server/, keys/: Add bulk crypto transform based on NaCl `crypto_secretbox'.
[tripe] / keys / tripe-keys.in
index 81d2ff707a38243fca6ff9b555579dbe62e5bcf5..62b62b6ec7aaa7b8e7691bf9302e0c01f3e0dbb6 100644 (file)
@@ -248,14 +248,17 @@ def conf_defaults():
                ('kx-expire', 'now + 1 year'),
                ('kx-warn-days', '28'),
                ('bulk', 'iiv'),
-               ('cipher', 'rijndael-cbc'),
+               ('cipher', lambda: conf['bulk'] == 'naclbox'
+                                    and 'salsa20' or 'rijndael-cbc'),
                ('hash', 'sha256'),
                ('master-keygen-flags', '-l'),
                ('master-attrs', ''),
                ('mgf', '${hash}-mgf'),
-               ('mac', lambda: '%s-hmac/%d' %
-                         (conf['hash'],
-                          C.gchashes[conf['hash']].hashsz * 4)),
+               ('mac', lambda: conf['bulk'] == 'naclbox'
+                                 and 'poly1305/128'
+                                 or '%s-hmac/%d' %
+                                      (conf['hash'],
+                                       C.gchashes[conf['hash']].hashsz * 4)),
                ('sig', lambda: {'dh': 'dsa', 'ec': 'ecdsa'}[conf['kx']]),
                ('sig-fresh', 'always'),
                ('sig-genalg', lambda: {'kcdsa': 'dh',
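Review bot: The new `cipher` and `mac` defaults use the `cond and a or b` idiom, which falls through to the `or` branch whenever the middle operand is falsy; it is correct here only because `'salsa20'` and `'poly1305/128'` are non-empty strings. If the Python version this script targets has conditional expressions, `('cipher', lambda: 'salsa20' if conf['bulk'] == 'naclbox' else 'rijndael-cbc'),` states the intent directly, and the same applies to `mac`. These entries appear to be defaults only, so an explicit `cipher` or `mac` setting next to `bulk = naclbox` would presumably still be taken as given, while the `naclbox` branch added in the `cmd_mtu` hunk subtracts a fixed 16 bytes instead of calling `mac_tagsz()` as the preceding branch does. A comment at both places, such as `# naclbox defaults to salsa20 with poly1305/128; its tag is 16 bytes`, would make that coupling visible, and a check that rejects a mismatched cipher/MAC pair is worth adding if none exists elsewhere in the file. `conf_defaults` starts and ends outside this hunk.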
@@ -580,6 +583,10 @@ def cmd_mtu(args):
     mtu -= mac_tagsz()                  # MAC tag
     mtu -= 4                            # Sequence number
 
+  elif bulk == 'naclbox':
+    mtu -= 16                           # MAC tag
+    mtu -= 4                            # Sequence number
+
   else:
     die("Unknown bulk transform `%s'" % bulk)