+/*----- The implicit-IV transform -----------------------------------------*
+ *
+ * The v0 transform makes everything explicit. There's an IV because the
+ * cipher needs an IV; there's a sequence number because replay prevention
+ * needs a sequence number.
+ *
+ * This new transform works rather differently. We make use of a block
+ * cipher to encrypt the sequence number, and use that as the IV. We
+ * transmit the sequence number in the clear, as before. This reduces
+ * overhead; and it's not a significant privacy leak because the adversary
+ * can see the order in which the messages are transmitted -- i.e., the
+ * sequence numbers are almost completely predictable anyway.
+ *
+ * So, a MAC is computed over
+ *
+ * +------+ +------+------...------+
+ * | type | | seq | ciphertext |
+ * +------+ +------+------...------+
+ * 32 32 sz
+ *
+ * and we actually transmit the following as the cryptogram.
+ *
+ * +---...---+------+------...------+
+ * | tag | seq | ciphertext |
+ * +---...---+------+------...------+
+ * tagsz 32 sz
+ */
+
+typedef struct iiv_algs {
+ bulkalgs _b;
+ gencomp_algs ga;
+ const gccipher *b; size_t bksz;
+} iiv_algs;
+
+typedef struct iiv_ctx {
+ bulkctx _b;
+ size_t tagsz;
+ struct {
+ gcipher *c, *b;
+ gmac *m;
+ } d[NDIR];
+} iiv_ctx;
+
+
+static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
+{
+ iiv_algs *a = CREATE(iiv_algs);
+ dstr d = DSTR_INIT, dd = DSTR_INIT;
+ const char *p;
+ char *q;
+
+ if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail;
+
+ if ((p = key_getattr(kf, k, "blkc")) == 0) {
+ dstr_puts(&dd, a->ga.c->name);
+ if ((q = strrchr(dd.buf, '-')) != 0) *q = 0;
+ p = dd.buf;
+ }
+ dstr_putf(&d, "%s-ecb", p);
+ if ((a->b = gcipher_byname(d.buf)) == 0) {
+ a_format(e, "unknown-blkc", "%s", p, A_END);
+ goto fail;
+ }
+
+ dstr_destroy(&d); dstr_destroy(&dd);
+ return (&a->_b);
+fail:
+ dstr_destroy(&d); dstr_destroy(&dd);
+ DESTROY(a);
+ return (0);
+}
+
+#ifndef NTRACE
+static void iiv_tracealgs(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+
+ gencomp_tracealgs(&a->ga);
+ trace(T_CRYPTO,
+ "crypto: blkc = %.*s", (int)strlen(a->b->name) - 4, a->b->name);
+}
+#endif
+
+static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
+{
+ iiv_algs *a = (iiv_algs *)aa;
+
+ if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
+
+ if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) {
+ a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+ if (a->b->blksz < a->ga.c->blksz) {
+ a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
+ "blksz-insufficient", A_END);
+ return (-1);
+ }
+ return (0);
+}
+
+static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
+{
+ const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb;
+ return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b);
+}
+
+static void iiv_alginfo(const bulkalgs *aa, admin *adm)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ gencomp_alginfo(&a->ga, adm);
+ a_info(adm,
+ "blkc=%.*s", strlen(a->b->name) - 4, a->b->name,
+ "blkc-keysz=%lu", (unsigned long)a->bksz,
+ "blkc-blksz=%lu", (unsigned long)a->b->blksz,
+ A_END);
+}
+
+static size_t iiv_overhead(const bulkalgs *aa)
+ { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); }
+
+static size_t iiv_expsz(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ return (gencomp_expsz(&a->ga));
+}
+
+static bulkctx *iiv_genkeys(const bulkalgs *aa, const struct rawkey *rk)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ iiv_ctx *bc = CREATE(iiv_ctx);
+ octet k[MAXHASHSZ];
+ int i;
+
+ bc->tagsz = a->ga.tagsz;
+ for (i = 0; i < NDIR; i++) {
+ ks_derivekey(k, a->ga.cksz, rk, i, "encryption");
+ bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
+ ks_derivekey(k, a->bksz, rk, i, "blkc");
+ bc->d[i].b = GC_INIT(a->b, k, a->bksz);
+ ks_derivekey(k, a->ga.mksz, rk, i, "integrity");
+ bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
+ }
+ return (&bc->_b);
+}
+
+static bulkchal *iiv_genchal(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ return (gencomp_genchal(&a->ga));
+}
+#define iiv_chaltag gencomp_chaltag
+#define iiv_chalvrf gencomp_chalvrf
+#define iiv_freechal gencomp_freechal
+
+static void iiv_freealgs(bulkalgs *aa)
+ { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); }
+
+static void iiv_freectx(bulkctx *bbc)
+{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
+ int i;
+
+ for (i = 0; i < NDIR; i++) {
+ GC_DESTROY(bc->d[i].c);
+ GC_DESTROY(bc->d[i].b);
+ GM_DESTROY(bc->d[i].m);
+ }
+ DESTROY(bc);
+}
+
+#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
+ trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
+}) } while (0)
+
+static int iiv_encrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 seq)
+{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
+ ghash *h;
+ gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b;
+ const octet *p = BCUR(b);
+ size_t sz = BLEFT(b);
+ octet *qmac, *qseq, *qpk;
+ size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
+ size_t tagsz = bc->tagsz;
+ octet t[4];
+
+ /* --- Determine the ciphertext layout --- */
+
+ if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
+ qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
+ BSTEP(bb, tagsz + SEQSZ + sz);
+
+ /* --- Store the type --- *
+ *
+ * This isn't transmitted, but it's covered by the MAC.
+ */
+
+ STORE32(t, ty);
+
+ /* --- Store the sequence number --- */
+
+ STORE32(qseq, seq);
+
+ /* --- Establish an initialization vector if necessary --- */
+
+ if (ivsz) {
+ memset(buf_u, 0, blkcsz - SEQSZ);
+ memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
+ TRACE_PRESEQ(buf_u, ivsz);
+ GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
+ GC_SETIV(c, buf_u);
+ TRACE_IV(buf_u, ivsz);
+ }
+
+ /* --- Encrypt the packet --- */
+
+ GC_ENCRYPT(c, p, qpk, sz);
+ TRACE_CT(qpk, sz);
+
+ /* --- Compute a MAC over type, sequence number, and ciphertext --- */
+
+ if (tagsz) {
+ h = GM_INIT(bc->d[DIR_OUT].m);
+ GH_HASH(h, t, sizeof(t));
+ GH_HASH(h, qseq, SEQSZ + sz);
+ memcpy(qmac, GH_DONE(h, 0), tagsz);
+ GH_DESTROY(h);
+ TRACE_MAC(qmac, tagsz);
+ }
+
+ /* --- We're done --- */
+
+ return (0);
+}
+
+static int iiv_decrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 *seq)
+{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
+ const octet *pmac, *pseq, *ppk;
+ size_t psz = BLEFT(b);
+ size_t sz;
+ octet *q = BCUR(bb);
+ ghash *h;
+ gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b;
+ size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
+ size_t tagsz = bc->tagsz;
+ octet t[4];
+
+ /* --- Break up the packet into its components --- */
+
+ if (psz < SEQSZ + tagsz) {
+ T( trace(T_KEYSET, "keyset: block too small for keyset"); )
+ return (KSERR_MALFORMED);
+ }
+ sz = psz - SEQSZ - tagsz;
+ pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
+ STORE32(t, ty);
+
+ /* --- Verify the MAC on the packet --- */
+
+ if (tagsz) {
+ h = GM_INIT(bc->d[DIR_IN].m);
+ GH_HASH(h, t, sizeof(t));
+ GH_HASH(h, pseq, SEQSZ + sz);
+ CHECK_MAC(h, pmac, tagsz);
+ }
+
+ /* --- Decrypt the packet --- */
+
+ if (ivsz) {
+ memset(buf_u, 0, blkcsz - SEQSZ);
+ memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
+ TRACE_PRESEQ(buf_u, ivsz);
+ GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
+ GC_SETIV(c, buf_u);
+ TRACE_IV(buf_u, ivsz);
+ }
+ GC_DECRYPT(c, ppk, q, sz);
+
+ /* --- Finished --- */
+
+ *seq = LOAD32(pseq);
+ BSTEP(bb, sz);
+ return (0);
+}
+
+/*----- The NaCl box transform --------------------------------------------*
+ *
+ * This transform is very similar to the NaCl `crypto_secretbox' transform
+ * described in Bernstein, `Cryptography in NaCl', with the difference that,
+ * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
+ * have no need of XSalsa20's extended nonce. The default cipher is Salsa20.
+ *
+ * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the
+ * sequence number, and the high 32 bits are the type, both big-endian.
+ *
+ * +------+------+
+ * | seq | type |
+ * +------+------+
+ * 32 32
+ *
+ * A stream is generated by concatenating the raw output blocks generated
+ * with this nonce and successive counter values starting from zero. The
+ * first 32 bytes of the stream are used as a key for Poly1305: the first 16
+ * bytes are the universal hash key r, and the second 16 bytes are the mask
+ * value s.
+ *
+ * +------+------+ +------...------+
+ * | r | s | | keystream |
+ * +------+------+ +------...------+
+ * 128 128 sz
+ *
+ * The remainder of the stream is XORed with the incoming plaintext to form a
+ * ciphertext with the same length. The ciphertext (only) is then tagged
+ * using Poly1305. The tag, sequence number, and ciphertext are concatenated
+ * in this order, and transmitted.
+ *
+ *
+ * +---...---+------+------...------+
+ * | tag | seq | ciphertext |
+ * +---...---+------+------...------+
+ * 128 32 sz
+ *
+ * Note that there is no need to authenticate the type separately, since it
+ * was used to select the cipher nonce, and hence the Poly1305 key. The
+ * Poly1305 tag length is fixed.
+ */
+
+typedef struct naclbox_algs {
+ bulkalgs _b;
+ const gccipher *c; size_t cksz;
+} naclbox_algs;
+
+typedef struct naclbox_ctx {
+ bulkctx _b;
+ struct { gcipher *c; } d[NDIR];
+} naclbox_ctx;
+
+
+static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
+{
+ naclbox_algs *a = CREATE(naclbox_algs);
+ const char *p;
+ char *qq;
+ unsigned long n;
+
+ /* --- Collect the selected cipher and check that it's supported --- */
+
+ p = key_getattr(kf, k, "cipher");
+ if (!p || strcmp(p, "salsa20") == 0) a->c = &salsa20;
+ else if (strcmp(p, "salsa20/12") == 0) a->c = &salsa2012;
+ else if (strcmp(p, "salsa20/8") == 0) a->c = &salsa208;
+ else if (strcmp(p, "chacha20") == 0) a->c = &chacha20;
+ else if (strcmp(p, "chacha12") == 0) a->c = &chacha12;
+ else if (strcmp(p, "chacha8") == 0) a->c = &chacha8;
+ else {
+ a_format(e, "unknown-cipher", "%s", p, A_END);
+ goto fail;
+ }
+
+ /* --- Collect the selected MAC, and check the tag length --- */
+
+ p = key_getattr(kf, k, "mac");
+ if (!p)
+ ;
+ else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) {
+ a_format(e, "unknown-mac", "%s", p, A_END);
+ goto fail;
+ } else if (p[8] == '/') {
+ n = strtoul(p + 9, &qq, 0);
+ if (*qq) {
+ a_format(e, "bad-tag-length-string", "%s", p + 9, A_END);
+ goto fail;
+ }
+ if (n != 128) {
+ a_format(e, "bad-tag-length", "%lu", n, A_END);
+ goto fail;
+ }
+ }
+
+ return (&a->_b);
+fail:
+ DESTROY(a);
+ return (0);
+}
+
+#ifndef NTRACE
+static void naclbox_tracealgs(const bulkalgs *aa)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+
+ trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
+ trace(T_CRYPTO, "crypto: mac = poly1305/128");
+}
+#endif
+
+static int naclbox_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
+{
+ naclbox_algs *a = (naclbox_algs *)aa;
+
+ if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
+ a_format(e, "cipher", "%s", a->c->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+ return (0);
+}
+
+static int naclbox_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa,
+ *b = (const naclbox_algs *)bb;
+ return (a->c == b->c);
+}
+
+static void naclbox_alginfo(const bulkalgs *aa, admin *adm)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+ a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END);
+ a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END);
+}
+
+static size_t naclbox_overhead(const bulkalgs *aa)
+ { return (POLY1305_TAGSZ + SEQSZ); }
+
+static size_t naclbox_expsz(const bulkalgs *aa)
+ { return (MEG(2048)); }
+
+static bulkctx *naclbox_genkeys(const bulkalgs *aa, const struct rawkey *rk)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+ naclbox_ctx *bc = CREATE(naclbox_ctx);
+ octet k[MAXHASHSZ];
+ int i;
+
+ for (i = 0; i < NDIR; i++) {
+ ks_derivekey(k, a->cksz, rk, i, "encryption");
+ bc->d[i].c = GC_INIT(a->c, k, a->cksz);
+ }
+ return (&bc->_b);
+}
+
+typedef struct naclbox_chal {
+ bulkchal _b;
+ gcipher *c;
+} naclbox_chal;
+
+static bulkchal *naclbox_genchal(const bulkalgs *aa)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+ naclbox_chal *c = CREATE(naclbox_chal);
+ rand_get(RAND_GLOBAL, buf_t, a->cksz);
+ c->c = GC_INIT(a->c, buf_t, a->cksz);
+ IF_TRACING(T_CHAL, {
+ trace(T_CHAL, "chal: generated new challenge key");
+ trace_block(T_CRYPTO, "chal: new key", buf_t, a->cksz);
+ })
+ c->_b.tagsz = 16;
+ return (&c->_b);
+}
+
+static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz, void *t)
+{
+ naclbox_chal *c = (naclbox_chal *)bc;
+ octet b0[SALSA20_NONCESZ];
+ assert(msz <= sizeof(b0));
+ memcpy(b0, m, msz); memset(b0 + msz, 0, sizeof(b0) - msz);
+ GC_SETIV(c->c, b0);
+ GC_ENCRYPT(c->c, 0, t, c->_b.tagsz);
+ return (0);
+}
+
+static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz,
+ const void *t)
+{
+ naclbox_chal *c = (naclbox_chal *)bc;
+ octet b0[SALSA20_NONCESZ], b1[16];
+ assert(msz <= sizeof(b0)); assert(c->_b.tagsz <= sizeof(b1));
+ memcpy(b0, m, msz); memset(b0 + msz, 0, sizeof(b0) - msz);
+ GC_SETIV(c->c, b0);
+ GC_ENCRYPT(c->c, 0, b1, c->_b.tagsz);
+ return (ct_memeq(t, b1, c->_b.tagsz) ? 0 : -1);
+}
+
+static void naclbox_freechal(bulkchal *bc)
+ { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); }
+
+static void naclbox_freealgs(bulkalgs *aa)
+ { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); }
+
+static void naclbox_freectx(bulkctx *bbc)
+{
+ naclbox_ctx *bc = (naclbox_ctx *)bbc;
+ int i;
+
+ for (i = 0; i < NDIR; i++) GC_DESTROY(bc->d[i].c);
+ DESTROY(bc);
+}
+
+static int naclbox_encrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 seq)
+{
+ naclbox_ctx *bc = (naclbox_ctx *)bbc;
+ gcipher *c = bc->d[DIR_OUT].c;
+ poly1305_key polyk;
+ poly1305_ctx poly;
+ const octet *p = BCUR(b);
+ size_t sz = BLEFT(b);
+ octet *qmac, *qseq, *qpk;
+
+ /* --- Determine the ciphertext layout --- */
+
+ if (buf_ensure(bb, POLY1305_TAGSZ + SEQSZ + sz)) return (0);
+ qmac = BCUR(bb); qseq = qmac + POLY1305_TAGSZ; qpk = qseq + SEQSZ;
+ BSTEP(bb, POLY1305_TAGSZ + SEQSZ + sz);
+
+ /* --- Construct and set the nonce --- */
+
+ STORE32(qseq, seq);
+ memcpy(buf_u, qseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
+ GC_SETIV(c, buf_u);
+ TRACE_IV(buf_u, SALSA20_NONCESZ);
+
+ /* --- Determine the MAC key --- */
+
+ GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
+ poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
+ poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);
+
+ /* --- Encrypt the message --- */
+
+ GC_ENCRYPT(c, p, qpk, sz);
+ TRACE_CT(qpk, sz);
+
+ /* --- Compute the MAC --- */
+
+ poly1305_hash(&poly, qpk, sz);
+ poly1305_done(&poly, qmac);
+ TRACE_MAC(qmac, POLY1305_TAGSZ);
+
+ /* --- We're done --- */
+
+ return (0);
+}
+
+static int naclbox_decrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 *seq)
+{
+ naclbox_ctx *bc = (naclbox_ctx *)bbc;
+ gcipher *c = bc->d[DIR_IN].c;
+ poly1305_key polyk;
+ poly1305_ctx poly;
+ const octet *pmac, *pseq, *ppk;
+ size_t psz = BLEFT(b);
+ size_t sz;
+ octet *q = BCUR(bb);
+
+ /* --- Break up the packet into its components --- */
+
+ if (psz < SEQSZ + POLY1305_TAGSZ) {
+ T( trace(T_KEYSET, "keyset: block too small for keyset"); )
+ return (KSERR_MALFORMED);
+ }
+ sz = psz - SEQSZ - POLY1305_TAGSZ;
+ pmac = BCUR(b); pseq = pmac + POLY1305_TAGSZ; ppk = pseq + SEQSZ;
+
+ /* --- Construct and set the nonce --- */
+
+ memcpy(buf_u, pseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
+ GC_SETIV(c, buf_u);
+ TRACE_IV(buf_u, SALSA20_NONCESZ);
+
+ /* --- Determine the MAC key --- */
+
+ GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
+ poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
+ poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);
+
+ /* --- Verify the MAC on the packet --- */
+
+ poly1305_hash(&poly, ppk, sz);
+ poly1305_done(&poly, buf_u);
+ TRACE_MAC(buf_u, POLY1305_TAGSZ);
+ if (!ct_memeq(buf_u, pmac, POLY1305_TAGSZ)) {
+ TRACE_MACERR(pmac, POLY1305_TAGSZ);
+ return (KSERR_DECRYPT);
+ }
+
+ /* --- Decrypt the packet --- */
+
+ GC_DECRYPT(c, ppk, q, sz);
+
+ /* --- Finished --- */
+
+ *seq = LOAD32(pseq);
+ BSTEP(bb, sz);
+ return (0);
+}
+