X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/39bcd193d88309a411d3b26b5db205f913ce530d..dbc84ac3309e10a581233f3a2bd62ba174d247db:/keys/tripe-keys.in
diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in
index f1279ad7..4ec89e90 100644
--- a/keys/tripe-keys.in
+++ b/keys/tripe-keys.in
@@ -10,19 +10,18 @@
 ###
 ### This file is part of Trivial IP Encryption (TrIPE).
 ###
-### TrIPE is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
+### TrIPE is free software: you can redistribute it and/or modify it under
+### the terms of the GNU General Public License as published by the Free
+### Software Foundation; either version 3 of the License, or (at your
+### option) any later version.
 ###
-### TrIPE is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
+### TrIPE is distributed in the hope that it will be useful, but WITHOUT
+### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+### FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+### for more details.
 ###
 ### You should have received a copy of the GNU General Public License
-### along with TrIPE; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+### along with TrIPE. If not, see .
 
 ###--------------------------------------------------------------------------
 ### External dependencies.
@@ -167,7 +166,7 @@ def run(args):
 SYS.stdout.flush()
 rc = OS.spawnvp(OS.P_WAIT, args[0], args)
 if rc != 0:
- raise SubprocessError, rc
+ raise SubprocessError(rc)
 
 def hexhyphens(bytes):
 """
@@ -218,7 +217,7 @@ def conf_read(f): if line[-1] == '\n': line = line[:-1] match = rx_keyval.match(line) if not match: - raise ConfigFileError, "%s:%d: bad line `%s'" % (f, lno, line) + raise ConfigFileError("%s:%d: bad line `%s'" % (f, lno, line)) k, v = match.groups() conf[k] = conf_subst(v) @@ -239,24 +238,39 @@ def conf_defaults(): ('upload-hook', ': run upload hook'), ('kx', 'dh'), ('kx-genalg', lambda: {'dh': 'dh', - 'ec': 'ec'}[conf['kx']]), + 'ec': 'ec', + 'x25519': 'x25519', + 'x448': 'x448'}[conf['kx']]), ('kx-param-genalg', lambda: {'dh': 'dh-param', - 'ec': 'ec-param'}[conf['kx']]), + 'ec': 'ec-param', + 'x25519': 'empty', + 'x448': 'empty'}[conf['kx']]), ('kx-param', lambda: {'dh': '-LS -b3072 -B256', - 'ec': '-Cnist-p256'}[conf['kx']]), - ('kx-attrs', ''), + 'ec': '-Cnist-p256', + 'x25519': '', + 'x448': ''}[conf['kx']]), + ('kx-attrs', lambda: {'dh': 'serialization=constlen', + 'ec': 'serialization=constlen', + 'x25519': '', + 'x448': ''}[conf['kx']]), ('kx-expire', 'now + 1 year'), ('kx-warn-days', '28'), ('bulk', 'iiv'), - ('cipher', 'rijndael-cbc'), + ('cipher', lambda: conf['bulk'] == 'naclbox' + and 'salsa20' or 'rijndael-cbc'), ('hash', 'sha256'), ('master-keygen-flags', '-l'), ('master-attrs', ''), ('mgf', '${hash}-mgf'), - ('mac', lambda: '%s-hmac/%d' % - (conf['hash'], - C.gchashes[conf['hash']].hashsz * 4)), - ('sig', lambda: {'dh': 'dsa', 'ec': 'ecdsa'}[conf['kx']]), + ('mac', lambda: conf['bulk'] == 'naclbox' + and 'poly1305/128' + or '%s-hmac/%d' % + (conf['hash'], + C.gchashes[conf['hash']].hashsz * 4)), + ('sig', lambda: {'dh': 'dsa', + 'ec': 'ecdsa', + 'x25519': 'ed25519', + 'x448': 'ed448'}[conf['kx']]), ('sig-fresh', 'always'), ('sig-genalg', lambda: {'kcdsa': 'dh', 'dsa': 'dsa', 
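Review bot: The new `cipher` and `mac` defaults in conf_defaults use the `cond and a or b` idiom, which only works here because both branches happen to be non-empty strings; a later edit that makes the first branch falsy (say `''`) would silently fall through to the second. Since this commit is already moving to Python 3 syntax (`raise X(...)`), spell them as conditional expressions: `('cipher', lambda: 'salsa20' if conf['bulk'] == 'naclbox' else 'rijndael-cbc'),` and `('mac', lambda: 'poly1305/128' if conf['bulk'] == 'naclbox' else '%s-hmac/%d' % (conf['hash'], C.gchashes[conf['hash']].hashsz * 4)),`. The `sig` table now yields `ed25519`/`ed448` for the new `kx` values, but the `sig-genalg` table whose first entries close the hunk continues past it; if it has no matching `ed25519`/`ed448` entries, resolving `conf['sig-genalg']` for an `x25519`/`x448` configuration will raise KeyError, so that table should be checked. Changing the `kx-attrs` default from `''` to `serialization=constlen` for `dh`/`ec` also alters the keys generated for existing configurations that relied on the old default, which deserves a line in the configuration documentation. `conf_defaults` starts and ends outside the hunk.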
@@ -468,14 +482,14 @@ def cmd_update(args): OS.mkdir('tmp') OS.chdir('tmp') seq = int(conf['master-sequence']) - run('curl -s -o tripe-keys.tar.gz ${repos-url}') - run('curl -s -o tripe-keys.sig %s' % seqsubst('sig-url', seq)) + run('curl -sL -o tripe-keys.tar.gz ${repos-url}') + run('curl -sL -o tripe-keys.sig %s' % seqsubst('sig-url', seq)) run('tar xfz tripe-keys.tar.gz') ## Verify the signature want = C.bytes(rx_nonalpha.sub('', conf['hk-master'])) got = fingerprint('repos/master.pub', 'master-%d' % seq) - if want != got: raise VerifyError + if want != got: raise VerifyError() run('''catsign -krepos/master.pub verify -avC -kmaster-%d -t${sig-fresh} tripe-keys.sig tripe-keys.tar.gz''' % seq) @@ -580,6 +594,10 @@ def cmd_mtu(args): mtu -= mac_tagsz() # MAC tag mtu -= 4 # Sequence number + elif bulk == 'naclbox': + mtu -= 16 # MAC tag + mtu -= 4 # Sequence number + else: die("Unknown bulk transform `%s'" % bulk)
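Review bot: Adding `-L` makes curl follow redirects, but `-s` without `-f` still means an HTTP error body (a 404 page, or whatever a redirect lands on) is written to `tripe-keys.tar.gz` / `tripe-keys.sig` with exit status 0, and the failure only surfaces as an opaque `tar` or `catsign` error via the `SubprocessError` that `run` raises; use `run('curl -sSfL -o tripe-keys.tar.gz ${repos-url}')` (and the same flags on the signature fetch) so a failed download dies at the curl step with curl's own message. Pre-existing rather than introduced here, but more exposed now that redirects are honoured: `tar xfz tripe-keys.tar.gz` unpacks the whole archive before the `hk-master` fingerprint check and `catsign ... verify` have accepted it, so whoever can serve a different archive gets unverified content extracted under `tmp/`. The fingerprint check does anchor trust before the signature is believed, so the safer order is to extract only `repos/master.pub` first (`run('tar xfz tripe-keys.tar.gz repos/master.pub')`), verify, and run the full `tar xfz tripe-keys.tar.gz` only after `catsign` succeeds. `cmd_update` continues outside the hunk on both sides.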