server/admin.c: Publish `corked' and `mobile' flags in `peerinfo'.

[tripe] / server / bulkcrypto.c

/* -*-c-*-
 *
 * Bulk crypto transformations
 *
 * (c) 2014 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3 of the License, or (at your
 * option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Utilities ---------------------------------------------------------*/

#define SEQSZ 4                         /* Size of sequence number packet */

#define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, {                 \
  trace_block(T_CRYPTO, "crypto: initialization vector",                \
              (qiv), (ivsz));                                           \
}) } while (0)

#define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, {                   \
  trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz));       \
}) } while (0)

#define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, {              \
  trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz));       \
}) } while (0)

#define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, {           \
  trace(T_KEYSET, "keyset: incorrect MAC: decryption failed");          \
  trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz));       \
}) } while (0)

/*----- Common functionality for generic-composition transforms -----------*/

#define CHECK_MAC(h, pmac, tagsz) do {                                  \
  ghash *_h = (h);                                                      \
  const octet *_pmac = (pmac);                                          \
  size_t _tagsz = (tagsz);                                              \
  octet *_mac = GH_DONE(_h, 0);                                         \
  int _eq = ct_memeq(_mac, _pmac, _tagsz);                              \
  TRACE_MAC(_mac, _tagsz);                                              \
  GH_DESTROY(_h);                                                       \
  if (!_eq) {                                                           \
    TRACE_MACERR(_pmac, _tagsz);                                        \
    return (KSERR_DECRYPT);                                             \
  }                                                                     \
} while (0)

typedef struct gencomp_algs {
  const gccipher *c; size_t cksz;
  const gcmac *m; size_t mksz; size_t tagsz;
} gencomp_algs;

typedef struct gencomp_chal {
  bulkchal _b;
  gmac *m; size_t tagsz;
} gencomp_chal;

static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw,
                           dstr *e, key_file *kf, key *k)
{
  const char *p;
  char *q, *qq;
  unsigned long n;
  dstr d = DSTR_INIT;
  int rc = -1;

  /* --- Symmetric encryption --- */

  if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc";
  if ((a->c = gcipher_byname(p)) == 0) {
    a_format(e, "unknown-cipher", "%s", p, A_END);
    goto done;
  }

  /* --- Message authentication --- */

  if ((p = key_getattr(kf, k, "mac")) != 0) {
    dstr_reset(&d);
    dstr_puts(&d, p);
    if ((q = strrchr(d.buf, '/')) != 0)
      *q++ = 0;
    if ((a->m = gmac_byname(d.buf)) == 0) {
      a_format(e, "unknown-mac", "%s", d.buf, A_END);
      goto done;
    }
    if (!q)
      a->tagsz = a->m->hashsz;
    else {
      n = strtoul(q, &qq, 0);
      if (*qq)  {
        a_format(e, "bad-tag-length-string", "%s", q, A_END);
        goto done;
      }
      if (n%8 || n/8 > a->m->hashsz) {
        a_format(e, "bad-tag-length", "%lu", n, A_END);
        goto done;
      }
      a->tagsz = n/8;
    }
  } else {
    dstr_reset(&d);
    dstr_putf(&d, "%s-hmac", asw->h->name);
    if ((a->m = gmac_byname(d.buf)) == 0) {
      a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END);
      goto done;
    }
    a->tagsz = asw->h->hashsz/2;
  }

  rc = 0;
done:
  dstr_destroy(&d);
  return (rc);
}

#ifndef NTRACE
static void gencomp_tracealgs(const gencomp_algs *a)
{
  trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
  trace(T_CRYPTO, "crypto: mac = %s/%lu",
        a->m->name, (unsigned long)a->tagsz * 8);
}
#endif

static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e)
{
  /* --- Derive the key sizes --- *
   *
   * Must ensure that we have non-empty keys.  This isn't ideal, but it
   * provides a handy sanity check.  Also must be based on a 64- or 128-bit
   * block cipher or we can't do the data expiry properly.
   */

  if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
    a_format(e, "cipher", "%s", a->c->name,
             "no-key-size", "%lu", (unsigned long)asw->hashsz,
             A_END);
    return (-1);
  }
  if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) {
    a_format(e, "mac", "%s", a->m->name,
             "no-key-size", "%lu", (unsigned long)asw->hashsz,
             A_END);
    return (-1);
  }

  return (0);
}

static void gencomp_alginfo(const gencomp_algs *a, admin *adm)
{
  a_info(adm,
         "cipher=%s", a->c->name,
         "cipher-keysz=%lu", (unsigned long)a->cksz,
         "cipher-blksz=%lu", (unsigned long)a->c->blksz,
         A_END);
  a_info(adm,
         "mac=%s", a->m->name,
         "mac-keysz=%lu", (unsigned long)a->mksz,
         "mac-tagsz=%lu", (unsigned long)a->tagsz,
         A_END);
}

static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa)
{
  return (a->c == aa->c &&
          a->m == aa->m && a->tagsz == aa->tagsz);
}

static size_t gencomp_expsz(const gencomp_algs *a)
  { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); }

static bulkchal *gencomp_genchal(const gencomp_algs *a)
{
  gencomp_chal *gc = CREATE(gencomp_chal);

  rand_get(RAND_GLOBAL, buf_t, a->mksz);
  gc->m = GM_KEY(a->m, buf_t, a->mksz);
  gc->_b.tagsz = a->tagsz;
  IF_TRACING(T_CHAL, {
    trace(T_CHAL, "chal: generated new challenge key");
    trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz);
  })
  return (&gc->_b);
}

static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz, void *t)
{
  gencomp_chal *gc = (gencomp_chal *)bc;
  ghash *h = GM_INIT(gc->m);

  GH_HASH(h, m, msz);
  memcpy(t, GH_DONE(h, 0), bc->tagsz);
  GH_DESTROY(h);
  return (0);
}

static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz,
                           const void *t)
{
  gencomp_chal *gc = (gencomp_chal *)bc;
  ghash *h = GM_INIT(gc->m);
  int ok;

  GH_HASH(h, m, msz);
  ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz);
  GH_DESTROY(h);
  return (ok ? 0 : -1);
}

static void gencomp_freechal(bulkchal *bc)
  { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); }

/*----- The original transform --------------------------------------------*
 *
 * We generate a random initialization vector (if the cipher needs one).  We
 * encrypt the input message with the cipher, and format the type, sequence
 * number, IV, and ciphertext as follows.
 *
 *              +------+ +------+---...---+------...------+
 *              | type | | seq  |   iv    |   ciphertext  |
 *              +------+ +------+---...---+------...------+
 *                 32       32     blksz         sz
 *
 * All of this is fed into the MAC to compute a tag.  The type is not
 * transmitted: the other end knows what type of message it expects, and the
 * type is only here to prevent us from being confused because some other
 * kind of ciphertext has been substituted.  The tag is prepended to the
 * remainder, to yield the finished cryptogram, as follows.
 *
 *              +---...---+------+---...---+------...------+
 *              |   tag   | seq  |   iv    |   ciphertext  |
 *              +---...---+------+---...---+------...------+
 *                 tagsz     32     blksz         sz
 *
 * Decryption: checks the overall size, verifies the tag, then decrypts the
 * ciphertext and extracts the sequence number.
 */

typedef struct v0_algs {
  bulkalgs _b;
  gencomp_algs ga;
} v0_algs;

typedef struct v0_ctx {
  bulkctx _b;
  size_t tagsz;
  struct {
    gcipher *c;
    gmac *m;
  } d[NDIR];
} v0_ctx;

static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e,
                            key_file *kf, key *k)
{
  v0_algs *a = CREATE(v0_algs);
  if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); }
  return (&a->_b);
}

#ifndef NTRACE
static void v0_tracealgs(const bulkalgs *aa)
  { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); }
#endif

static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
{
  v0_algs *a = (v0_algs *)aa;
  if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
  return (0);
}

static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
{
  const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb;
  return (gencomp_samealgsp(&a->ga, &b->ga));
}

static void v0_alginfo(const bulkalgs *aa, admin *adm)
  { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); }

static size_t v0_overhead(const bulkalgs *aa)
{
  const v0_algs *a = (const v0_algs *)aa;
  return (a->ga.tagsz + SEQSZ + a->ga.c->blksz);
}

static size_t v0_expsz(const bulkalgs *aa)
  { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); }

static bulkctx *v0_genkeys(const bulkalgs *aa, const struct rawkey *rk)
{
  const v0_algs *a = (const v0_algs *)aa;
  v0_ctx *bc = CREATE(v0_ctx);
  octet k[MAXHASHSZ];
  int i;

  bc->tagsz = a->ga.tagsz;
  for (i = 0; i < NDIR; i++) {
    ks_derivekey(k, a->ga.cksz, rk, i, "encryption");
    bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
    ks_derivekey(k, a->ga.mksz, rk, i, "integrity");
    bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
  }
  return (&bc->_b);
}

static bulkchal *v0_genchal(const bulkalgs *aa)
{
  const v0_algs *a = (const v0_algs *)aa;
  return (gencomp_genchal(&a->ga));
}
#define v0_chaltag gencomp_chaltag
#define v0_chalvrf gencomp_chalvrf
#define v0_freechal gencomp_freechal

static void v0_freealgs(bulkalgs *aa)
  { v0_algs *a = (v0_algs *)aa; DESTROY(a); }

static void v0_freectx(bulkctx *bbc)
{
  v0_ctx *bc = (v0_ctx *)bbc;
  int i;

  for (i = 0; i < NDIR; i++) {
    GC_DESTROY(bc->d[i].c);
    GM_DESTROY(bc->d[i].m);
  }
  DESTROY(bc);
}

static int v0_encrypt(bulkctx *bbc, unsigned ty,
                      buf *b, buf *bb, uint32 seq)
{
  v0_ctx *bc = (v0_ctx *)bbc;
  ghash *h;
  gcipher *c = bc->d[DIR_OUT].c;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qiv, *qpk;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = bc->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
  BSTEP(bb, tagsz + SEQSZ + ivsz + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  STORE32(qseq, seq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    rand_get(RAND_GLOBAL, qiv, ivsz);
    GC_SETIV(c, qiv);
    TRACE_IV(qiv, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(bc->d[DIR_OUT].m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + ivsz + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int v0_decrypt(bulkctx *bbc, unsigned ty,
                      buf *b, buf *bb, uint32 *seq)
{
  v0_ctx *bc = (v0_ctx *)bbc;
  const octet *pmac, *piv, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = bc->d[DIR_IN].c;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = bc->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < ivsz + SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset"); )
    return (KSERR_MALFORMED);
  }
  sz = psz - ivsz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(bc->d[DIR_IN].m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + ivsz + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    TRACE_IV(piv, ivsz);
    GC_SETIV(c, piv);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- The implicit-IV transform -----------------------------------------*
 *
 * The v0 transform makes everything explicit.  There's an IV because the
 * cipher needs an IV; there's a sequence number because replay prevention
 * needs a sequence number.
 *
 * This new transform works rather differently.  We make use of a block
 * cipher to encrypt the sequence number, and use that as the IV.  We
 * transmit the sequence number in the clear, as before.  This reduces
 * overhead; and it's not a significant privacy leak because the adversary
 * can see the order in which the messages are transmitted -- i.e., the
 * sequence numbers are almost completely predictable anyway.
 *
 * So, a MAC is computed over
 *
 *              +------+ +------+------...------+
 *              | type | | seq  |   ciphertext  |
 *              +------+ +------+------...------+
 *                 32       32         sz
 *
 * and we actually transmit the following as the cryptogram.
 *
 *              +---...---+------+------...------+
 *              |   tag   | seq  |   ciphertext  |
 *              +---...---+------+------...------+
 *                 tagsz     32         sz
 */

typedef struct iiv_algs {
  bulkalgs _b;
  gencomp_algs ga;
  const gccipher *b; size_t bksz;
} iiv_algs;

typedef struct iiv_ctx {
  bulkctx _b;
  size_t tagsz;
  struct {
    gcipher *c, *b;
    gmac *m;
  } d[NDIR];
} iiv_ctx;


static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e,
                            key_file *kf, key *k)
{
  iiv_algs *a = CREATE(iiv_algs);
  dstr d = DSTR_INIT, dd = DSTR_INIT;
  const char *p;
  char *q;

  if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail;

  if ((p = key_getattr(kf, k, "blkc")) == 0) {
    dstr_puts(&dd, a->ga.c->name);
    if ((q = strrchr(dd.buf, '-')) != 0) *q = 0;
    p = dd.buf;
  }
  dstr_putf(&d, "%s-ecb", p);
  if ((a->b = gcipher_byname(d.buf)) == 0) {
    a_format(e, "unknown-blkc", "%s", p, A_END);
    goto fail;
  }

  dstr_destroy(&d); dstr_destroy(&dd);
  return (&a->_b);
fail:
  dstr_destroy(&d); dstr_destroy(&dd);
  DESTROY(a);
  return (0);
}

#ifndef NTRACE
static void iiv_tracealgs(const bulkalgs *aa)
{
  const iiv_algs *a = (const iiv_algs *)aa;

  gencomp_tracealgs(&a->ga);
  trace(T_CRYPTO, "crypto: blkc = %.*s", strlen(a->b->name) - 4, a->b->name);
}
#endif

static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
{
  iiv_algs *a = (iiv_algs *)aa;

  if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);

  if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) {
    a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
             "no-key-size", "%lu", (unsigned long)asw->hashsz,
             A_END);
    return (-1);
  }
  if (a->b->blksz < a->ga.c->blksz) {
    a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
             "blksz-insufficient", A_END);
    return (-1);
  }
  return (0);
}

static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
{
  const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb;
  return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b);
}

static void iiv_alginfo(const bulkalgs *aa, admin *adm)
{
  const iiv_algs *a = (const iiv_algs *)aa;
  gencomp_alginfo(&a->ga, adm);
  a_info(adm,
         "blkc=%.*s", strlen(a->b->name) - 4, a->b->name,
         "blkc-keysz=%lu", (unsigned long)a->bksz,
         "blkc-blksz=%lu", (unsigned long)a->b->blksz,
         A_END);
}

static size_t iiv_overhead(const bulkalgs *aa)
  { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); }

static size_t iiv_expsz(const bulkalgs *aa)
{
  const iiv_algs *a = (const iiv_algs *)aa;
  return (gencomp_expsz(&a->ga));
}

static bulkctx *iiv_genkeys(const bulkalgs *aa, const struct rawkey *rk)
{
  const iiv_algs *a = (const iiv_algs *)aa;
  iiv_ctx *bc = CREATE(iiv_ctx);
  octet k[MAXHASHSZ];
  int i;

  bc->tagsz = a->ga.tagsz;
  for (i = 0; i < NDIR; i++) {
    ks_derivekey(k, a->ga.cksz, rk, i, "encryption");
    bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
    ks_derivekey(k, a->bksz, rk, i, "blkc");
    bc->d[i].b = GC_INIT(a->b, k, a->bksz);
    ks_derivekey(k, a->ga.mksz, rk, i, "integrity");
    bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
  }
  return (&bc->_b);
}

static bulkchal *iiv_genchal(const bulkalgs *aa)
{
  const iiv_algs *a = (const iiv_algs *)aa;
  return (gencomp_genchal(&a->ga));
}
#define iiv_chaltag gencomp_chaltag
#define iiv_chalvrf gencomp_chalvrf
#define iiv_freechal gencomp_freechal

static void iiv_freealgs(bulkalgs *aa)
  { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); }

static void iiv_freectx(bulkctx *bbc)
{
  iiv_ctx *bc = (iiv_ctx *)bbc;
  int i;

  for (i = 0; i < NDIR; i++) {
    GC_DESTROY(bc->d[i].c);
    GC_DESTROY(bc->d[i].b);
    GM_DESTROY(bc->d[i].m);
  }
  DESTROY(bc);
}

#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, {            \
  trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
}) } while (0)

static int iiv_encrypt(bulkctx *bbc, unsigned ty,
                       buf *b, buf *bb, uint32 seq)
{
  iiv_ctx *bc = (iiv_ctx *)bbc;
  ghash *h;
  gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qpk;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = bc->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
  BSTEP(bb, tagsz + SEQSZ + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  STORE32(qseq, seq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(bc->d[DIR_OUT].m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int iiv_decrypt(bulkctx *bbc, unsigned ty,
                       buf *b, buf *bb, uint32 *seq)
{
  iiv_ctx *bc = (iiv_ctx *)bbc;
  const octet *pmac, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = bc->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset"); )
    return (KSERR_MALFORMED);
  }
  sz = psz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(bc->d[DIR_IN].m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- The NaCl box transform --------------------------------------------*
 *
 * This transform is very similar to the NaCl `crypto_secretbox' transform
 * described in Bernstein, `Cryptography in NaCl', with the difference that,
 * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
 * have no need of XSalsa20's extended nonce.  The default cipher is Salsa20.
 *
 * Salsa20 and ChaCha accept a 64-bit nonce.  The low 32 bits are the
 * sequence number, and the high 32 bits are the type, both big-endian.
 *
 *              +------+------+
 *              | seq  | type |
 *              +------+------+
 *                 32     32
 *
 * A stream is generated by concatenating the raw output blocks generated
 * with this nonce and successive counter values starting from zero.  The
 * first 32 bytes of the stream are used as a key for Poly1305: the first 16
 * bytes are the universal hash key r, and the second 16 bytes are the mask
 * value s.
 *
 *              +------+------+ +------...------+
 *              |  r   |  s   | |   keystream   |
 *              +------+------+ +------...------+
 *                128    128           sz
 *
 * The remainder of the stream is XORed with the incoming plaintext to form a
 * ciphertext with the same length.  The ciphertext (only) is then tagged
 * using Poly1305.  The tag, sequence number, and ciphertext are concatenated
 * in this order, and transmitted.
 *
 *
 *              +---...---+------+------...------+
 *              |   tag   | seq  |   ciphertext  |
 *              +---...---+------+------...------+
 *                  128     32          sz
 *
 * Note that there is no need to authenticate the type separately, since it
 * was used to select the cipher nonce, and hence the Poly1305 key.  The
 * Poly1305 tag length is fixed.
 */

typedef struct naclbox_algs {
  bulkalgs _b;
  const gccipher *c; size_t cksz;
} naclbox_algs;

typedef struct naclbox_ctx {
  bulkctx _b;
  struct { gcipher *c; } d[NDIR];
} naclbox_ctx;


static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e,
                                 key_file *kf, key *k)
{
  naclbox_algs *a = CREATE(naclbox_algs);
  const char *p;
  char *qq;
  unsigned long n;

  /* --- Collect the selected cipher and check that it's supported --- */

  p = key_getattr(kf, k, "cipher");
  if (!p || strcmp(p, "salsa20") == 0) a->c = &salsa20;
  else if (strcmp(p, "salsa20/12") == 0) a->c = &salsa2012;
  else if (strcmp(p, "salsa20/8") == 0) a->c = &salsa208;
  else if (strcmp(p, "chacha20") == 0) a->c = &chacha20;
  else if (strcmp(p, "chacha12") == 0) a->c = &chacha12;
  else if (strcmp(p, "chacha8") == 0) a->c = &chacha8;
  else {
    a_format(e, "unknown-cipher", "%s", p, A_END);
    goto fail;
  }

  /* --- Collect the selected MAC, and check the tag length --- */

  p = key_getattr(kf, k, "mac");
  if (!p)
    ;
  else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) {
    a_format(e, "unknown-mac", "%s", p, A_END);
    goto fail;
  } else if (p[8] == '/') {
    n = strtoul(p + 9, &qq, 0);
    if (*qq) {
      a_format(e, "bad-tag-length-string", "%s", p + 9, A_END);
      goto fail;
    }
    if (n != 128) {
      a_format(e, "bad-tag-length", "%lu", n, A_END);
      goto fail;
    }
  }

  return (&a->_b);
fail:
  DESTROY(a);
  return (0);
}

#ifndef NTRACE
static void naclbox_tracealgs(const bulkalgs *aa)
{
  const naclbox_algs *a = (const naclbox_algs *)aa;

  trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
  trace(T_CRYPTO, "crypto: mac = poly1305/128");
}
#endif

static int naclbox_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
{
  naclbox_algs *a = (naclbox_algs *)aa;

  if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
    a_format(e, "cipher", "%s", a->c->name,
             "no-key-size", "%lu", (unsigned long)asw->hashsz,
             A_END);
    return (-1);
  }
  return (0);
}

static int naclbox_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
{
  const naclbox_algs *a = (const naclbox_algs *)aa,
    *b = (const naclbox_algs *)bb;
  return (a->c == b->c);
}

static void naclbox_alginfo(const bulkalgs *aa, admin *adm)
{
  const naclbox_algs *a = (const naclbox_algs *)aa;
  a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END);
  a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END);
}

static size_t naclbox_overhead(const bulkalgs *aa)
  { return (POLY1305_TAGSZ + SEQSZ); }

static size_t naclbox_expsz(const bulkalgs *aa)
  { return (MEG(2048)); }

static bulkctx *naclbox_genkeys(const bulkalgs *aa, const struct rawkey *rk)
{
  const naclbox_algs *a = (const naclbox_algs *)aa;
  naclbox_ctx *bc = CREATE(naclbox_ctx);
  octet k[MAXHASHSZ];
  int i;

  for (i = 0; i < NDIR; i++) {
    ks_derivekey(k, a->cksz, rk, i, "encryption");
    bc->d[i].c = GC_INIT(a->c, k, a->cksz);
  }
  return (&bc->_b);
}

typedef struct naclbox_chal {
  bulkchal _b;
  gcipher *c;
} naclbox_chal;

static bulkchal *naclbox_genchal(const bulkalgs *aa)
{
  const naclbox_algs *a = (const naclbox_algs *)aa;
  naclbox_chal *c = CREATE(naclbox_chal);
  rand_get(RAND_GLOBAL, buf_t, a->cksz);
  c->c = GC_INIT(a->c, buf_t, a->cksz);
  IF_TRACING(T_CHAL, {
    trace(T_CHAL, "chal: generated new challenge key");
    trace_block(T_CRYPTO, "chal: new key", buf_t, a->cksz);
  })
  c->_b.tagsz = 16;
  return (&c->_b);
}

static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz, void *t)
{
  naclbox_chal *c = (naclbox_chal *)bc;
  octet b0[SALSA20_NONCESZ];
  assert(msz <= sizeof(b0));
  memcpy(b0, m, msz); memset(b0 + msz, 0, sizeof(b0) - msz);
  GC_SETIV(c->c, b0);
  GC_ENCRYPT(c->c, 0, t, c->_b.tagsz);
  return (0);
}

static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz,
                           const void *t)
{
  naclbox_chal *c = (naclbox_chal *)bc;
  octet b0[SALSA20_NONCESZ], b1[16];
  assert(msz <= sizeof(b0)); assert(c->_b.tagsz <= sizeof(b1));
  memcpy(b0, m, msz); memset(b0 + msz, 0, sizeof(b0) - msz);
  GC_SETIV(c->c, b0);
  GC_ENCRYPT(c->c, 0, b1, c->_b.tagsz);
  return (ct_memeq(t, b1, c->_b.tagsz) ? 0 : -1);
}

static void naclbox_freechal(bulkchal *bc)
  { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); }

static void naclbox_freealgs(bulkalgs *aa)
  { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); }

static void naclbox_freectx(bulkctx *bbc)
{
  naclbox_ctx *bc = (naclbox_ctx *)bbc;
  int i;

  for (i = 0; i < NDIR; i++) GC_DESTROY(bc->d[i].c);
  DESTROY(bc);
}

static int naclbox_encrypt(bulkctx *bbc, unsigned ty,
                           buf *b, buf *bb, uint32 seq)
{
  naclbox_ctx *bc = (naclbox_ctx *)bbc;
  gcipher *c = bc->d[DIR_OUT].c;
  poly1305_key polyk;
  poly1305_ctx poly;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qpk;

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, POLY1305_TAGSZ + SEQSZ + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + POLY1305_TAGSZ; qpk = qseq + SEQSZ;
  BSTEP(bb, POLY1305_TAGSZ + SEQSZ + sz);

  /* --- Construct and set the nonce --- */

  STORE32(qseq, seq);
  memcpy(buf_u, qseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
  GC_SETIV(c, buf_u);
  TRACE_IV(buf_u, SALSA20_NONCESZ);

  /* --- Determine the MAC key --- */

  GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
  poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
  poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);

  /* --- Encrypt the message --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute the MAC --- */

  poly1305_hash(&poly, qpk, sz);
  poly1305_done(&poly, qmac);
  TRACE_MAC(qmac, POLY1305_TAGSZ);

  /* --- We're done --- */

  return (0);
}

static int naclbox_decrypt(bulkctx *bbc, unsigned ty,
                       buf *b, buf *bb, uint32 *seq)
{
  naclbox_ctx *bc = (naclbox_ctx *)bbc;
  gcipher *c = bc->d[DIR_IN].c;
  poly1305_key polyk;
  poly1305_ctx poly;
  const octet *pmac, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);

  /* --- Break up the packet into its components --- */

  if (psz < SEQSZ + POLY1305_TAGSZ) {
    T( trace(T_KEYSET, "keyset: block too small for keyset"); )
    return (KSERR_MALFORMED);
  }
  sz = psz - SEQSZ - POLY1305_TAGSZ;
  pmac = BCUR(b); pseq = pmac + POLY1305_TAGSZ; ppk = pseq + SEQSZ;

  /* --- Construct and set the nonce --- */

  memcpy(buf_u, pseq, SEQSZ); STORE32(buf_u + SEQSZ, ty);
  GC_SETIV(c, buf_u);
  TRACE_IV(buf_u, SALSA20_NONCESZ);

  /* --- Determine the MAC key --- */

  GC_ENCRYPT(c, 0, buf_u, POLY1305_KEYSZ + POLY1305_MASKSZ);
  poly1305_keyinit(&polyk, buf_u, POLY1305_KEYSZ);
  poly1305_macinit(&poly, &polyk, buf_u + POLY1305_KEYSZ);

  /* --- Verify the MAC on the packet --- */

  poly1305_hash(&poly, ppk, sz);
  poly1305_done(&poly, buf_u);
  if (!ct_memeq(buf_u, pmac, POLY1305_TAGSZ)) {
    TRACE_MACERR(pmac, POLY1305_TAGSZ);
    return (KSERR_DECRYPT);
  }

  /* --- Decrypt the packet --- */

  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- Bulk crypto transform table ---------------------------------------*/

const bulkops bulktab[] = {

#define COMMA ,

#define BULK(name, pre)                                                 \
  { name, pre##_getalgs, T( pre##_tracealgs COMMA )                     \
    pre##_checkalgs, pre##_samealgsp,                                   \
    pre##_alginfo, pre##_overhead, pre##_expsz,                         \
    pre##_genkeys, pre##_genchal, pre##_freealgs,                       \
    pre##_encrypt, pre##_decrypt, pre##_freectx,                        \
    pre##_chaltag, pre##_chalvrf, pre##_freechal }

  BULK("v0", v0),
  BULK("iiv", iiv),
  BULK("naclbox", naclbox),

#undef BULK
  { 0 }
};

/*----- That's all, folks -------------------------------------------------*/