X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/a93aacce200e0d68b614d8bfb05d9cbeba850b12..HEAD:/server/bulkcrypto.c diff --git a/server/bulkcrypto.c b/server/bulkcrypto.c index faaf8d71..4c6be323 100644 --- a/server/bulkcrypto.c +++ b/server/bulkcrypto.c @@ -9,19 +9,18 @@ * * This file is part of Trivial IP Encryption (TrIPE). * - * TrIPE is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * TrIPE is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 3 of the License, or (at your + * option) any later version. * - * TrIPE is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * TrIPE is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. * * You should have received a copy of the GNU General Public License - * along with TrIPE; if not, write to the Free Software Foundation, - * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * along with TrIPE. If not, see . */ /*----- Header files ------------------------------------------------------*/ @@ -45,6 +44,60 @@ trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \ }) } while (0) +#define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \ + trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \ + trace_block(T_CRYPTO, "crypto: provided MAC", (pmac), (tagsz)); \ +}) } while (0) + +/* --- @derivekey@ --- * + * + * Arguments: @octet *k@ = pointer to an output buffer of at least + * @MAXHASHSZ@ bytes + * @size_t ksz@ = actual size wanted (for tracing) + * @const deriveargs@ = derivation parameters, as passed into + * @genkeys@ + * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@) + * @const char *what@ = label for the key (input to derivation) + * + * Returns: --- + * + * Use: Derives a session key, for use on incoming or outgoing data. + */ + +static void derivekey(octet *k, size_t ksz, const deriveargs *a, + int dir, const char *what) +{ + const gchash *hc = a->hc; + ghash *h; + + assert(ksz <= hc->hashsz); + assert(hc->hashsz <= MAXHASHSZ); + h = GH_INIT(hc); + GH_HASH(h, a->what, strlen(a->what)); GH_HASH(h, what, strlen(what) + 1); + switch (dir) { + case DIR_IN: + if (a->x) GH_HASH(h, a->k, a->x); + if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x); + break; + case DIR_OUT: + if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x); + if (a->x) GH_HASH(h, a->k, a->x); + break; + default: + abort(); + } + GH_HASH(h, a->k + a->y, a->z - a->y); + GH_DONE(h, k); + GH_DESTROY(h); + IF_TRACING(T_KEYSET, { IF_TRACING(T_CRYPTO, { + char _buf[32]; + sprintf(_buf, "crypto: %s key %s", dir ? "outgoing" : "incoming", what); + trace_block(T_CRYPTO, _buf, k, ksz); + }) }) +} + +/*----- Common functionality for generic-composition transforms -----------*/ + #define CHECK_MAC(h, pmac, tagsz) do { \ ghash *_h = (h); \ const octet *_pmac = (pmac); \ @@ -54,24 +107,188 @@ TRACE_MAC(_mac, _tagsz); \ GH_DESTROY(_h); \ if (!_eq) { \ - IF_TRACING(T_KEYSET, { \ - trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \ - trace_block(T_CRYPTO, "crypto: expected MAC", _pmac, _tagsz); \ - }) \ + TRACE_MACERR(_pmac, _tagsz); \ return (KSERR_DECRYPT); \ } \ } while (0) +typedef struct gencomp_algs { + const gccipher *c; size_t cksz; + const gcmac *m; size_t mksz; size_t tagsz; +} gencomp_algs; + +typedef struct gencomp_chal { + bulkchal _b; + gmac *m; +} gencomp_chal; + +static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw, + dstr *e, key_file *kf, key *k) +{ + const char *p; + char *q, *qq; + unsigned long n; + dstr d = DSTR_INIT; + int rc = -1; + + /* --- Symmetric encryption --- */ + + if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc"; + if ((a->c = gcipher_byname(p)) == 0) { + a_format(e, "unknown-cipher", "%s", p, A_END); + goto done; + } + + /* --- Message authentication --- */ + + if ((p = key_getattr(kf, k, "mac")) != 0) { + dstr_reset(&d); + dstr_puts(&d, p); + if ((q = strrchr(d.buf, '/')) != 0) + *q++ = 0; + if ((a->m = gmac_byname(d.buf)) == 0) { + a_format(e, "unknown-mac", "%s", d.buf, A_END); + goto done; + } + if (!q) + a->tagsz = a->m->hashsz; + else { + n = strtoul(q, &qq, 0); + if (*qq) { + a_format(e, "bad-tag-length-string", "%s", q, A_END); + goto done; + } + if (n%8 || n/8 > a->m->hashsz) { + a_format(e, "bad-tag-length", "%lu", n, A_END); + goto done; + } + a->tagsz = n/8; + } + } else { + dstr_reset(&d); + dstr_putf(&d, "%s-hmac", asw->h->name); + if ((a->m = gmac_byname(d.buf)) == 0) { + a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END); + goto done; + } + a->tagsz = asw->h->hashsz/2; + } + + rc = 0; +done: + dstr_destroy(&d); + return (rc); +} + +#ifndef NTRACE +static void gencomp_tracealgs(const gencomp_algs *a) +{ + trace(T_CRYPTO, "crypto: cipher = %s", a->c->name); + trace(T_CRYPTO, "crypto: mac = %s/%lu", + a->m->name, (unsigned long)a->tagsz * 8); +} +#endif + +static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e) +{ + /* --- Derive the key sizes --- * + * + * Must ensure that we have non-empty keys. This isn't ideal, but it + * provides a handy sanity check. Also must be based on a 64- or 128-bit + * block cipher or we can't do the data expiry properly. + */ + + if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) { + a_format(e, "cipher", "%s", a->c->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) { + a_format(e, "mac", "%s", a->m->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + + return (0); +} + +static void gencomp_alginfo(const gencomp_algs *a, admin *adm) +{ + a_info(adm, + "cipher=%s", a->c->name, + "cipher-keysz=%lu", (unsigned long)a->cksz, + "cipher-blksz=%lu", (unsigned long)a->c->blksz, + A_END); + a_info(adm, + "mac=%s", a->m->name, + "mac-keysz=%lu", (unsigned long)a->mksz, + "mac-tagsz=%lu", (unsigned long)a->tagsz, + A_END); +} + +static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa) +{ + return (a->c == aa->c && + a->m == aa->m && a->tagsz == aa->tagsz); +} + +static size_t gencomp_expsz(const gencomp_algs *a) + { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); } + +static bulkchal *gencomp_genchal(const gencomp_algs *a) +{ + gencomp_chal *gc = CREATE(gencomp_chal); + + rand_get(RAND_GLOBAL, buf_t, a->mksz); + gc->m = GM_KEY(a->m, buf_t, a->mksz); + gc->_b.tagsz = a->tagsz; + IF_TRACING(T_CHAL, { + trace(T_CHAL, "chal: generated new challenge key"); + trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz); + }) + return (&gc->_b); +} + +static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz, + uint32 seq, void *t) +{ + gencomp_chal *gc = (gencomp_chal *)bc; + ghash *h = GM_INIT(gc->m); + + GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz); + memcpy(t, GH_DONE(h, 0), bc->tagsz); + GH_DESTROY(h); + return (0); +} + +static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz, + uint32 seq, const void *t) +{ + gencomp_chal *gc = (gencomp_chal *)bc; + ghash *h = GM_INIT(gc->m); + int ok; + + GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz); + ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz); + GH_DESTROY(h); + return (ok ? 0 : -1); +} + +static void gencomp_freechal(bulkchal *bc) + { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); } + /*----- The original transform --------------------------------------------* * * We generate a random initialization vector (if the cipher needs one). We * encrypt the input message with the cipher, and format the type, sequence * number, IV, and ciphertext as follows. * - * +------+ +------+---...---+------...------+ - * | type | | seq | iv | ciphertext | - * +------+ +------+---...---+------...------+ - * 32 32 blksz sz + * +--------+ +--------+---...---+------...------+ + * | type | | seq | iv | ciphertext | + * +--------+ +--------+---...---+------...------+ + * 32 32 blksz sz * * All of this is fed into the MAC to compute a tag. The type is not * transmitted: the other end knows what type of message it expects, and the @@ -79,33 +296,125 @@ * kind of ciphertext has been substituted. The tag is prepended to the * remainder, to yield the finished cryptogram, as follows. * - * +---...---+------+---...---+------...------+ - * | tag | seq | iv | ciphertext | - * +---...---+------+---...---+------...------+ - * tagsz 32 blksz sz + * +---...---+--------+---...---+------...------+ + * | tag | seq | iv | ciphertext | + * +---...---+--------+---...---+------...------+ + * tagsz 32 blksz sz * * Decryption: checks the overall size, verifies the tag, then decrypts the * ciphertext and extracts the sequence number. */ -static int v0_check(const algswitch *a, dstr *e) - { return (0); } +typedef struct v0_algs { + bulkalgs _b; + gencomp_algs ga; +} v0_algs; + +typedef struct v0_ctx { + bulkctx _b; + size_t tagsz; + struct { + gcipher *c; + gmac *m; + } d[NDIR]; +} v0_ctx; + +static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + v0_algs *a = CREATE(v0_algs); + if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); } + return (&a->_b); +} + +#ifndef NTRACE +static void v0_tracealgs(const bulkalgs *aa) + { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); } +#endif + +static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e) +{ + v0_algs *a = (v0_algs *)aa; + if (gencomp_checkalgs(&a->ga, asw, e)) return (-1); + return (0); +} + +static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb) +{ + const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb; + return (gencomp_samealgsp(&a->ga, &b->ga)); +} + +static void v0_alginfo(const bulkalgs *aa, admin *adm) + { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); } -static size_t v0_overhead(const algswitch *a) - { return a->tagsz + SEQSZ + a->c->blksz; } +static size_t v0_overhead(const bulkalgs *aa) +{ + const v0_algs *a = (const v0_algs *)aa; + return (a->ga.tagsz + SEQSZ + a->ga.c->blksz); +} + +static size_t v0_expsz(const bulkalgs *aa) + { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); } + +static bulkctx *v0_genkeys(const bulkalgs *aa, const deriveargs *da) +{ + const v0_algs *a = (const v0_algs *)aa; + v0_ctx *bc = CREATE(v0_ctx); + octet k[MAXHASHSZ]; + int i; + + bc->tagsz = a->ga.tagsz; + for (i = 0; i < NDIR; i++) { + if (!(da->f&(1 << i))) { bc->d[i].c = 0; bc->d[i].m = 0; continue; } + derivekey(k, a->ga.cksz, da, i, "encryption"); + bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz); + derivekey(k, a->ga.mksz, da, i, "integrity"); + bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz); + } + return (&bc->_b); +} + +static bulkchal *v0_genchal(const bulkalgs *aa) +{ + const v0_algs *a = (const v0_algs *)aa; + return (gencomp_genchal(&a->ga)); +} +#define v0_chaltag gencomp_chaltag +#define v0_chalvrf gencomp_chalvrf +#define v0_freechal gencomp_freechal + +static void v0_freealgs(bulkalgs *aa) + { v0_algs *a = (v0_algs *)aa; DESTROY(a); } -static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +static void v0_freectx(bulkctx *bbc) { + v0_ctx *bc = (v0_ctx *)bbc; + int i; + + for (i = 0; i < NDIR; i++) { + if (bc->d[i].c) GC_DESTROY(bc->d[i].c); + if (bc->d[i].m) GM_DESTROY(bc->d[i].m); + } + DESTROY(bc); +} + +static int v0_encrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 seq) +{ + v0_ctx *bc = (v0_ctx *)bbc; ghash *h; - gcipher *c = ks->out.c; + gcipher *c = bc->d[DIR_OUT].c; const octet *p = BCUR(b); size_t sz = BLEFT(b); octet *qmac, *qseq, *qiv, *qpk; - uint32 oseq; - size_t ivsz = GC_CLASS(c)->blksz; - size_t tagsz = ks->tagsz; + size_t ivsz; + size_t tagsz = bc->tagsz; octet t[4]; + assert(c); + ivsz = GC_CLASS(c)->blksz; + /* --- Determine the ciphertext layout --- */ if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0); @@ -121,8 +430,7 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Store the sequence number --- */ - oseq = ks->oseq++; - STORE32(qseq, oseq); + STORE32(qseq, seq); /* --- Establish an initialization vector if necessary --- */ @@ -140,7 +448,7 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */ if (tagsz) { - h = GM_INIT(ks->out.m); + h = GM_INIT(bc->d[DIR_OUT].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, qseq, SEQSZ + ivsz + sz); memcpy(qmac, GH_DONE(h, 0), tagsz); @@ -153,22 +461,27 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) return (0); } -static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) +static int v0_decrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 *seq) { + v0_ctx *bc = (v0_ctx *)bbc; const octet *pmac, *piv, *pseq, *ppk; size_t psz = BLEFT(b); size_t sz; octet *q = BCUR(bb); ghash *h; - gcipher *c = ks->in.c; - size_t ivsz = GC_CLASS(c)->blksz; - size_t tagsz = ks->tagsz; + gcipher *c = bc->d[DIR_IN].c; + size_t ivsz; + size_t tagsz = bc->tagsz; octet t[4]; + assert(c); + ivsz = GC_CLASS(c)->blksz; + /* --- Break up the packet into its components --- */ if (psz < ivsz + SEQSZ + tagsz) { - T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); ) + T( trace(T_KEYSET, "keyset: block too small for keyset"); ) return (KSERR_MALFORMED); } sz = psz - ivsz - SEQSZ - tagsz; @@ -178,7 +491,7 @@ static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) /* --- Verify the MAC on the packet --- */ if (tagsz) { - h = GM_INIT(ks->in.m); + h = GM_INIT(bc->d[DIR_IN].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, pseq, SEQSZ + ivsz + sz); CHECK_MAC(h, pmac, tagsz); @@ -199,14 +512,874 @@ static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) return (0); } +/*----- The implicit-IV transform -----------------------------------------* + * + * The v0 transform makes everything explicit. There's an IV because the + * cipher needs an IV; there's a sequence number because replay prevention + * needs a sequence number. + * + * This new transform works rather differently. We make use of a block + * cipher to encrypt the sequence number, and use that as the IV. We + * transmit the sequence number in the clear, as before. This reduces + * overhead; and it's not a significant privacy leak because the adversary + * can see the order in which the messages are transmitted -- i.e., the + * sequence numbers are almost completely predictable anyway. + * + * So, a MAC is computed over + * + * +--------+ +--------+------...------+ + * | type | | seq | ciphertext | + * +--------+ +--------+------...------+ + * 32 32 sz + * + * and we actually transmit the following as the cryptogram. + * + * +---...---+------+------...------+ + * | tag | seq | ciphertext | + * +---...---+------+------...------+ + * tagsz 32 sz + */ + +typedef struct iiv_algs { + bulkalgs _b; + gencomp_algs ga; + const gccipher *b; size_t bksz; +} iiv_algs; + +typedef struct iiv_ctx { + bulkctx _b; + size_t tagsz; + struct { + gcipher *c, *b; + gmac *m; + } d[NDIR]; +} iiv_ctx; + + +static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + iiv_algs *a = CREATE(iiv_algs); + dstr d = DSTR_INIT, dd = DSTR_INIT; + const char *p; + char *q; + + if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail; + + if ((p = key_getattr(kf, k, "blkc")) == 0) { + dstr_puts(&dd, a->ga.c->name); + if ((q = strrchr(dd.buf, '-')) != 0) *q = 0; + p = dd.buf; + } + dstr_putf(&d, "%s-ecb", p); + if ((a->b = gcipher_byname(d.buf)) == 0) { + a_format(e, "unknown-blkc", "%s", p, A_END); + goto fail; + } + + dstr_destroy(&d); dstr_destroy(&dd); + return (&a->_b); +fail: + dstr_destroy(&d); dstr_destroy(&dd); + DESTROY(a); + return (0); +} + +#ifndef NTRACE +static void iiv_tracealgs(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + + gencomp_tracealgs(&a->ga); + trace(T_CRYPTO, + "crypto: blkc = %.*s", (int)strlen(a->b->name) - 4, a->b->name); +} +#endif + +static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e) +{ + iiv_algs *a = (iiv_algs *)aa; + + if (gencomp_checkalgs(&a->ga, asw, e)) return (-1); + + if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) { + a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + if (a->b->blksz < a->ga.c->blksz) { + a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name, + "blksz-insufficient", A_END); + return (-1); + } + return (0); +} + +static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb) +{ + const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb; + return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b); +} + +static void iiv_alginfo(const bulkalgs *aa, admin *adm) +{ + const iiv_algs *a = (const iiv_algs *)aa; + gencomp_alginfo(&a->ga, adm); + a_info(adm, + "blkc=%.*s", strlen(a->b->name) - 4, a->b->name, + "blkc-keysz=%lu", (unsigned long)a->bksz, + "blkc-blksz=%lu", (unsigned long)a->b->blksz, + A_END); +} + +static size_t iiv_overhead(const bulkalgs *aa) + { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); } + +static size_t iiv_expsz(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + return (gencomp_expsz(&a->ga)); +} + +static bulkctx *iiv_genkeys(const bulkalgs *aa, const deriveargs *da) +{ + const iiv_algs *a = (const iiv_algs *)aa; + iiv_ctx *bc = CREATE(iiv_ctx); + octet k[MAXHASHSZ]; + int i; + + bc->tagsz = a->ga.tagsz; + for (i = 0; i < NDIR; i++) { + if (!(da->f&(1 << i))) + { bc->d[i].c = 0; bc->d[i].b = 0; bc->d[i].m = 0; continue; } + derivekey(k, a->ga.cksz, da, i, "encryption"); + bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz); + derivekey(k, a->bksz, da, i, "blkc"); + bc->d[i].b = GC_INIT(a->b, k, a->bksz); + derivekey(k, a->ga.mksz, da, i, "integrity"); + bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz); + } + return (&bc->_b); +} + +static bulkchal *iiv_genchal(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + return (gencomp_genchal(&a->ga)); +} +#define iiv_chaltag gencomp_chaltag +#define iiv_chalvrf gencomp_chalvrf +#define iiv_freechal gencomp_freechal + +static void iiv_freealgs(bulkalgs *aa) + { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); } + +static void iiv_freectx(bulkctx *bbc) +{ + iiv_ctx *bc = (iiv_ctx *)bbc; + int i; + + for (i = 0; i < NDIR; i++) { + if (bc->d[i].c) GC_DESTROY(bc->d[i].c); + if (bc->d[i].b) GC_DESTROY(bc->d[i].b); + if (bc->d[i].m) GM_DESTROY(bc->d[i].m); + } + DESTROY(bc); +} + +#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \ + trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \ +}) } while (0) + +static int iiv_encrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 seq) +{ + iiv_ctx *bc = (iiv_ctx *)bbc; + ghash *h; + gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b; + const octet *p = BCUR(b); + size_t sz = BLEFT(b); + octet *qmac, *qseq, *qpk; + size_t ivsz, blkcsz; + size_t tagsz = bc->tagsz; + octet t[4]; + + assert(c); assert(blkc); + ivsz = GC_CLASS(c)->blksz; + blkcsz = GC_CLASS(blkc)->blksz; + + /* --- Determine the ciphertext layout --- */ + + if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0); + qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ; + BSTEP(bb, tagsz + SEQSZ + sz); + + /* --- Store the type --- * + * + * This isn't transmitted, but it's covered by the MAC. + */ + + STORE32(t, ty); + + /* --- Store the sequence number --- */ + + STORE32(qseq, seq); + + /* --- Establish an initialization vector if necessary --- */ + + if (ivsz) { + memset(buf_u, 0, blkcsz - SEQSZ); + memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ); + TRACE_PRESEQ(buf_u, ivsz); + GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz); + GC_SETIV(c, buf_u); + TRACE_IV(buf_u, ivsz); + } + + /* --- Encrypt the packet --- */ + + GC_ENCRYPT(c, p, qpk, sz); + TRACE_CT(qpk, sz); + + /* --- Compute a MAC over type, sequence number, and ciphertext --- */ + + if (tagsz) { + h = GM_INIT(bc->d[DIR_OUT].m); + GH_HASH(h, t, sizeof(t)); + GH_HASH(h, qseq, SEQSZ + sz); + memcpy(qmac, GH_DONE(h, 0), tagsz); + GH_DESTROY(h); + TRACE_MAC(qmac, tagsz); + } + + /* --- We're done --- */ + + return (0); +} + +static int iiv_decrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 *seq) +{ + iiv_ctx *bc = (iiv_ctx *)bbc; + const octet *pmac, *pseq, *ppk; + size_t psz = BLEFT(b); + size_t sz; + octet *q = BCUR(bb); + ghash *h; + gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b; + size_t ivsz, blkcsz; + size_t tagsz = bc->tagsz; + octet t[4]; + + assert(c); assert(blkc); + ivsz = GC_CLASS(c)->blksz; + blkcsz = GC_CLASS(blkc)->blksz; + + /* --- Break up the packet into its components --- */ + + if (psz < SEQSZ + tagsz) { + T( trace(T_KEYSET, "keyset: block too small for keyset"); ) + return (KSERR_MALFORMED); + } + sz = psz - SEQSZ - tagsz; + pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ; + STORE32(t, ty); + + /* --- Verify the MAC on the packet --- */ + + if (tagsz) { + h = GM_INIT(bc->d[DIR_IN].m); + GH_HASH(h, t, sizeof(t)); + GH_HASH(h, pseq, SEQSZ + sz); + CHECK_MAC(h, pmac, tagsz); + } + + /* --- Decrypt the packet --- */ + + if (ivsz) { + memset(buf_u, 0, blkcsz - SEQSZ); + memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ); + TRACE_PRESEQ(buf_u, ivsz); + GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz); + GC_SETIV(c, buf_u); + TRACE_IV(buf_u, ivsz); + } + GC_DECRYPT(c, ppk, q, sz); + + /* --- Finished --- */ + + *seq = LOAD32(pseq); + BSTEP(bb, sz); + return (0); +} + +/*----- The AEAD transform ------------------------------------------------* + * + * This transform uses a general authenticated encryption scheme (the + * additional data isn't necessary). Good options include + * `chacha20-poly1305' or `rijndael-ocb3'. + * + * To be acceptable, the scheme must accept at least a 40-bit nonce. (All of + * Catacomb's current AEAD schemes are suitable.) The low 32 bits are the + * sequence number. The type is written to the next 8--32 bytes: if the + * nonce size is 64 bits or more (preferred, for compatibility reasons) then + * the type is written as 32 bits, and the remaining space is padded with + * zero bytes; otherwise, the type is right-aligned in the remaining space. + * Both fields are big-endian. + * + * +--------+--+ + * | seq |ty| + * +--------+--+ + * 32 8 + * + * +--------+----+ + * | seq | ty | + * +--------+----+ + * 32 16 + * + * +--------+------+ + * | seq | type | + * +--------+------+ + * 32 24 + * + * +--------+--------+---...---+ + * | seq | type | 0 | + * +--------+--------+---...---+ + * 32 32 nsz - 64 + * + * The ciphertext is formatted as + * + * +---...---+--------+------...------+ + * | tag | seq | ciphertext | + * +---...---+--------+------...------+ + * tagsz 32 sz + * + */ + +#define AEAD_NONCEMAX 64 + +typedef struct aead_algs { + bulkalgs _b; + const gcaead *c; + size_t ksz, nsz, tsz; +} aead_algs; + +typedef struct aead_ctx { + bulkctx _b; + struct { gaead_key *k; } d[NDIR]; + size_t nsz, tsz; +} aead_ctx; + +static bulkalgs *aead_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + aead_algs *a = CREATE(aead_algs); + const char *p; + char *qq; + gaead_key *kk = 0; + size_t ksz; + size_t csz = 0; + unsigned long n; + + /* --- Collect the selected cipher and check that it's supported --- */ + + p = key_getattr(kf, k, "cipher"); if (!p) p = "rijndael-ocb3"; + a->c = gaead_byname(p); + if (!a->c) { a_format(e, "unknown-cipher", "%s", p, A_END); goto fail; } + if (a->c->f&AEADF_NOAAD) { + a_format(e, "unsuitable-aead-cipher", "%s", p, "no-aad", A_END); + goto fail; + } + a->nsz = keysz_pad(8, a->c->noncesz); + if (!a->nsz) a->nsz = keysz_pad(5, a->c->noncesz); + if (!a->nsz) { + a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-small", A_END); + goto fail; + } else if (a->nsz > AEAD_NONCEMAX) { + a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-large", A_END); + goto fail; + } + + /* --- Collect the selected MAC, and check the tag length --- * + * + * Of course, there isn't a separate MAC, so only accept `aead'. + */ + + p = key_getattr(kf, k, "tagsz"); + if (!p) { + p = key_getattr(kf, k, "mac"); + if (!p) ; + else if (strncmp(p, "aead", 4) != 0 || (p[4] && p[4] != '/')) + { a_format(e, "unknown-mac", "%s", p, A_END); goto fail; } + else if (p[4] == '/') p += 5; + else p = 0; + } + if (!p) + a->tsz = keysz(0, a->c->tagsz); + else { + n = strtoul(p, &qq, 0); + if (*qq) { + a_format(e, "bad-tag-length-string", "%s", p, A_END); + goto fail; + } + if (n%8 || (a->tsz = keysz(n/8, a->c->tagsz)) == 0) + { a_format(e, "bad-tag-length", "%lu", n, A_END); goto fail; } + } + + /* --- Check that an empty message gives an empty ciphertext --- * + * + * This is necessary for producing challenges. If the overhead is zero + * then we're fine; otherwise, we have to check the hard way. + */ + + if (a->c->ohd) { + ksz = keysz(0, a->c->keysz); + memset(buf_t, 0, ksz > a->nsz ? ksz : a->nsz); + kk = GAEAD_KEY(a->c, buf_t, ksz); + if (gaead_encrypt(kk, buf_t, a->nsz, + buf_t, ksz, + 0, 0, + buf_t, &csz, + buf_t, a->tsz)) { + a_format(e, "unsuitable-aead-cipher", "%s", a->c->name, + "nonempty-ciphertext-for-empty-message", A_END); + goto fail; + } + GAEAD_DESTROY(kk); kk = 0; + } + + return (&a->_b); +fail: + if (kk) GAEAD_DESTROY(kk); + DESTROY(a); + return (0); +} + +#ifndef NTRACE +static void aead_tracealgs(const bulkalgs *aa) +{ + const aead_algs *a = (const aead_algs *)aa; + + trace(T_CRYPTO, "crypto: cipher = %s", a->c->name); + trace(T_CRYPTO, "crypto: noncesz = %lu", (unsigned long)a->nsz); + trace(T_CRYPTO, "crypto: tagsz = %lu", (unsigned long)a->tsz); +} +#endif + +static int aead_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e) +{ + aead_algs *a = (aead_algs *)aa; + + if ((a->ksz = keysz(asw->hashsz, a->c->keysz)) == 0) { + a_format(e, "cipher", "%s", a->c->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + return (0); +} + +static int aead_samealgsp(const bulkalgs *aa, const bulkalgs *bb) +{ + const aead_algs *a = (const aead_algs *)aa, + *b = (const aead_algs *)bb; + return (a->c == b->c && a->tsz == b->tsz); +} + +static void aead_alginfo(const bulkalgs *aa, admin *adm) +{ + const aead_algs *a = (const aead_algs *)aa; + a_info(adm, "cipher=%s", a->c->name, + "cipher-keysz=%lu", (unsigned long)a->ksz, + A_END); + a_info(adm, "mac=aead", "mac-tagsz=%lu", (unsigned long)a->tsz, A_END); +} + +static size_t aead_overhead(const bulkalgs *aa) +{ + const aead_algs *a = (const aead_algs *)aa; + return (a->tsz + SEQSZ + a->c->ohd); +} + +static size_t aead_expsz(const bulkalgs *aa) +{ + const aead_algs *a = (const aead_algs *)aa; + return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); +} + +static bulkctx *aead_genkeys(const bulkalgs *aa, const deriveargs *da) +{ + const aead_algs *a = (const aead_algs *)aa; + aead_ctx *bc = CREATE(aead_ctx); + octet k[MAXHASHSZ]; + int i; + + for (i = 0; i < NDIR; i++) { + if (!(da->f&(1 << i))) { bc->d[i].k = 0; continue; } + derivekey(k, a->ksz, da, i, "encryption"); + bc->d[i].k = GAEAD_KEY(a->c, k, a->ksz); + } + bc->nsz = a->nsz; bc->tsz = a->tsz; + return (&bc->_b); +} + +typedef struct aead_chal { + bulkchal _b; + gaead_key *k; +} aead_chal; + +static bulkchal *aead_genchal(const bulkalgs *aa) +{ + const aead_algs *a = (const aead_algs *)aa; + aead_chal *c = CREATE(aead_chal); + rand_get(RAND_GLOBAL, buf_t, a->ksz); + c->k = GAEAD_KEY(a->c, buf_t, a->ksz); + IF_TRACING(T_CHAL, { + trace(T_CHAL, "chal: generated new challenge key"); + trace_block(T_CRYPTO, "chal: new key", buf_t, a->ksz); + }) + c->_b.tagsz = a->tsz; + return (&c->_b); +} + +static int aead_chaltag(bulkchal *bc, const void *m, size_t msz, + uint32 seq, void *t) +{ + aead_chal *c = (aead_chal *)bc; + octet b[AEAD_NONCEMAX]; + size_t nsz = keysz_pad(4, c->k->ops->c->noncesz); + size_t csz = 0; + int rc; + + assert(nsz); assert(nsz <= sizeof(b)); + memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq); + rc = gaead_encrypt(c->k, b, nsz, m, msz, 0, 0, + buf_t, &csz, t, c->_b.tagsz); + assert(!rc); + return (0); +} + +static int aead_chalvrf(bulkchal *bc, const void *m, size_t msz, + uint32 seq, const void *t) +{ + aead_chal *c = (aead_chal *)bc; + octet b[AEAD_NONCEMAX]; + size_t nsz = keysz(4, c->k->ops->c->noncesz); + size_t psz = 0; + int rc; + + assert(nsz); assert(nsz <= sizeof(b)); + memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq); + rc = gaead_decrypt(c->k, b, nsz, m, msz, 0, 0, + buf_t, &psz, t, c->_b.tagsz); + assert(rc >= 0); + return (rc == 1 ? 0 : -1); +} + +static void aead_freechal(bulkchal *bc) + { aead_chal *c = (aead_chal *)bc; GAEAD_DESTROY(c->k); DESTROY(c); } + +static void aead_freealgs(bulkalgs *aa) + { aead_algs *a = (aead_algs *)aa; DESTROY(a); } + +static void aead_freectx(bulkctx *bbc) +{ + aead_ctx *bc = (aead_ctx *)bbc; + int i; + + for (i = 0; i < NDIR; i++) { if (bc->d[i].k) GAEAD_DESTROY(bc->d[i].k); } + DESTROY(bc); +} + +static void aead_fmtnonce(aead_ctx *bc, octet *n, uint32 seq, unsigned ty) +{ + assert(bc->nsz <= AEAD_NONCEMAX); assert(ty <= 255); + STORE32(n, seq); + switch (bc->nsz) { + case 5: STORE8(n + SEQSZ, ty); break; + case 6: STORE16(n + SEQSZ, ty); break; + case 7: STORE24(n + SEQSZ, ty); break; + default: memset(n + 8, 0, bc->nsz - 8); /* and continue */ + case 8: STORE32(n + SEQSZ, ty); break; + } + TRACE_IV(n, bc->nsz); +} + +static int aead_encrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 seq) +{ + aead_ctx *bc = (aead_ctx *)bbc; + const octet *p = BCUR(b); + gaead_key *k = bc->d[DIR_OUT].k; + size_t sz = BLEFT(b); + size_t csz = sz + k->ops->c->ohd; + octet *qmac, *qseq, *qpk; + octet n[AEAD_NONCEMAX]; + int rc; + + assert(k); + + if (buf_ensure(bb, bc->tsz + SEQSZ + csz)) return (0); + qmac = BCUR(bb); qseq = qmac + bc->tsz; qpk = qseq + SEQSZ; + STORE32(qseq, seq); + + aead_fmtnonce(bc, n, seq, ty); + rc = gaead_encrypt(k, n, bc->nsz, 0, 0, p, sz, qpk, &csz, qmac, bc->tsz); + assert(!rc); + BSTEP(bb, bc->tsz + SEQSZ + csz); + TRACE_CT(qpk, csz); + TRACE_MAC(qmac, bc->tsz); + + return (0); +} + +static int aead_decrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 *seq_out) +{ + aead_ctx *bc = (aead_ctx *)bbc; + gaead_key *k = bc->d[DIR_IN].k; + const octet *pmac, *pseq, *ppk; + uint32 seq; + size_t psz = BLEFT(b); + size_t sz; + octet *q = BCUR(bb); + octet n[AEAD_NONCEMAX]; + int rc; + + assert(k); + + if (psz < bc->tsz + SEQSZ) { + T( trace(T_KEYSET, "keyset: block too small for keyset"); ) + return (KSERR_MALFORMED); + } + sz = psz - bc->tsz - SEQSZ; + pmac = BCUR(b); pseq = pmac + bc->tsz; ppk = pseq + SEQSZ; + seq = LOAD32(pseq); + + aead_fmtnonce(bc, n, seq, ty); + rc = gaead_decrypt(k, n, bc->nsz, 0, 0, ppk, sz, q, &sz, pmac, bc->tsz); + assert(rc >= 0); + if (!rc) { TRACE_MACERR(pmac, bc->tsz); return (KSERR_DECRYPT); } + + *seq_out = seq; + BSTEP(bb, sz); + return (0); +} + +/*----- The NaCl box transform --------------------------------------------* + * + * This transform is very similar to the NaCl `crypto_secretbox' transform + * described in Bernstein, `Cryptography in NaCl', with the difference that, + * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we + * have no need of XSalsa20's extended nonce. The default cipher is Salsa20. + * + * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the + * sequence number, and the high 32 bits are the type, both big-endian. + * + * +--------+--------+ + * | seq | type | + * +--------+--------+ + * 32 32 + * + * A stream is generated by concatenating the raw output blocks generated + * with this nonce and successive counter values starting from zero. The + * first 32 bytes of the stream are used as a key for Poly1305: the first 16 + * bytes are the universal hash key r, and the second 16 bytes are the mask + * value s. + * + * +------+------+ +------...------+ + * | r | s | | keystream | + * +------+------+ +------...------+ + * 128 128 sz + * + * The remainder of the stream is XORed with the incoming plaintext to form a + * ciphertext with the same length. The ciphertext (only) is then tagged + * using Poly1305. The tag, sequence number, and ciphertext are concatenated + * in this order, and transmitted. + * + * + * +---...---+------+------...------+ + * | tag | seq | ciphertext | + * +---...---+------+------...------+ + * 128 32 sz + * + * Note that there is no need to authenticate the type separately, since it + * was used to select the cipher nonce, and hence the Poly1305 key. The + * Poly1305 tag length is fixed. + */ + +typedef struct naclbox_algs { + aead_algs _b; + const gccipher *c; +} naclbox_algs; + +static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + naclbox_algs *a = CREATE(naclbox_algs); + const char *p; + char *qq; + unsigned long n; + + /* --- Collect the selected cipher and check that it's supported --- */ + + p = key_getattr(kf, k, "cipher"); + if (!p || strcmp(p, "salsa20") == 0) + { a->_b.c = &salsa20_naclbox; a->c = &salsa20; } + else if (strcmp(p, "salsa20/12") == 0) + { a->_b.c = &salsa2012_naclbox; a->c = &salsa2012; } + else if (strcmp(p, "salsa20/8") == 0) + { a->_b.c = &salsa208_naclbox; a->c = &salsa208; } + else if (strcmp(p, "chacha20") == 0) + { a->_b.c = &chacha20_naclbox; a->c = &chacha20; } + else if (strcmp(p, "chacha12") == 0) + { a->_b.c = &chacha12_naclbox; a->c = &chacha12; } + else if (strcmp(p, "chacha8") == 0) + { a->_b.c = &chacha8_naclbox; a->c = &chacha8; } + else { + a_format(e, "unknown-cipher", "%s", p, A_END); + goto fail; + } + a->_b.nsz = 8; + + /* --- Collect the selected MAC, and check the tag length --- */ + + p = key_getattr(kf, k, "mac"); + if (!p) + ; + else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) { + a_format(e, "unknown-mac", "%s", p, A_END); + goto fail; + } else if (p[8] == '/') { + n = strtoul(p + 9, &qq, 0); + if (*qq) { + a_format(e, "bad-tag-length-string", "%s", p + 9, A_END); + goto fail; + } + if (n != 128) { + a_format(e, "bad-tag-length", "%lu", n, A_END); + goto fail; + } + } + a->_b.tsz = 16; + + return (&a->_b._b); +fail: + DESTROY(a); + return (0); +} + +#ifndef NTRACE +static void naclbox_tracealgs(const bulkalgs *aa) +{ + const naclbox_algs *a = (const naclbox_algs *)aa; + + trace(T_CRYPTO, "crypto: cipher = %s", a->c->name); + trace(T_CRYPTO, "crypto: mac = poly1305/128"); +} +#endif + +#define naclbox_checkalgs aead_checkalgs +#define naclbox_samealgsp aead_samealgsp + +static void naclbox_alginfo(const bulkalgs *aa, admin *adm) +{ + const naclbox_algs *a = (const naclbox_algs *)aa; + a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END); + a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END); +} + +#define naclbox_overhead aead_overhead +#define naclbox_expsz aead_expsz +#define naclbox_genkeys aead_genkeys + +typedef struct naclbox_chal { + bulkchal _b; + gcipher *c; +} naclbox_chal; + +static bulkchal *naclbox_genchal(const bulkalgs *aa) +{ + const naclbox_algs *a = (const naclbox_algs *)aa; + naclbox_chal *c = CREATE(naclbox_chal); + rand_get(RAND_GLOBAL, buf_t, a->_b.ksz); + c->c = GC_INIT(a->c, buf_t, a->_b.ksz); + IF_TRACING(T_CHAL, { + trace(T_CHAL, "chal: generated new challenge key"); + trace_block(T_CRYPTO, "chal: new key", buf_t, a->_b.ksz); + }) + c->_b.tagsz = POLY1305_TAGSZ; + return (&c->_b); +} + +static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz, + uint32 seq, void *t) +{ + naclbox_chal *c = (naclbox_chal *)bc; + poly1305_key pk; + poly1305_ctx pm; + octet b[POLY1305_KEYSZ + POLY1305_MASKSZ]; + + STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce"); + + memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq); + GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b)); + poly1305_keyinit(&pk, b, POLY1305_KEYSZ); + poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ); + if (msz) poly1305_hash(&pm, m, msz); + poly1305_done(&pm, t); + return (0); +} + +static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz, + uint32 seq, const void *t) +{ + naclbox_chal *c = (naclbox_chal *)bc; + poly1305_key pk; + poly1305_ctx pm; + octet b[POLY1305_KEYSZ + POLY1305_MASKSZ]; + + STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce"); + STATIC_ASSERT(POLY1305_TAGSZ <= sizeof(b), "Need more space for tag"); + + memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq); + GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b)); + poly1305_keyinit(&pk, b, POLY1305_KEYSZ); + poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ); + if (msz) poly1305_hash(&pm, m, msz); + poly1305_done(&pm, b); + return (ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1); +} + +static void naclbox_freechal(bulkchal *bc) + { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); } + +static void naclbox_freealgs(bulkalgs *aa) + { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); } + +#define naclbox_freectx aead_freectx +#define naclbox_encrypt aead_encrypt +#define naclbox_decrypt aead_decrypt + /*----- Bulk crypto transform table ---------------------------------------*/ -const bulkcrypto bulktab[] = { +const bulkops bulktab[] = { + +#define COMMA , -#define BULK(name, pre, prim) \ - { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt } +#define BULK(name, pre) \ + { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \ + pre##_checkalgs, pre##_samealgsp, \ + pre##_alginfo, pre##_overhead, pre##_expsz, \ + pre##_genkeys, pre##_genchal, pre##_freealgs, \ + pre##_encrypt, pre##_decrypt, pre##_freectx, \ + pre##_chaltag, pre##_chalvrf, pre##_freechal } - BULK("v0", v0, BCP_CIPHER | BCP_MAC), + BULK("v0", v0), + BULK("iiv", iiv), + BULK("aead", aead), + BULK("naclbox", naclbox), #undef BULK { 0 }