'ec': 'ec-param'}[conf['kx']]),
('kx-param', lambda: {'dh': '-LS -b3072 -B256',
'ec': '-Cnist-p256'}[conf['kx']]),
- ('kx-attrs', ''),
+ ('kx-attrs', 'serialization=constlen'),
('kx-expire', 'now + 1 year'),
('kx-warn-days', '28'),
- ('cipher', 'rijndael-cbc'),
+ ('bulk', 'iiv'),
+ ('cipher', lambda: conf['bulk'] == 'naclbox'
+ and 'salsa20' or 'rijndael-cbc'),
('hash', 'sha256'),
('master-keygen-flags', '-l'),
('master-attrs', ''),
('mgf', '${hash}-mgf'),
- ('mac', lambda: '%s-hmac/%d' %
- (conf['hash'],
- C.gchashes[conf['hash']].hashsz * 4)),
+ ('mac', lambda: conf['bulk'] == 'naclbox'
+ and 'poly1305/128'
+ or '%s-hmac/%d' %
+ (conf['hash'],
+ C.gchashes[conf['hash']].hashsz * 4)),
('sig', lambda: {'dh': 'dsa', 'ec': 'ecdsa'}[conf['kx']]),
('sig-fresh', 'always'),
('sig-genalg', lambda: {'kcdsa': 'dh',
'rsapkcs1': 'rsa',
'rsapss': 'rsa',
'ecdsa': 'ec',
- 'eckcdsa': 'ec'}[conf['sig']]),
+ 'eckcdsa': 'ec',
+ 'ed25519': 'ed25519',
+ 'ed448': 'ed448'}[conf['sig']]),
('sig-param', lambda: {'dh': '-LS -b3072 -B256',
'dsa': '-b3072 -B256',
'ec': '-Cnist-p256',
- 'rsa': '-b3072'}[conf['sig-genalg']]),
+ 'rsa': '-b3072',
+ 'ed25519': '',
+ 'ed448': ''}[conf['sig-genalg']]),
('sig-hash', '${hash}'),
('sig-expire', 'forever'),
('fingerprint-hash', '${hash}')]:
-a${kx-param-genalg} !${kx-param}
-eforever -tparam tripe-param
kx-group=${kx} mgf=${mgf} mac=${mac}
- cipher=${cipher} hash=${hash} ${kx-attrs}''')
+ bulk=${bulk} cipher=${cipher} hash=${hash} ${kx-attrs}''')
cmd_newmaster(args)
###--------------------------------------------------------------------------
###--------------------------------------------------------------------------
### Commands: mtu
+def mac_tagsz():
+ macname = conf['mac']
+ index = macname.rindex('/')
+ if index == -1: tagsz = C.gcmacs[macname].tagsz
+ else: tagsz = int(macname[index + 1:])/8
+ return tagsz
+
def cmd_mtu(args):
mtu, = (lambda mtu = '1500': (mtu,))(*args)
mtu = int(mtu)
- blksz = C.gcciphers[conf['cipher']].blksz
-
- index = conf['mac'].find('/')
- if index == -1:
- tagsz = C.gcmacs[conf['mac']].tagsz
- else:
- tagsz = int(conf['mac'][index + 1:])/8
-
mtu -= 20 # Minimum IP header
mtu -= 8 # UDP header
mtu -= 1 # TrIPE packet type octet
- mtu -= tagsz # MAC tag
- mtu -= 4 # Sequence number
- mtu -= blksz # Initialization vector
+
+ bulk = conf['bulk']
+
+ if bulk == 'v0':
+ blksz = C.gcciphers[conf['cipher']].blksz
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+ mtu -= blksz # Initialization vector
+
+ elif bulk == 'iiv':
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+
+ elif bulk == 'naclbox':
+ mtu -= 16 # MAC tag
+ mtu -= 4 # Sequence number
+
+ else:
+ die("Unknown bulk transform `%s'" % bulk)
print mtu