X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/f56dbbc4f35e303ae79a24be8590ed79a335fd7c..11ad66c29764521f87f0dd399a1e592147c7af36:/keys/tripe-keys.in diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in index db577b62..593f1423 100644 --- a/keys/tripe-keys.in +++ b/keys/tripe-keys.in @@ -10,19 +10,18 @@ ### ### This file is part of Trivial IP Encryption (TrIPE). ### -### TrIPE is free software; you can redistribute it and/or modify -### it under the terms of the GNU General Public License as published by -### the Free Software Foundation; either version 2 of the License, or -### (at your option) any later version. +### TrIPE is free software: you can redistribute it and/or modify it under +### the terms of the GNU General Public License as published by the Free +### Software Foundation; either version 3 of the License, or (at your +### option) any later version. ### -### TrIPE is distributed in the hope that it will be useful, -### but WITHOUT ANY WARRANTY; without even the implied warranty of -### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -### GNU General Public License for more details. +### TrIPE is distributed in the hope that it will be useful, but WITHOUT +### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +### FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +### for more details. ### ### You should have received a copy of the GNU General Public License -### along with TrIPE; if not, write to the Free Software Foundation, -### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +### along with TrIPE. If not, see . ###-------------------------------------------------------------------------- ### External dependencies. @@ -238,29 +237,55 @@ def conf_defaults(): ('conf-file', '${base-dir}tripe-keys.conf'), ('upload-hook', ': run upload hook'), ('kx', 'dh'), + ('kx-genalg', lambda: {'dh': 'dh', + 'ec': 'ec', + 'x25519': 'x25519', + 'x448': 'x448'}[conf['kx']]), + ('kx-param-genalg', lambda: {'dh': 'dh-param', + 'ec': 'ec-param', + 'x25519': 'empty', + 'x448': 'empty'}[conf['kx']]), ('kx-param', lambda: {'dh': '-LS -b3072 -B256', - 'ec': '-Cnist-p256'}[conf['kx']]), + 'ec': '-Cnist-p256', + 'x25519': '', + 'x448': ''}[conf['kx']]), + ('kx-attrs', lambda: {'dh': 'serialization=constlen', + 'ec': 'serialization=constlen', + 'x25519': '', + 'x448': ''}[conf['kx']]), ('kx-expire', 'now + 1 year'), ('kx-warn-days', '28'), - ('cipher', 'rijndael-cbc'), + ('bulk', 'iiv'), + ('cipher', lambda: conf['bulk'] == 'naclbox' + and 'salsa20' or 'rijndael-cbc'), ('hash', 'sha256'), ('master-keygen-flags', '-l'), + ('master-attrs', ''), ('mgf', '${hash}-mgf'), - ('mac', lambda: '%s-hmac/%d' % - (conf['hash'], - C.gchashes[conf['hash']].hashsz * 4)), - ('sig', lambda: {'dh': 'dsa', 'ec': 'ecdsa'}[conf['kx']]), + ('mac', lambda: conf['bulk'] == 'naclbox' + and 'poly1305/128' + or '%s-hmac/%d' % + (conf['hash'], + C.gchashes[conf['hash']].hashsz * 4)), + ('sig', lambda: {'dh': 'dsa', + 'ec': 'ecdsa', + 'x25519': 'ed25519', + 'x448': 'ed448'}[conf['kx']]), ('sig-fresh', 'always'), ('sig-genalg', lambda: {'kcdsa': 'dh', 'dsa': 'dsa', 'rsapkcs1': 'rsa', 'rsapss': 'rsa', 'ecdsa': 'ec', - 'eckcdsa': 'ec'}[conf['sig']]), + 'eckcdsa': 'ec', + 'ed25519': 'ed25519', + 'ed448': 'ed448'}[conf['sig']]), ('sig-param', lambda: {'dh': '-LS -b3072 -B256', 'dsa': '-b3072 -B256', 'ec': '-Cnist-p256', - 'rsa': '-b3072'}[conf['sig-genalg']]), + 'rsa': '-b3072', + 'ed25519': '', + 'ed448': ''}[conf['sig-genalg']]), ('sig-hash', '${hash}'), ('sig-expire', 'forever'), ('fingerprint-hash', '${hash}')]: @@ -356,7 +381,7 @@ def cmd_newmaster(args): run('''key -kmaster add -a${sig-genalg} !${sig-param} -e${sig-expire} !${master-keygen-flags} -tmaster-%d tripe-keys-master - sig=${sig} hash=${sig-hash}''' % seq) + sig=${sig} hash=${sig-hash} !${master-attrs}''' % seq) run('key -kmaster extract -f-secret repos/master.pub') ###-------------------------------------------------------------------------- @@ -365,9 +390,10 @@ def cmd_newmaster(args): def cmd_setup(args): OS.mkdir('repos') run('''key -krepos/param add - -a${kx}-param !${kx-param} + -a${kx-param-genalg} !${kx-param} -eforever -tparam tripe-param - kx-group=${kx} cipher=${cipher} hash=${hash} mac=${mac} mgf=${mgf}''') + kx-group=${kx} mgf=${mgf} mac=${mac} + bulk=${bulk} cipher=${cipher} hash=${hash} ${kx-attrs}''') cmd_newmaster(args) ###-------------------------------------------------------------------------- @@ -420,6 +446,16 @@ def cmd_upload(args): for base in commit: new = '%s.new' % base OS.rename(new, base) + + ## Remove files in the base-dir which don't correspond to ones we just + ## committed + allow = {} + basedir = conf['base-dir'] + bdl = len(basedir) + for base in commit: + if base.startswith(basedir): allow[base[bdl:]] = 1 + for found in OS.listdir(basedir): + if found not in allow: OS.remove(OS.path.join(basedir, found)) finally: OS.chdir(cwd) rmtree('tmp') @@ -446,8 +482,8 @@ def cmd_update(args): OS.mkdir('tmp') OS.chdir('tmp') seq = int(conf['master-sequence']) - run('curl -s -o tripe-keys.tar.gz ${repos-url}') - run('curl -s -o tripe-keys.sig %s' % seqsubst('sig-url', seq)) + run('curl -sL -o tripe-keys.tar.gz ${repos-url}') + run('curl -sL -o tripe-keys.sig %s' % seqsubst('sig-url', seq)) run('tar xfz tripe-keys.tar.gz') ## Verify the signature @@ -479,7 +515,7 @@ def cmd_generate(args): keyring_pub = 'peer-%s.pub' % tag zap('keyring'); zap(keyring_pub) run('key -kkeyring merge repos/param') - run('key -kkeyring add -a${kx} -pparam -e${kx-expire} -t%s tripe' % + run('key -kkeyring add -a${kx-genalg} -pparam -e${kx-expire} -t%s tripe' % tag) run('key -kkeyring extract -f-secret %s %s' % (keyring_pub, tag)) @@ -531,24 +567,39 @@ def cmd_check(args): ###-------------------------------------------------------------------------- ### Commands: mtu +def mac_tagsz(): + macname = conf['mac'] + index = macname.rindex('/') + if index == -1: tagsz = C.gcmacs[macname].tagsz + else: tagsz = int(macname[index + 1:])/8 + return tagsz + def cmd_mtu(args): mtu, = (lambda mtu = '1500': (mtu,))(*args) mtu = int(mtu) - blksz = C.gcciphers[conf['cipher']].blksz - - index = conf['mac'].find('/') - if index == -1: - tagsz = C.gcmacs[conf['mac']].tagsz - else: - tagsz = int(conf['mac'][index + 1:])/8 - mtu -= 20 # Minimum IP header mtu -= 8 # UDP header mtu -= 1 # TrIPE packet type octet - mtu -= tagsz # MAC tag - mtu -= 4 # Sequence number - mtu -= blksz # Initialization vector + + bulk = conf['bulk'] + + if bulk == 'v0': + blksz = C.gcciphers[conf['cipher']].blksz + mtu -= mac_tagsz() # MAC tag + mtu -= 4 # Sequence number + mtu -= blksz # Initialization vector + + elif bulk == 'iiv': + mtu -= mac_tagsz() # MAC tag + mtu -= 4 # Sequence number + + elif bulk == 'naclbox': + mtu -= 16 # MAC tag + mtu -= 4 # Sequence number + + else: + die("Unknown bulk transform `%s'" % bulk) print mtu