···11+module type AEAD = sig
22+ type key
33+ val authenticate_encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
44+ Cstruct.t -> Cstruct.t
55+ val authenticate_decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
66+ Cstruct.t -> Cstruct.t option
77+end
+6-6
src/ccm.ml
···78787979type mode = Encrypt | Decrypt
80808181-let crypto_core ~cipher ~mode ~key ~nonce ~maclen ?(adata = Cstruct.empty) data =
8181+let crypto_core ~cipher ~mode ~key ~nonce ~maclen ~adata data =
8282 let datalen = Cstruct.len data in
8383 let cbcheader = prepare_header nonce adata datalen maclen in
8484 let target = Cstruct.create datalen in
···146146 if nsize < 7 || nsize > 13 then
147147 invalid_arg "CCM: nonce length not between 7 and 13: %d" nsize
148148149149-let generation_encryption ~cipher ~key ~nonce ~maclen ?adata data =
149149+let generation_encryption ~cipher ~key ~nonce ~maclen ~adata data =
150150 valid_nonce nonce;
151151- let cdata, t = crypto_core ~cipher ~mode:Encrypt ~key ~nonce ~maclen ?adata data in
151151+ let cdata, t = crypto_core ~cipher ~mode:Encrypt ~key ~nonce ~maclen ~adata data in
152152 crypto_t t nonce cipher key ;
153153 cdata <+> t
154154155155-let decryption_verification ~cipher ~key ~nonce ~maclen ?adata data =
155155+let decryption_verification ~cipher ~key ~nonce ~maclen ~adata data =
156156 valid_nonce nonce;
157157 if Cstruct.len data < maclen then
158158 None
159159 else
160160 let pclen = Cstruct.len data - maclen in
161161- let cdata, t = crypto_core ~cipher ~mode:Decrypt ~key ~nonce ~maclen ?adata (Cstruct.sub data 0 pclen) in
161161+ let cdata, t = crypto_core ~cipher ~mode:Decrypt ~key ~nonce ~maclen ~adata (Cstruct.sub data 0 pclen) in
162162 let t' = Cs.clone (Cstruct.sub data pclen maclen) in
163163 crypto_t t' nonce cipher key ;
164164- match Cstruct.equal t' t with
164164+ match Eqaf_cstruct.equal t' t with
165165 | true -> Some cdata
166166 | false -> None
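Review bot: The switch to `Eqaf_cstruct.equal` for the tag check in `decryption_verification` is correct but the reason is not recorded, so a later cleanup could quietly revert it to `Cstruct.equal`; I would put `(* constant-time compare: a short-circuiting equality leaks how many tag bytes matched *)` directly above the `match`. It is also worth a one-line comment that CCM's CBC-MAC is computed over the plaintext, so `crypto_core` necessarily decrypts before the tag can be checked and the decrypted buffer must only escape on the `Some` branch (which it does); that distinguishes this module from the GCM and ChaCha20-Poly1305 decrypt paths in the same change, where the tag does not depend on the plaintext. `crypto_core`'s body continues outside the hunk.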
+7-3
src/chacha20.ml
···4455let block = 64
6677+type key = Cstruct.t
88+99+let of_secret a = a
1010+711let chacha20_block state idx key_stream =
812 Native.Chacha.round 10 state.Cstruct.buffer 0 key_stream.Cstruct.buffer idx
913···7882 let ctx = P.feed ctx len in
7983 P.get ctx
80848181-let aead_poly1305_encrypt ~key ~nonce ?(adata = Cstruct.empty) data =
8585+let authenticate_encrypt ~key ~nonce ?(adata = Cstruct.empty) data =
8286 let poly1305_key = generate_poly1305_key ~key ~nonce in
8387 let ciphertext = crypt ~key ~nonce ~ctr:1L data in
8488 let mac = mac ~key:poly1305_key ~adata ciphertext in
8589 Cstruct.append ciphertext mac
86908787-let aead_poly1305_decrypt ~key ~nonce ?(adata = Cstruct.empty) data =
9191+let authenticate_decrypt ~key ~nonce ?(adata = Cstruct.empty) data =
8892 if Cstruct.len data < P.mac_size then
8993 None
9094 else
···9296 let poly1305_key = generate_poly1305_key ~key ~nonce in
9397 let ctag = mac ~key:poly1305_key ~adata cipher in
9498 let plain = crypt ~key ~nonce ~ctr:1L cipher in
9595- if Cstruct.equal tag ctag then Some plain else None
9999+ if Eqaf_cstruct.equal tag ctag then Some plain else None
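Review bot: `of_secret` is the identity on `Cstruct.t`, so the new abstract `key` type gives no guarantee about key length; the `crypt` documentation in the `.mli` says the key must be 16 or 32 bytes, and if `crypt` does not enforce that itself (its body is not in this hunk) a wrong-size key is accepted here and only fails, or is silently misused, later. I would validate at construction: `let of_secret a = match Cstruct.len a with 16 | 32 -> a | n -> invalid_arg "Chacha20: invalid key length %d" n` (confirm the printf-style `invalid_arg` wrapper used in ccm.ml is in scope in this module). Separately, `authenticate_decrypt` decrypts (`let plain = crypt ...`) before comparing tags; since Poly1305 is computed over the ciphertext the order can be swapped so no work is done on unauthenticated data: `if Eqaf_cstruct.equal tag ctag then Some (crypt ~key ~nonce ~ctr:1L cipher) else None`.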
+33-27
src/cipher_block.ml
···6363 end
64646565 module type GCM = sig
6666- type key
6767- type result = { message : Cstruct.t ; tag : Cstruct.t }
6666+ include Aead.AEAD
6867 val of_secret : Cstruct.t -> key
69687069 val key_sizes : int array
7170 val block_size : int
7272- val encrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
7373- val decrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
7171+ val tag_size : int
7472 end
75737674 module type CCM = sig
7777- type key
7575+ include Aead.AEAD
7876 val of_secret : maclen:int -> Cstruct.t -> key
79778078 val key_sizes : int array
8179 val block_size : int
8280 val mac_sizes : int array
8383- val encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t
8484- val decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option
8581 end
8682end
8783···238234 type key
239235 val derive : Cstruct.t -> key
240236 val digesti : key:key -> (Cstruct.t Uncommon.iter) -> Cstruct.t
237237+ val tagsize : int
241238 end = struct
242239 type key = bytes
243240 let keysize = Native.GHASH.keysize ()
241241+ let tagsize = 16
244242 let derive cs =
245245- assert (cs.len >= 16);
243243+ assert (cs.len >= tagsize);
246244 let k = Bytes.create keysize in
247245 Native.GHASH.keyinit cs.buffer cs.off k; k
248248- let _cs = create_unsafe 16
249249- let hash0 = Bytes.make 16 '\x00'
246246+ let _cs = create_unsafe tagsize
247247+ let hash0 = Bytes.make tagsize '\x00'
250248 let digesti ~key i = (* Clobbers `_cs`! *)
251249 let res = Bytes.copy hash0 in
252250 i (fun cs -> Native.GHASH.ghash key res cs.buffer cs.off cs.len);
253253- blit_from_bytes res 0 _cs 0 16; _cs
251251+ blit_from_bytes res 0 _cs 0 tagsize; _cs
254252 end
255253256254 module GCM_of (C : S.Core) : S.GCM = struct
···259257 module CTR = CTR_of (C) (Counters.C128be32)
260258261259 type key = { key : C.ekey ; hkey : GHASH.key }
262262- type result = { message : Cstruct.t ; tag : Cstruct.t }
263260261261+ let tag_size = GHASH.tagsize
264262 let key_sizes, block_size = C.(key, block)
265263 let z128, h = create block_size, create block_size
266264···273271 let pack64s = let _cs = create_unsafe 16 in fun a b ->
274272 BE.set_uint64 _cs 0 a; BE.set_uint64 _cs 8 b; _cs
275273276276- let counter ~hkey iv = match len iv with
277277- | 0 -> invalid_arg "GCM: invalid IV of length 0"
278278- | 12 -> let (w1, w2) = BE.get_uint64 iv 0, BE.get_uint32 iv 8 in
274274+ let counter ~hkey nonce = match len nonce with
275275+ | 0 -> invalid_arg "GCM: invalid nonce of length 0"
276276+ | 12 -> let (w1, w2) = BE.get_uint64 nonce 0, BE.get_uint32 nonce 8 in
279277 (w1, Int64.(shift_left (of_int32 w2) 32 |> add 1L))
280278 | _ -> CTR.ctr_of_cstruct @@
281281- GHASH.digesti ~key:hkey @@ iter2 iv (pack64s 0L (bits64 iv))
279279+ GHASH.digesti ~key:hkey @@ iter2 nonce (pack64s 0L (bits64 nonce))
282280283281 let tag ~key ~hkey ~ctr ?(adata=Cstruct.empty) cdata =
284282 CTR.encrypt ~key ~ctr @@
285283 GHASH.digesti ~key:hkey @@
286284 iter3 adata cdata (pack64s (bits64 adata) (bits64 cdata))
287285288288- let encrypt ~key:{ key; hkey } ~iv ?adata data =
289289- let ctr = counter ~hkey iv in
286286+ let authenticate_encrypt ~key:{ key; hkey } ~nonce ?adata data =
287287+ let ctr = counter ~hkey nonce in
290288 let cdata = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) data) in
291291- { message = cdata ; tag = tag ~key ~hkey ~ctr ?adata cdata }
289289+ let ctag = tag ~key ~hkey ~ctr ?adata cdata in
290290+ Cstruct.append cdata ctag
292291293293- let decrypt ~key:{ key; hkey } ~iv ?adata cdata =
294294- let ctr = counter ~hkey iv in
295295- let data = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cdata) in
296296- { message = data ; tag = tag ~key ~hkey ~ctr ?adata cdata }
292292+ let authenticate_decrypt ~key:{ key; hkey } ~nonce ?adata cdata =
293293+ let ctr = counter ~hkey nonce in
294294+ if Cstruct.len cdata < tag_size then
295295+ None
296296+ else
297297+ let cipher, tag_data =
298298+ Cstruct.split cdata (Cstruct.len cdata - tag_size)
299299+ in
300300+ let data = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cipher) in
301301+ let ctag = tag ~key ~hkey ~ctr ?adata cipher in
302302+ if Eqaf_cstruct.equal tag_data ctag then Some data else None
297303 end
298304299305 module CCM_of (C : S.Core) : S.CCM = struct
···316322 invalid_arg "src len %d, dst len %d" src.len dst.len;
317323 C.encrypt ~key ~blocks:1 src.buffer src.off dst.buffer dst.off
318324319319- let encrypt ~key:{key; maclen} ~nonce ?adata cs =
320320- Ccm.generation_encryption ~cipher ~key ~nonce ~maclen ?adata cs
325325+ let authenticate_encrypt ~key:{key; maclen} ~nonce ?(adata = Cstruct.empty) cs =
326326+ Ccm.generation_encryption ~cipher ~key ~nonce ~maclen ~adata cs
321327322322- let decrypt ~key:{key; maclen} ~nonce ?adata cs =
323323- Ccm.decryption_verification ~cipher ~key ~nonce ~maclen ?adata cs
328328+ let authenticate_decrypt ~key:{key; maclen} ~nonce ?(adata = Cstruct.empty) cs =
329329+ Ccm.decryption_verification ~cipher ~key ~nonce ~maclen ~adata cs
324330 end
325331end
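Review bot: `authenticate_decrypt` in `GCM_of` runs the CTR pass (`let data = CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cipher)`) before the tag is verified; the GCM tag covers only `adata` and the ciphertext, so the check does not need the plaintext and the natural verify-then-decrypt order is `let ctag = tag ~key ~hkey ~ctr ?adata cipher in` followed by `if Eqaf_cstruct.equal tag_data ctag then Some CTR.(encrypt ~key ~ctr:(add_ctr ctr 1L) cipher) else None`. That avoids producing plaintext from unauthenticated input and skips the CTR work on a forged message. `counter ~hkey nonce` is evaluated before the `len cdata < tag_size` guard, which is intentional (an empty nonce must raise regardless of input length, as the tests expect) but deserves a short comment so the ordering is not "tidied" later. The new `let tagsize = 16` in the GHASH module would also benefit from `(* the tag is the full 16-byte GHASH output; callers split it off the ciphertext *)`.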
326332
···224224225225(** {1 Symmetric-key cryptography} *)
226226227227+(** Authenticated encryption with associated data.
228228+229229+ This defines a uniform interface of symmetrics cryptographic algorithms
230230+ which encrypt, and also protect the integrity of the data. Additional data,
231231+ only used for integrity protection, not encrypted and not part of the
232232+ ciphertext, can be passed in optionally. This prevents the same ciphertext
233233+ being used at a different location. See
234234+ {{:https://tools.ietf.org/html/rfc5116}RFC 5116} for further description.
235235+*)
236236+module type AEAD = sig
237237+238238+ type key
239239+ (** The abstract type for the key. *)
240240+241241+ val authenticate_encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
242242+ Cstruct.t -> Cstruct.t
243243+ (** [authenticate_encrypt ~key ~nonce ~adata msg] encrypts [msg] with [key]
244244+ and [nonce], and appends an authentication tag computed over the encrypted
245245+ [msg], using [key], [nonce], and [adata].
246246+247247+ @raise Invalid_argument if [nonce] is not of the right size. *)
248248+249249+ val authenticate_decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t ->
250250+ Cstruct.t -> Cstruct.t option
251251+ (** [authenticate_decrypt ~key ~nonce ~adata msg] splits [msg] into encrypted
252252+ data and authentication tag, computes the authentication tag using [key],
253253+ [nonce], and [adata], and decrypts the encrypted data. If the
254254+ authentication tags match, the decrypted data is returned.
255255+256256+ @raise Invalid_argument if [nonce] is not of the right size. *)
257257+end
258258+227259(** Block ciphers.
228260229261 Each algorithm, and each mode of operation, is contained in its own separate
···381413 (** {e Galois/Counter Mode}. *)
382414 module type GCM = sig
383415384384- type key
385385-386386- type result = { message : Cstruct.t ; tag : Cstruct.t }
387387- (** The transformed message, packed with the authentication tag. *)
416416+ include AEAD
388417389418 val of_secret : Cstruct.t -> key
390419 (** Construct the encryption key corresponding to [secret].
···398427 val block_size : int
399428 (** The size of a single block. *)
400429401401- val encrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
402402- (** [encrypt ~key ~iv ?adata msg] is the {{!result}[result]} containing
403403- [msg] encrypted under [key], with [iv] as the initialization vector,
404404- and the authentication tag computed over both [adata] and [msg].
405405-406406- @raise Invalid_argument if the length [iv] is 0.
407407- *)
408408-409409- val decrypt : key:key -> iv:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> result
410410- (** [decrypt ~key ~iv ?adata msg] is the result containing the inversion
411411- of [encrypt] and the same authentication tag.
412412-413413- @raise Invalid_argument if the length [iv] is 0.
414414- *)
430430+ val tag_size : int
431431+ (** The size of the authentication tag. *)
415432 end
416433417434 (** {e Counter with CBC-MAC} mode. *)
418435 module type CCM = sig
419436420420- type key
437437+ include AEAD
421438422439 val of_secret : maclen:int -> Cstruct.t -> key
423440 (** Construct the encryption key corresponding to [secret], that will
···434451435452 val mac_sizes : int array
436453 (** [MAC] lengths allowed with this cipher. *)
437437-438438- val encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t
439439- (** [encrypt ~key ~nonce ?adata msg] is [msg] encrypted under [key] and
440440- [nonce], packed with authentication data computed over [msg] and
441441- [adata].
442442-443443- @raise Invalid_argument if [nonce] is not between 7 and 13 bytes long. *)
444444-445445- val decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option
446446- (** [decrypt ~key ~nonce ?adata msg] is [Some text] when [msg] was
447447- produced by the corresponding [encrypt], or [None] otherwise.
448448-449449- @raise Invalid_argument if [nonce] is not between 7 and 13 bytes long. *)
450454 end
451455 end
452456···473477474478(** The ChaCha20 cipher proposed by D.J. Bernstein. *)
475479module Chacha20 : sig
476476- val crypt : key:Cstruct.t -> nonce:Cstruct.t -> ?ctr:int64 -> Cstruct.t -> Cstruct.t
480480+ include AEAD
481481+482482+ val of_secret : Cstruct.t -> key
483483+484484+ val crypt : key:key -> nonce:Cstruct.t -> ?ctr:int64 -> Cstruct.t -> Cstruct.t
477485 (** [crypt ~key ~nonce ~ctr data] generates a ChaCha20 key stream using
478486 the [key], and [nonce]. The [ctr] defaults to 0. The generated key
479487 stream is of the same length as [data], and the output is the XOR
···487495 IETF mode (and counter fit into 32 bits), or [key] must be either 16
488496 bytes or 32 bytes and [nonce] 8 bytes.
489497 *)
490490-491491- val aead_poly1305_encrypt : key:Cstruct.t -> nonce:Cstruct.t ->
492492- ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t
493493- (** [aead_poly1305_encrypt ~key ~nonce ~adata data] encrypts [data]
494494- with ChaCha20 using [key] and [nonce]. Additionally, an authentication
495495- tag using {!Poly1305} is appended to the output. This conforms to
496496- RFC 8439 Section 2.8. *)
497497-498498- val aead_poly1305_decrypt : key:Cstruct.t -> nonce:Cstruct.t ->
499499- ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option
500500- (** [aead_poly1305_decrypt ~key ~nonce ~adata data] decrypts [data] with
501501- ChaCha20 using [key] and [nonce]. Also, the authentication tag is split
502502- off the end of [data] and verified using {!Poly1305}. This conforms to
503503- RFC 8439 Section 2.8. *)
504498end
505499506500(** Streaming ciphers. *)
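Review bot: The new `AEAD` documentation omits the property callers most need: a nonce must never be reused under the same key, since for GCM and ChaCha20-Poly1305 a repeated (key, nonce) pair breaks confidentiality and enables tag forgery; add to the module-type comment something like `A [nonce] must be unique for each message encrypted under a given [key]; reuse compromises both confidentiality and integrity.` The `authenticate_decrypt` comment should state what `None` means, i.e. tag mismatch or an input shorter than the tag, and the `Chacha20` `include AEAD` drops the previous note that the AEAD construction follows RFC 8439 Section 2.8 with a 12-byte nonce, which I would keep as a comment above the `include`. Two wording fixes in the same comment: "symmetrics cryptographic algorithms" should read "symmetric cryptographic algorithms", and "This prevents the same ciphertext being used at a different location" is clearer as "Binding associated data to the ciphertext prevents it from being replayed in a different context."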
+48-50
tests/test_cipher.ml
···135135let gcm_cases =
136136 let open Cipher_block in
137137138138- let case ~key ~p ~a ~iv ~c ~t =
139139- (AES.GCM.of_secret (vx key), vx p, vx a, vx iv, vx c, vx t) in
138138+ let case ~key ~p ~a ~nonce ~c ~t =
139139+ (AES.GCM.of_secret (vx key), vx p, vx a, vx nonce, vx c, vx t) in
140140141141- let check (key, p, adata, iv, c, t) _ =
142142- let open AES.GCM in
143143- let { message = cdata ; tag = ctag } =
144144- AES.GCM.encrypt ~key ~iv ~adata p in
145145- let { message = pdata ; tag = ptag } =
146146- AES.GCM.decrypt ~key ~iv ~adata cdata
141141+ let check (key, p, adata, nonce, c, t) _ =
142142+ let cipher = AES.GCM.authenticate_encrypt ~key ~nonce ~adata p in
143143+ let pdata =
144144+ match AES.GCM.authenticate_decrypt ~key ~nonce ~adata cipher with
145145+ | None -> assert_failure "GCM decryption broken"
146146+ | Some data -> data
147147 in
148148- assert_cs_equal ~msg:"ciphertext" c cdata ;
149149- assert_cs_equal ~msg:"encryption tag" t ctag ;
150150- assert_cs_equal ~msg:"decrypted plaintext" p pdata ;
151151- assert_cs_equal ~msg:"decryption tag" t ptag
148148+ assert_cs_equal ~msg:"ciphertext" (Cstruct.append c t) cipher ;
149149+ assert_cs_equal ~msg:"decrypted plaintext" p pdata
152150 in
153151154152 cases_of check [
···156154 case ~key: "00000000000000000000000000000000"
157155 ~p: ""
158156 ~a: ""
159159- ~iv: "000000000000000000000000"
157157+ ~nonce: "000000000000000000000000"
160158 ~c: ""
161159 ~t: "58e2fccefa7e3061367f1d57a4e7455a" ;
162160 case ~key: "00000000000000000000000000000000"
163161 ~p: "00000000000000000000000000000000"
164162 ~a: ""
165165- ~iv: "000000000000000000000000"
163163+ ~nonce: "000000000000000000000000"
166164 ~c: "0388dace60b6a392f328c2b971b2fe78"
167165 ~t: "ab6e47d42cec13bdf53a67b21257bddf" ;
168166 case ~key: "feffe9928665731c6d6a8f9467308308"
···171169 1c3c0c95956809532fcf0e2449a6b525
172170 b16aedf5aa0de657ba637b391aafd255"
173171 ~a: ""
174174- ~iv: "cafebabefacedbaddecaf888"
172172+ ~nonce: "cafebabefacedbaddecaf888"
175173 ~c: "42831ec2217774244b7221b784d0d49c
176174 e3aa212f2c02a4e035c17e2329aca12e
177175 21d514b25466931c7d8f6a5aac84aa05
···184182 b16aedf5aa0de657ba637b39"
185183 ~a: "feedfacedeadbeeffeedfacedeadbeef
186184 abaddad2"
187187- ~iv: "cafebabefacedbaddecaf888"
185185+ ~nonce: "cafebabefacedbaddecaf888"
188186 ~c: "42831ec2217774244b7221b784d0d49c
189187 e3aa212f2c02a4e035c17e2329aca12e
190188 21d514b25466931c7d8f6a5aac84aa05
···197195 b16aedf5aa0de657ba637b39"
198196 ~a: "feedfacedeadbeeffeedfacedeadbeef
199197 abaddad2"
200200- ~iv: "cafebabefacedbad"
198198+ ~nonce: "cafebabefacedbad"
201199 ~c: "61353b4c2806934a777ff51fa22a4755
202200 699b2a714fcdc6f83766e5f97b6c7423
203201 73806900e49f24b22b097544d4896b42
···210208 b16aedf5aa0de657ba637b39"
211209 ~a: "feedfacedeadbeeffeedfacedeadbeef
212210 abaddad2"
213213- ~iv: "9313225df88406e555909c5aff5269aa
211211+ ~nonce: "9313225df88406e555909c5aff5269aa
214212 6a7a9538534f7da1e4c303d2a318a728
215213 c3c0c95156809539fcf0e2429a6b5254
216214 16aedbf5a0de6a57a637b39b"
···227225 b16aedf5aa0de657ba637b39"
228226 ~a: "feedfacedeadbeeffeedfacedeadbeef
229227 abaddad2"
230230- ~iv: "cafebabefacedbaddecaf888"
228228+ ~nonce: "cafebabefacedbaddecaf888"
231229 ~c: "3980ca0b3c00e841eb06fac4872a2757
232230 859e1ceaa6efd984628593b40ca1e19c
233231 7d773d00c144c525ac619d18c84a3f47
···241239 b16aedf5aa0de657ba637b39"
242240 ~a: "feedfacedeadbeeffeedfacedeadbeef
243241 abaddad2"
244244- ~iv: "9313225df88406e555909c5aff5269aa
242242+ ~nonce: "9313225df88406e555909c5aff5269aa
245243 6a7a9538534f7da1e4c303d2a318a728
246244 c3c0c95156809539fcf0e2429a6b5254
247245 16aedbf5a0de6a57a637b39b"
···269267 10101010101010100101010101010101
270268 00000000000000000000000000000000
271269 ff"
272272- ~iv: "000000000000000000000000"
270270+ ~nonce: "000000000000000000000000"
273271 ~c: ""
274272 ~t: "9bfdb8fdac1be65739780c41703c0fb6";
275273 case ~key: "00000000000000000000000000000002" (* ctr rollover *)
276276- ~iv: "3222415d"
274274+ ~nonce: "3222415d"
277275 ~p: "deadbeefdeadbeefdeadbeefdeadbeef
278276 deadbeefdeadbeefdeadbeefdeadbeef
279277 deadbeef"
···292290 (of_secret ~maclen (vx key), vx p, vx a, vx nonce, vx c) in
293291294292 let check (key, p, adata, nonce, c) _ =
295295- let cip = encrypt ~key ~nonce ~adata p in
293293+ let cip = authenticate_encrypt ~key ~nonce ~adata p in
296294 assert_cs_equal ~msg:"encrypt" c cip ;
297297- match decrypt ~key ~nonce ~adata c with
295295+ match authenticate_decrypt ~key ~nonce ~adata c with
298296 | Some x -> assert_cs_equal ~msg:"decrypt" p x
299299- | None -> assert_failure "decryption broken"
297297+ | None -> assert_failure "CCM decryption broken"
300298 in
301299302300 cases_of check [
···333331 and plaintext = Cstruct.of_string "hello"
334332 in
335333 assert_cs_equal ~msg:"CCM no vs empty ad"
336336- (encrypt ~key ~nonce plaintext)
337337- (encrypt ~adata:Cstruct.empty ~key ~nonce plaintext)
334334+ (authenticate_encrypt ~key ~nonce plaintext)
335335+ (authenticate_encrypt ~adata:Cstruct.empty ~key ~nonce plaintext)
338336 and short_nonce_enc _ =
339337 (* as reported in https://github.com/mirleft/ocaml-nocrypto/issues/167 *)
340338 (* valid nonce sizes for CCM are 7..13 (L can be 2..8, nonce is 15 - L)*)
···345343 in
346344 assert_raises ~msg:"CCM with short nonce raises"
347345 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 0")
348348- (fun () -> encrypt ~key ~nonce plaintext)
346346+ (fun () -> authenticate_encrypt ~key ~nonce plaintext)
349347 and short_nonce_enc2 _ =
350348 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f")
351349 and nonce = vx "00"
···353351 in
354352 assert_raises ~msg:"CCM with short nonce raises"
355353 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 1")
356356- (fun () -> encrypt ~key ~nonce plaintext)
354354+ (fun () -> authenticate_encrypt ~key ~nonce plaintext)
357355 and short_nonce_enc3 _ =
358356 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f")
359357 and nonce = vx "000102030405"
···361359 in
362360 assert_raises ~msg:"CCM with short nonce raises"
363361 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 6")
364364- (fun () -> encrypt ~key ~nonce plaintext)
362362+ (fun () -> authenticate_encrypt ~key ~nonce plaintext)
365363 and long_nonce_enc _ =
366364 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f")
367365 and nonce = vx "000102030405060708090a0b0c0d"
···369367 in
370368 assert_raises ~msg:"CCM with short nonce raises"
371369 (Invalid_argument "Mirage_crypto: CCM: nonce length not between 7 and 13: 14")
372372- (fun () -> encrypt ~key ~nonce plaintext)
370370+ (fun () -> authenticate_encrypt ~key ~nonce plaintext)
373371 and enc_dec_empty_message _ =
374372 (* as reported in https://github.com/mirleft/ocaml-nocrypto/issues/168 *)
375373 let key = of_secret ~maclen:16 (vx "000102030405060708090a0b0c0d0e0f")
···377375 and adata = Cstruct.of_string "hello"
378376 and p = Cstruct.empty
379377 in
380380- let cipher = encrypt ~adata ~key ~nonce p in
381381- match decrypt ~key ~nonce ~adata cipher with
378378+ let cipher = authenticate_encrypt ~adata ~key ~nonce p in
379379+ match authenticate_decrypt ~key ~nonce ~adata cipher with
382380 | Some x -> assert_cs_equal ~msg:"CCM decrypt of empty message" p x
383381 | None -> assert_failure "decryption broken"
384382 in
···395393 let open Cipher_block.AES.GCM in
396394 let msg = vx "000102030405060708090a0b0c0d0e0f" in
397395 let key = of_secret msg
398398- and iv = Cstruct.empty
396396+ and nonce = Cstruct.empty
399397 in
400400- let iv_zero_length_enc _ =
398398+ let nonce_zero_length_enc _ =
401399 (* reported in https://github.com/mirleft/ocaml-nocrypto/issues/169 *)
402402- assert_raises ~msg:"GCM with iv of length 0"
403403- (Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0")
404404- (fun () -> encrypt ~key ~iv msg)
405405- and iv_zero_length_dec _ =
406406- assert_raises ~msg:"GCM with iv of 0"
407407- (Invalid_argument "Mirage_crypto: GCM: invalid IV of length 0")
408408- (fun () -> decrypt ~key ~iv msg)
400400+ assert_raises ~msg:"GCM with nonce of length 0"
401401+ (Invalid_argument "Mirage_crypto: GCM: invalid nonce of length 0")
402402+ (fun () -> authenticate_encrypt ~key ~nonce msg)
403403+ and nonce_zero_length_dec _ =
404404+ assert_raises ~msg:"GCM with nonce of 0"
405405+ (Invalid_argument "Mirage_crypto: GCM: invalid nonce of length 0")
406406+ (fun () -> authenticate_decrypt ~key ~nonce msg)
409407 in
410408 [
411411- test_case iv_zero_length_enc ;
412412- test_case iv_zero_length_dec ;
409409+ test_case nonce_zero_length_enc ;
410410+ test_case nonce_zero_length_dec ;
413411 ]
414412415413416414let chacha20_cases =
417415 let case msg ?ctr ~key ~nonce ?(input = Cstruct.create 128) output =
418418- let key = vx key
416416+ let key = Chacha20.of_secret (vx key)
419417 and nonce = vx nonce
420418 and output = vx output
421419 in
···437435 in
438436 case "Chacha20 RFC 8439 2.4.2" ~ctr:1L ~key ~nonce ~input:rfc8439_input output
439437 and rfc8439_test_2_8_2 _ =
440440- let key = vx "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f"
438438+ let key = Chacha20.of_secret (vx "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
441439 and adata = vx "50515253c0c1c2c3c4c5c6c7"
442440 and nonce = vx "0700000040 41424344454647"
443441 and output = vx {|
···452450 1a e1 0b 59 4f 09 e2 6a 7e 90 2e cb d0 60 06 91|}
453451 in
454452 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 encrypt"
455455- (Chacha20.aead_poly1305_encrypt ~key ~nonce ~adata rfc8439_input)
453453+ (Chacha20.authenticate_encrypt ~key ~nonce ~adata rfc8439_input)
456454 output;
457455 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 decrypt"
458458- (match Chacha20.aead_poly1305_decrypt ~key ~nonce ~adata output with
459459- | Some cs -> cs | None -> assert false)
456456+ (match Chacha20.authenticate_decrypt ~key ~nonce ~adata output with
457457+ | Some cs -> cs | None -> assert_failure "Chacha20/poly1305 decryption broken")
460458 rfc8439_input;
461459 let input = Cstruct.(shift (append (create 16) rfc8439_input) 16) in
462460 assert_cs_equal ~msg:"Chacha20/Poly1305 RFC 8439 2.8.2 encrypt 2"
463463- (Chacha20.aead_poly1305_encrypt ~key ~nonce ~adata input)
461461+ (Chacha20.authenticate_encrypt ~key ~nonce ~adata input)
464462 output;
465463 in
466464 (* from https://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-01 *)