/*----- The AEAD transform ------------------------------------------------*
*
- * This transform uses a general authenticated encryption scheme (the
- * additional data isn't necessary). Good options include
- * `chacha20-poly1305' or `rijndael-ocb3'.
+ * This transform uses a general authenticated encryption scheme. Processing
+ * additional authenticated data isn't needed for encrypting messages, but it
+ * is required for challenge generation. Good options include `chacha20-
+ * poly1305' or `rijndael-ocb3'; alas, `salsa20-naclbox' isn't acceptable.
*
* To be acceptable, the scheme must accept at least a 40-bit nonce. (All of
- * Catacomb's current AEAD schemes are suitable.) The low 32 bits are the
- * sequence number. The type is written to the next 8--32 bytes: if the
- * nonce size is 64 bits or more (preferred, for compatibility reasons) then
- * the type is written as 32 bits, and the remaining space is padded with
- * zero bytes; otherwise, the type is right-aligned in the remaining space.
- * Both fields are big-endian.
+ * Catacomb's current AEAD schemes are suitable in this respect.) The low 32
+ * bits are the sequence number. The type is written to the next 8--32
+ * bytes: if the nonce size is 64 bits or more (preferred, for compatibility
+ * reasons) then the type is written as 32 bits, and the remaining space is
+ * padded with zero bytes; otherwise, the type is right-aligned in the
+ * remaining space. Both fields are big-endian.
*
* +--------+--+
* | seq |ty|
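Review bot: The rewritten comment still says the type is written to the next `8--32 bytes`, but the surrounding text only makes sense in bits: a 40-bit minimum nonce with the low 32 bits taken by the sequence number leaves 8 bits, and the preferred case writes the type as 32 bits. I would change it to `The type is written to the next 8--32 bits:`. It would also help to state why `salsa20-naclbox` is unacceptable. Presumably it cannot process additional authenticated data, which the new text says challenge generation requires, but the reader should not have to infer that. The nonce diagram continues past the visible lines.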
poly1305_ctx pm;
octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
- assert(SALSA20_NONCESZ <= sizeof(b));
+ STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
+
memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
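Review bot: The new compile-time check bounds `SALSA20_NONCESZ` from above only, yet the next statement uses `SALSA20_NONCESZ - 4` both as a `memset` length and as the offset for `STORE32`. That silently assumes the nonce is at least four bytes; a smaller value would wrap the length. Since the size assumptions are being moved to compile time anyway, I would add `STATIC_ASSERT(SALSA20_NONCESZ >= 4, "Nonce too small for sequence number");` next to the existing one. The same applies to the matching lines in the following hunk. The enclosing function starts and ends outside this hunk.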
poly1305_ctx pm;
octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
- assert(SALSA20_NONCESZ <= sizeof(b));
+ STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
+ STATIC_ASSERT(POLY1305_TAGSZ <= sizeof(b), "Need more space for tag");
+
memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
if (msz) poly1305_hash(&pm, m, msz);
- assert(POLY1305_TAGSZ <= sizeof(b)); poly1305_done(&pm, b);
+ poly1305_done(&pm, b);
return (ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1);
}
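Review bot: The function returns straight from `ct_memeq`, so `b` is left on the stack without being cleared. At that point `b` holds the expected tag and the remainder of the keystream block that the one-time Poly1305 key and mask were taken from, and `pk` and `pm` are derived from the same material. I would capture the result first, `rc = ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1;`, then clear `b`, `pk` and `pm` with the project's wiping primitive (one the compiler cannot elide) before `return (rc);`. The tagging function in the previous hunk derives the same material, but its end is not visible, so I cannot tell whether it already does this. The start of this function is also outside the hunk.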