releasing key guide under CC 4.0 BY-SA

cipher/aes/aes128/gcm/TODO

@@ -0,0 +1,3 @@
+TODO
+
+I need to look further into the aes128-gcm@openssh.com variant to see if this is valid.

cipher/aes/aes256/gcm/TODO

@@ -0,0 +1,3 @@
+TODO
+
+I need to look further into the aes256-gcm@openssh.com variant to see if this is valid.

cipher/chacha20/poly1305/TODO

@@ -1 +1,14 @@
 TODO
+
+I need to fork out the chacha20-poly1305 pkg from golang x-stdlib
+(
+	https://pkg.go.dev/golang.org/x/crypto/chacha20poly1305
+	https://cs.opensource.google/go/x/crypto/+/master:chacha20poly1305/
+	https://github.com/golang/go/issues/36646
+)
+because they explicitly do NOT support the chacha20-poly1305 OpenSSH variant (chacha20-poly1305@openssh.com)
+(https://github.com/golang/go/issues/36646#issue-552055939
+"and there is exactly one widely used (or otherwise) composition:
+ ChaCha20Poly1305 as implemented by x/crypto/chacha20poly1305 (or by SSH in their weird variant)"
+
+sidenote, this is the same guy that decided it would be a good idea to deprecate golang x-stdlib gpg).

cipher/chacha20/poly1305/consts.go

@@ -1,5 +1,6 @@
 package poly1305
 
 const (
-	Name string = "chacha20-poly1305@openssh.com"
+	Name      string = "chacha20-poly1305@openssh.com"
+	BlockSize int    = 8
 )

cipher/chacha20/poly1305/funcs.go

@@ -4,8 +4,7 @@ import (
 	`bytes`
 	`io`
 
-	`r00t2.io/sshkeys/cipher/aes`
-	`r00t2.io/sshkeys/cipher/aes/aes128`
+	`r00t2.io/cc20p1305ssh`
 	`r00t2.io/sshkeys/internal`
 )
 
@@ -39,7 +38,7 @@ func (c *Cipher) NameBytes() (name []byte) {
 // BlockSize returns the blocksize of this Cipher.
 func (c *Cipher) BlockSize() (size int) {
 
-	size = aes.BlockSize
+	size = BlockSize
 
 	return
 }
@@ -47,7 +46,7 @@ func (c *Cipher) BlockSize() (size int) {
 // KdfKeySize returns the target key length from KDF to use with this Cipher.
 func (c *Cipher) KdfKeySize() (size int) {
 
-	size = aes128.KeySize
+	size = cc20p1305ssh.KeySize
 
 	return
 }

cipher/chacha20/poly1305/types.go

@@ -1,5 +1,22 @@
 package poly1305
 
+/*
+	Cipher is a ChaCha20-Poly1305 (OpenSSH variant) cipher.Cipher.
+
+	In the OpenSSH variant (for *key* encryption), only the first
+	32 bytes is used from the 64-byte key as generated from ChaCha20.
+
+	It then proceeds per https://datatracker.ietf.org/doc/html/rfc8439#section-2.8
+	except:
+
+		* The nonce used is a constant of 16 zero bytes
+		* There is no additional authenticated data
+		* The Poly1305 authentication tag is generated via a message
+		  that consists *only* of the ciphertext.
+		  In other words, OpenSSH does *not* add padding or
+		  encode message lengths to generate the Poly1305
+		  authentication tag.
+*/
 type Cipher struct {
 	Key []byte
 }

cipher/null/consts.go

@@ -0,0 +1,6 @@
+package null
+
+const (
+	Name      string = ""
+	BlockSize int    = 8
+)

cipher/null/funcs.go

@@ -1,17 +1,26 @@
 package null
 
 import (
-	`bytes`
-	`io`
+	"bytes"
 
-	`r00t2.io/sshkeys/cipher/aes`
-	`r00t2.io/sshkeys/cipher/aes/aes128`
-	`r00t2.io/sshkeys/internal`
+	`r00t2.io/sshkeys/cipher`
+	"r00t2.io/sshkeys/internal"
 )
 
+/*
+	Setup populates a Cipher from a key.
+
+	This is basically a no-op as null.Cipher does not offer any encryption, so there's no setup necessary.
+*/
 func (c *Cipher) Setup(key []byte) (err error) {
 
-	// TODO
+	if c == nil {
+		*c = Cipher{}
+	}
+
+	if err = c.keyChk(); err != nil {
+		return
+	}
 
 	return
 }
@@ -39,21 +48,26 @@ func (c *Cipher) NameBytes() (name []byte) {
 // BlockSize returns the blocksize of this Cipher.
 func (c *Cipher) BlockSize() (size int) {
 
-	size = aes.BlockSize
-
-	return
-}
-
-// KdfKeySize returns the target key length from KDF to use with this Cipher.
-func (c *Cipher) KdfKeySize() (size int) {
-
-	size = aes128.KeySize
+	size = BlockSize
 
 	return
 }
 
 /*
-	Encrypt encrypts data (a string, []byte, byte, *bytes.Buffer, or *bytes.Reader) to the *bytes.Reader encrypted.
+	KdfKeySize returns the target key length from KDF to use with this Cipher.
+
+	Because this function is only here for interface compat, it always returns 0
+	(as a Null cipher uses no KDF).
+*/
+func (c *Cipher) KdfKeySize() (size int) {
+
+	size = 0
+
+	return
+}
+
+/*
+	Encrypt "encrypts" data (a string, []byte, byte, *bytes.Buffer, or *bytes.Reader) to the *bytes.Reader encrypted.
 
 	NOTE: Padding IS applied automatically.
 
@@ -61,31 +75,15 @@ func (c *Cipher) KdfKeySize() (size int) {
 		  It is up to the caller to consume the buffer as desired beforehand or isolate to a specific sub-buffer beforehand to pass to Cipher.Encrypt.
 
 	NOTE: If data is a *bytes.Reader, ALL bytes WILL be consumed.
+
+	NOTE: No actual encryption takes place, only padding.
 */
 func (c *Cipher) Encrypt(data interface{}) (encrypted *bytes.Reader, err error) {
 
-	var b []byte
-	var cryptDst []byte
-	var padded *bytes.Reader
-
-	if b, err = internal.SerializeData(data); err != nil {
+	if encrypted, err = c.Pad(data); err != nil {
 		return
 	}
 
-	if padded, err = c.Pad(b); err != nil {
-		return
-	}
-
-	b = make([]byte, padded.Len())
-	if b, err = io.ReadAll(padded); err != nil {
-		return
-	}
-
-	cryptDst = make([]byte, len(b))
-
-	// TODO
-	_ = cryptDst
-
 	return
 }
 
@@ -125,17 +123,38 @@ func (c *Cipher) AllocateEncrypt(data interface{}) (encrypted *bytes.Reader, err
 }
 
 /*
-	Pad will pad data (a string, []byte, byte, or *bytes.Buffer) to the Cipher.BlockSize (if necessary).
-	The resulting padded buffer is returned.
+	Pad will pad data (a string, []byte, byte, *bytes.Buffer, *bytes.Reader) to the Cipher.BlockSize. The resulting padded *bytes.Reader is returned.
 
 	NOTE: If data is a *bytes.Buffer, no bytes will be consumed -- the bytes are taken in entirety without consuming them (Buffer.Bytes()).
-		  It is up to the caller to consume the buffer as desired beforehand or isolate to a specific sub-buffer beforehand to pass to Cipher.Pad.
+		  It is up to the caller to consume the buffer as desired beforehand or isolate to a specific sub-buffer beforehand to pass to Pad.
 
 	NOTE: If data is a *bytes.Reader, ALL bytes WILL be consumed.
 */
 func (c *Cipher) Pad(data interface{}) (paddedBuf *bytes.Reader, err error) {
 
-	// TODO
+	var b []byte
+	var padNum int
+	var pad []byte
+	var buf *bytes.Buffer
+
+	if err = c.keyChk(); err != nil {
+		return
+	}
+
+	if b, err = internal.UnpackBytes(data); err != nil {
+		return
+	}
+	buf = bytes.NewBuffer(b)
+
+	for padIdx := 1; (buf.Len() % BlockSize) != 0; padIdx++ {
+
+		padNum = padIdx & cipher.PadMod
+		pad = []byte{byte(uint32(padNum))}
+
+		if _, err = buf.Write(pad); err != nil {
+			return
+		}
+	}
 
 	return
 }
@@ -152,17 +171,13 @@ func (c *Cipher) Pad(data interface{}) (paddedBuf *bytes.Reader, err error) {
 */
 func (c *Cipher) Decrypt(data interface{}) (decrypted *bytes.Reader, err error) {
 
-	var b []byte
-	var decryptDst []byte
+	var plain []byte
 
-	if b, err = internal.SerializeData(data); err != nil {
+	if plain, err = internal.SerializeData(data); err != nil {
 		return
 	}
 
-	decryptDst = make([]byte, len(b))
-
-	// TODO
-	_ = decryptDst
+	decrypted = bytes.NewReader(plain)
 
 	return
 }
@@ -195,11 +210,21 @@ func (c *Cipher) AllocatedDecrypt(data interface{}) (decrypted *bytes.Reader, er
 /*
 	IsPlain indicates if this Cipher is a plain/null encryption (cipher.null.Null).
 
-	It will always return false. It is included for interface compatability.
+	It will always return true. It is included for interface compatability.
 */
 func (c *Cipher) IsPlain() (plain bool) {
 
-	plain = false
+	plain = true
+
+	return
+}
+
+// keyChk is more or less a no-op but provides some basic sanity checking.
+func (c *Cipher) keyChk() (err error) {
+
+	if c == nil {
+		*c = Cipher{}
+	}
 
 	return
 }

cipher/null/types.go

@@ -0,0 +1,4 @@
+package null
+
+// Cipher is a null (plaintext) cipher.Cipher.
+type Cipher struct{}