upstream: https://github.com/mirage/mirage-crypto

Merge pull request #73 from hannesm/unify-aead

Unify AEAD constructions

authored by

Hannes Mehnert and committed by
GitHub
1b4d90b9 74bfd27f

+146 -135
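--- a/mirage-crypto.opam
+++ b/mirage-crypto.opam
@@ -19,6 +19,7 @@
   "dune-configurator" {>= "2.0.0"}
   "ounit" {with-test}
   "cstruct" {>="3.2.0"}
+  "eqaf" {>= "0.7"}
 ]
 depopts: [
   "mirage-xen-posix"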
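--- /dev/null
+++ b/src/aead.ml
@@ -0,0 +1,7 @@
+module type AEAD = sig
+  type key
+  val authenticate_encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
+    Cstruct.t -> Cstruct.t
+  val authenticate_decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
+    Cstruct.t -> Cstruct.t option
+end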
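--- a/src/ccm.ml
+++ b/src/ccm.ml
@@ -78,7 +78,7 @@
 
 type mode = Encrypt | Decrypt
 
-let crypto_core ~cipher ~mode ~key ~nonce ~maclen ?(adata = Cstruct.empty) data =
+let crypto_core ~cipher ~mode ~key ~nonce ~maclen ~adata data =
   let datalen = Cstruct.len data in
   let cbcheader = prepare_header nonce adata datalen maclen in
   let target = Cstruct.create datalen in
@@ -146,21 +146,21 @@
   if nsize < 7 || nsize > 13 then
     invalid_arg "CCM: nonce length not between 7 and 13: %d" nsize
 
-let generation_encryption ~cipher ~key ~nonce ~maclen ?adata data =
+let generation_encryption ~cipher ~key ~nonce ~maclen ~adata data =
   valid_nonce nonce;
-  let cdata, t = crypto_core ~cipher ~mode:Encrypt ~key ~nonce ~maclen ?adata data in
+  let cdata, t = crypto_core ~cipher ~mode:Encrypt ~key ~nonce ~maclen ~adata data in
   crypto_t t nonce cipher key ;
   cdata <+> t
 
-let decryption_verification ~cipher ~key ~nonce ~maclen ?adata data =
+let decryption_verification ~cipher ~key ~nonce ~maclen ~adata data =
   valid_nonce nonce;
   if Cstruct.len data < maclen then
     None
   else
     let pclen = Cstruct.len data - maclen in
-    let cdata, t = crypto_core ~cipher ~mode:Decrypt ~key ~nonce ~maclen ?adata (Cstruct.sub data 0 pclen) in
+    let cdata, t = crypto_core ~cipher ~mode:Decrypt ~key ~nonce ~maclen ~adata (Cstruct.sub data 0 pclen) in
     let t' = Cs.clone (Cstruct.sub data pclen maclen) in
     crypto_t t' nonce cipher key ;
-    match Cstruct.equal t' t with
+    match Eqaf_cstruct.equal t' t with
     | true -> Some cdata
     | false -> None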
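Review bot: The new line `match Eqaf_cstruct.equal t' t with | true -> Some cdata | false -> None` at the end of decryption_verification matches on a boolean, while the other two decrypt paths touched by this commit (chacha20.ml and the new GCM authenticate_decrypt) write the same check as an `if`; `if Eqaf_cstruct.equal t' t then Some cdata else None` would keep the three consistent. The move to Eqaf_cstruct.equal itself is the right change here: both operands are exactly `maclen` bytes (t' is cut from data with that length), so the comparison never takes a length-mismatch shortcut and runs in constant time over the tag.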
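--- a/src/chacha20.ml
+++ b/src/chacha20.ml
@@ -4,6 +4,10 @@
 
 let block = 64
 
+type key = Cstruct.t
+
+let of_secret a = a
+
 let chacha20_block state idx key_stream =
   Native.Chacha.round 10 state.Cstruct.buffer 0 key_stream.Cstruct.buffer idx
 
@@ -78,13 +82,13 @@
   let ctx = P.feed ctx len in
   P.get ctx
 
-let aead_poly1305_encrypt ~key ~nonce ?(adata = Cstruct.empty) data =
+let authenticate_encrypt ~key ~nonce ?(adata = Cstruct.empty) data =
   let poly1305_key = generate_poly1305_key ~key ~nonce in
   let ciphertext = crypt ~key ~nonce ~ctr:1L data in
   let mac = mac ~key:poly1305_key ~adata ciphertext in
   Cstruct.append ciphertext mac
 
-let aead_poly1305_decrypt ~key ~nonce ?(adata = Cstruct.empty) data =
+let authenticate_decrypt ~key ~nonce ?(adata = Cstruct.empty) data =
   if Cstruct.len data < P.mac_size then
     None
   else
@@ -92,4 +96,4 @@
     let poly1305_key = generate_poly1305_key ~key ~nonce in
     let ctag = mac ~key:poly1305_key ~adata cipher in
     let plain = crypt ~key ~nonce ~ctr:1L cipher in
-    if Cstruct.equal tag ctag then Some plain else None
+    if Eqaf_cstruct.equal tag ctag then Some plain else None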
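Review bot: The new `let of_secret a = a` accepts any Cstruct as a key, so a secret of the wrong length is only rejected later, when `crypt` (outside this hunk) checks it; since `key` becomes abstract through the AEAD signature, `of_secret` is now the single place where a caller's material enters, and it should fail there. Validating the length at construction, with the sizes the interface documents for `crypt` and the same Invalid_argument helper that `crypt` uses, gives callers an error at key-setup time instead of at first encryption: `let of_secret a = match Cstruct.len a with | 16 | 32 -> a | n -> invalid_arg "Chacha20: key length %d not 16 or 32" n`. Whether 16-byte keys should be accepted for the Poly1305 AEAD construction, which RFC 8439 defines for 32-byte keys only, is worth a comment on the definition either way.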
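--- a/src/cipher_block.ml
+++ b/src/cipher_block.ml
@@ -63,25 +63,21 @@
   end
 
   module type GCM = sig
-    type key
-    type result = { message : Cstruct.t ; tag : Cstruct.t }
+    include Aead.AEAD
     val of_secret : Cstruct.t -> key
 
     val key_sizes : int array
     val block_size : int
-    val encrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
-    val decrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
+    val tag_size : int
   end
 
   module type CCM = sig
-    type key
+    include Aead.AEAD
     val of_secret : maclen:int -> Cstruct.t -> key
 
     val key_sizes : int array
     val block_size : int
     val mac_sizes : int array
-    val encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t
-    val decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option
   end
 end
 
@@ -238,19 +234,21 @@
   type key
   val derive : Cstruct.t -> key
   val digesti : key:key -> (Cstruct.t Uncommon.iter) -> Cstruct.t
+  val tagsize : int
 end = struct
   type key = bytes
   let keysize = Native.GHASH.keysize ()
+  let tagsize = 16
   let derive cs =
-    assert (cs.len >= 16);
+    assert (cs.len >= tagsize);
     let k = Bytes.create keysize in
     Native.GHASH.keyinit cs.buffer cs.off k; k
-  let _cs = create_unsafe 16
-  let hash0 = Bytes.make 16 '\x00'
+  let _cs = create_unsafe tagsize
+  let hash0 = Bytes.make tagsize '\x00'
   let digesti ~key i = (* Clobbers `_cs`! *)
     let res = Bytes.copy hash0 in
     i (fun cs -> Native.GHASH.ghash key res cs.buffer cs.off cs.len);
-    blit_from_bytes res 0 _cs 0 16; _cs
+    blit_from_bytes res 0 _cs 0 tagsize; _cs
 end
 
 module GCM_of (C : S.Core) : S.GCM = struct
@@ -259,8 +257,8 @@
   module CTR = CTR_of (C) (Counters.C128be32)
 
   type key = { key : C.ekey ; hkey : GHASH.key }
-  type result = { message : Cstruct.t ; tag : Cstruct.t }
 
+  let tag_size = GHASH.tagsize
   let key_sizes, block_size = C.(key, block)
   let z128, h = create block_size, create block_size
 
@@ -273,27 +271,35 @@
   let pack64s = let _cs = create_unsafe 16 in fun a b ->
     BE.set_uint64 _cs 0 a; BE.set_uint64 _cs 8 b; _cs
 
-  let counter ~hkey iv = match len iv with
-    | 0 -> invalid_arg "GCM: invalid IV of length 0"
-    | 12 -> let (w1, w2) = BE.get_uint64 iv 0, BE.get_uint32 iv 8 in
+  let counter ~hkey nonce = match len nonce with
+    | 0 -> invalid_arg "GCM: invalid nonce of length 0"
+    | 12 -> let (w1, w2) = BE.get_uint64 nonce 0, BE.get_uint32 nonce 8 in
             (w1, Int64.(shift_left (of_int32 w2) 32 |> add 1L))
     | _ -> CTR.ctr_of_cstruct @@
-           GHASH.digesti ~key:hkey @@ iter2 iv (pack64s 0L (bits64 iv))
+           GHASH.digesti ~key:hkey @@ iter2 nonce (pack64s 0L (bits64 nonce))
 
   let tag ~key ~hkey ~ctr ?(adata=Cstruct.empty) cdata =
     CTR.encrypt ~key ~ctr @@
       GHASH.digesti ~key:hkey @@
         iter3 adata cdata (pack64s (bits64 adata) (bits64 cdata))
 
-  let encrypt ~key:{ key; hkey } ~iv ?adata data =
-    let ctr = counter ~hkey iv in
+  let authenticate_encrypt ~key:{ key; hkey } ~nonce ?adata data =
+    let ctr = counter ~hkey nonce in
     let cdata = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) data) in
-    { message = cdata ; tag = tag ~key ~hkey ~ctr ?adata cdata }
+    let ctag = tag ~key ~hkey ~ctr ?adata cdata in
+    Cstruct.append cdata ctag
 
-  let decrypt ~key:{ key; hkey } ~iv ?adata cdata =
-    let ctr = counter ~hkey iv in
-    let data = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cdata) in
-    { message = data ; tag = tag ~key ~hkey ~ctr ?adata cdata }
+  let authenticate_decrypt ~key:{ key; hkey } ~nonce ?adata cdata =
+    let ctr = counter ~hkey nonce in
+    if Cstruct.len cdata < tag_size then
+      None
+    else
+      let cipher, tag_data =
+        Cstruct.split cdata (Cstruct.len cdata - tag_size)
+      in
+      let data = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cipher) in
+      let ctag = tag ~key ~hkey ~ctr ?adata cipher in
+      if Eqaf_cstruct.equal tag_data ctag then Some data else None
 end
 
 module CCM_of (C : S.Core) : S.CCM = struct
@@ -316,11 +322,11 @@
       invalid_arg "src len %d, dst len %d" src.len dst.len;
     C.encrypt ~key ~blocks:1 src.buffer src.off dst.buffer dst.off
 
-  let encrypt ~key:{key; maclen} ~nonce ?adata cs =
-    Ccm.generation_encryption ~cipher ~key ~nonce ~maclen ?adata cs
+  let authenticate_encrypt ~key:{key; maclen} ~nonce ?(adata = Cstruct.empty) cs =
+    Ccm.generation_encryption ~cipher ~key ~nonce ~maclen ~adata cs
 
-  let decrypt ~key:{key; maclen} ~nonce ?adata cs =
-    Ccm.decryption_verification ~cipher ~key ~nonce ~maclen ?adata cs
+  let authenticate_decrypt ~key:{key; maclen} ~nonce ?(adata = Cstruct.empty) cs =
+    Ccm.decryption_verification ~cipher ~key ~nonce ~maclen ~adata cs
 end
 end
 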
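Review bot: The new GCM authenticate_decrypt runs the CTR keystream over `cipher` (`let data = CTR.(encrypt ...) cipher`) before the tag is compared on the line after, so a forged or corrupted input still costs a full decryption even though `data` is correctly never returned on mismatch. Verify-then-decrypt is the usual shape for an AEAD decrypt and is a small reorder here: `let ctag = tag ~key ~hkey ~ctr ?adata cipher in` / `if not (Eqaf_cstruct.equal tag_data ctag) then None` / `else Some CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cipher)`. The same decrypt-before-verify ordering is present in chacha20.ml (`plain` is computed before the `Eqaf_cstruct.equal tag ctag` check) and in ccm.ml, where `crypto_core ~mode:Decrypt` produces the plaintext before `t'` is compared; those two are pre-existing, but this commit is the natural place to align all three. A one-line comment on the GCM function stating that the tag is checked over the ciphertext and `adata` before any plaintext leaves the function would also document the contract the `option` return encodes.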
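--- a/src/dune
+++ b/src/dune
@@ -1,8 +1,8 @@
 (library
  (name mirage_crypto)
  (public_name mirage-crypto)
- (libraries cstruct)
- (private_modules chacha20 ccm cipher_block cipher_stream hash native poly1305 uncommon)
+ (libraries cstruct eqaf.cstruct)
+ (private_modules aead chacha20 ccm cipher_block cipher_stream hash native poly1305 uncommon)
  (c_names detect_cpu_features
   misc misc_sse
   md5 sha1 sha256 sha512 hash_stubs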
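--- a/src/mirage_crypto.ml
+++ b/src/mirage_crypto.ml
@@ -1,6 +1,7 @@
 module Uncommon = Uncommon
 module Hash = Hash
 module Poly1305 = Poly1305.It
+module type AEAD = Aead.AEAD
 module Cipher_block = Cipher_block
 module Chacha20 = Chacha20
 module Cipher_stream = Cipher_stream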
+41 -47
src/mirage_crypto.mli
··· 224 224 225 225 (** {1 Symmetric-key cryptography} *) 226 226 227 + (** Authenticated encryption with associated data. 228 + 229 + This defines a uniform interface of symmetrics cryptographic algorithms 230 + which encrypt, and also protect the integrity of the data. Additional data, 231 + only used for integrity protection, not encrypted and not part of the 232 + ciphertext, can be passed in optionally. This prevents the same ciphertext 233 + being used at a different location. See 234 + {{:https://tools.ietf.org/html/rfc5116}RFC 5116} for further description. 235 + *) 236 + module type AEAD = sig 237 + 238 + type key 239 + (** The abstract type for the key. *) 240 + 241 + val authenticate_encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> 242 + Cstruct.t -> Cstruct.t 243 + (** [authenticate_encrypt ~key ~nonce ~adata msg] encrypts [msg] with [key] 244 + and [nonce], and appends an authentication tag computed over the encrypted 245 + [msg], using [key], [nonce], and [adata]. 246 + 247 + @raise Invalid_argument if [nonce] is not of the right size. *) 248 + 249 + val authenticate_decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> 250 + Cstruct.t -> Cstruct.t option 251 + (** [authenticate_decrypt ~key ~nonce ~adata msg] splits [msg] into encrypted 252 + data and authentication tag, computes the authentication tag using [key], 253 + [nonce], and [adata], and decrypts the encrypted data. If the 254 + authentication tags match, the decrypted data is returned. 255 + 256 + @raise Invalid_argument if [nonce] is not of the right size. *) 257 + end 258 + 227 259 (** Block ciphers. 228 260 229 261 Each algorithm, and each mode of operation, is contained in its own separate ··· 381 413 (** {e Galois/Counter Mode}. *) 382 414 module type GCM = sig 383 415 384 - type key 385 - 386 - type result = { message : Cstruct.t ; tag : Cstruct.t } 387 - (** The transformed message, packed with the authentication tag. 
*) 416 + include AEAD 388 417 389 418 val of_secret : Cstruct.t -> key 390 419 (** Construct the encryption key corresponding to [secret]. ··· 398 427 val block_size : int 399 428 (** The size of a single block. *) 400 429 401 - val encrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result 402 - (** [encrypt ~key ~iv ?adata msg] is the {{!result}[result]} containing 403 - [msg] encrypted under [key], with [iv] as the initialization vector, 404 - and the authentication tag computed over both [adata] and [msg]. 405 - 406 - @raise Invalid_argument if the length [iv] is 0. 407 - *) 408 - 409 - val decrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result 410 - (** [decrypt ~key ~iv ?adata msg] is the result containing the inversion 411 - of [encrypt] and the same authentication tag. 412 - 413 - @raise Invalid_argument if the length [iv] is 0. 414 - *) 430 + val tag_size : int 431 + (** The size of the authentication tag. *) 415 432 end 416 433 417 434 (** {e Counter with CBC-MAC} mode. *) 418 435 module type CCM = sig 419 436 420 - type key 437 + include AEAD 421 438 422 439 val of_secret : maclen:int -> Cstruct.t -> key 423 440 (** Construct the encryption key corresponding to [secret], that will ··· 434 451 435 452 val mac_sizes : int array 436 453 (** [MAC] lengths allowed with this cipher. *) 437 - 438 - val encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t 439 - (** [encrypt ~key ~nonce ?adata msg] is [msg] encrypted under [key] and 440 - [nonce], packed with authentication data computed over [msg] and 441 - [adata]. 442 - 443 - @raise Invalid_argument if [nonce] is not between 7 and 13 bytes long. *) 444 - 445 - val decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option 446 - (** [decrypt ~key ~nonce ?adata msg] is [Some text] when [msg] was 447 - produced by the corresponding [encrypt], or [None] otherwise. 
448 - 449 - @raise Invalid_argument if [nonce] is not between 7 and 13 bytes long. *) 450 454 end 451 455 end 452 456 ··· 473 477 474 478 (** The ChaCha20 cipher proposed by D.J. Bernstein. *) 475 479 module Chacha20 : sig 476 - val crypt : key:Cstruct.t -> nonce:Cstruct.t -> ?ctr:int64 -> Cstruct.t -> Cstruct.t 480 + include AEAD 481 + 482 + val of_secret : Cstruct.t -> key 483 + 484 + val crypt : key:key -> nonce:Cstruct.t -> ?ctr:int64 -> Cstruct.t -> Cstruct.t 477 485 (** [crypt ~key ~nonce ~ctr data] generates a ChaCha20 key stream using 478 486 the [key], and [nonce]. The [ctr] defaults to 0. The generated key 479 487 stream is of the same length as [data], and the output is the XOR ··· 487 495 IETF mode (and counter fit into 32 bits), or [key] must be either 16 488 496 bytes or 32 bytes and [nonce] 8 bytes. 489 497 *) 490 - 491 - val aead_poly1305_encrypt : key:Cstruct.t -> nonce:Cstruct.t -> 492 - ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t 493 - (** [aead_poly1305_encrypt ~key ~nonce ~adata data] encrypts [data] 494 - with ChaCha20 using [key] and [nonce]. Additionally, an authentication 495 - tag using {!Poly1305} is appended to the output. This conforms to 496 - RFC 8439 Section 2.8. *) 497 - 498 - val aead_poly1305_decrypt : key:Cstruct.t -> nonce:Cstruct.t -> 499 - ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option 500 - (** [aead_poly1305_decrypt ~key ~nonce ~adata data] decrypts [data] with 501 - ChaCha20 using [key] and [nonce]. Also, the authentication tag is split 502 - off the end of [data] and verified using {!Poly1305}. This conforms to 503 - RFC 8439 Section 2.8. *) 504 498 end 505 499 506 500 (** Streaming ciphers. *)
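Review bot: The new AEAD doc comments (lines 243-256) describe the nonce requirement only as `@raise Invalid_argument if [nonce] is not of the right size`, while the removed per-module text stated the actual constraints — GCM raising on a zero-length IV (old lines 406 and 413) and CCM requiring 7 to 13 bytes (old lines 443 and 449) — and the rewritten GCM and CCM module types no longer say anything about nonce length at all. A sentence next to each `include AEAD`, e.g. `(** The [nonce] passed to [authenticate_encrypt] and [authenticate_decrypt] must be between 7 and 13 bytes long. *)` for CCM and the non-empty, 12-bytes-recommended rule for GCM, keeps that information where callers look for it. The AEAD description at lines 227-235 also never states that a nonce must not be repeated under the same key, which is the one caller obligation all three constructions depend on; one line such as `A nonce must never be reused with the same key; doing so compromises both confidentiality and integrity.` belongs there. The word `symmetrics` at line 229 should read `symmetric`.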
+48 -50
tests/test_cipher.ml
··· 135 135 let gcm_cases = 136 136 let open Cipher_block in 137 137 138 - let case ~key ~p ~a ~iv ~c ~t = 139 - (AES.GCM.of_secret (vx key), vx p, vx a, vx iv, vx c, vx t) in 138 + let case ~key ~p ~a ~nonce ~c ~t = 139 + (AES.GCM.of_secret (vx key), vx p, vx a, vx nonce, vx c, vx t) in 140 140 141 - let check (key, p, adata, iv, c, t) _ = 142 - let open AES.GCM in 143 - let { message = cdata ; tag = ctag } = 144 - AES.GCM.encrypt ~key ~iv ~adata p in 145 - let { message = pdata ; tag = ptag } = 146 - AES.GCM.decrypt ~key ~iv ~adata cdata 141 + let check (key, p, adata, nonce, c, t) _ = 142 + let cipher = AES.GCM.authenticate_encrypt ~key ~nonce ~adata p in 143 + let pdata = 144 + match AES.GCM.authenticate_decrypt ~key ~nonce ~adata cipher with 145 + | None -> assert_failure "GCM decryption broken" 146 + | Some data -> data 147 147 in 148 - assert_cs_equal ~msg:"ciphertext" c cdata ; 149 - assert_cs_equal ~msg:"encryption tag" t ctag ; 150 - assert_cs_equal ~msg:"decrypted plaintext" p pdata ; 151 - assert_cs_equal ~msg:"decryption tag" t ptag 148 + assert_cs_equal ~msg:"ciphertext" (Cstruct.append c t) cipher ; 149 + assert_cs_equal ~msg:"decrypted plaintext" p pdata 152 150 in 153 151 154 152 cases_of check [ ··· 156 154 case ~key: "00000000000000000000000000000000" 157 155 ~p: "" 158 156 ~a: "" 159 - ~iv: "000000000000000000000000" 157 + ~nonce: "000000000000000000000000" 160 158 ~c: "" 161 159 ~t: "58e2fccefa7e3061367f1d57a4e7455a" ; 162 160 case ~key: "00000000000000000000000000000000" 163 161 ~p: "00000000000000000000000000000000" 164 162 ~a: "" 165 - ~iv: "000000000000000000000000" 163 + ~nonce: "000000000000000000000000" 166 164 ~c: "0388dace60b6a392f328c2b971b2fe78" 167 165 ~t: "ab6e47d42cec13bdf53a67b21257bddf" ; 168 166 case ~key: "feffe9928665731c6d6a8f9467308308" ··· 171 169 1c3c0c95956809532fcf0e2449a6b525 172 170 b16aedf5aa0de657ba637b391aafd255" 173 171 ~a: "" 174 - ~iv: "cafebabefacedbaddecaf888" 172 + ~nonce: "cafebabefacedbaddecaf888" 175 173 
~c: "42831ec2217774244b7221b784d0d49c 176 174 e3aa212f2c02a4e035c17e2329aca12e 177 175 21d514b25466931c7d8f6a5aac84aa05 ··· 184 182 b16aedf5aa0de657ba637b39" 185 183 ~a: "feedfacedeadbeeffeedfacedeadbeef 186 184 abaddad2" 187 - ~iv: "cafebabefacedbaddecaf888" 185 + ~nonce: "cafebabefacedbaddecaf888" 188 186 ~c: "42831ec2217774244b7221b784d0d49c 189 187 e3aa212f2c02a4e035c17e2329aca12e 190 188 21d514b25466931c7d8f6a5aac84aa05 ··· 197 195 b16aedf5aa0de657ba637b39" 198 196 ~a: "feedfacedeadbeeffeedfacedeadbeef 199 197 abaddad2" 200 - ~iv: "cafebabefacedbad" 198 + ~nonce: "cafebabefacedbad" 201 199 ~c: "61353b4c2806934a777ff51fa22a4755 202 200 699b2a714fcdc6f83766e5f97b6c7423 203 201 73806900e49f24b22b097544d4896b42 ··· 210 208 b16aedf5aa0de657ba637b39" 211 209 ~a: "feedfacedeadbeeffeedfacedeadbeef 212 210 abaddad2" 213 - ~iv: "9313225df88406e555909c5aff5269aa 211 + ~nonce: "9313225df88406e555909c5aff5269aa 214 212 6a7a9538534f7da1e4c303d2a318a728 215 213 c3c0c95156809539fcf0e2429a6b5254 216 214 16aedbf5a0de6a57a637b39b" ··· 227 225 b16aedf5aa0de657ba637b39" 228 226 ~a: "feedfacedeadbeeffeedfacedeadbeef 229 227 abaddad2" 230 - ~iv: "cafebabefacedbaddecaf888" 228 + ~nonce: "cafebabefacedbaddecaf888" 231 229 ~c: "3980ca0b3c00e841eb06fac4872a2757 232 230 859e1ceaa6efd984628593b40ca1e19c 233 231 7d773d00c144c525ac619d18c84a3f47 ··· 241 239 b16aedf5aa0de657ba637b39" 242 240 ~a: "feedfacedeadbeeffeedfacedeadbeef 243 241 abaddad2" 244 - ~iv: "9313225df88406e555909c5aff5269aa 242 + ~nonce: "9313225df88406e555909c5aff5269aa 245 243 6a7a9538534f7da1e4c303d2a318a728 246 244 c3c0c95156809539fcf0e2429a6b5254 247 245 16aedbf5a0de6a57a637b39b" ··· 269 267 10101010101010100101010101010101 270 268 00000000000000000000000000000000 271 269 ff" 272 - ~iv: "000000000000000000000000" 270 + ~nonce: "000000000000000000000000" 273 271 ~c: "" 274 272 ~t: "9bfdb8fdac1be65739780c41703c0fb6"; 275 273 case ~key: "00000000000000000000000000000002" (* ctr rollover *) 276 - ~iv: "3222415d" 274 + 
~nonce: "3222415d" 277 275 ~p: "deadbeefdeadbeefdeadbeefdeadbeef 278 276 deadbeefdeadbeefdeadbeefdeadbeef 279 277 deadbeef" ··· 292 290 (of_secret ~maclen (vx key), vx p, vx a, vx nonce, vx c) in 293 291 294 292 let check (key, p, adata, nonce, c) _ = 295 - let cip = encrypt ~key ~nonce ~adata p in 293 + let cip = authenticate_encrypt ~key ~nonce ~adata p in 296 294 assert_cs_equal ~msg:"encrypt" c cip ; 297 - match decrypt ~key ~nonce ~adata c with 295 + match authenticate_decrypt ~key ~nonce ~adata c with 298 296 | Some x -> assert_cs_equal ~msg:"decrypt" p x 299 - | None -> assert_failure "decryption broken" 297 + | None -> assert_failure "CCM decryption broken" 300 298 in 301 299 302 300 cases_of check [ ··· 333 331 and plaintext = Cstruct.of_string "hello" 334 332 in 335 333 assert_cs_equal ~msg:"CCM no vs empty ad" 336 - (encrypt ~key ~nonce plaintext) 337 - (encrypt ~adata:Cstruct.empty ~key ~nonce plaintext) 334 + (authenticate_encrypt ~key ~nonce plaintext) 335 + (authenticate_encrypt ~adata:Cstruct.empty ~key ~nonce plaintext) 338 336 and short_nonce_enc _ = 339 337 (* as reported in https://github.com/mirleft/ocaml-nocrypto/issues/167 *) 340 338 (* valid nonce sizes for CCM are 7..13 (L can be 2..8, nonce is 15 - L)*) ··· 345 343 in 346 344 assert_raises ~msg:"CCM with short nonce raises" 347 345 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 0") 348 - (fun () -> encrypt ~key ~nonce plaintext) 346 + (fun () -> authenticate_encrypt ~key ~nonce plaintext) 349 347 and short_nonce_enc2 _ = 350 348 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f") 351 349 and nonce = vx "00" ··· 353 351 in 354 352 assert_raises ~msg:"CCM with short nonce raises" 355 353 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 1") 356 - (fun () -> encrypt ~key ~nonce plaintext) 354 + (fun () -> authenticate_encrypt ~key ~nonce plaintext) 357 355 and short_nonce_enc3 _ = 358 356 let key = of_secret ~maclen:16 (vx 
"000102030405060708090a0b0c0d0e0f") 359 357 and nonce = vx "000102030405" ··· 361 359 in 362 360 assert_raises ~msg:"CCM with short nonce raises" 363 361 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 6") 364 - (fun () -> encrypt ~key ~nonce plaintext) 362 + (fun () -> authenticate_encrypt ~key ~nonce plaintext) 365 363 and long_nonce_enc _ = 366 364 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f") 367 365 and nonce = vx "000102030405060708090a0b0c0d" ··· 369 367 in 370 368 assert_raises ~msg:"CCM with short nonce raises" 371 369 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 14") 372 - (fun () -> encrypt ~key ~nonce plaintext) 370 + (fun () -> authenticate_encrypt ~key ~nonce plaintext) 373 371 and enc_dec_empty_message _ = 374 372 (* as reported in https://github.com/mirleft/ocaml-nocrypto/issues/168 *) 375 373 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f") ··· 377 375 and adata = Cstruct.of_string "hello" 378 376 and p = Cstruct.empty 379 377 in 380 - let cipher = encrypt ~adata ~key ~nonce p in 381 - match decrypt ~key ~nonce ~adata cipher with 378 + let cipher = authenticate_encrypt ~adata ~key ~nonce p in 379 + match authenticate_decrypt ~key ~nonce ~adata cipher with 382 380 | Some x -> assert_cs_equal ~msg:"CCM decrypt of empty message" p x 383 381 | None -> assert_failure "decryption broken" 384 382 in ··· 395 393 let open Cipher_block.AES.GCM in 396 394 let msg = vx "000102030405060708090a0b0c0d0e0f" in 397 395 let key = of_secret msg 398 - and iv = Cstruct.empty 396 + and nonce = Cstruct.empty 399 397 in 400 - let iv_zero_length_enc _ = 398 + let nonce_zero_length_enc _ = 401 399 (* reported in https://github.com/mirleft/ocaml-nocrypto/issues/169 *) 402 - assert_raises ~msg:"GCM with iv of length 0" 403 - (Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0") 404 - (fun () -> encrypt ~key ~iv msg) 405 - and iv_zero_length_dec _ = 406 - 
assert_raises ~msg:"GCM with iv of 0" 407 - (Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0") 408 - (fun () -> decrypt ~key ~iv msg) 400 + assert_raises ~msg:"GCM with nonce of length 0" 401 + (Invalid_argument "Mirage_crypto: GCM: invalid nonce of length 0") 402 + (fun () -> authenticate_encrypt ~key ~nonce msg) 403 + and nonce_zero_length_dec _ = 404 + assert_raises ~msg:"GCM with nonce of 0" 405 + (Invalid_argument "Mirage_crypto: GCM: invalid nonce of length 0") 406 + (fun () -> authenticate_decrypt ~key ~nonce msg) 409 407 in 410 408 [ 411 - test_case iv_zero_length_enc ; 412 - test_case iv_zero_length_dec ; 409 + test_case nonce_zero_length_enc ; 410 + test_case nonce_zero_length_dec ; 413 411 ] 414 412 415 413 416 414 let chacha20_cases = 417 415 let case msg ?ctr ~key ~nonce ?(input = Cstruct.create 128) output = 418 - let key = vx key 416 + let key = Chacha20.of_secret (vx key) 419 417 and nonce = vx nonce 420 418 and output = vx output 421 419 in ··· 437 435 in 438 436 case "Chacha20 RFC 8439 2.4.2" ~ctr:1L ~key ~nonce ~input:rfc8439_input output 439 437 and rfc8439_test_2_8_2 _ = 440 - let key = vx "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" 438 + let key = Chacha20.of_secret (vx "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f") 441 439 and adata = vx "50515253c0c1c2c3c4c5c6c7" 442 440 and nonce = vx "0700000040 41424344454647" 443 441 and output = vx {| ··· 452 450 1a e1 0b 59 4f 09 e2 6a 7e 90 2e cb d0 60 06 91|} 453 451 in 454 452 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 encrypt" 455 - (Chacha20.aead_poly1305_encrypt ~key ~nonce ~adata rfc8439_input) 453 + (Chacha20.authenticate_encrypt ~key ~nonce ~adata rfc8439_input) 456 454 output; 457 455 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 decrypt" 458 - (match Chacha20.aead_poly1305_decrypt ~key ~nonce ~adata output with 459 - | Some cs -> cs | None -> assert false) 456 + (match Chacha20.authenticate_decrypt ~key ~nonce 
~adata output with 457 + | Some cs -> cs | None -> assert_failure "Chacha20/poly1305 decryption broken") 460 458 rfc8439_input; 461 459 let input = Cstruct.(shift (append (create 16) rfc8439_input) 16) in 462 460 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 encrypt 2" 463 - (Chacha20.aead_poly1305_encrypt ~key ~nonce ~adata input) 461 + (Chacha20.authenticate_encrypt ~key ~nonce ~adata input) 464 462 output; 465 463 in 466 464 (* from https://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-01 *)
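Review bot: The rebuilt GCM `check` at lines 141-149 only exercises the success path of the new authenticate_decrypt, and no test in this section feeds a modified ciphertext, tag or adata and expects `None`, so a regression that dropped the `Eqaf_cstruct.equal` comparison would still pass; the CCM and ChaCha20 checks in the same file have the same gap, since their `assert_failure` branches only fire when a valid input is rejected. A tamper case inside `check`, as sketched below, covers the rejection path with the vectors already present (every vector's output carries at least the 16-byte tag, so index 0 is always in range); the previous `assert_cs_equal` then needs a terminating `;`. `assert_equal` is the OUnit assertion alongside the `assert_failure` and `assert_raises` this file already uses.

```ocaml
  let check (key, p, adata, nonce, c, t) _ =
    let cipher = AES.GCM.authenticate_encrypt ~key ~nonce ~adata p in
    (* … unchanged: round-trip decrypt and the two assert_cs_equal checks … *)
    let tampered = Cstruct.of_string (Cstruct.to_string cipher) in
    Cstruct.set_uint8 tampered 0 (Cstruct.get_uint8 tampered 0 lxor 1);
    assert_equal ~msg:"GCM tampered input rejected" None
      (AES.GCM.authenticate_decrypt ~key ~nonce ~adata tampered)
```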