Diff

Differences From Artifact [d060a163a5]:

To Artifact [b0e27f9e6f]:









+
+
+







	    <dd><b>tls::md</b> <b>-digest</b> <em>name ?options?</em></dd>
	    <dd><b>tls::md4</b> <em>data</em></dd>
	    <dd><b>tls::md5</b> <em>data</em></dd>
	    <dd><b>tls::sha1</b> <em>data</em></dd>
	    <dd><b>tls::sha256</b> <em>data</em></dd>
	    <dd><b>tls::sha512</b> <em>data</em></dd>
	    <dd><b>tls::unstack</b> <em>channelId</em></dd>
	    <dt>&nbsp;</dt>
	    <dd><b>tls::encrypt</b> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd>
	    <dd><b>tls::decrypt</b> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd>
	</dl>
    </dd>
    <dd><a href="#OPTIONS">OPTIONS</a></dd>
    <dd><a href="#COMMANDS">COMMANDS</a></dd>
    <dd><a href="#GLOSSARY">GLOSSARY</a> </dd>
    <dd><a href="#EXAMPLES">EXAMPLES</a></dd>
    <dd><a href="#SPECIAL">SPECIAL CONSIDERATIONS</a></dd>







+
+
+











-
-
-
-
+
+
+
+
+

















+
+
-
+
+
+
+





-
-
-
+
+
+
+







<a href="#tls::md"><b>tls::md</b> <b>-digest</b> <i>name ?options?</i></a><br>
<a href="#tls::md4"><b>tls::md4</b> <i>data</i></a><br>
<a href="#tls::md5"><b>tls::md5</b> <i>data</i></a><br>
<a href="#tls::sha1"><b>tls::sha1</b> <i>data</i></a><br>
<a href="#tls::sha256"><b>tls::sha256</b> <i>data</i></a><br>
<a href="#tls::sha512"><b>tls::sha512</b> <i>data</i></a><br>
<a href="#tls::unstack"><b>tls::unstack</b> <i>channelId</i></a><br>
<br>
<a href="#tls::encrypt"><b>tls::encrypt</b> <b>-cipher</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br>
<a href="#tls::decrypt"><b>tls::decrypt</b> <b>-cipher</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br>
</p>

<br>
<h3><a name="OPTIONS">OPTIONS</a></h3>

<p>The following options are used by the cryptography commands.</p>
<br>
<h4>Cryptographic Options</h4>

<dl>
    <dt><a name="-cipher"><strong>-cipher</strong> <em>name</em></a></dt>
    <dd>Name of cryptographic cipher to use. Used by the CMAC and GMAC hash
    algorithms. For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC
    or DES-EDE3-CBC. For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
    See <a href="#tls::ciphers"><b>tls::ciphers</b></a> for the valid values.</dd>
    <dd>Name of cryptographic cipher to use. Used by encrypt/decrypt command
    and CMAC &amp; GMAC hash algorithms. For CMAC it must be one of AES-128-CBC,
    AES-192-CBC, AES-256-CBC or DES-EDE3-CBC. For GMAC it should be a GCM mode
    cipher e.g. AES-128-GCM. See <a href="#tls::ciphers"><b>tls::ciphers</b></a>
    for the valid values.</dd>
</dl>

<dl>
    <dt><a name="-digest"><strong>-digest</strong> <em>name</em></a></dt>
    <dd>Name of hash function (aka message digest) to use.
    See <a href="#tls::digests"><b>tls::digests</b></a> for the valid values.</dd>
</dl>

<dl>
    <dt><a name="-iterations"><strong>-iterations</strong> <em>count</em></a></dt>
    <dd>Number (integer) of iterations on the password to use in deriving the
    encryption key. Default is 10000. Some KDF implementations require an
    iteration count.</dd>
</dl>

<dl>
    <dt><a name="-iv"><strong>-iv</strong> <em>string</em></a></dt>
    <dd>Initialization vector (IV) to use. Required for some ciphers and GMAC.
    Cipher modes CBC, CFB, OFB and CTR all need an IV while ECB mode does not.
    <dd>Initialization vector (IV). Required for GMAC. Cipher modes CBC, CFB, OFB and CTR all need an initialization vector (IV) while ECB mode does not. A new, random IV should be created for each use. Think of the IV as a nonce (number used once), it's public but random and unpredictable.</dd>
    A new, random IV should be created for each use. Think of the IV as a nonce
    (number used once), it's public but random and unpredictable. See the
   <a href="#tls::cipher"><b>tls::cipher</b></a> command for iv size and
    when required.</dd>
</dl>

<dl>
    <dt><a name="-key"><strong>-key</strong> <em>string</em></a></dt>
    <dd>Encryption key to use for cryptography function. Can be a binary or
    text string. Longer keys provide
    better protection. Used by HMAC, some CMAC, and some KDF implementations.
    Some functions require key length must conform to <b>key_length</b> size.</dd>
    text string. Longer keys provide better protection. Used by ciphers, HMAC,
    some CMAC, and some KDF implementations. Key lengths less than <b>key_length</b>
    size may be padded or rejected. See the
    <a href="#tls::cipher"><b>tls::cipher</b></a> command for key size.</dd>
</dl>

<dl>
    <dt><a name="-mac"><strong>-mac</strong> <em>name</em></a></dt>
    <dd>Name of Message Authentication Code (MAC) to use.
    See <a href="#tls::mac"><b>tls::macs</b></a> for the valid values.</dd>
</dl>
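Review bot: In the new -key description, "Key lengths less than key_length size may be padded or rejected" leaves the caller unable to tell which of the two will happen, and a silently padded short key is much weaker than the cipher name suggests. State per command whether a short key is rejected or padded (and with what). Since the same text allows a "text string" key, also say that a password should be run through a KDF first, as the -iterations entry above already implies, rather than passed as -key directly. In the new -iv text, "Required for some ciphers and GMAC" followed by a pointer to tls::cipher is fine, but the reader would benefit from one sentence saying the IV must be stored or sent with the ciphertext, since decryption needs the same value.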







+
-
+

-
+












+
-
-
-
-
+
+
+
+
















-
+








-
+
+
+
+
+
+



-
+
+
+
+
+
+







	the system may hang while waiting for data. When done, use either the
	close command or <a href="#tls::unstack"><strong>tls::unstack</strong></a>
	to remove the transform from the channel. Additional transforms cannot
	be added to channel. Example code:</dd></dl>
    <blockquote><code>
		set ch [open test_file.txt rb]<br>
		::tls::digest -digest sha256 -chan $ch<br>
		set dat ""<br>
		while {![eof $ch]} {set md [read $ch 4096]}<br>
		while {![eof $ch]} {append dat [read $ch 4096]}<br>
		close $ch<br>
		puts $md
		puts $dat
    </code></blockquote>

<dl>
    <dt><a name="-command"><strong>-command</strong> <em>cmdName</em></a></dt>
    <dd>Create and return <em>cmdName</em> which is used to incrementally add
	data to a cryptographic function. To add data to the function, call
	&quot;<em>cmdName</em> <b>update</b> <em>data</em>&quot;, where
	<em>data</em> is the data to add. When done, call
	&quot;<em>cmdName</em> <b>finalize</b>&quot; to return the resulting
	value and delete <em>cmdName</em>. Example code:</dd></dl>
    <blockquote><code>
		set cmd [::tls::digest -digest sha256 -command ::tls::temp]<br>
		set dat ""<br>
		$cmd update "Some data. "<br>
		$cmd update "More data."<br>
		set md [$cmd finalize]<br>
		puts $md
		append dat [$cmd update "Some data. "]<br>
		append dat [$cmd update "More data."]<br>
		append dat [$cmd finalize]<br>
		puts $dat
    </code></blockquote>

<dl>
    <dt><a name="-data"><strong>-data</strong> <em>string</em></a></dt>
    <dd>Perform the cryptographic function on <em>data</em> and return the
    result. Example code:</dd></dl>
    <blockquote><code>
		set md [::tls::digest sha256 "Some example data."]<br>
		puts $md
    </code></blockquote>

<dl>
    <dt><a name="-file"><strong>-file</strong> <em>filename</em></a></dt>
    <dt><a name="-file"><strong>-filename</strong> <em>filename</em></a></dt>
    <dd>Perform the cryptographic function on file <em>filename</em> and return
    the result. This operation will open file, read the file data, close the
    file, and return the result using the TCL APIs, so VFS files are
    file, and return the result using the TCL file APIs, so VFS files are
    supported. Example code:</dd></dl>
    <blockquote><code>
		set md [::tls::digest -digest sha256 -file test_file.txt]<br>
		puts $md
    </code></blockquote>

<dl>
    <dt><a name="-infile"><strong>-infile</strong> <em>filename</em></a></dt>
    <dd>Specifies the file to use as data input source.</dd></dl>
    <dd>Specifies the file to use as data input source. This option uses the
    TCL file APIs, so VFS files are supported. Example code:</dd></dl>
    <blockquote><code>
		::tls::encrypt -cipher aes-128-cbc -key "Test key"
		-infile unencrypted.txt -outfile encrypted.dat
    </code></blockquote>

<dl>
    <dt><a name="-outfile"><strong>-outfile</strong> <em>filename</em></a></dt>
    <dd>Specifies the file to send the results to.</dd></dl>
    <dd>Specifies the file to output the encryption results to. This option
    uses the TCL file APIs, so VFS files are supported. Example code:</dd></dl>
    <blockquote><code>
		::tls::decrypt -cipher aes-128-cbc -key "Test key"
		-infile encrypted.dat -outfile unencrypted.txt
    </code></blockquote>

<dl>
    <dt><a name="-keyfile"><strong>-keyfile</strong> <em>filename</em></a></dt>
    <dd>Specifies the file to get the encryption key from.</dd></dl>

<br>
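Review bot: The new -infile and -outfile examples call ::tls::encrypt and ::tls::decrypt with -cipher aes-128-cbc and -key "Test key" but no -iv, while the -iv option text in this same change says CBC mode needs an IV and that a new random one should be created for each use. "Test key" is also 8 bytes, which for AES-128 lands in the "may be padded or rejected" case of the -key text, so the example either fails or demonstrates a padded key. Suggest the examples use a 16-byte key and a 16-byte random IV, pass -iv to both commands, and show the IV being kept alongside the ciphertext. Each example is also split over two lines with no line break tag or trailing backslash, so it is not one Tcl command if copied as displayed in the source.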








-
-
+
+









-
-
+
+









-
-
-
+
+
+








-
-
-
-
-
+
+
+
+
+



















+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+







<br>

<h4>Message Digest (MD) and Message Authentication Code (MAC) Commands</h4>

    <dt><a name="tls::cmac"><strong>tls::cmac</strong>
	<em>?</em><b>-cipher</b><em>? name</em>
	<b>-key</b> <em>key ?</em><b>-bin</b>|<b>-hex</b><em>?
	[</em><b>-file</b> <em>filename | </em><b>-command</b> <em>cmdName |
	</em><b>-chan</b> <em>channelId | ?</em><b>-data</b><em>? data]</em></a></dt>
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
    <dd>Calculate the Cipher-based Message Authentication Code (CMAC) where
	<em>key</em> is a shared key and output the result per the I/O options
	in the specified format. MACs are used to ensure authenticity and the
	integrity of data. See <a href="#OPTIONS"><b>options</b></a> for usage
	info. Option <b>-key</b> is only used for some ciphers.</dd>

    <dt><a name="tls::hmac"><strong>tls::hmac</strong>
	<em>?</em><b>-digest</b><em>? name</em>
	<b>-key</b> <em>key ?</em><b>-bin</b>|<b>-hex</b><em>?
	[</em><b>-file</b> <em>filename | </em><b>-command</b> <em>cmdName |
	</em><b>-chan</b> <em>channelId | ?</em><b>-data</b><em>? data]</em></a></dt>
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
    <dd>Calculate the Hash-based Message Authentication Code (HMAC) where
	<em>key</em> is a shared secret key and output the result per the I/O
	options in the specified format. The cryptographic strength depends
	upon the size of the key and the security of the hash function used.
	See <a href="#OPTIONS"><b>options</b></a> for usage info.</dd>

    <dt><a name="tls::mac"><strong>tls::mac</strong>
	<em>?</em><b>-mac</b><em>? name</em> <b>-cipher</b> <em>name</em>
	<b>-digest</b> <em>name</em> <b>-key</b> <em>key ?</em>
	<b>-bin</b>|<b>-hex</b><em>? [</em><b>-file</b>
	<em>filename | </em><b>-command</b> <em>cmdName |
	</em><b>-chan</b> <em>channelId | ?</em><b>-data</b><em>? data]</em></a></dt>
	<b>-bin</b>|<b>-hex</b><em>?
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
    <dd>(OpenSSL 3.0+) Calculate the Message Authentication Code (MAC) where
	<em>key</em> is a shared key and output the result per the I/O options
	in the specified format. MACs are used to ensure authenticity and
	the integrity of data. See <a href="#OPTIONS"><b>options</b></a>
	for usage info.</dd>

    <dt><a name="tls::md"><strong>tls::md</strong>
	<em>?</em><b>-digest</b><em>? name ?</em><b>-bin</b>|<b>-hex</b><em>?
	[</em><b>-file</b> <em>filename | </em><b>-command</b> <em>cmdName |
	</em><b>-chan</b> <em>channelId | ?</em><b>-data</b><em>? data]</em></a></dt>
    <dd>Calculate the message digest (MD) using hash function (aka message
	digest) <em>name</em> and output the result per the I/O options in the
	specified format. MDs are used to ensure the integrity of data. See
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
    <dd>Calculate the message digest (MD) using hash function <em>name</em>
	and output the result per the I/O options in the specified format.
	MDs are used to ensure the integrity of data. See
	<a href="#OPTIONS"><b>options</b></a> for usage info.</dd>

    <dt><a name="tls::md4"><strong>tls::md4</strong> <em>data</em></a></dt>
    <dd>Returns the MD4 message-digest for <em>data</em> as a hex string.</dd>

    <dt><a name="tls::md5"><strong>tls::md5</strong> <em>data</em></a></dt>
    <dd>Returns the MD5 message-digest for <em>data</em> as a hex string.</dd>

    <dt><a name="tls::sha1"><strong>tls::sha1</strong> <em>data</em></a></dt>
    <dd>Returns the SHA1 secure hash algorithm digest for <em>data</em> as a hex string.</dd>

    <dt><a name="tls::sha256"><strong>tls::sha256</strong> <em>data</em></a></dt>
    <dd>Returns the SHA-2 SHA256 secure hash algorithm digest for <em>data</em> as a hex string.</dd>

    <dt><a name="tls::sha512"><strong>tls::sha512</strong> <em>data</em></a></dt>
    <dd>Returns the SHA-2 SHA512 secure hash algorithm digest for <em>data</em> as a hex string.</dd>

    <dt><a name="tls::unstack"><strong>tls::unstack</strong> <em>channelId</em></a></dt>
    <dd>Removes the top level cryptographic transform from channel <em>channelId</em>.</dd>

<br>

<h4>Encryption and Decryption Commands</h4>

    <dt><a name="tls::encrypt"><strong>tls::encrypt</strong>
	<b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?</em><b>-iv</b> <em>string?
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-infile</b> <em>filename</em> <b>-outfile</b> <em>filename |</em>
	<b>-data</b><em> data]</em></a></dt>
    <dd>Encrypt the data using cipher <em>cipher</em> and output the result per
	the I/O options. Ciphers are used to create the cipher text from the
	input data. See <a href="#OPTIONS"><b>options</b></a> for usage
	info. Option <b>-iv</b> is only used for some ciphers. See the
	&quot;<b>tls::cipher</b> <em>cipher</em>&quot; command for key and iv
	sizes and when the iv is used (iv_length &gt; 0).</dd>

    <dt><a name="tls::decrypt"><strong>tls::decrypt</strong>
	<b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?</em><b>-iv</b> <em>string?
	[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
	<b>-infile</b> <em>filename</em> <b>-outfile</b> <em>filename |</em>
	<b>-data</b><em> data]</em></a></dt>
    <dd>Decrypt the data using cipher <em>cipher</em> and output the result per
	the I/O options. This command is the opposite of the <b>tls::encrypt</b>
	command. See <a href="#OPTIONS"><b>options</b></a> for usage
	info. Option <b>-iv</b> is only used for some ciphers. See the
	&quot;<b>tls::cipher</b> <em>cipher</em>&quot; command for key and iv
	sizes and when the iv is used (iv_length &gt; 0).</dd>
</dl>

<br>
<h3><a name="GLOSSARY">GLOSSARY</a></h3>

<p>The following is a list of the terminology used in this package along with
brief definitions. For more details, please consult with the OpenSSL documentation.</p>
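Review bot: The new tls::encrypt and tls::decrypt entries do not say what the caller gets when the key, IV or ciphertext is wrong or has been altered, and neither synopsis has an option for an authentication tag, so as documented the output carries no integrity protection. Add a sentence saying so and point to tls::hmac or tls::cmac (documented just above) for authenticating the ciphertext, or document the tag handling if GCM mode ciphers are accepted by these commands. Two smaller points: both descriptions say "using cipher cipher" while the synopsis calls the argument name, and the -keyfile option listed in the options section does not appear in either synopsis, where -key is shown as mandatory.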