From f7f3fc4934d845f5fea8a5058fa4727313f9f902 Mon Sep 17 00:00:00 2001
From: Loup Vaillant <loup@loup-vaillant.fr>
Date: Thu, 12 Jan 2023 19:14:04 +0100
Subject: [PATCH] Normalise AEAD direct interface

The AEAD interface had three problems:

- Inconsistent prefix (now fixed, to "crypto_aead").
- Inconsistent ordering of arguments (now the mac is after the output
  text).
- Redundant API without the additional data (now removed).

The result is less than satisfactory to be honest.  If it were just me I
would delete the direct interface entirely, because the streaming one is
almost easier to use...

...save one crucial detail: the choice of the exact algorithm.  The
streaming interfaces offers three init options, each with its pros and
cons.  Users need a default, and it shall be XChacha20.  Those who know
what they are doing can easily use the streaming API anyway.
---
 src/monocypher.c    | 19 +++----------------
 src/monocypher.h    | 28 ++++++++--------------------
 tests/speed/speed.c |  2 +-
 tests/test.c        | 25 +++++--------------------
 tests/tis-ci.c      |  2 +-
 5 files changed, 18 insertions(+), 58 deletions(-)

diff --git a/src/monocypher.c b/src/monocypher.c
index 5f3c61b..f0a0baf 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -2878,7 +2878,7 @@ int crypto_aead_read(crypto_aead_ctx *ctx, u8 *plain_text, const u8 mac[16],
 	return mismatch;
 }
 
-void crypto_lock_aead(u8 mac[16], u8 *cipher_text, const u8 key[32],
+void crypto_aead_lock(u8 *cipher_text, u8 mac[16], const u8 key[32],
                       const u8  nonce[24], const u8 *ad, size_t ad_size,
                       const u8 *plain_text, size_t text_size)
 {
@@ -2889,8 +2889,8 @@ void crypto_lock_aead(u8 mac[16], u8 *cipher_text, const u8 key[32],
 	crypto_wipe(&ctx, sizeof(ctx));
 }
 
-int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24],
-                       const u8  mac[16], const u8 *ad, size_t ad_size,
+int crypto_aead_unlock(u8 *plain_text, const u8  mac[16], const u8 key[32],
+                       const u8 nonce[24], const u8 *ad, size_t ad_size,
                        const u8 *cipher_text, size_t text_size)
 {
 	crypto_aead_ctx ctx;
@@ -2901,19 +2901,6 @@ int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24],
 	return mismatch;
 }
 
-void crypto_lock(u8 mac[16], u8 *cipher_text, const u8 key[32],
-                 const u8 nonce[24], const u8 *plain_text, size_t text_size)
-{
-	crypto_lock_aead(mac, cipher_text, key, nonce, 0, 0, plain_text, text_size);
-}
-
-int crypto_unlock(u8 *plain_text, const u8 key[32], const u8 nonce[24],
-                  const u8 mac[16], const u8 *cipher_text, size_t text_size)
-{
-	return crypto_unlock_aead(plain_text, key, nonce, mac, 0, 0,
-	                          cipher_text, text_size);
-}
-
 #ifdef MONOCYPHER_CPP_NAMESPACE
 }
 #endif
diff --git a/src/monocypher.h b/src/monocypher.h
index 463f17c..8dc5869 100644
--- a/src/monocypher.h
+++ b/src/monocypher.h
@@ -83,29 +83,17 @@ void crypto_wipe(void *secret, size_t size);
 
 // Authenticated encryption
 // ------------------------
-void crypto_lock(uint8_t        mac[16],
-                 uint8_t       *cipher_text,
-                 const uint8_t  key[32],
-                 const uint8_t  nonce[24],
-                 const uint8_t *plain_text, size_t text_size);
-int crypto_unlock(uint8_t       *plain_text,
-                  const uint8_t  key[32],
-                  const uint8_t  nonce[24],
-                  const uint8_t  mac[16],
-                  const uint8_t *cipher_text, size_t text_size);
-
-// With additional data
-void crypto_lock_aead(uint8_t        mac[16],
-                      uint8_t       *cipher_text,
-                      const uint8_t  key[32],
+void crypto_aead_lock(uint8_t       *cipher_text,
+                      uint8_t        mac  [16],
+                      const uint8_t  key  [32],
                       const uint8_t  nonce[24],
-                      const uint8_t *ad        , size_t ad_size,
+                      const uint8_t *ad,         size_t ad_size,
                       const uint8_t *plain_text, size_t text_size);
-int crypto_unlock_aead(uint8_t       *plain_text,
-                       const uint8_t  key[32],
+int crypto_aead_unlock(uint8_t       *plain_text,
+                       const uint8_t  mac  [16],
+                       const uint8_t  key  [32],
                        const uint8_t  nonce[24],
-                       const uint8_t  mac[16],
-                       const uint8_t *ad         , size_t ad_size,
+                       const uint8_t *ad,          size_t ad_size,
                        const uint8_t *cipher_text, size_t text_size);
 
 // Authenticated stream
diff --git a/tests/speed/speed.c b/tests/speed/speed.c
index 9544b59..dfa0fb8 100644
--- a/tests/speed/speed.c
+++ b/tests/speed/speed.c
@@ -88,7 +88,7 @@ static u64 authenticated(void)
 	RANDOM_INPUT(nonce,   24);
 
 	TIMING_START {
-		crypto_lock(mac, out, key, nonce, in, SIZE);
+		crypto_aead_lock(mac, out, key, nonce, 0, 0, in, SIZE);
 	}
 	TIMING_END;
 }
diff --git a/tests/test.c b/tests/test.c
index 5986634..8cf2b4d 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -311,7 +311,7 @@ static void aead_ietf(vector_reader *reader)
 	vector ad    = next_input(reader);
 	vector text  = next_input(reader);
 	vector out   = next_output(reader);
-	crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf,
+	crypto_aead_lock(out.buf + 16, out.buf, key.buf, nonce.buf,
 	                 ad.buf, ad.size, text.buf, text.size);
 }
 
@@ -339,29 +339,14 @@ static void test_aead()
 		RANDOM_INPUT(nonce    , 24);
 		RANDOM_INPUT(ad       ,  4);
 		RANDOM_INPUT(plaintext,  8);
-		u8 box[24], box2[24];
+		u8 box[24];
 		u8 out[8];
 		// AEAD roundtrip
-		crypto_lock_aead(box, box+16, key, nonce, ad, 4, plaintext, 8);
-		ASSERT_OK(crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8));
+		crypto_aead_lock(box+16, box, key, nonce, ad, 4, plaintext, 8);
+		ASSERT_OK(crypto_aead_unlock(out, box, key, nonce, ad, 4, box+16, 8));
 		ASSERT_EQUAL(plaintext, out, 8);
 		box[0]++;
-		ASSERT_KO(crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8));
-
-		// Authenticated roundtrip (easy interface)
-		// Make and accept message
-		crypto_lock(box, box + 16, key, nonce, plaintext, 8);
-		ASSERT_OK(crypto_unlock(out, key, nonce, box, box + 16, 8));
-		// Make sure decrypted text and original text are the same
-		ASSERT_EQUAL(plaintext, out, 8);
-		// Make and reject forgery
-		box[0]++;
-		ASSERT_KO(crypto_unlock(out, key, nonce, box, box + 16, 8));
-		box[0]--; // undo forgery
-
-		// Same result for both interfaces
-		crypto_lock_aead(box2, box2 + 16, key, nonce, 0, 0, plaintext, 8);
-		ASSERT_EQUAL(box, box2, 24);
+		ASSERT_KO(crypto_aead_unlock(out, box, key, nonce, ad, 4, box+16, 8));
 	}
 
 	printf("\taead incr (roundtrip)\n");
diff --git a/tests/tis-ci.c b/tests/tis-ci.c
index 0626238..64266c4 100644
--- a/tests/tis-ci.c
+++ b/tests/tis-ci.c
@@ -129,7 +129,7 @@ static void aead_ietf(vector_reader *reader)
 	vector ad    = next_input(reader);
 	vector text  = next_input(reader);
 	vector out   = next_output(reader);
-	crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf,
+	crypto_aead_lock(out.buf + 16, out.buf, key.buf, nonce.buf,
 	                 ad.buf, ad.size, text.buf, text.size);
 }
 
-- 
2.47.3