From 4b4c080cc4495c926cc4e73b4ed77a7d14d7b536 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20Gallou=C3=ABt?=
Date: Tue, 17 Sep 2019 16:48:42 +0000
Subject: [PATCH] Use aegis256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Adrien Gallouët
---
 Makefile | 2 +-
 Makefile.am | 2 ++
 README.md | 4 ++--
 meson.build | 1 +
 mud | 2 +-
 src/bench.c | 25 ++++++++++++-------------
 6 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/Makefile b/Makefile
index ae18752..527614b 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ FLAGS += -DPACKAGE_NAME=\"$(NAME)\" -DPACKAGE_VERSION=\"$(VERSION)\"
 FLAGS += -I.static/$(CROSS)/libsodium-stable/src/libsodium/include
 FLAGS += -L.static/$(CROSS)/libsodium-stable/src/libsodium/.libs
-SRC := argz/argz.c mud/mud.c $(wildcard src/*.c)
+SRC := argz/argz.c mud/mud.c mud/aegis256/aegis256.c $(wildcard src/*.c)
 .PHONY: $(NAME)
 $(NAME):
diff --git a/Makefile.am b/Makefile.am
index 42a09f2..0b55368 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,6 +9,8 @@ glorytun_SOURCES = \
 argz/argz.h \
 mud/mud.c \
 mud/mud.h \
+ mud/aegis256/aegis256.c \
+ mud/aegis256/aegis256.h \
 src/bench.c \
 src/bind.c \
 src/common.c \
diff --git a/README.md b/README.md
index 2c6f266..b7b29cb 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,8 @@ The key features of Glorytun come directly from mud:
 The use of UDP and [libsodium](https://github.com/jedisct1/libsodium) allows you to secure your communications without impacting performance.
- Glorytun uses AES only if AES-NI is available otherwise ChaCha20 is used.
- If you are not cpu bounded, you can force the use of ChaCha20 for higher security.
+ Glorytun uses AEGIS-256 only if AES-NI is available otherwise ChaCha20Poly1305 is used.
+ If you are not cpu bounded, you can force the use of ChaCha20Poly1305 for higher security.
 All messages are encrypted, authenticated and marked with a timestamp. Perfect forward secrecy is also implemented with ECDH over Curve25519.
diff --git a/meson.build b/meson.build
index c8ded67..3179438 100644
--- a/meson.build
+++ b/meson.build
@@ -23,6 +23,7 @@ executable('glorytun', install: true, sources: [
 'argz/argz.c',
 'mud/mud.c',
+ 'mud/aegis256/aegis256.c',
 'src/bench.c',
 'src/bind.c',
 'src/common.c',
diff --git a/mud b/mud
index 2c9d971..181e220 160000
--- a/mud
+++ b/mud
@@ -1 +1 @@
-Subproject commit 2c9d9714379b21a8c2107bed6ab2bf25d9ddf4e6
+Subproject commit 181e22011d4a48fc286abb8ecb5c75587b102ddd
diff --git a/src/bench.c b/src/bench.c
index 2e10f68..133a71b 100644
--- a/src/bench.c
+++ b/src/bench.c
@@ -13,9 +13,14 @@
 #endif
 #include "../argz/argz.h"
+#include "../mud/aegis256/aegis256.h"
 #define STR_S(X) (((X) > 1) ? "s" : "")
+#define NPUBBYTES 32
+#define KEYBYTES 32
+#define ABYTES 16
+
 static unsigned long long
 gt_now(void)
 {
@@ -68,7 +73,7 @@ gt_bench(int argc, char **argv)
 int aes = argz_is_set(bench_argz, "aes");
 int chacha = argz_is_set(bench_argz, "chacha");
- if (!crypto_aead_aes256gcm_is_available()) {
+ if (!aegis256_is_available()) {
 if (aes) {
 gt_log("aes is not available on your platform\n");
 return 1;
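Review bot: The three new macros `NPUBBYTES`, `KEYBYTES` and `ABYTES` in the bench.c include block are hard-coded, unprefixed duplicates of whatever `../mud/aegis256/aegis256.h` declares, so nothing ties the bench's buffer, nonce and key sizes to the implementation it now calls. If the header exports its own size constants, use those; otherwise pin these with a `_Static_assert` against the header, or at least `/* AEGIS-256: 256-bit key, 256-bit nonce, 128-bit tag; must match aegis256.h */` so the next reader knows where 32/32/16 come from. The same macros also size `npub`, `key` and the `ABYTES` tail for the chacha20poly1305 path in the `@@ -76,22 +81,22 @@` hunk, which presumably only works because 32 bytes cover `crypto_aead_chacha20poly1305_NPUBBYTES` and the key and tag sizes happen to coincide. That coupling deserves a comment too, since changing one cipher's constant now silently affects the other.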
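Review bot: `gt_log("aes is not available on your platform\n")` now fires when `aegis256_is_available()` returns false, so the message no longer names what the bench actually refuses to run; `gt_log("aegis256 (needs AES-NI) is not available on your platform\n");` keeps the `aes` option name for compatibility while telling the user which cipher is unavailable. Whether the bundled `aegis256_*` functions are safe to call at all when this check fails is not visible here; if they are not, as with libsodium's `crypto_aead_aes256gcm_*` family, this guard is the only thing preventing a crash on hardware without AES-NI, and a comment stating that would help. The `if (!aegis256_is_available())` block and `gt_bench` itself continue past the hunk.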
@@ -76,22 +81,22 @@ gt_bench(int argc, char **argv)
 chacha = 1;
 }
- unsigned char *buf = calloc(1, bufsize + crypto_aead_aes256gcm_ABYTES);
+ unsigned char *buf = calloc(1, bufsize + ABYTES);
 if (!buf) {
 perror("calloc");
 return 1;
 }
- unsigned char npub[crypto_aead_aes256gcm_NPUBBYTES];
- unsigned char key[crypto_aead_aes256gcm_KEYBYTES];
+ unsigned char npub[NPUBBYTES];
+ unsigned char key[KEYBYTES];
 randombytes_buf(npub, sizeof(npub));
 randombytes_buf(key, sizeof(key));
 if (term) {
 printf("\n");
- printf(" %-10s %s\n", "bench", chacha ? "chacha20poly1305" : "aes256gcm");
+ printf(" %-10s %s\n", "bench", chacha ? "chacha20poly1305" : "aegis256");
 printf(" %-10s %s\n", "libsodium", sodium_version_string());
 printf("\n");
 printf(" %-10s 2^(-%lu)\n", "precision", precision);
@@ -112,11 +117,6 @@ gt_bench(int argc, char **argv)
 double mbps_dlt = INFINITY;
 while (!gt_quit && mbps_dlt > ldexp(mbps, -(int)precision)) {
- crypto_aead_aes256gcm_state ctx;
-
- if (!chacha)
- crypto_aead_aes256gcm_beforenm(&ctx, key);
-
 unsigned long long now = gt_now();
 double mbps_old = mbps;
 size_t bytes = 0;
@@ -129,9 +129,8 @@ gt_bench(int argc, char **argv)
 crypto_aead_chacha20poly1305_encrypt(
 buf, NULL, buf, 1ULL << i, NULL, 0, NULL, npub, key);
 } else {
- crypto_aead_aes256gcm_encrypt_afternm(
- buf, NULL, buf, 1ULL << i, NULL, 0, NULL, npub,
- (const crypto_aead_aes256gcm_state *)&ctx);
+ aegis256_encrypt(
+ buf, NULL, buf, 1ULL << i, NULL, 0, npub, key);
 }
 bytes += 1ULL << i;
 }
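Review bot: Removing the `crypto_aead_aes256gcm_beforenm()` setup in the `@@ -112,11 +117,6 @@` hunk changes what the non-chacha number measures: it now includes per-call key handling, whereas before it measured the `_afternm` path with a precomputed state. As far as the bundled API shows, AEGIS-256 offers no precomputation step, so this is inherent rather than a regression, but a one-line comment where `ctx` used to be, such as `/* aegis256 takes the raw key per call: no precomputed state to benchmark */`, will stop someone comparing old and new bench output from misreading the difference. `gt_bench` starts and ends outside the hunk.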
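Review bot: `aegis256_encrypt(buf, NULL, buf, 1ULL << i, NULL, 0, npub, key)` reuses the same `npub` and `key` for every message in the loop, exactly as the `aes256gcm` call it replaces did; that is fine for a throughput benchmark, but nothing in the file says so, and as probably the only in-tree caller of the bundled API it is the pattern people will copy. Put `/* bench only: key and nonce deliberately reused across calls; never do this for real traffic */` above the call. The argument list also drops the `nsec` slot that the `crypto_aead_chacha20poly1305_encrypt` call in the same hunk still passes, so the bundled prototype is presumably `(c, clen_p, m, mlen, ad, adlen, npub, k)`; worth confirming against `aegis256.h` rather than assuming libsodium's AEAD layout. The return value is discarded as before, and `gt_bench` ends outside the hunk.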