###
### This file is part of Trivial IP Encryption (TrIPE).
###
-### TrIPE is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
+### TrIPE is free software: you can redistribute it and/or modify it under
+### the terms of the GNU General Public License as published by the Free
+### Software Foundation; either version 3 of the License, or (at your
+### option) any later version.
###
-### TrIPE is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
+### TrIPE is distributed in the hope that it will be useful, but WITHOUT
+### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+### FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+### for more details.
###
### You should have received a copy of the GNU General Public License
-### along with TrIPE; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+### along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
###--------------------------------------------------------------------------
### External dependencies.
SYS.stdout.flush()
rc = OS.spawnvp(OS.P_WAIT, args[0], args)
if rc != 0:
- raise SubprocessError, rc
+ raise SubprocessError(rc)
def hexhyphens(bytes):
"""
if line[-1] == '\n': line = line[:-1]
match = rx_keyval.match(line)
if not match:
- raise ConfigFileError, "%s:%d: bad line `%s'" % (f, lno, line)
+ raise ConfigFileError("%s:%d: bad line `%s'" % (f, lno, line))
k, v = match.groups()
conf[k] = conf_subst(v)
('upload-hook', ': run upload hook'),
('kx', 'dh'),
('kx-genalg', lambda: {'dh': 'dh',
- 'ec': 'ec'}[conf['kx']]),
+ 'ec': 'ec',
+ 'x25519': 'x25519',
+ 'x448': 'x448'}[conf['kx']]),
('kx-param-genalg', lambda: {'dh': 'dh-param',
- 'ec': 'ec-param'}[conf['kx']]),
+ 'ec': 'ec-param',
+ 'x25519': 'empty',
+ 'x448': 'empty'}[conf['kx']]),
('kx-param', lambda: {'dh': '-LS -b3072 -B256',
- 'ec': '-Cnist-p256'}[conf['kx']]),
- ('kx-attrs', ''),
+ 'ec': '-Cnist-p256',
+ 'x25519': '',
+ 'x448': ''}[conf['kx']]),
+ ('kx-attrs', lambda: {'dh': 'serialization=constlen',
+ 'ec': 'serialization=constlen',
+ 'x25519': '',
+ 'x448': ''}[conf['kx']]),
('kx-expire', 'now + 1 year'),
('kx-warn-days', '28'),
- ('cipher', 'rijndael-cbc'),
+ ('bulk', 'iiv'),
+ ('cipher', lambda: conf['bulk'] == 'naclbox'
+ and 'salsa20' or 'rijndael-cbc'),
('hash', 'sha256'),
('master-keygen-flags', '-l'),
('master-attrs', ''),
('mgf', '${hash}-mgf'),
- ('mac', lambda: '%s-hmac/%d' %
- (conf['hash'],
- C.gchashes[conf['hash']].hashsz * 4)),
- ('sig', lambda: {'dh': 'dsa', 'ec': 'ecdsa'}[conf['kx']]),
+ ('mac', lambda: conf['bulk'] == 'naclbox'
+ and 'poly1305/128'
+ or '%s-hmac/%d' %
+ (conf['hash'],
+ C.gchashes[conf['hash']].hashsz * 4)),
+ ('sig', lambda: {'dh': 'dsa',
+ 'ec': 'ecdsa',
+ 'x25519': 'ed25519',
+ 'x448': 'ed448'}[conf['kx']]),
('sig-fresh', 'always'),
('sig-genalg', lambda: {'kcdsa': 'dh',
'dsa': 'dsa',
-a${kx-param-genalg} !${kx-param}
-eforever -tparam tripe-param
kx-group=${kx} mgf=${mgf} mac=${mac}
- cipher=${cipher} hash=${hash} ${kx-attrs}''')
+ bulk=${bulk} cipher=${cipher} hash=${hash} ${kx-attrs}''')
cmd_newmaster(args)
###--------------------------------------------------------------------------
OS.mkdir('tmp')
OS.chdir('tmp')
seq = int(conf['master-sequence'])
- run('curl -s -o tripe-keys.tar.gz ${repos-url}')
- run('curl -s -o tripe-keys.sig %s' % seqsubst('sig-url', seq))
+ run('curl -sL -o tripe-keys.tar.gz ${repos-url}')
+ run('curl -sL -o tripe-keys.sig %s' % seqsubst('sig-url', seq))
run('tar xfz tripe-keys.tar.gz')
## Verify the signature
want = C.bytes(rx_nonalpha.sub('', conf['hk-master']))
got = fingerprint('repos/master.pub', 'master-%d' % seq)
- if want != got: raise VerifyError
+ if want != got: raise VerifyError()
run('''catsign -krepos/master.pub verify -avC -kmaster-%d
-t${sig-fresh} tripe-keys.sig tripe-keys.tar.gz''' % seq)
###--------------------------------------------------------------------------
### Commands: mtu
+def mac_tagsz():
+ macname = conf['mac']
+ index = macname.rindex('/')
+ if index == -1: tagsz = C.gcmacs[macname].tagsz
+ else: tagsz = int(macname[index + 1:])/8
+ return tagsz
+
def cmd_mtu(args):
mtu, = (lambda mtu = '1500': (mtu,))(*args)
mtu = int(mtu)
- blksz = C.gcciphers[conf['cipher']].blksz
-
- index = conf['mac'].find('/')
- if index == -1:
- tagsz = C.gcmacs[conf['mac']].tagsz
- else:
- tagsz = int(conf['mac'][index + 1:])/8
-
mtu -= 20 # Minimum IP header
mtu -= 8 # UDP header
mtu -= 1 # TrIPE packet type octet
- mtu -= tagsz # MAC tag
- mtu -= 4 # Sequence number
- mtu -= blksz # Initialization vector
+
+ bulk = conf['bulk']
+
+ if bulk == 'v0':
+ blksz = C.gcciphers[conf['cipher']].blksz
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+ mtu -= blksz # Initialization vector
+
+ elif bulk == 'iiv':
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+
+ elif bulk == 'naclbox':
+ mtu -= 16 # MAC tag
+ mtu -= 4 # Sequence number
+
+ else:
+ die("Unknown bulk transform `%s'" % bulk)
print mtu