3_512 hash algorithm.
- Note
Requires Nettle 3.2 or later.
Class Nettle.SHA3_512.State
- Description
State for SHA3_512 hashing.
Module Nettle.SHA3_512.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA3_512 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA512
- Description
Implementation of the SHA512 hash algorithm.
Class Nettle.SHA512.State
- Description
State for SHA512 hashing.
Module Nettle.SHA512.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA512 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA512_224
- Description
Implementation of the SHA512_224 hash algorithm.
Class Nettle.SHA512_224.State
- Description
State for SHA512_224 hashing.
Module Nettle.SHA512_224.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA512_224 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SHA512_256
- Description
Implementation of the SHA512_256 hash algorithm.
Class Nettle.SHA512_256.State
- Description
State for SHA512_256 hashing.
Module Nettle.SHA512_256.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SHA512_256 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SM3
- Description
Implementation of the SM3 hash algorithm.
- Note
Requires Nettle 3.8 or later.
Module Nettle.SM3.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the SM3 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.SM4
- Description
Implementation of the SM4 cipher.
- Note
Requires Nettle 3.9 or later.
Class Nettle.STREEBOG256
- Description
Implementation of the STREEBOG256 hash algorithm.
Class Nettle.STREEBOG256.State
- Description
State for STREEBOG256 hashing.
Module Nettle.STREEBOG256.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the STREEBOG256 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.STREEBOG512
- Description
Implementation of the STREEBOG512 hash algorithm.
Class Nettle.STREEBOG512.State
- Description
State for STREEBOG512 hashing.
Module Nettle.STREEBOG512.HMAC
- Description
Accellerated implementation of HMAC (Hashing for Message Authenticity Control) with the STREEBOG512 hash algorithm.
- See also
Crypto.HMAC
Class Nettle.Twofish
- Description
Implementation of the Twofish cipher.
Class Nettle.UMAC128_AES
- Description
Implementation of the UMAC128_AES MAC algorithm.
- Note
Requires Nettle 2.7 or later.
Class Nettle.UMAC32_AES
- Description
Implementation of the UMAC32_AES MAC algorithm.
Class Nettle.UMAC64_AES
- Description
Implementation of the UMAC64_AES MAC algorithm.
- Note
Requires Nettle 2.7 or later.
Class Nettle.UMAC96_AES
- Description
Implementation of the UMAC96_AES MAC algorithm.
- Note
Requires Nettle 2.7 or later.
Class Nettle.Yarrow
- Description
Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at http://www.schneier.com/paper-yarrow.html, and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits.
- Methodcreate
Nettle.YarrowNettle.Yarrow(
void
|int(0..)
sources
)- Description
The number of entropy sources that will feed entropy to the random number generator is given as an argument to Yarrow during instantiation.
- See also
update
- Methodforce_reseed
void
force_reseed()- Description
By calling this function entropy is moved from the slow pool to the fast pool. Read more about Yarrow before using this.
- Methodget_seed
string(8bit)
get_seed()- Description
Returns part of the internal state so that it can be saved for later seeding. This method is deprecated. Instead read the
min_seed_size
number of bytes from therandom_string
method.- See also
seed()
,random_string()
- Methodis_seeded
bool
is_seeded()- Description
Returns 1 if the random generator is seeded and ready to generator output. 0 otherwise.
- See also
seed
- Methodmin_seed_size
int(0..)
min_seed_size()- Description
Returns the minimal number of characters that the
seed
needs to properly seed the random number generator.- See also
seed
- Methodneeded_sources
int(0..)
needed_sources()- Description
The number of sources that must reach the threshold before a slow reseed will happen.
- Methodrandom_string
string(8bit)
random_string(int(0..)
length
)- Description
Returns a pseudo-random string of the requested
length
.
- Methodseed
Yarrow
seed(string(8bit)
data
)- Description
The random generator needs to be seeded before it can be used. The seed must be at least 32 characters long. The seed could be stored from a previous run by inserting the value returned from previous
random_string
call.- Returns
Returns the called object.
- See also
min_seed_size
,is_seeded