package mirage-crypto

  1. Overview
  2. Docs

Authenticated encryption with associated data.

This defines a uniform interface of symmetrics cryptographic algorithms which encrypt, and also protect the integrity of the data. Additional data, only used for integrity protection, not encrypted and not part of the ciphertext, can be passed in optionally. This prevents the same ciphertext being used at a different location. See RFC 5116 for further description.

val tag_size : int

The size of the authentication tag.

type key

The abstract type for the key.

val of_secret : string -> key

of_secret secret constructs the encryption key corresponding to secret.

Authenticated encryption and decryption with inline tag

val authenticate_encrypt : key:key -> nonce:string -> ?adata:string -> string -> string

authenticate_encrypt ~key ~nonce ~adata msg encrypts msg with key and nonce, and appends an authentication tag computed over the encrypted msg, using key, nonce, and adata.

val authenticate_decrypt : key:key -> nonce:string -> ?adata:string -> string -> string option

authenticate_decrypt ~key ~nonce ~adata msg splits msg into encrypted data and authentication tag, computes the authentication tag using key, nonce, and adata, and decrypts the encrypted data. If the authentication tags match, the decrypted data is returned.

Authenticated encryption and decryption with tag provided separately

val authenticate_encrypt_tag : key:key -> nonce:string -> ?adata:string -> string -> string * string

authenticate_encrypt_tag ~key ~nonce ~adata msg encrypts msg with key and nonce. The computed authentication tag is returned separately as second part of the tuple.

val authenticate_decrypt_tag : key:key -> nonce:string -> ?adata:string -> tag:string -> string -> string option

authenticate_decrypt ~key ~nonce ~adata ~tag msg computes the authentication tag using key, nonce, and adata, and decrypts the encrypted data. If the authentication tags match, the decrypted data is returned.

Authenticated encryption and decryption into existing buffers

val authenticate_encrypt_into : key:key -> nonce:string -> ?adata:string -> string -> src_off:int -> bytes -> dst_off:int -> tag_off:int -> int -> unit

authenticate_encrypt_into ~key ~nonce ~adata msg ~src_off dst ~dst_off ~tag_off len encrypts len bytes of msg starting at src_off with key and nonce. The output is put into dst at dst_off, the tag into dst at tag_off.

val authenticate_decrypt_into : key:key -> nonce:string -> ?adata:string -> string -> src_off:int -> tag_off:int -> bytes -> dst_off:int -> int -> bool

authenticate_decrypt_into ~key ~nonce ~adata msg ~src_off ~tag_off dst ~dst_off len computes the authentication tag using key, nonce, and adata, and decrypts the len bytes encrypted data from msg starting at src_off into dst starting at dst_off. If the authentication tags match, true is returned, and the decrypted data is in dst.

OCaml

Innovation. Community. Security.