︙ | | | ︙ | |
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
|
uniquely and randomly generated value. This option is used by BLAKE2 MAC
and some KDF implementations use a non-secret unique cryptographic salt.</dd>
</dl>
<dl>
<dt><a name="-length"><strong>-length</strong> <em>integer</em></a></dt>
<dt><a name="-size"><strong>-size</strong> <em>integer</em></a></dt>
<dd>Set the output hash or KDF length in bytes. Used by KDFs, KMAC128, and
KMAC256 to specify an output length in bytes. The default size
for KMAC128 is 32 bytes and KMAC256 is 64 bytes.</dd>
</dl>
<dl>
<dt><a name="-auth_tag"><strong>-tag</strong> <em>string</em></a></dt>
<dt><a name="-tag"><strong>-tag</strong> <em>string</em></a></dt>
<dd>Authenticated Encryption and Authenticated Data (AEAD) tag.
Can be a binary or text string. Max is 16 bytes. A minimum of 12
|
|
|
|
>
|
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
uniquely and randomly generated value. This option is used by BLAKE2 MAC
and some KDF implementations use a non-secret unique cryptographic salt.</dd>
</dl>
<dl>
<dt><a name="-length"><strong>-length</strong> <em>integer</em></a></dt>
<dt><a name="-size"><strong>-size</strong> <em>integer</em></a></dt>
<dd>Set the output length in bytes. Used by KDFs, KMAC128 and KMAC256 MACs,
and SHAKE128 and SHAKE256 XOF hashes. The default length for KMAC128 is 32
bytes and KMAC256 is 64 bytes. The default length for SHAKE128 is 16 bytes
and SHAKE256 is 32 bytes.</dd>
</dl>
<dl>
<dt><a name="-auth_tag"><strong>-tag</strong> <em>string</em></a></dt>
<dt><a name="-tag"><strong>-tag</strong> <em>string</em></a></dt>
<dd>Authenticated Encryption and Authenticated Data (AEAD) tag.
Can be a binary or text string. Max is 16 bytes. A minimum of 12
|
︙ | | | ︙ | |
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
|
<tr><td><b>description</b></td><td>Description of the cipher. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>block_size</b></td><td>Block size of the cipher. Stream ciphers are set to 1.<td></tr>
<tr><td><b>key_length</b></td><td>key length of a cipher in bytes.<td></tr>
<tr><td><b>iv_length</b></td><td>IV length of a cipher in bytes or 0 if not used.<td></tr>
<tr><td><b>type</b></td><td>Base type of this cipher or undefined if none.<td></tr>
<tr><td><b>provider</b></td><td>Provider of the cipher. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>mode</b></td><td>Block cipher mode or <b>stream</b> for a stream cipher.<td></tr>
<tr><td><b>flags</b></td><td>Flags associated with the cipher. Includes: Variable Length, AEAD Cipher, Non FIPS Allow, etc.<td></tr>
</table></blockquote>
<dt><a name="tls::ciphers"><strong>tls::ciphers</strong>
<em>?protocol? ?verbose? ?supported?</em></a></dt>
<dd>Without any args, returns a list of all symmetric ciphers for use with
the <a href="#-cipher"><b>-cipher</b></a> option. With <em>protocol</em>,
only the ciphers supported for that protocol are returned. See
|
|
>
|
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
|
<tr><td><b>description</b></td><td>Description of the cipher. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>block_size</b></td><td>Block size of the cipher. Stream ciphers are set to 1.<td></tr>
<tr><td><b>key_length</b></td><td>key length of a cipher in bytes.<td></tr>
<tr><td><b>iv_length</b></td><td>IV length of a cipher in bytes or 0 if not used.<td></tr>
<tr><td><b>type</b></td><td>Base type of this cipher or undefined if none.<td></tr>
<tr><td><b>provider</b></td><td>Provider of the cipher. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>mode</b></td><td>Block cipher mode or <b>stream</b> for a stream cipher.<td></tr>
<tr><td><b>flags</b></td><td>Flags associated with the cipher. Includes:
Variable Length, AEAD Cipher, Non FIPS Allow, etc.<td></tr>
</table></blockquote>
<dt><a name="tls::ciphers"><strong>tls::ciphers</strong>
<em>?protocol? ?verbose? ?supported?</em></a></dt>
<dd>Without any args, returns a list of all symmetric ciphers for use with
the <a href="#-cipher"><b>-cipher</b></a> option. With <em>protocol</em>,
only the ciphers supported for that protocol are returned. See
|
︙ | | | ︙ | |
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
|
<tr><td><b>name</b></td><td>Name or alias of the digest.<td></tr>
<tr><td><b>description</b></td><td>Description of the digest. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>size</b></td><td>Size of the digest in bits.<td></tr>
<tr><td><b>block_size</b></td><td>Block size of digest in bytes.<td></tr>
<tr><td><b>provider</b></td><td>Provider of the digest. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>type</b></td><td>Base type of this digest or undefined if none.<td></tr>
<tr><td><b>pkey_type</b></td><td>Pkey associated with digest.<td></tr>
<tr><td><b>flags</b></td><td>Flags associated with the digest. Includes: One-shot, XOF, etc.<td></tr>
</table></blockquote>
<dt><a name="tls::kdfs"><strong>tls::kdfs</strong></a></dt>
<dd>Returns a list of the available Key Derivation Function (KDF)
algorithms. Each item in the list corresponds to a command with the same name.</dd>
<dt><a name="tls::macs"><strong>tls::macs</strong></a></dt>
|
|
>
|
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
|
<tr><td><b>name</b></td><td>Name or alias of the digest.<td></tr>
<tr><td><b>description</b></td><td>Description of the digest. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>size</b></td><td>Size of the digest in bits.<td></tr>
<tr><td><b>block_size</b></td><td>Block size of digest in bytes.<td></tr>
<tr><td><b>provider</b></td><td>Provider of the digest. OpenSSL 3.0+ only.<td></tr>
<tr><td><b>type</b></td><td>Base type of this digest or undefined if none.<td></tr>
<tr><td><b>pkey_type</b></td><td>Pkey associated with digest.<td></tr>
<tr><td><b>flags</b></td><td>Flags associated with the digest. Includes:
One-shot (only one update (no incremental) allowed), XOF (variable length), etc.<td></tr>
</table></blockquote>
<dt><a name="tls::kdfs"><strong>tls::kdfs</strong></a></dt>
<dd>Returns a list of the available Key Derivation Function (KDF)
algorithms. Each item in the list corresponds to a command with the same name.</dd>
<dt><a name="tls::macs"><strong>tls::macs</strong></a></dt>
|
︙ | | | ︙ | |
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
upon the size of the key and the security of the hash function used.
See <a href="#OPTIONS"><b>options</b></a> for usage info.</dd>
<dt><a name="tls::mac"><strong>tls::mac</strong>
<em>?</em><b>-mac</b><em>? name</em>
<b>-cipher</b> <em>name</em>
<b>-digest</b> <em>name</em>
<b>-key</b> <em>key ?</em>
<b>-bin</b>|<b>-hex</b>
<em>?[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
<dd>(OpenSSL 3.0+) Calculate the Message Authentication Code (MAC) where
<em>key</em> is a shared key and output the result per the I/O options
in the specified format. MACs are used to ensure authenticity and
the integrity of data. See <a href="#OPTIONS"><b>options</b></a>
for usage info.</dd>
<dt><a name="tls::md"><strong>tls::md</strong>
<em>?</em><b>-digest</b><em>? name</em>
<em>?</em><b>-bin</b>|<b>-hex</b>
<em>?[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
<dd>Calculate the message digest (MD) using hash function <em>name</em>
and output the result per the I/O options in the specified format.
MDs are used to ensure the integrity of data. See
<a href="#OPTIONS"><b>options</b></a> for usage info.</dd>
<dt><a name="tls::md4"><strong>tls::md4</strong> <em>data</em></a></dt>
|
|
|
>
|
|
>
|
|
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
|
upon the size of the key and the security of the hash function used.
See <a href="#OPTIONS"><b>options</b></a> for usage info.</dd>
<dt><a name="tls::mac"><strong>tls::mac</strong>
<em>?</em><b>-mac</b><em>? name</em>
<b>-cipher</b> <em>name</em>
<b>-digest</b> <em>name</em>
<b>-key</b> <em>key</em>
<em>?</em><b>-bin</b>|<b>-hex</b><em>?</em>
<em>?</em><b>-length</b>|<b>-size</b> <em>length?</em>
<em>[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
<dd>(OpenSSL 3.0+) Calculate the Message Authentication Code (MAC) where
<em>key</em> is a shared key and output the result per the I/O options
in the specified format. MACs are used to ensure authenticity and
the integrity of data. See <a href="#OPTIONS"><b>options</b></a>
for usage info.</dd>
<dt><a name="tls::md"><strong>tls::md</strong>
<em>?</em><b>-digest</b><em>? name</em>
<em>?</em><b>-bin</b>|<b>-hex</b><em>?</em>
<em>?</em><b>-length</b>|<b>-size</b> <em>length?</em>
<em>[</em><b>-chan</b> <em>channelId |</em> <b>-command</b> <em>cmdName |</em>
<b>-file</b> <em>filename | ?</em><b>-data</b><em>? data]</em></a></dt>
<dd>Calculate the message digest (MD) using hash function <em>name</em>
and output the result per the I/O options in the specified format.
MDs are used to ensure the integrity of data. See
<a href="#OPTIONS"><b>options</b></a> for usage info.</dd>
<dt><a name="tls::md4"><strong>tls::md4</strong> <em>data</em></a></dt>
|
︙ | | | ︙ | |
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
|
<br>
<br>
<dt><a name="tls::hkdf"><strong>tls::hkdf</strong>
<b>-digest</b> <em>digest</em>
<b>-key</b> <em>string</em>
<em>?</em><b>-info</b> <em>string?</em>
<em>?</em><b>-salt</b> <em>string?</em>
<em>?</em><b>-size</b> <em>derived_length?</em></a></dt>
<dd>Derive a key of size <i>size</i> using the HMAC-based Extract-and-Expand
Key Derivation Function (HKDF).
See <a href="#OPTIONS"><b>options</b></a> for usage info. </dd>
<dt><a name="tls::pbkdf2"><strong>tls::pbkdf2</strong>
<em>[</em><b>-cipher</b> <em>cipher |</em>
<b>-size</b> <em>derived_length]</em>
<b>-digest</b> <em>digest</em>
<em>?</em><b>-iterations</b> <em>count?</em>
<em>?</em><b>-password</b> <em>string?</em>
<em>?</em><b>-salt</b> <em>string?</em></a></dt>
<dd>Derive a key and initialization vector (iv) from a password and salt
value using PKCS5_PBKDF2_HMAC.
See <a href="#OPTIONS"><b>options</b></a> for usage info. If <b>-cipher</b>
is specified, then the derived key and iv sized for that cipher are
returned as a key-value list. If not or if <b>-size</b> is specified,
then the derived key (DK) of <em>size</em> bytes is returned.</dd>
<dt><a name="tls::scrypt"><strong>tls::scrypt</strong>
<b>-password</b> <em>string</em>
<b>-salt</b> <em>string</em>
<em>?</em><b>-N</b> <em>costParameter?</em>
<em>?</em><b>-r</b> <em>blockSize?</em>
<em>?</em><b>-p</b> <em>parallelization?</em>
<em>?</em><b>-size</b> <em>derived_length?</em></a></dt>
<dd>Derive a key of size <i>size</i> using the scrypt password based key derivation function.
See <a href="#OPTIONS"><b>options</b></a> for usage info.
See RFC 7914 for more details. Can consume a large amount of memory.
RAM used is roughly (128 * N * r * p) bytes. Memory is limited to
1025 MiB. The custom options are:</dd>
<blockquote><table>
<tr><td><b>-N</b></td><td>The CPU/Memory cost parameter
must be larger than 1, a power of 2, and less than
2^(128 * r / 8). Default is 1048576.<td></tr>
<tr><td><b>-r</b></td><td>The blockSize parameter specifies the
|
|
|
|
|
|
|
|
|
|
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
|
<br>
<br>
<dt><a name="tls::hkdf"><strong>tls::hkdf</strong>
<b>-digest</b> <em>digest</em>
<b>-key</b> <em>string</em>
<em>?</em><b>-info</b> <em>string?</em>
<em>?</em><b>-salt</b> <em>string?</em>
<em>?</em><b>-length</b>|<b>-size</b> <em>length?</em></a></dt>
<dd>Derive a key of size <i>length</i> using the HMAC-based Extract-and-Expand
Key Derivation Function (HKDF).
See <a href="#OPTIONS"><b>options</b></a> for usage info. </dd>
<dt><a name="tls::pbkdf2"><strong>tls::pbkdf2</strong>
<em>[</em><b>-cipher</b> <em>cipher |</em>
<b>-length</b> <em>length]</em>
<b>-digest</b> <em>digest</em>
<em>?</em><b>-iterations</b> <em>count?</em>
<em>?</em><b>-password</b> <em>string?</em>
<em>?</em><b>-salt</b> <em>string?</em></a></dt>
<dd>Derive a key and initialization vector (iv) from a password and salt
value using PKCS5_PBKDF2_HMAC.
See <a href="#OPTIONS"><b>options</b></a> for usage info. If <b>-cipher</b>
is specified, then the derived key and iv sized for that cipher are
returned as a key-value list. If not or if <b>-size</b> is specified,
then the derived key (DK) of <em>length</em> bytes is returned.</dd>
<dt><a name="tls::scrypt"><strong>tls::scrypt</strong>
<b>-password</b> <em>string</em>
<b>-salt</b> <em>string</em>
<em>?</em><b>-N</b> <em>costParameter?</em>
<em>?</em><b>-r</b> <em>blockSize?</em>
<em>?</em><b>-p</b> <em>parallelization?</em>
<em>?</em><b>-length</b>|<b>-size</b> <em>length?</em></a></dt>
<dd>Derive a key of size <i>length</i> using the scrypt password based key
derivation function. See <a href="#OPTIONS"><b>options</b></a> for usage
info. See RFC 7914 for more details. Can consume a large amount of memory.
RAM used is roughly (128 * N * r * p) bytes. Memory is limited to
1025 MiB. The custom options are:</dd>
<blockquote><table>
<tr><td><b>-N</b></td><td>The CPU/Memory cost parameter
must be larger than 1, a power of 2, and less than
2^(128 * r / 8). Default is 1048576.<td></tr>
<tr><td><b>-r</b></td><td>The blockSize parameter specifies the
|
︙ | | | ︙ | |
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
|
</dl>
<br>
<h3><a name="GLOSSARY">GLOSSARY</a></h3>
<p>The following is a list of the terminology used in this package along with
brief definitions. For more details, please consult with the OpenSSL documentation.</p>
<br>
<h3><a name="EXAMPLES">EXAMPLES</a></h3>
<p>TBS</p>
<pre><code>
package require http
package require tls
http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs]
set tok [http::geturl https://www.tcl.tk/]
</code></pre>
<br>
<h3><a name="SPECIAL">SPECIAL CONSIDERATIONS</a></h3>
<p>The capabilities of this package can vary enormously based upon how your
OpenSSL library was configured and built. New versions may obsolete older
|
|
>
>
>
>
>
>
>
>
>
>
<
<
|
<
<
<
|
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
|
</dl>
<br>
<h3><a name="GLOSSARY">GLOSSARY</a></h3>
<p>The following is a list of the terminology used in this package along with
brief definitions. For more details, please consult with the OpenSSL documentation.</p>
<table>
<tr><td>AAD</td><td>Additional Authenticated Data<td></tr>
<tr><td>AEAD</td><td>Authenticated Encryption with Associated Data<td></tr>
<tr><td>IV</td><td>Initialization vector<td></tr>
<tr><td>KDF</td><td>Key Derivation Function<td></tr>
<tr><td>MAC</td><td>Message Authenticated Code<td></tr>
<tr><td>MD</td><td>Message Digest<td></tr>
<tr><td>SHA</td><td>Secure Hash Algorithm<td></tr>
<tr><td>TLS</td><td>Transport Layer Security<td></tr>
<tr><td>XOF</td><td>Extendable-Output Function (aka variable length)<td></tr>
</table>
<br>
<h3><a name="EXAMPLES">EXAMPLES</a></h3>
<p>TBS</p>
<pre><code>
TBD
</code></pre>
<br>
<h3><a name="SPECIAL">SPECIAL CONSIDERATIONS</a></h3>
<p>The capabilities of this package can vary enormously based upon how your
OpenSSL library was configured and built. New versions may obsolete older
|
︙ | | | ︙ | |