*
* This file is part of Trivial IP Encryption (TrIPE).
*
- * TrIPE is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
+ * TrIPE is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your
+ * option) any later version.
*
- * TrIPE is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * TrIPE is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
*
* You should have received a copy of the GNU General Public License
- * along with TrIPE; if not, write to the Free Software Foundation,
- * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
*/
/*----- Header files ------------------------------------------------------*/
trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
}) } while (0)
+#define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
+ trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
+ trace_block(T_CRYPTO, "crypto: provided MAC", (pmac), (tagsz)); \
+}) } while (0)
+
+/* --- @derivekey@ --- *
+ *
+ * Arguments: @octet *k@ = pointer to an output buffer of at least
+ * @MAXHASHSZ@ bytes
+ * @size_t ksz@ = actual size wanted (for tracing)
+ * @const deriveargs@ = derivation parameters, as passed into
+ * @genkeys@
+ * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@)
+ * @const char *what@ = label for the key (input to derivation)
+ *
+ * Returns: ---
+ *
+ * Use: Derives a session key, for use on incoming or outgoing data.
+ */
+
+static void derivekey(octet *k, size_t ksz, const deriveargs *a,
+ int dir, const char *what)
+{
+ const gchash *hc = a->hc;
+ ghash *h;
+
+ assert(ksz <= hc->hashsz);
+ assert(hc->hashsz <= MAXHASHSZ);
+ h = GH_INIT(hc);
+ GH_HASH(h, a->what, strlen(a->what)); GH_HASH(h, what, strlen(what) + 1);
+ switch (dir) {
+ case DIR_IN:
+ if (a->x) GH_HASH(h, a->k, a->x);
+ if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
+ break;
+ case DIR_OUT:
+ if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
+ if (a->x) GH_HASH(h, a->k, a->x);
+ break;
+ default:
+ abort();
+ }
+ GH_HASH(h, a->k + a->y, a->z - a->y);
+ GH_DONE(h, k);
+ GH_DESTROY(h);
+ IF_TRACING(T_KEYSET, { IF_TRACING(T_CRYPTO, {
+ char _buf[32];
+ sprintf(_buf, "crypto: %s key %s", dir ? "outgoing" : "incoming", what);
+ trace_block(T_CRYPTO, _buf, k, ksz);
+ }) })
+}
+
+/*----- Common functionality for generic-composition transforms -----------*/
+
#define CHECK_MAC(h, pmac, tagsz) do { \
ghash *_h = (h); \
const octet *_pmac = (pmac); \
TRACE_MAC(_mac, _tagsz); \
GH_DESTROY(_h); \
if (!_eq) { \
- IF_TRACING(T_KEYSET, { \
- trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
- trace_block(T_CRYPTO, "crypto: expected MAC", _pmac, _tagsz); \
- }) \
+ TRACE_MACERR(_pmac, _tagsz); \
return (KSERR_DECRYPT); \
} \
} while (0)
+typedef struct gencomp_algs {
+ const gccipher *c; size_t cksz;
+ const gcmac *m; size_t mksz; size_t tagsz;
+} gencomp_algs;
+
+typedef struct gencomp_chal {
+ bulkchal _b;
+ gmac *m;
+} gencomp_chal;
+
+static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw,
+ dstr *e, key_file *kf, key *k)
+{
+ const char *p;
+ char *q, *qq;
+ unsigned long n;
+ dstr d = DSTR_INIT;
+ int rc = -1;
+
+ /* --- Symmetric encryption --- */
+
+ if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc";
+ if ((a->c = gcipher_byname(p)) == 0) {
+ a_format(e, "unknown-cipher", "%s", p, A_END);
+ goto done;
+ }
+
+ /* --- Message authentication --- */
+
+ if ((p = key_getattr(kf, k, "mac")) != 0) {
+ dstr_reset(&d);
+ dstr_puts(&d, p);
+ if ((q = strrchr(d.buf, '/')) != 0)
+ *q++ = 0;
+ if ((a->m = gmac_byname(d.buf)) == 0) {
+ a_format(e, "unknown-mac", "%s", d.buf, A_END);
+ goto done;
+ }
+ if (!q)
+ a->tagsz = a->m->hashsz;
+ else {
+ n = strtoul(q, &qq, 0);
+ if (*qq) {
+ a_format(e, "bad-tag-length-string", "%s", q, A_END);
+ goto done;
+ }
+ if (n%8 || n/8 > a->m->hashsz) {
+ a_format(e, "bad-tag-length", "%lu", n, A_END);
+ goto done;
+ }
+ a->tagsz = n/8;
+ }
+ } else {
+ dstr_reset(&d);
+ dstr_putf(&d, "%s-hmac", asw->h->name);
+ if ((a->m = gmac_byname(d.buf)) == 0) {
+ a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END);
+ goto done;
+ }
+ a->tagsz = asw->h->hashsz/2;
+ }
+
+ rc = 0;
+done:
+ dstr_destroy(&d);
+ return (rc);
+}
+
+#ifndef NTRACE
+static void gencomp_tracealgs(const gencomp_algs *a)
+{
+ trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
+ trace(T_CRYPTO, "crypto: mac = %s/%lu",
+ a->m->name, (unsigned long)a->tagsz * 8);
+}
+#endif
+
+static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e)
+{
+ /* --- Derive the key sizes --- *
+ *
+ * Must ensure that we have non-empty keys. This isn't ideal, but it
+ * provides a handy sanity check. Also must be based on a 64- or 128-bit
+ * block cipher or we can't do the data expiry properly.
+ */
+
+ if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
+ a_format(e, "cipher", "%s", a->c->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+ if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) {
+ a_format(e, "mac", "%s", a->m->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+
+ return (0);
+}
+
+static void gencomp_alginfo(const gencomp_algs *a, admin *adm)
+{
+ a_info(adm,
+ "cipher=%s", a->c->name,
+ "cipher-keysz=%lu", (unsigned long)a->cksz,
+ "cipher-blksz=%lu", (unsigned long)a->c->blksz,
+ A_END);
+ a_info(adm,
+ "mac=%s", a->m->name,
+ "mac-keysz=%lu", (unsigned long)a->mksz,
+ "mac-tagsz=%lu", (unsigned long)a->tagsz,
+ A_END);
+}
+
+static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa)
+{
+ return (a->c == aa->c &&
+ a->m == aa->m && a->tagsz == aa->tagsz);
+}
+
+static size_t gencomp_expsz(const gencomp_algs *a)
+ { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); }
+
+static bulkchal *gencomp_genchal(const gencomp_algs *a)
+{
+ gencomp_chal *gc = CREATE(gencomp_chal);
+
+ rand_get(RAND_GLOBAL, buf_t, a->mksz);
+ gc->m = GM_KEY(a->m, buf_t, a->mksz);
+ gc->_b.tagsz = a->tagsz;
+ IF_TRACING(T_CHAL, {
+ trace(T_CHAL, "chal: generated new challenge key");
+ trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz);
+ })
+ return (&gc->_b);
+}
+
+static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, void *t)
+{
+ gencomp_chal *gc = (gencomp_chal *)bc;
+ ghash *h = GM_INIT(gc->m);
+
+ GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
+ memcpy(t, GH_DONE(h, 0), bc->tagsz);
+ GH_DESTROY(h);
+ return (0);
+}
+
+static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, const void *t)
+{
+ gencomp_chal *gc = (gencomp_chal *)bc;
+ ghash *h = GM_INIT(gc->m);
+ int ok;
+
+ GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
+ ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz);
+ GH_DESTROY(h);
+ return (ok ? 0 : -1);
+}
+
+static void gencomp_freechal(bulkchal *bc)
+ { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); }
+
/*----- The original transform --------------------------------------------*
*
* We generate a random initialization vector (if the cipher needs one). We
* encrypt the input message with the cipher, and format the type, sequence
* number, IV, and ciphertext as follows.
*
- * +------+ +------+---...---+------...------+
- * | type | | seq | iv | ciphertext |
- * +------+ +------+---...---+------...------+
- * 32 32 blksz sz
+ * +--------+ +--------+---...---+------...------+
+ * | type | | seq | iv | ciphertext |
+ * +--------+ +--------+---...---+------...------+
+ * 32 32 blksz sz
*
* All of this is fed into the MAC to compute a tag. The type is not
* transmitted: the other end knows what type of message it expects, and the
* kind of ciphertext has been substituted. The tag is prepended to the
* remainder, to yield the finished cryptogram, as follows.
*
- * +---...---+------+---...---+------...------+
- * | tag | seq | iv | ciphertext |
- * +---...---+------+---...---+------...------+
- * tagsz 32 blksz sz
+ * +---...---+--------+---...---+------...------+
+ * | tag | seq | iv | ciphertext |
+ * +---...---+--------+---...---+------...------+
+ * tagsz 32 blksz sz
*
* Decryption: checks the overall size, verifies the tag, then decrypts the
* ciphertext and extracts the sequence number.
*/
-static int v0_check(const algswitch *a, dstr *e)
- { return (0); }
+typedef struct v0_algs {
+ bulkalgs _b;
+ gencomp_algs ga;
+} v0_algs;
+
+typedef struct v0_ctx {
+ bulkctx _b;
+ size_t tagsz;
+ struct {
+ gcipher *c;
+ gmac *m;
+ } d[NDIR];
+} v0_ctx;
+
+static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
+{
+ v0_algs *a = CREATE(v0_algs);
+ if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); }
+ return (&a->_b);
+}
+
+#ifndef NTRACE
+static void v0_tracealgs(const bulkalgs *aa)
+ { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); }
+#endif
+
+static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
+{
+ v0_algs *a = (v0_algs *)aa;
+ if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
+ return (0);
+}
+
+static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
+{
+ const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb;
+ return (gencomp_samealgsp(&a->ga, &b->ga));
+}
+
+static void v0_alginfo(const bulkalgs *aa, admin *adm)
+ { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); }
+
+static size_t v0_overhead(const bulkalgs *aa)
+{
+ const v0_algs *a = (const v0_algs *)aa;
+ return (a->ga.tagsz + SEQSZ + a->ga.c->blksz);
+}
+
+static size_t v0_expsz(const bulkalgs *aa)
+ { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); }
+
+static bulkctx *v0_genkeys(const bulkalgs *aa, const deriveargs *da)
+{
+ const v0_algs *a = (const v0_algs *)aa;
+ v0_ctx *bc = CREATE(v0_ctx);
+ octet k[MAXHASHSZ];
+ int i;
+
+ bc->tagsz = a->ga.tagsz;
+ for (i = 0; i < NDIR; i++) {
+ if (!(da->f&(1 << i))) { bc->d[i].c = 0; bc->d[i].m = 0; continue; }
+ derivekey(k, a->ga.cksz, da, i, "encryption");
+ bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
+ derivekey(k, a->ga.mksz, da, i, "integrity");
+ bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
+ }
+ return (&bc->_b);
+}
+
+static bulkchal *v0_genchal(const bulkalgs *aa)
+{
+ const v0_algs *a = (const v0_algs *)aa;
+ return (gencomp_genchal(&a->ga));
+}
+#define v0_chaltag gencomp_chaltag
+#define v0_chalvrf gencomp_chalvrf
+#define v0_freechal gencomp_freechal
+
+static void v0_freealgs(bulkalgs *aa)
+ { v0_algs *a = (v0_algs *)aa; DESTROY(a); }
-static size_t v0_overhead(const algswitch *a)
- { return a->tagsz + SEQSZ + a->c->blksz; }
+static void v0_freectx(bulkctx *bbc)
+{
+ v0_ctx *bc = (v0_ctx *)bbc;
+ int i;
-static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
+ for (i = 0; i < NDIR; i++) {
+ if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
+ if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
+ }
+ DESTROY(bc);
+}
+
+static int v0_encrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 seq)
{
+ v0_ctx *bc = (v0_ctx *)bbc;
ghash *h;
- gcipher *c = ks->out.c;
+ gcipher *c = bc->d[DIR_OUT].c;
const octet *p = BCUR(b);
size_t sz = BLEFT(b);
octet *qmac, *qseq, *qiv, *qpk;
- uint32 oseq;
- size_t ivsz = GC_CLASS(c)->blksz;
- size_t tagsz = ks->tagsz;
+ size_t ivsz;
+ size_t tagsz = bc->tagsz;
octet t[4];
+ assert(c);
+ ivsz = GC_CLASS(c)->blksz;
+
/* --- Determine the ciphertext layout --- */
if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
/* --- Store the sequence number --- */
- oseq = ks->oseq++;
- STORE32(qseq, oseq);
+ STORE32(qseq, seq);
/* --- Establish an initialization vector if necessary --- */
/* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
if (tagsz) {
- h = GM_INIT(ks->out.m);
+ h = GM_INIT(bc->d[DIR_OUT].m);
GH_HASH(h, t, sizeof(t));
GH_HASH(h, qseq, SEQSZ + ivsz + sz);
memcpy(qmac, GH_DONE(h, 0), tagsz);
return (0);
}
-static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
+static int v0_decrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 *seq)
{
+ v0_ctx *bc = (v0_ctx *)bbc;
const octet *pmac, *piv, *pseq, *ppk;
size_t psz = BLEFT(b);
size_t sz;
octet *q = BCUR(bb);
ghash *h;
- gcipher *c = ks->in.c;
- size_t ivsz = GC_CLASS(c)->blksz;
- size_t tagsz = ks->tagsz;
+ gcipher *c = bc->d[DIR_IN].c;
+ size_t ivsz;
+ size_t tagsz = bc->tagsz;
octet t[4];
+ assert(c);
+ ivsz = GC_CLASS(c)->blksz;
+
/* --- Break up the packet into its components --- */
if (psz < ivsz + SEQSZ + tagsz) {
- T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
+ T( trace(T_KEYSET, "keyset: block too small for keyset"); )
return (KSERR_MALFORMED);
}
sz = psz - ivsz - SEQSZ - tagsz;
/* --- Verify the MAC on the packet --- */
if (tagsz) {
- h = GM_INIT(ks->in.m);
+ h = GM_INIT(bc->d[DIR_IN].m);
GH_HASH(h, t, sizeof(t));
GH_HASH(h, pseq, SEQSZ + ivsz + sz);
CHECK_MAC(h, pmac, tagsz);
*
* So, a MAC is computed over
*
- * +------+ +------+------...------+
- * | type | | seq | ciphertext |
- * +------+ +------+------...------+
- * 32 32 sz
+ * +--------+ +--------+------...------+
+ * | type | | seq | ciphertext |
+ * +--------+ +--------+------...------+
+ * 32 32 sz
*
* and we actually transmit the following as the cryptogram.
*
* tagsz 32 sz
*/
-static int iiv_check(const algswitch *a, dstr *e)
+typedef struct iiv_algs {
+ bulkalgs _b;
+ gencomp_algs ga;
+ const gccipher *b; size_t bksz;
+} iiv_algs;
+
+typedef struct iiv_ctx {
+ bulkctx _b;
+ size_t tagsz;
+ struct {
+ gcipher *c, *b;
+ gmac *m;
+ } d[NDIR];
+} iiv_ctx;
+
+
+static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
{
- if (a->b->blksz < a->c->blksz) {
+ iiv_algs *a = CREATE(iiv_algs);
+ dstr d = DSTR_INIT, dd = DSTR_INIT;
+ const char *p;
+ char *q;
+
+ if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail;
+
+ if ((p = key_getattr(kf, k, "blkc")) == 0) {
+ dstr_puts(&dd, a->ga.c->name);
+ if ((q = strrchr(dd.buf, '-')) != 0) *q = 0;
+ p = dd.buf;
+ }
+ dstr_putf(&d, "%s-ecb", p);
+ if ((a->b = gcipher_byname(d.buf)) == 0) {
+ a_format(e, "unknown-blkc", "%s", p, A_END);
+ goto fail;
+ }
+
+ dstr_destroy(&d); dstr_destroy(&dd);
+ return (&a->_b);
+fail:
+ dstr_destroy(&d); dstr_destroy(&dd);
+ DESTROY(a);
+ return (0);
+}
+
+#ifndef NTRACE
+static void iiv_tracealgs(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+
+ gencomp_tracealgs(&a->ga);
+ trace(T_CRYPTO,
+ "crypto: blkc = %.*s", (int)strlen(a->b->name) - 4, a->b->name);
+}
+#endif
+
+static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
+{
+ iiv_algs *a = (iiv_algs *)aa;
+
+ if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
+
+ if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) {
+ a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+ if (a->b->blksz < a->ga.c->blksz) {
a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
"blksz-insufficient", A_END);
return (-1);
return (0);
}
-static size_t iiv_overhead(const algswitch *a)
- { return a->tagsz + SEQSZ; }
+static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
+{
+ const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb;
+ return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b);
+}
+
+static void iiv_alginfo(const bulkalgs *aa, admin *adm)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ gencomp_alginfo(&a->ga, adm);
+ a_info(adm,
+ "blkc=%.*s", strlen(a->b->name) - 4, a->b->name,
+ "blkc-keysz=%lu", (unsigned long)a->bksz,
+ "blkc-blksz=%lu", (unsigned long)a->b->blksz,
+ A_END);
+}
+
+static size_t iiv_overhead(const bulkalgs *aa)
+ { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); }
+
+static size_t iiv_expsz(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ return (gencomp_expsz(&a->ga));
+}
+
+static bulkctx *iiv_genkeys(const bulkalgs *aa, const deriveargs *da)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ iiv_ctx *bc = CREATE(iiv_ctx);
+ octet k[MAXHASHSZ];
+ int i;
+
+ bc->tagsz = a->ga.tagsz;
+ for (i = 0; i < NDIR; i++) {
+ if (!(da->f&(1 << i)))
+ { bc->d[i].c = 0; bc->d[i].b = 0; bc->d[i].m = 0; continue; }
+ derivekey(k, a->ga.cksz, da, i, "encryption");
+ bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
+ derivekey(k, a->bksz, da, i, "blkc");
+ bc->d[i].b = GC_INIT(a->b, k, a->bksz);
+ derivekey(k, a->ga.mksz, da, i, "integrity");
+ bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
+ }
+ return (&bc->_b);
+}
+
+static bulkchal *iiv_genchal(const bulkalgs *aa)
+{
+ const iiv_algs *a = (const iiv_algs *)aa;
+ return (gencomp_genchal(&a->ga));
+}
+#define iiv_chaltag gencomp_chaltag
+#define iiv_chalvrf gencomp_chalvrf
+#define iiv_freechal gencomp_freechal
+
+static void iiv_freealgs(bulkalgs *aa)
+ { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); }
+
+static void iiv_freectx(bulkctx *bbc)
+{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
+ int i;
+
+ for (i = 0; i < NDIR; i++) {
+ if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
+ if (bc->d[i].b) GC_DESTROY(bc->d[i].b);
+ if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
+ }
+ DESTROY(bc);
+}
#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
}) } while (0)
-static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
+static int iiv_encrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 seq)
{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
ghash *h;
- gcipher *c = ks->out.c, *blkc = ks->out.b;
+ gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b;
const octet *p = BCUR(b);
size_t sz = BLEFT(b);
octet *qmac, *qseq, *qpk;
- uint32 oseq;
- size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
- size_t tagsz = ks->tagsz;
+ size_t ivsz, blkcsz;
+ size_t tagsz = bc->tagsz;
octet t[4];
+ assert(c); assert(blkc);
+ ivsz = GC_CLASS(c)->blksz;
+ blkcsz = GC_CLASS(blkc)->blksz;
+
/* --- Determine the ciphertext layout --- */
if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
/* --- Store the sequence number --- */
- oseq = ks->oseq++;
- STORE32(qseq, oseq);
+ STORE32(qseq, seq);
/* --- Establish an initialization vector if necessary --- */
/* --- Compute a MAC over type, sequence number, and ciphertext --- */
if (tagsz) {
- h = GM_INIT(ks->out.m);
+ h = GM_INIT(bc->d[DIR_OUT].m);
GH_HASH(h, t, sizeof(t));
GH_HASH(h, qseq, SEQSZ + sz);
memcpy(qmac, GH_DONE(h, 0), tagsz);
return (0);
}
-static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
+static int iiv_decrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 *seq)
{
+ iiv_ctx *bc = (iiv_ctx *)bbc;
const octet *pmac, *pseq, *ppk;
size_t psz = BLEFT(b);
size_t sz;
octet *q = BCUR(bb);
ghash *h;
- gcipher *c = ks->in.c, *blkc = ks->in.b;
- size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
- size_t tagsz = ks->tagsz;
+ gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b;
+ size_t ivsz, blkcsz;
+ size_t tagsz = bc->tagsz;
octet t[4];
+ assert(c); assert(blkc);
+ ivsz = GC_CLASS(c)->blksz;
+ blkcsz = GC_CLASS(blkc)->blksz;
+
/* --- Break up the packet into its components --- */
if (psz < SEQSZ + tagsz) {
- T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
+ T( trace(T_KEYSET, "keyset: block too small for keyset"); )
return (KSERR_MALFORMED);
}
sz = psz - SEQSZ - tagsz;
/* --- Verify the MAC on the packet --- */
if (tagsz) {
- h = GM_INIT(ks->in.m);
+ h = GM_INIT(bc->d[DIR_IN].m);
GH_HASH(h, t, sizeof(t));
GH_HASH(h, pseq, SEQSZ + sz);
CHECK_MAC(h, pmac, tagsz);
return (0);
}
+/*----- The AEAD transform ------------------------------------------------*
+ *
+ * This transform uses a general authenticated encryption scheme (the
+ * additional data isn't necessary). Good options include
+ * `chacha20-poly1305' or `rijndael-ocb3'.
+ *
+ * To be acceptable, the scheme must accept at least a 40-bit nonce. (All of
+ * Catacomb's current AEAD schemes are suitable.) The low 32 bits are the
+ * sequence number. The type is written to the next 8--32 bytes: if the
+ * nonce size is 64 bits or more (preferred, for compatibility reasons) then
+ * the type is written as 32 bits, and the remaining space is padded with
+ * zero bytes; otherwise, the type is right-aligned in the remaining space.
+ * Both fields are big-endian.
+ *
+ * +--------+--+
+ * | seq |ty|
+ * +--------+--+
+ * 32 8
+ *
+ * +--------+----+
+ * | seq | ty |
+ * +--------+----+
+ * 32 16
+ *
+ * +--------+------+
+ * | seq | type |
+ * +--------+------+
+ * 32 24
+ *
+ * +--------+--------+---...---+
+ * | seq | type | 0 |
+ * +--------+--------+---...---+
+ * 32 32 nsz - 64
+ *
+ * The ciphertext is formatted as
+ *
+ * +---...---+--------+------...------+
+ * | tag | seq | ciphertext |
+ * +---...---+--------+------...------+
+ * tagsz 32 sz
+ *
+ */
+
+#define AEAD_NONCEMAX 64
+
+typedef struct aead_algs {
+ bulkalgs _b;
+ const gcaead *c;
+ size_t ksz, nsz, tsz;
+} aead_algs;
+
+typedef struct aead_ctx {
+ bulkctx _b;
+ struct { gaead_key *k; } d[NDIR];
+ size_t nsz, tsz;
+} aead_ctx;
+
+static bulkalgs *aead_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
+{
+ aead_algs *a = CREATE(aead_algs);
+ const char *p;
+ char *qq;
+ gaead_key *kk = 0;
+ size_t ksz;
+ size_t csz = 0;
+ unsigned long n;
+
+ /* --- Collect the selected cipher and check that it's supported --- */
+
+ p = key_getattr(kf, k, "cipher"); if (!p) p = "rijndael-ocb3";
+ a->c = gaead_byname(p);
+ if (!a->c) { a_format(e, "unknown-cipher", "%s", p, A_END); goto fail; }
+ if (a->c->f&AEADF_NOAAD) {
+ a_format(e, "unsuitable-aead-cipher", "%s", p, "no-aad", A_END);
+ goto fail;
+ }
+ a->nsz = keysz_pad(8, a->c->noncesz);
+ if (!a->nsz) a->nsz = keysz_pad(5, a->c->noncesz);
+ if (!a->nsz) {
+ a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-small", A_END);
+ goto fail;
+ } else if (a->nsz > AEAD_NONCEMAX) {
+ a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-large", A_END);
+ goto fail;
+ }
+
+ /* --- Collect the selected MAC, and check the tag length --- *
+ *
+ * Of course, there isn't a separate MAC, so only accept `aead'.
+ */
+
+ p = key_getattr(kf, k, "tagsz");
+ if (!p) {
+ p = key_getattr(kf, k, "mac");
+ if (!p) ;
+ else if (strncmp(p, "aead", 4) != 0 || (p[4] && p[4] != '/'))
+ { a_format(e, "unknown-mac", "%s", p, A_END); goto fail; }
+ else if (p[4] == '/') p += 5;
+ else p = 0;
+ }
+ if (!p)
+ a->tsz = keysz(0, a->c->tagsz);
+ else {
+ n = strtoul(p, &qq, 0);
+ if (*qq) {
+ a_format(e, "bad-tag-length-string", "%s", p, A_END);
+ goto fail;
+ }
+ if (n%8 || (a->tsz = keysz(n/8, a->c->tagsz)) == 0)
+ { a_format(e, "bad-tag-length", "%lu", n, A_END); goto fail; }
+ }
+
+ /* --- Check that an empty message gives an empty ciphertext --- *
+ *
+ * This is necessary for producing challenges. If the overhead is zero
+ * then we're fine; otherwise, we have to check the hard way.
+ */
+
+ if (a->c->ohd) {
+ ksz = keysz(0, a->c->keysz);
+ memset(buf_t, 0, ksz > a->nsz ? ksz : a->nsz);
+ kk = GAEAD_KEY(a->c, buf_t, ksz);
+ if (gaead_encrypt(kk, buf_t, a->nsz,
+ buf_t, ksz,
+ 0, 0,
+ buf_t, &csz,
+ buf_t, a->tsz)) {
+ a_format(e, "unsuitable-aead-cipher", "%s", a->c->name,
+ "nonempty-ciphertext-for-empty-message", A_END);
+ goto fail;
+ }
+ GAEAD_DESTROY(kk); kk = 0;
+ }
+
+ return (&a->_b);
+fail:
+ if (kk) GAEAD_DESTROY(kk);
+ DESTROY(a);
+ return (0);
+}
+
+#ifndef NTRACE
+static void aead_tracealgs(const bulkalgs *aa)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+
+ trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
+ trace(T_CRYPTO, "crypto: noncesz = %lu", (unsigned long)a->nsz);
+ trace(T_CRYPTO, "crypto: tagsz = %lu", (unsigned long)a->tsz);
+}
+#endif
+
+static int aead_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
+{
+ aead_algs *a = (aead_algs *)aa;
+
+ if ((a->ksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
+ a_format(e, "cipher", "%s", a->c->name,
+ "no-key-size", "%lu", (unsigned long)asw->hashsz,
+ A_END);
+ return (-1);
+ }
+ return (0);
+}
+
+static int aead_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
+{
+ const aead_algs *a = (const aead_algs *)aa,
+ *b = (const aead_algs *)bb;
+ return (a->c == b->c && a->tsz == b->tsz);
+}
+
+static void aead_alginfo(const bulkalgs *aa, admin *adm)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+ a_info(adm, "cipher=%s", a->c->name,
+ "cipher-keysz=%lu", (unsigned long)a->ksz,
+ A_END);
+ a_info(adm, "mac=aead", "mac-tagsz=%lu", (unsigned long)a->tsz, A_END);
+}
+
+static size_t aead_overhead(const bulkalgs *aa)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+ return (a->tsz + SEQSZ + a->c->ohd);
+}
+
+static size_t aead_expsz(const bulkalgs *aa)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+ return (a->c->blksz < 16 ? MEG(64) : MEG(2048));
+}
+
+static bulkctx *aead_genkeys(const bulkalgs *aa, const deriveargs *da)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+ aead_ctx *bc = CREATE(aead_ctx);
+ octet k[MAXHASHSZ];
+ int i;
+
+ for (i = 0; i < NDIR; i++) {
+ if (!(da->f&(1 << i))) { bc->d[i].k = 0; continue; }
+ derivekey(k, a->ksz, da, i, "encryption");
+ bc->d[i].k = GAEAD_KEY(a->c, k, a->ksz);
+ }
+ bc->nsz = a->nsz; bc->tsz = a->tsz;
+ return (&bc->_b);
+}
+
+typedef struct aead_chal {
+ bulkchal _b;
+ gaead_key *k;
+} aead_chal;
+
+static bulkchal *aead_genchal(const bulkalgs *aa)
+{
+ const aead_algs *a = (const aead_algs *)aa;
+ aead_chal *c = CREATE(aead_chal);
+ rand_get(RAND_GLOBAL, buf_t, a->ksz);
+ c->k = GAEAD_KEY(a->c, buf_t, a->ksz);
+ IF_TRACING(T_CHAL, {
+ trace(T_CHAL, "chal: generated new challenge key");
+ trace_block(T_CRYPTO, "chal: new key", buf_t, a->ksz);
+ })
+ c->_b.tagsz = a->tsz;
+ return (&c->_b);
+}
+
+static int aead_chaltag(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, void *t)
+{
+ aead_chal *c = (aead_chal *)bc;
+ octet b[AEAD_NONCEMAX];
+ size_t nsz = keysz_pad(4, c->k->ops->c->noncesz);
+ size_t csz = 0;
+ int rc;
+
+ assert(nsz); assert(nsz <= sizeof(b));
+ memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq);
+ rc = gaead_encrypt(c->k, b, nsz, m, msz, 0, 0,
+ buf_t, &csz, t, c->_b.tagsz);
+ assert(!rc);
+ return (0);
+}
+
+static int aead_chalvrf(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, const void *t)
+{
+ aead_chal *c = (aead_chal *)bc;
+ octet b[AEAD_NONCEMAX];
+ size_t nsz = keysz(4, c->k->ops->c->noncesz);
+ size_t psz = 0;
+ int rc;
+
+ assert(nsz); assert(nsz <= sizeof(b));
+ memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq);
+ rc = gaead_decrypt(c->k, b, nsz, m, msz, 0, 0,
+ buf_t, &psz, t, c->_b.tagsz);
+ assert(rc >= 0);
+ return (rc == 1 ? 0 : -1);
+}
+
+static void aead_freechal(bulkchal *bc)
+ { aead_chal *c = (aead_chal *)bc; GAEAD_DESTROY(c->k); DESTROY(c); }
+
+static void aead_freealgs(bulkalgs *aa)
+ { aead_algs *a = (aead_algs *)aa; DESTROY(a); }
+
+static void aead_freectx(bulkctx *bbc)
+{
+ aead_ctx *bc = (aead_ctx *)bbc;
+ int i;
+
+ for (i = 0; i < NDIR; i++) { if (bc->d[i].k) GAEAD_DESTROY(bc->d[i].k); }
+ DESTROY(bc);
+}
+
+static void aead_fmtnonce(aead_ctx *bc, octet *n, uint32 seq, unsigned ty)
+{
+ assert(bc->nsz <= AEAD_NONCEMAX); assert(ty <= 255);
+ STORE32(n, seq);
+ switch (bc->nsz) {
+ case 5: STORE8(n + SEQSZ, ty); break;
+ case 6: STORE16(n + SEQSZ, ty); break;
+ case 7: STORE24(n + SEQSZ, ty); break;
+ default: memset(n + 8, 0, bc->nsz - 8); /* and continue */
+ case 8: STORE32(n + SEQSZ, ty); break;
+ }
+ TRACE_IV(n, bc->nsz);
+}
+
+static int aead_encrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 seq)
+{
+ aead_ctx *bc = (aead_ctx *)bbc;
+ const octet *p = BCUR(b);
+ gaead_key *k = bc->d[DIR_OUT].k;
+ size_t sz = BLEFT(b);
+ size_t csz = sz + k->ops->c->ohd;
+ octet *qmac, *qseq, *qpk;
+ octet n[AEAD_NONCEMAX];
+ int rc;
+
+ assert(k);
+
+ if (buf_ensure(bb, bc->tsz + SEQSZ + csz)) return (0);
+ qmac = BCUR(bb); qseq = qmac + bc->tsz; qpk = qseq + SEQSZ;
+ STORE32(qseq, seq);
+
+ aead_fmtnonce(bc, n, seq, ty);
+ rc = gaead_encrypt(k, n, bc->nsz, 0, 0, p, sz, qpk, &csz, qmac, bc->tsz);
+ assert(!rc);
+ BSTEP(bb, bc->tsz + SEQSZ + csz);
+ TRACE_CT(qpk, csz);
+ TRACE_MAC(qmac, bc->tsz);
+
+ return (0);
+}
+
+static int aead_decrypt(bulkctx *bbc, unsigned ty,
+ buf *b, buf *bb, uint32 *seq_out)
+{
+ aead_ctx *bc = (aead_ctx *)bbc;
+ gaead_key *k = bc->d[DIR_IN].k;
+ const octet *pmac, *pseq, *ppk;
+ uint32 seq;
+ size_t psz = BLEFT(b);
+ size_t sz;
+ octet *q = BCUR(bb);
+ octet n[AEAD_NONCEMAX];
+ int rc;
+
+ assert(k);
+
+ if (psz < bc->tsz + SEQSZ) {
+ T( trace(T_KEYSET, "keyset: block too small for keyset"); )
+ return (KSERR_MALFORMED);
+ }
+ sz = psz - bc->tsz - SEQSZ;
+ pmac = BCUR(b); pseq = pmac + bc->tsz; ppk = pseq + SEQSZ;
+ seq = LOAD32(pseq);
+
+ aead_fmtnonce(bc, n, seq, ty);
+ rc = gaead_decrypt(k, n, bc->nsz, 0, 0, ppk, sz, q, &sz, pmac, bc->tsz);
+ assert(rc >= 0);
+ if (!rc) { TRACE_MACERR(pmac, bc->tsz); return (KSERR_DECRYPT); }
+
+ *seq_out = seq;
+ BSTEP(bb, sz);
+ return (0);
+}
+
+/*----- The NaCl box transform --------------------------------------------*
+ *
+ * This transform is very similar to the NaCl `crypto_secretbox' transform
+ * described in Bernstein, `Cryptography in NaCl', with the difference that,
+ * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
+ * have no need of XSalsa20's extended nonce. The default cipher is Salsa20.
+ *
+ * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the
+ * sequence number, and the high 32 bits are the type, both big-endian.
+ *
+ * +--------+--------+
+ * | seq | type |
+ * +--------+--------+
+ * 32 32
+ *
+ * A stream is generated by concatenating the raw output blocks generated
+ * with this nonce and successive counter values starting from zero. The
+ * first 32 bytes of the stream are used as a key for Poly1305: the first 16
+ * bytes are the universal hash key r, and the second 16 bytes are the mask
+ * value s.
+ *
+ * +------+------+ +------...------+
+ * | r | s | | keystream |
+ * +------+------+ +------...------+
+ * 128 128 sz
+ *
+ * The remainder of the stream is XORed with the incoming plaintext to form a
+ * ciphertext with the same length. The ciphertext (only) is then tagged
+ * using Poly1305. The tag, sequence number, and ciphertext are concatenated
+ * in this order, and transmitted.
+ *
+ *
+ * +---...---+------+------...------+
+ * | tag | seq | ciphertext |
+ * +---...---+------+------...------+
+ * 128 32 sz
+ *
+ * Note that there is no need to authenticate the type separately, since it
+ * was used to select the cipher nonce, and hence the Poly1305 key. The
+ * Poly1305 tag length is fixed.
+ */
+
+typedef struct naclbox_algs {
+ aead_algs _b;
+ const gccipher *c;
+} naclbox_algs;
+
+static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e,
+ key_file *kf, key *k)
+{
+ naclbox_algs *a = CREATE(naclbox_algs);
+ const char *p;
+ char *qq;
+ unsigned long n;
+
+ /* --- Collect the selected cipher and check that it's supported --- */
+
+ p = key_getattr(kf, k, "cipher");
+ if (!p || strcmp(p, "salsa20") == 0)
+ { a->_b.c = &salsa20_naclbox; a->c = &salsa20; }
+ else if (strcmp(p, "salsa20/12") == 0)
+ { a->_b.c = &salsa2012_naclbox; a->c = &salsa2012; }
+ else if (strcmp(p, "salsa20/8") == 0)
+ { a->_b.c = &salsa208_naclbox; a->c = &salsa208; }
+ else if (strcmp(p, "chacha20") == 0)
+ { a->_b.c = &chacha20_naclbox; a->c = &chacha20; }
+ else if (strcmp(p, "chacha12") == 0)
+ { a->_b.c = &chacha12_naclbox; a->c = &chacha12; }
+ else if (strcmp(p, "chacha8") == 0)
+ { a->_b.c = &chacha8_naclbox; a->c = &chacha8; }
+ else {
+ a_format(e, "unknown-cipher", "%s", p, A_END);
+ goto fail;
+ }
+ a->_b.nsz = 8;
+
+ /* --- Collect the selected MAC, and check the tag length --- */
+
+ p = key_getattr(kf, k, "mac");
+ if (!p)
+ ;
+ else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) {
+ a_format(e, "unknown-mac", "%s", p, A_END);
+ goto fail;
+ } else if (p[8] == '/') {
+ n = strtoul(p + 9, &qq, 0);
+ if (*qq) {
+ a_format(e, "bad-tag-length-string", "%s", p + 9, A_END);
+ goto fail;
+ }
+ if (n != 128) {
+ a_format(e, "bad-tag-length", "%lu", n, A_END);
+ goto fail;
+ }
+ }
+ a->_b.tsz = 16;
+
+ return (&a->_b._b);
+fail:
+ DESTROY(a);
+ return (0);
+}
+
+#ifndef NTRACE
+static void naclbox_tracealgs(const bulkalgs *aa)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+
+ trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
+ trace(T_CRYPTO, "crypto: mac = poly1305/128");
+}
+#endif
+
+#define naclbox_checkalgs aead_checkalgs
+#define naclbox_samealgsp aead_samealgsp
+
+static void naclbox_alginfo(const bulkalgs *aa, admin *adm)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+ a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END);
+ a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END);
+}
+
+#define naclbox_overhead aead_overhead
+#define naclbox_expsz aead_expsz
+#define naclbox_genkeys aead_genkeys
+
+typedef struct naclbox_chal {
+ bulkchal _b;
+ gcipher *c;
+} naclbox_chal;
+
+static bulkchal *naclbox_genchal(const bulkalgs *aa)
+{
+ const naclbox_algs *a = (const naclbox_algs *)aa;
+ naclbox_chal *c = CREATE(naclbox_chal);
+ rand_get(RAND_GLOBAL, buf_t, a->_b.ksz);
+ c->c = GC_INIT(a->c, buf_t, a->_b.ksz);
+ IF_TRACING(T_CHAL, {
+ trace(T_CHAL, "chal: generated new challenge key");
+ trace_block(T_CRYPTO, "chal: new key", buf_t, a->_b.ksz);
+ })
+ c->_b.tagsz = POLY1305_TAGSZ;
+ return (&c->_b);
+}
+
+static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, void *t)
+{
+ naclbox_chal *c = (naclbox_chal *)bc;
+ poly1305_key pk;
+ poly1305_ctx pm;
+ octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
+
+ STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
+
+ memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
+ GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
+ poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
+ poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
+ if (msz) poly1305_hash(&pm, m, msz);
+ poly1305_done(&pm, t);
+ return (0);
+}
+
+static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz,
+ uint32 seq, const void *t)
+{
+ naclbox_chal *c = (naclbox_chal *)bc;
+ poly1305_key pk;
+ poly1305_ctx pm;
+ octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
+
+ STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
+ STATIC_ASSERT(POLY1305_TAGSZ <= sizeof(b), "Need more space for tag");
+
+ memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
+ GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
+ poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
+ poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
+ if (msz) poly1305_hash(&pm, m, msz);
+ poly1305_done(&pm, b);
+ return (ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1);
+}
+
+static void naclbox_freechal(bulkchal *bc)
+ { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); }
+
+static void naclbox_freealgs(bulkalgs *aa)
+ { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); }
+
+#define naclbox_freectx aead_freectx
+#define naclbox_encrypt aead_encrypt
+#define naclbox_decrypt aead_decrypt
+
/*----- Bulk crypto transform table ---------------------------------------*/
-const bulkcrypto bulktab[] = {
+const bulkops bulktab[] = {
+
+#define COMMA ,
-#define BULK(name, pre, prim) \
- { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }
+#define BULK(name, pre) \
+ { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \
+ pre##_checkalgs, pre##_samealgsp, \
+ pre##_alginfo, pre##_overhead, pre##_expsz, \
+ pre##_genkeys, pre##_genchal, pre##_freealgs, \
+ pre##_encrypt, pre##_decrypt, pre##_freectx, \
+ pre##_chaltag, pre##_chalvrf, pre##_freechal }
- BULK("v0", v0, BCP_CIPHER | BCP_MAC),
- BULK("iiv", iiv, BCP_CIPHER | BCP_MAC | BCP_BLKC),
+ BULK("v0", v0),
+ BULK("iiv", iiv),
+ BULK("aead", aead),
+ BULK("naclbox", naclbox),
#undef BULK
{ 0 }