Plasma GitLab Archive
Projects Blog Knowledge 

(* $Id: netsys_ciphers.mli 2195 2015-01-01 12:23:39Z gerd $ *)

(** Symmetric cryptographic ciphers *)

type padding =
    [ `None
    | `Length
    | `_8000
    | `CTS
    ]
  (** Padding schemes:

      - [`None]: no padding. The text to encrypt/decrypt must be a multiple
         of [block_constraint] bytes
      - [`Length]: Pad the last block with n bytes of code n
      - [`_8000]: Pad with one byte 0x80 and as many zeros as needed to fill
        the block (this may add one or two blocks)
      - [`CTS]: Use "Ciphertext Stealing". There is a minimum length of the
        message to encrypt of two blocks.
   *)


class type cipher_ctx =
object
  method padding : padding
    (** The padding scheme of the cipher *)

  method block_constraint : int
    (** The buffers used with encrypt/decrypt must have a length that is a
        multiple of this number. (In ECB mode this is the
        block size.)

        This value doesn't take padding into account.
     *)

  method supports_aead : bool
    (** Whether this cipher integrates authentication *)

  method set_iv : string -> unit
    (** Sets the initialization vector (this must be done before starting
        the encryption or decryption).
     *)

  method set_header : string -> unit
    (** Sets the header to authenticate for AEAD (this must be done before
        starting the encryption or decryption).
     *)

  method encrypt : last:bool -> 
                   Netsys_types.memory -> Netsys_types.memory -> int * int
    (** [let n_in, n_out = encrypt ~last inbuf outbuf]: 
        Encrypts the text in [inbuf] and
        writes the result to [outbuf]. The returned numbers indicate how
        much data was processed: the first [n_in] bytes of [inbuf] are
        encrypted, and the first [n_out] bytes of [outbuf] are filled with
        ciphertext.

        This function can be called several
        times to encrypt a larger text. [last] should be set for the last
        call.

        The sizes of [inbuf] and [outbuf] must be at least one block
        in order to produce non-zero ([n_in],[n_out]). (For `CTS only:
        two blocks.)
     *)

  method decrypt : last:bool -> 
                   Netsys_types.memory -> Netsys_types.memory -> int * int
    (** [let n_in, n_out = decrypt ~last inbuf outbuf]:
        Decrypts the text in [inbuf] and
        writes the result to [outbuf]. The returned numbers indicate how
        much data was processed: the first [n_in] bytes of [inbuf] are
        decrypted, and the first [n_out] bytes of [outbuf] are filled with
        plaintext.

        This function can be called several
        times to decrypt a larger text. [last] should be set for the last
        call.

        The sizes of [inbuf] and [outbuf] must be at least one block
        in order to produce non-zero ([n_in],[n_out]). (For `CTS only:
        two blocks.)

        On error, the method fails.
     *)

  method encrypt_string : string -> string
    (** Encrypts this string as a whole *)

  method decrypt_string : string -> string
    (** Decrypts this string as a whole *)

  method mac : unit -> string
    (** Returns the MAC for AEAD ciphers. Can first be called after the
        encryption/decryption is complete. This function fails for non-AEAD
        ciphers.
     *)
end



class type cipher =
object
  method name : string
    (** The name of the cipher *)

  method mode : string
    (** The mode of the cipher *)

  method key_lengths : (int * int) list
    (** Supported key lengths as pairs [min,max]. If there is a recommended
         key length, this is the first.
     *)

  method iv_lengths : (int * int) list
    (** Supported iv lengths as pairs [min,max]. If there is a recommended
        iv length, this is the first.
     *)

  method block_constraint : int
    (** The buffers used with encrypt/decrypt must have a length that is a
        multiple of this number. (In ECB mode this is the
        block size.)
     *)

  method supports_aead : bool
     (** Whether this cipher integrates authentication *)

  method create : string -> padding -> cipher_ctx
    (** [create c p key]: create a new cipher context for [key]. If not set,
        the initialization vector is assumed to be zero, and the header the
        empty string.

        The cipher context can be used for either encrypting or decrypting a
        single message.
     *)
end


(** The following functions use the current crypto module (as retrieved by
    {!Netsys_crypto.current_symmetric_crypto}), unless the [impl] argument is
    passed.
 *)

val ciphers : ?impl:(module Netsys_crypto_types.SYMMETRIC_CRYPTO) ->
              unit -> cipher list
    (** List of supported ciphers *)

val find : ?impl:(module Netsys_crypto_types.SYMMETRIC_CRYPTO) ->
           (string * string) ->
           cipher
    (** [find (name,mode)]: get the cipher [name] in the passed [mode].

        The name conventionally follows the [<uppercasestring>-<size>] format,
        e.g. "AES-128" or "TWOFISH-128".

        Modes are "ECB", "CBC", "OFB", "CTR", "STREAM", "GCM". Not every cipher
        is available in every mode.
     *)

val process_substring :
     (last:bool -> Netsys_types.memory -> Netsys_types.memory -> int * int) ->
     string -> int -> int -> string
  (** [process_substring p s pos len]: If [p] is [encrypt] or [decrypt] from
      a [cipher_ctx], [p] will be called to submit the data from string [s],
      starting at position [pos] and length [len].

      The encrypted or decrypted string is returned.
   *)

val process_string :
     (last:bool -> Netsys_types.memory -> Netsys_types.memory -> int * int) ->
     string -> string
  (** [process_substring p s pos len]: If [p] is [encrypt] or [decrypt] from
      a [cipher_ctx], [p] will be called to submit the data from string [s].

      The encrypted or decrypted string is returned.
   *)
This web site is published by Informatikbüro Gerd Stolpmann
Powered by Caml