123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383openUnsigned(* We keep the API abstract over the type of buffer used in order to keep the
* possibility of swapping this implementation in the future or offering
* multiple such implementations. A past version of the library was
* built using Bigstring instead of Bytes. *)moduletypeBuffer=sigtypettypebufvalempty:bytesvalsize_uint32:bytes->uint32valctypes_buf:bytes->bufvalctypes_buf_with_offset:bytes->int->bufvalsize:bytes->intvalequal:bytes->bytes->boolvalmake:int->bytesvaldisjoint:bytes->bytes->boolvalsub:bytes-> int->int->bytesval z_compare:bytes->Z.t->intend(** Abstract representation of buffers *)moduleCBytes:Bufferwithtypet=Bytes.tandtypebuf=Bytes.tCtypes.ocaml=structopenCtypestypet=Bytes.ttypebuf=Bytes.tCtypes.ocamlletempty=Bytes.emptyletsize_uint32b=Unsigned.UInt32.of_int(Bytes.lengthb)letctypes_buf=ocaml_bytes_startletctypes_buf_with_offset bytesoffset=letbuf=ocaml_bytes_startbytesinbuf+@offsetletsize=Bytes.lengthlet equal=Bytes.equalletmakel=Bytes.makel'\x00'letdisjoint b1b2=b1!=b2letsub=Bytes.subletz_comparebz=Z.compare(Z.of_bits(Bytes.to_string b))zend(** Representation of [Bytes.t] buffers *)moduleHacl_Hash=structincludeHacl_Hash_Base_bindings.Bindings(Hacl_Hash_Base_stubs)includeHacl_Hash_MD5_bindings.Bindings(Hacl_Hash_MD5_stubs)includeHacl_Hash_SHA1_bindings.Bindings(Hacl_Hash_SHA1_stubs)includeHacl_Hash_SHA2_bindings.Bindings(Hacl_Hash_SHA2_stubs)includeHacl_Hash_Blake2_bindings.Bindings(Hacl_Hash_Blake2_stubs)endmoduleHacl_Spec =Hacl_Spec_bindings.Bindings(Hacl_Spec_stubs)letmax_uint32=Z.((shift_left~$132)-~$1)letmax_uint64=Z.((shift_left~$164)-~$1)letpow2_31=Z.(shift_left~$131)(* Note: we check most input buffers to have a length that fits inside
* a uint32_t because that is the type of buffer length accepted by the
* C interface. In their specs, some functions accept longer buffers.
* We could revise these checks in the future if the C interface will use
* larger types for the size of a buffer. *)letcheck_max_buffer_lenlen=assertZ.(of_int len<=max_uint32)moduleAEADDefs=structopenHacl_Spectypealg=|AES128_GCM|AES256_GCM|CHACHA20_POLY1305letalg_definition =function|AES128_GCM->spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES128_GCM|AES256_GCM->spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES256_GCM|CHACHA20_POLY1305->spec_Agile_AEAD_alg_Spec_Agile_AEAD_CHACHA20_POLY1305letkey_length=function(* specs/Spec.Agile.AEAD.key_length *)|AES128_GCM->16|AES256_GCM->32|CHACHA20_POLY1305->32lettag_length=function(* specs/Spec.Agile.AEAD.tag_length *)|AES128_GCM|AES256_GCM|CHACHA20_POLY1305->16letcheck_iv_lengthlen=function(* specs/Spec.Agile.AEAD.iv_length *)|AES128_GCM|AES256_GCM->len>0&&Z.(of_intlen<=max_uint32)|CHACHA20_POLY1305 ->len=12letcheck_max_pt_lengthlen=function(* specs/Spec.Agile.AEAD.max_length *)|AES128_GCM|AES256_GCM->Z.(of_intlen<=max_uint32)|CHACHA20_POLY1305 ->Z.(of_intlen<=max_uint32-~$16)letcheck_sizes~alg~iv_len~tag_len~ad_len ~pt_len ~ct_len =(* providers/EverCrypt.AEAD.encrypt_st *)assert(check_iv_lengthiv_lenalg);assert(tag_len=tag_lengthalg);assert(check_max_pt_lengthpt_lenalg);assertZ.(of_intad_len<=pow2_31);assert (pt_len=ct_len)endmoduleHashDefs=structopenHacl_Spectypedeprecated_alg=|SHA1|MD5[@@deprecated]type alg=|SHA2_224|SHA2_256|SHA2_384|SHA2_512|BLAKE2b|BLAKE2s|Legacyofdeprecated_algletalg_definition =function|SHA2_224->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_224|SHA2_256->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_256|SHA2_384->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_384|SHA2_512->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_512|BLAKE2b->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2B|BLAKE2s->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2S|LegacySHA1->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA1|LegacyMD5->spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_MD5letdigest_lenalg=UInt32.to_int(Hacl_Hash.hacl_Hash_Definitions_hash_len(alg_definitionalg))letcheck_digest_lenalglen=assert(len =digest_lenalg)endmoduletypeChacha20_Poly1305_generic=sigtypebytesvalencrypt:key:bytes->iv:bytes->ad:bytes ->pt:bytes ->bytes *bytes(** [encrypt key iv ad pt] takes a [key], an initial value [iv], additional data
[ad], and plaintext [pt] and returns a tuple containing the encrypted [pt] and the
authentication tag for the plaintext and the associated data. *)valdecrypt:key:bytes->iv:bytes->ad:bytes ->ct:bytes ->tag:bytes->bytesoption(** [decrypt key iv ad ct tag] takes a [key], the initial value [iv], additional
data [ad], ciphertext [ct], and authentication tag [tag], and, if successful,
returns the decrypted [ct]. *)(** Versions of these functions which write their output in a buffer passed in as
an argument *)moduleNoalloc:sigvalencrypt:key:bytes->iv:bytes->ad:bytes ->pt:bytes ->ct:bytes ->tag:bytes->unit(** [encrypt key iv ad pt ct tag] takes a [key], an initial value [iv], additional data
[ad], and plaintext [pt], as well as output buffers [ct], which will
contain the encrypted [pt], and [tag], which will contain the authentication tag for
the plaintext and the associated data. *)valdecrypt:key:bytes->iv:bytes->ad:bytes ->ct:bytes ->tag:bytes->pt:bytes->bool(** [decrypt key iv ad ct tag pt] takes a [key], the initial value [iv], additional
data [ad], ciphertext [ct], and authentication tag [tag], as well as output buffer [pt],
which, if successful, will contain the decrypted [ct]. *)endendmoduletypeCurve25519_generic =sig(** See {{:https://hacl-star.github.io/HaclECDH.html#hacl-curve25519} here} for detailed
usage instructions.
*)typebytesvalsecret_to_public:sk:bytes->bytes(** [secret_to_public sk] takes a 32-byte secret key [sk] and returns the corresponding
32-byte ECDH public key. *)valecdh:sk:bytes->pk:bytes->bytes option(** [ecdh sk pk] takes a 32-byte secret key [sk] and another party's 32-byte public
key and returns the 32-byte ECDH shared key. *)valscalarmult:scalar:bytes->point:bytes->bytes(** [scalarmult scalar point] performs scalar multiplication over the curve. Buffers
are 32-byte long and must be distinct. *)(** Versions of these functions which write their output in a buffer passed in as
an argument *)moduleNoalloc:sigvalsecret_to_public:sk:bytes->pk:bytes->unit(** [secret_to_public sk pk] takes a 32-byte secret key [sk] and writes the corresponding
32-byte ECDH public key in [pk]. Buffers [pk] and [sk] must be distinct. *)valecdh:sk:bytes->pk:bytes->shared:bytes->bool(** [ecdh sk pk shared] takes a 32-byte secret key [sk] and another party's 32-byte public
key and writes the 32-byte ECDH shared key in [shared]. Buffer [shared] must be distinct from
[pk] and [sk]. *)valscalarmult:scalar:bytes->point:bytes->result:bytes->unit(** [scalarmult scalar point] performs scalar multiplication over the curve. Buffers
are 32-byte long and must be distinct. *)endendmoduletypeEdDSA_generic =sig(** See {{:https://hacl-star.github.io/HaclSig.html} here} for detailed
usage instructions.
*)typebytes(** {1 EdDSA} *)valsecret_to_public:sk:bytes->bytes(** [secret_to_public sk] takes a secret key [sk] and returns the corresponding
public key. *)valsign:sk:bytes->msg:bytes->bytes(** [sign sk msg] takes secret key [sk] and message [msg] and returns
the Ed25519 signature. *)valverify:pk:bytes->msg:bytes->signature:bytes->bool(** [verify pk msg signature] takes public key [pk], message [msg] and verifies the
Ed25519 signature, returning true if valid. *)(** {1 EdDSA Expanded Signing} *)valexpand_keys:sk:bytes->bytes(** [expand_keys sk] takes secret key [sk] and returns the expanded secret key. *)valsign_expanded:ks:bytes->msg:bytes->bytes(** [sign_expanded ks msg signature] takes expanded secret key [ks] and message [msg] and
returns the Ed25519 signature. *)(** Versions of these functions which write their output in a buffer passed in as
an argument *)moduleNoalloc:sig(** Buffers have the following size constraints:
- [sk], [pk]: 32 bytes
- [signature]: 64 bytes
{1 EdDSA}
Note: The [verify] function does not return a buffer so it has no been duplicated here.
*)valsecret_to_public:sk:bytes->pk:bytes->unit(** [secret_to_public sk pk] takes a secret key [sk] and writes the corresponding
public key in [pk]. Buffers [pk] and [sk] must be distinct. *)valsign:sk:bytes->msg:bytes->signature:bytes->unit(** [sign sk msg signature] takes secret key [sk] and message [msg] and writes
the Ed25519 signature in [signature]. *)(** {1 EdDSA Expanded Signing}
The buffer [ks] containing the expanded secret key must be 96 bytes long.
*)valexpand_keys:sk:bytes->ks:bytes->unit(** [expand_keys sk ks] takes secret key [sk] and writes the expanded secret key in [ks]. *)valsign_expanded:ks:bytes->msg:bytes->signature:bytes->unit(** [sign_expanded ks msg signature] takes expanded secret key [ks] and message [msg] and writes
the Ed25519 signature in [signature]. *)endendmoduletypeHashFunction_generic =sigtypebytesvalhash:bytes->bytes(** [hash msg] returns the hash of [msg]. *)(** Version of this function which writes its output in a buffer passed in as
an argument *)moduleNoalloc:sigvalhash:msg:bytes->digest:bytes->unit(** [hash msg digest] hashes [msg] and outputs the result in [digest]. *)endendmoduletypeMAC_generic =sig(** For Poly1305, buffers have the following size constraints:
- [key]: 32 bytes
- output buffer: 16 bytes
For HMAC with SHA-2, the output buffer is the same size as the digest size of
the corresponding hash function (see {{!EverCrypt.Hash} here}). For HMAC with BLAKE2,
the output buffer is 64 bytes for BLAKE2b and 32 bytes for BLAKE2s.
*)typebytesvalmac:key:bytes->msg:bytes->bytes(** [mac key msg] computes the MAC of [msg] using key [key]. *)(** Version of this function which writes its output in a buffer passed in as
an argument *)moduleNoalloc:sigvalmac:key:bytes->msg:bytes->tag:bytes->unit(** [mac key msg tag] computes the MAC of [msg] using key [key] and writes the result in [tag].
The `tag` buffer needs to satisfy the size requirements for the output buffer. *)endendmoduletypeHKDF_generic =sig(** Buffers have the following size constraints with respect to the digest size of the underlying
hash function, [digest_len]:
- [prk]: = [digest_len]
- [okm]: <= 255 * [digest_len]
*)typebytesvalextract:salt:bytes->ikm:bytes->bytes(** [extract salt ikm] computes a pseudorandom key using input key material [ikm] and
salt [salt]. *)valexpand:prk:bytes->info:bytes->size:int->bytes(** [expand prk info size] expands the pseudorandom key [prk], taking the info string [info] into
account and returns a buffer of [size] bytes. *)(** Versions of these functions which write their output in a buffer passed in as
an argument *)moduleNoalloc:sigvalextract:salt:bytes->ikm:bytes->prk:bytes->unit(** [extract salt ikm prk] computes a pseudorandom key [prk] using input key material [ikm] and
salt [salt]. *)valexpand:prk:bytes->info:bytes->okm:bytes->unit(** [expand prk info okm] expands the pseudorandom key [prk], taking the info string [info] into
account, and writes the output key material in [okm]. *)endendmoduletypeECDSA_generic =sig(** Buffers have the following size constraints:
- [pk]: 64 bytes, corresponding to the "raw" representation of an elliptic curve point (see {!section:points})
- [sk], [k]: 32 bytes
- [signature]: 64 bytes
- [msg]: no size requirement for variants using SHA-2 hashing (see {!section:ecdsa})
*)typebytesvalsign:sk:bytes->msg:bytes->k:bytes->bytesoption(** [sign sk msg k] attempts to sign the message [msg] with secret key [sk] and
signing secret [k] and returns the signature if successful. *)valverify:pk:bytes->msg:bytes->signature:bytes->bool(** [verify pk msg signature] checks the [signature] of [msg] using public key [pk] and returns
true if it is valid. *)(** Versions of these functions which write their output in a buffer passed in as
an argument *)moduleNoalloc:sigvalsign:sk:bytes->msg:bytes->k:bytes->signature:bytes->bool(** [sign sk msg k signature] attempts to sign the message [msg] with secret key [sk] and
signing secret [k]. If successful, the signature is written in [signature] and the
function returns true. *)endendmoduletypeBlake2_generic =sig(** Buffers have the following size constraints:
- [key]: <= 64 bytes for BLAKE2b, <= 32 bytes for BLAKE2s
- [digest]: non-zero, <= 64 bytes for BLAKE2b, <= 32 bytes for BLAKE2s *)typebytesvalhash:?key:bytes->bytes->int->bytes(** [hash ?key msg size] hashes [msg] and returns a digest of length [size].
An optional [key] argument can be passed for keyed hashing. *)(** Version of this function which writes its output in a buffer passed in as
an argument *)moduleNoalloc:sigvalhash:key:bytes->msg:bytes->digest:bytes->unit(** [hash key msg digest] hashes [msg] and outputs the result in [digest].
A non-empty [key] can be passed for keyed hashing. *)endendmoduletypeChacha20_Poly1305 =Chacha20_Poly1305_genericwithtypebytes=CBytes.tmoduletypeCurve25519 =Curve25519_genericwithtypebytes=CBytes.tmoduletypeEdDSA=EdDSA_genericwithtypebytes=CBytes.tmoduletypeHashFunction =HashFunction_genericwithtypebytes=CBytes.tmoduletypeMAC=MAC_generic withtypebytes=CBytes.tmoduletypeHKDF=HKDF_genericwithtypebytes=CBytes.tmoduletypeECDSA=ECDSA_genericwithtypebytes=CBytes.tmoduletypeBlake2=Blake2_genericwithtypebytes=CBytes.t