From: Mark Wooding
Date: Mon, 17 Apr 2017 23:39:24 +0000 (+0100)
Subject: keys/tripe-keys.in: Add an option to control the bulk transform.
X-Git-Tag: 1.0.0pre19~12
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/commitdiff_plain/39bcd193d88309a411d3b26b5db205f913ce530d
keys/tripe-keys.in: Add an option to control the bulk transform.
The default is `iiv', because we don't have the compatibility constraints that the main server has. Also, fix the `mtu' command, which has been wrong about the `iiv' overhead for a while.
---
diff --git a/keys/tripe-keys.conf.5.in b/keys/tripe-keys.conf.5.in
index e993ad26..663b9176 100644
--- a/keys/tripe-keys.conf.5.in
+++ b/keys/tripe-keys.conf.5.in
@@ -224,6 +224,10 @@ Expiry time for generated keys. Default is
 Hashing algorithm to use. Default is
 .BR sha256 .
 .TP
+.I bulk
+The bulk crypto transform to use.
+Default is
+.BR iiv .
 .I mac
 Message authentication algorithm to use. Default is
 .IB hash -hmac/ halfhashlen \fR,
diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in
index 787336fa..f1279ad7 100644
--- a/keys/tripe-keys.in
+++ b/keys/tripe-keys.in
@@ -247,6 +247,7 @@ def conf_defaults():
 ('kx-attrs', ''),
 ('kx-expire', 'now + 1 year'),
 ('kx-warn-days', '28'),
+ ('bulk', 'iiv'),
 ('cipher', 'rijndael-cbc'),
 ('hash', 'sha256'),
 ('master-keygen-flags', '-l'),
@@ -378,7 +379,7 @@ def cmd_setup(args):
 -a${kx-param-genalg} !${kx-param} -eforever -tparam tripe-param kx-group=${kx} mgf=${mgf} mac=${mac}
- cipher=${cipher} hash=${hash} ${kx-attrs}''')
+ bulk=${bulk} cipher=${cipher} hash=${hash} ${kx-attrs}''')
 cmd_newmaster(args)
 ###--------------------------------------------------------------------------
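Review bot: The `+` line writes `${bulk}` into the `tripe-param` key's attributes without checking its value, while the `cmd_mtu` hunk later in this commit rejects anything other than `v0` and `iiv` with `die(...)`. A mistyped `bulk` in the configuration therefore lands in the generated parameter key and, as far as this hunk shows, is only noticed by whatever later consumes that attribute. The check belongs here as well, before the `run(...)` call, e.g. `if conf['bulk'] not in ('v0', 'iiv'): die("Unknown bulk transform `%s'" % conf['bulk'])`, ideally as one shared helper so the accepted set is defined in a single place. `cmd_setup` and the `run(...)` call this line sits in both begin before the hunk.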
@@ -552,24 +553,35 @@ def cmd_check(args):
 ###--------------------------------------------------------------------------
 ### Commands: mtu
+def mac_tagsz():
+ macname = conf['mac']
+ index = macname.rindex('/')
+ if index == -1: tagsz = C.gcmacs[macname].tagsz
+ else: tagsz = int(macname[index + 1:])/8
+ return tagsz
+
 def cmd_mtu(args):
 mtu, = (lambda mtu = '1500': (mtu,))(*args)
 mtu = int(mtu)
- blksz = C.gcciphers[conf['cipher']].blksz
-
- index = conf['mac'].find('/')
- if index == -1:
- tagsz = C.gcmacs[conf['mac']].tagsz
- else:
- tagsz = int(conf['mac'][index + 1:])/8
-
 mtu -= 20 # Minimum IP header
 mtu -= 8 # UDP header
 mtu -= 1 # TrIPE packet type octet
- mtu -= tagsz # MAC tag
- mtu -= 4 # Sequence number
- mtu -= blksz # Initialization vector
+
+ bulk = conf['bulk']
+
+ if bulk == 'v0':
+ blksz = C.gcciphers[conf['cipher']].blksz
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+ mtu -= blksz # Initialization vector
+
+ elif bulk == 'iiv':
+ mtu -= mac_tagsz() # MAC tag
+ mtu -= 4 # Sequence number
+
+ else:
+ die("Unknown bulk transform `%s'" % bulk)
 print mtu
diff --git a/keys/tripe-keys.master b/keys/tripe-keys.master
index 35b868ce..a4b98ae7 100644
--- a/keys/tripe-keys.master
+++ b/keys/tripe-keys.master
@@ -28,6 +28,9 @@
 ## Expiry time for peer key-exchange keys.
 # kx-expire = now + 1 year
+## Bulk crypto transform to use. May be `v0', or `iiv'.
+# bulk = iiv
+
 ## Symmetric encryption scheme to use.
 # cipher = rijndael-cbc
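Review bot: `mac_tagsz()` calls `macname.rindex('/')`, which raises `ValueError` when there is no `/` instead of returning `-1`, so the `if index == -1:` branch on the next line is unreachable; the removed code used `find`, which did return `-1`. A `mac` configured without an explicit tag-length suffix, the `C.gcmacs[macname].tagsz` case, now aborts `tripe-keys mtu` with a traceback rather than computing the size. Change the lookup to `index = macname.rfind('/')`. A short docstring on the new helper would also help, e.g. `"""Return the MAC tag size in octets: from the numeric suffix after `/' (presumably bits), else the algorithm's default."""`. The hunk's trailing context after `print mtu` looks truncated here, so whether `cmd_mtu` ends there cannot be confirmed.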