Crypt::NaCl::Sodium - NaCl compatible modern, easy-to-use library for encryption, decryption, signatures, password hashing and more
Home Page: https://metacpan.org/release/Crypt-NaCl-Sodium
NAME
Crypt::NaCl::Sodium - NaCl compatible modern, easy-to-use library for
encryption, decryption, signatures, password hashing and more
VERSION
version 1.0.8.0
SYNOPSIS
use Crypt::NaCl::Sodium qw( :utils );
my $crypto = Crypt::NaCl::Sodium->new();
##########################
## Secret-key cryptography
# Secret-key authenticated encryption (XSalsa20/Poly1305 MAC)
my $crypto_secretbox = $crypto->secretbox();
# Secret-key message authentication (HMAC-SHA256, HMAC-SHA512, HMAC-SHA512/256 )
my $crypto_auth = $crypto->auth();
# Authenticated Encryption with Additional Data (ChaCha20/Poly1305 MAC, AES256-GCM)
my $crypto_aead = $crypto->aead();
##########################
## Public-key cryptography
# Public-key authenticated encryption (Curve25519/XSalsa20/Poly1305 MAC)
my $crypto_box = $crypto->box();
# Public-key signatures (Ed25519)
my $crypto_sign = $crypto->sign();
##########################
## Hashing
# Generic hashing (Blake2b)
my $crypto_generichash = $crypto->generichash();
# Short-input hashing (SipHash-2-4)
my $crypto_shorthash = $crypto->shorthash();
##########################
## Password hashing (yescrypt)
my $crypto_pwhash = $crypto->pwhash();
##########################
## Advanced
# SHA-2 (SHA-256, SHA-512)
my $crypto_hash = $crypto->hash();
# One-time authentication (Poly1305)
my $crypto_onetimeauth = $crypto->onetimeauth();
# Diffie-Hellman (Curve25519)
my $crypto_scalarmult = $crypto->scalarmult();
# Stream ciphers (XSalsa20, ChaCha20, Salsa20, AES-128-CTR)
my $crypto_stream = $crypto->stream();
##########################
## Utilities
# convert binary data to hexadecimal
my $hex = bin2hex($bin);
# convert hexadecimal to binary
my $bin = hex2bin($hex);
# constant time comparision of strings
memcmp($a, $b, $length ) or die '$a ne $b';
# constant time comparision of large numbers
compare($x, $y, $length ) == -1 and print '$x < $y';
# overwrite with null bytes
memzero($a, $b, ...);
# generate random number
my $num = random_number($upper_bound);
# generate random bytes
my $bytes = random_bytes($count);
##########################
## Guarded data storage
my $locker = Data::BytesLocker->new($password);
...
$locker->unlock();
print $locker->to_hex();
$locker->lock();
DESCRIPTION
Crypt::NaCl::Sodium provides bindings to libsodium - NaCl compatible
modern, easy-to-use library for encryption, decryption, signatures,
password hashing and more.
It is a portable, cross-compilable, installable, packageable fork of
NaCl <http://nacl.cr.yp.to/>, with a compatible API, and an extended API
to improve usability even further.
Its goal is to provide all of the core operations needed to build
higher-level cryptographic tools.
The design choices emphasize security, and "magic constants" have clear
rationales.
And despite the emphasis on high security, primitives are faster
across-the-board than most implementations of the NIST standards.
Crypt::NaCl::Sodium uses Alien::Sodium that tracks the most current
releases of libsodium.
METHODS
new
my $crypto = Crypt::NaCl::Sodium->new();
Returns a proxy object for methods provided below.
secretbox
# Secret-key authenticated encryption (XSalsa20/Poly1305 MAC)
my $crypto_secretbox = Crypt::NaCl::Sodium->secretbox();
Read Crypt::NaCl::Sodium::secretbox for more details.
auth
# Secret-key authentication (HMAC-SHA512/256 and advanced usage of HMAC-SHA-2)
my $crypto_auth = Crypt::NaCl::Sodium->auth();
Read Crypt::NaCl::Sodium::auth for more details.
aead
# Authenticated Encryption with Additional Data (ChaCha20/Poly1305 MAC, AES256-GCM)
my $crypto_aead = Crypt::NaCl::Sodium->aead();
Read Crypt::NaCl::Sodium::aead for more details.
box
# Public-key authenticated encryption (Curve25519/XSalsa20/Poly1305 MAC)
my $crypto_box = Crypt::NaCl::Sodium->box();
Read Crypt::NaCl::Sodium::box for more details.
sign
# Public-key signatures (Ed25519)
my $crypto_sign = Crypt::NaCl::Sodium->sign();
Read Crypt::NaCl::Sodium::sign for more details.
generichash
# Generic hashing (Blake2b)
my $crypto_generichash = Crypt::NaCl::Sodium->generichash();
Read Crypt::NaCl::Sodium::generichash for more details.
shorthash
# Short-input hashing (SipHash-2-4)
my $crypto_shorthash = Crypt::NaCl::Sodium->shorthash();
Read Crypt::NaCl::Sodium::shorthash for more details.
pwhash
# Password hashing (yescrypt)
my $crypto_pwhash = Crypt::NaCl::Sodium->pwhash();
Read Crypt::NaCl::Sodium::pwhash for more details.
hash
# SHA-2 (SHA-256, SHA-512)
my $crypto_hash = Crypt::NaCl::Sodium->hash();
Read Crypt::NaCl::Sodium::hash for more details.
onetimeauth
# One-time authentication (Poly1305)
my $crypto_onetimeauth = Crypt::NaCl::Sodium->onetimeauth();
Read Crypt::NaCl::Sodium::onetimeauth for more details.
scalarmult
# Diffie-Hellman (Curve25519)
my $crypto_scalarmult = Crypt::NaCl::Sodium->scalarmult();
Read Crypt::NaCl::Sodium::scalarmult for more details.
stream
# Stream ciphers (XSalsa20, ChaCha20, Salsa20, AES-128-CTR)
my $crypto_stream = Crypt::NaCl::Sodium->stream();
Read Crypt::NaCl::Sodium::stream for more details.
FUNCTIONS
use Crypt::NaCl::Sodium qw(:utils);
Imports all provided functions.
bin2hex
my $hex = bin2hex($bin);
Returns converted $bin into a hexadecimal string.
hex2bin
my $hex = "41 : 42 : 43";
my $bin = hex2bin($hex, ignore => ": ", max_len => 2 );
print $bin; # AB
Parses a hexadecimal string $hex and converts it to a byte sequence.
Optional arguments:
* ignore
A string of characters to skip. For example, the string ": " allows
columns and spaces to be present at any locations in the hexadecimal
string. These characters will just be ignored.
If unset any non-hexadecimal characters are disallowed.
* max_len
The maximum number of bytes to return.
The parser stops when a non-hexadecimal, non-ignored character is found
or when "max_len" bytes have been written.
memcmp
memcmp($a, $b, $length ) or die "\$a ne \$b for length: $length";
Compares strings in constant-time. Returns true if they match, false
otherwise.
The argument $length is optional if variables are of the same length.
Otherwise it is required and cannot be greater then the length of the
shorter of compared variables.
NOTE: "memcmp" in Data::BytesLocker provides the same functionality.
$locker->memcmp($b, $length) or die "\$locker ne \$b for length: $length";
compare
compare($x, $y, $length ) == -1 and print '$x < $y';
A constant-time version of "memcmp", useful to compare nonces and
counters in little-endian format, that plays well with "increment".
Returns -1 if $x is lower then $y, 0 if $x and $y are identical, or 1 if
$x is greater then $y. Both $x and $y are assumed to be numbers encoded
in little-endian format.
The argument $length is optional if variables are of the same length.
Otherwise it is required and cannot be greater then the length of the
shorter of compared variables.
NOTE: "compare" in Data::BytesLocker provides the same functionality.
$locker->compare($y, $length) == -1 and print "\$locker < \$y for length: $length";
memzero
memzero($a, $b, ...);
Replaces the value of the provided stringified variables with "null"
bytes. Length of the zeroed variables is unchanged.
random_number
my $num = random_number($upper_bound);
Returns an unpredictable number between 0 and optional $upper_bound
(excluded). If $upper_bound is not specified the maximum value is
0xffffffff (included).
increment
increment($nonce, ...);
NOTE: This function is deprecated and will be removed in next version.
Please use "increment" in Data::BytesLocker.
Increments an arbitrary long unsigned number(s) (in place). Function
runs in constant-time for a given length of arguments and considers them
to be encoded in little-endian format.
random_bytes
my $bytes = random_bytes($num_of_bytes);
Generates unpredictable sequence of $num_of_bytes bytes.
The length of the $bytes equals the value of $num_of_bytes.
Returns Data::BytesLocker object.
VARIABLES
$Data::BytesLocker::DEFAULT_LOCKED
use Crypt::NaCl::Sodium;
$Data::BytesLocker::DEFAULT_LOCKED = 1;
By default all values returned from the provided methods are unlocked
Data::BytesLocker objects. If this variable is set to true then the
returned objects are locked and require calling "unlock" in
Data::BytesLocker before accessing.
SEE ALSO
* Crypt::NaCl::Sodium::secretbox - Secret-key authenticated encryption
(XSalsa20/Poly1305 MAC)
* Crypt::NaCl::Sodium::auth - Secret-key message authentication
(HMAC-SHA256, HMAC-SHA512, HMAC-SHA512/256 )
* Crypt::NaCl::Sodium::aead - Authenticated Encryption with Additional
Data (ChaCha20/Poly1305 MAC, AES256-GCM)
* Crypt::NaCl::Sodium::box - Public-key authenticated encryption
(Curve25519/XSalsa20/Poly1305 MAC)
* Crypt::NaCl::Sodium::sign - Public-key signatures (Ed25519)
* Crypt::NaCl::Sodium::generichash - Generic hashing (Blake2b)
* Crypt::NaCl::Sodium::shorthash - Short-input hashing (SipHash-2-4)
* Crypt::NaCl::Sodium::pwhash - Password hashing (yescrypt)
* Crypt::NaCl::Sodium::hash - SHA-2 (SHA-256, SHA-512)
* Crypt::NaCl::Sodium::onetimeauth - One-time authentication
(Poly1305)
* Crypt::NaCl::Sodium::scalarmult - Diffie-Hellman (Curve25519)
* Crypt::NaCl::Sodium::stream - Stream ciphers (XSalsa20, ChaCha20,
Salsa20, AES-128-CTR)
* Data::BytesLocker - guarded data storage
* libsodium <http://jedisct1.gitbooks.io/libsodium> - libsodium
AUTHOR
Alex J. G. Burzyński <[email protected]>
COPYRIGHT AND LICENSE
This software is copyright (c) 2015 by Alex J. G. Burzyński
<[email protected]>.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
Hi,
I have a question about internal workflows of Crypt::NaCl::Sodium::sign and Data::BytesLocker
Consider following code:
#!/bin/env perl
use strict;
use warnings;
use Crypt::NaCl::Sodium qw/:utils/;
my $secret = hex2bin('a25b84b660c62019b7db57fc612e52a0accf99bd17490f4d65d3c118c09970e90a20c8312f2bbeb4a377a151e25fff1ec7be049526716a64b771e26e44a56bcc');
my $bl = Data::BytesLocker->new($secret);
my $crypto_sign = Crypt::NaCl::Sodium->sign();
my $mac = $crypto_sign->mac('message to sign', $bl);
printf "mac: %s\n", $mac->to_hex;
base on my evaluation of $crypto_sign->mac() and Data::BytesLocker's stringification method I conclude that the workflow leave copy of secret in RAM as a side effect of computing mac. This is because mac() calls SvPV(seckey, skey_len) which calls stringification method which in return does newSVpvn() on secret data.
newSVpvn:
Creates a new SV and copies a string into it, which may contain NUL characters (\0 ) and other binary data.
I double checked this workflow by amending above code to:
#!/bin/env perl
use strict;
use warnings;
use Crypt::NaCl::Sodium qw/:utils/;
my $secret = hex2bin('a25b84b660c62019b7db57fc612e52a0accf99bd17490f4d65d3c118c09970e90a20c8312f2bbeb4a377a151e25fff1ec7be049526716a64b771e26e44a56bcc');
my $bl = Data::BytesLocker->new($secret);
bless $bl, 'Data::BytesLocker::NoOverloading';
my $crypto_sign = Crypt::NaCl::Sodium->sign();
my $mac = $crypto_sign->mac('message to sign', $bl);
printf "mac: %s\n", $mac->to_hex;
exit 0;
package Data::BytesLocker::NoOverloading;
use parent '-norequire', 'Data::BytesLocker';
use overload '""' => sub { warn "stringification access"; my $coderef = Data::BytesLocker->can('(""'); $coderef->(@_) }, 'fallback' => 1;
1;
this outputs:
stringification access at test.pl line 18.
mac: b412a4b610f4fb1e855153ab4bb4d8a3d4ec2efadd10c4e4b670f82a01e3f979762d00626928b2415257990db091c01419114c64db2e55ee6ae22a25186e3003
Does this sound right?
If so I would expect $crypto_sign->mac() to access underlying mprotected Data::BytesLocker's buffer directly and not silently copying protected data to unprotected memory region.
I have libsodium version 1.0.11 installed, and have managed to get Crypt::NaCl::Sodium to build against it.
If I do that, one single test fails; it is lines 53-54 of t/sodium_sign.t:
my $mod_opened = $crypto_sign->open( $mod_sealed, $pk_bin );
is(bin2hex($mod_opened), $test->{msg}, "message $t is malleable");
The failure:
t/sodium_sign.t ............. 1/? Message forged at t/sodium_sign.t line 53, <TEST> line 1024.
# Tests were run but no plan was declared and done_testing() was not seen.
# Looks like your test exited with 255 just after 8.
t/sodium_sign.t ............. Dubious, test returned 255 (wstat 65280, 0xff00)
All 8 subtests passed
Simply commenting out this single test allows the others to pass.
I am unsure yet whether this is a fragile test that ought to have failed anyway, that it's correctly identifying a real bug in libsodium 1.0.11, or what's going on.
when i try to use this module, it says AES256-GCM is not supported by this CPU.
Hi,
could you update your library to libsodium 1.0.18 ?
Cheers,
Xavier
Would you mind to add Alien::Sodium to the actual dependency list in the meta data so that it will automatically be installed by cpan before Crypt::NaCl::Sodium?
Maybe even Alien::Base::ModuleBuild could be added at least as a recommended package as Alien::Sodium only refers to Alien::Base and Alien::Base::ModuleBuild would still be missing. I have asked you here ajgb/alien-sodium#4 to approve a pending pull request that would solve that issue properly but it seems the request is pending since 3 years already and there is no much hope... Maybe this issue request might help in any way to fix both modules?
I've been trying to build a debian package of this distribution. For long and complex reasons, anything derived from Alien::Base is more awkward here than I'd like. Instead of building libsodium via that method, I've gone and built a native debian package for it.
I then applied a relatively small hack to your Makefile.PL to avoid the use of Alien::Sodium and instead use ExtUtils::PkgConfig directly. This patch is currently applied as part of my debian package.
I have libsodium installed by debian:
$ dpkg -l libsodium18
ii libsodium18:amd64 1.0.11-1
$ dpkg -l libsodium-dev
ii libsodium-dev:amd64 1.0.11-1
By convincing Alien::Sodium that this is sufficient for it, that now builds and installs, in a state where it just wraps this pkg-config-provided library:
$ perl -MAlien::Sodium -E'say Alien::Sodium->libs'
-lsodium
$ perl -MAlien::Sodium -E'say Alien::Sodium->cflags'
[empty]
This ought to be sufficient to build Crypt::NaCl::Sodium, but it is not:
$ perl Makefile.PL
Is Alien::Sodium available? Could not locate libsodium.a in /usr/share/perl5/auto/share/dist/Alien-Sodium/lib
I believe this is because Makefile.PL is being overly picky about looking for the libsodium.a file, rather than just trusting whatever pkg-config (via Alien::Sodium) told it.
Compatibility issue when installing Crypt::NaCl::Sodium on Debian server
Description:
I'm trying to install the Perl module Crypt::NaCl::Sodium on my Debian server, but I'm running into compatibility issues with the libsodium library. The installation fails with several error messages indicating missing functions and constants in libsodium.
Installation attempt:
Command used: sudo cpanm Crypt::NaCl::Sodium
Error message: The most important errors relate to undefined identifiers such as crypto_stream_aes128ctr_NONCEBYTES, crypto_stream_aes128ctr_KEYBYTES and crypto_stream_aes128ctr.
System details:
Operating system: Debian 12 (latest version)
uname -mi
x86_64 unknown
Perl version: 5.036000
libsodium version: 1.0.19
Steps already taken:
Attempting to install via CPANminus.
Checking and uninstalling the current libsodium version.
Try to find and install an older version of libsodium that contains the required features.
Main problem:
The main problem seems to be that the required features (crypto_stream_aes128ctr_*) are not present in the current version of libsodium (1.0.19) and I'm having difficulty finding an older version of libsodium that includes these features.
Solution sought:
I'm looking for a way to either find and install a compatible version of libsodium or an alternative solution to successfully install Crypt::NaCl::Sodium on my Debian server.
I have tried the following without success:
sudo apt-get remove --purge libsodium-dev
wget http://archive.debian.org/debian/pool/main/libs/libsodium/libsodium18_1.0.11-2_amd64.deb
sudo dpkg -i libsodium18_1.0.11-2_amd64.deb
sudo cpanm Crypt::NaCl::Sodium
The solution mentioned in the forum and wiki doesn't work for me:
`cpan Crypt::NaCl::Sodium --force
...
make: *** [Makefile:367: Sodium.o] Fehler 1
AJGB/Crypt-NaCl-Sodium-1.0.8.0.tar.gz
/usr/bin/make -- NOT OK
(error): Could not expand [--force]. Check the module name.
(info): I can suggest names if you install one of Text::Levenshtein::XS, Text:: Levenshtein::Damerau::XS, Text::Levenshtein, and Text::Levenshtein::Damerau::PP
(info): and you provide the -x option on invocation.
(error): Skipping --force because I couldn't find a matching namespace.`
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.