7 * new ticket format: the reply protector/type is replaced by a
8 * 8 byte signature and a 4 byte counter forming the 12 byte
9 * nonce for chacha20/poly1305 encryption. a 16 byte poly1305
10 * authentication tag is appended for message authentication.
11 * the counter is needed for the AuthPass message which uses
12 * the same key for several messages.
19 AuthPass, "form1 PR", /* password change request encrypted with ticket key */
20 AuthTs, "form1 Ts", /* ticket encrypted with server's key */
21 AuthTc, "form1 Tc", /* ticket encrypted with client's key */
22 AuthAs, "form1 As", /* server generated authenticator */
23 AuthAc, "form1 Ac", /* client generated authenticator */
24 AuthTp, "form1 Tp", /* ticket encrypted with client's key for password change */
25 AuthHr, "form1 Hr", /* http reply */
29 form1check(char *ap, int n)
34 for(n=0; n<nelem(form1sig); n++)
35 if(memcmp(form1sig[n].sig, ap, 8) == 0)
36 return form1sig[n].num;
42 form1B2M(char *ap, int n, uchar key[32])
44 static u32int counter;
49 for(i=nelem(form1sig)-1; i>=0; i--)
50 if(form1sig[i].num == *ap)
56 memmove(p, ap+1, --n);
58 /* nonce[12] = sig[8] | counter[4] */
59 memmove(ap, form1sig[i].sig, 8);
61 ap[8] = i, ap[9] = i>>8, ap[10] = i>>16, ap[11] = i>>24;
63 setupChachastate(&s, key, 32, (uchar*)ap, 12, 20);
64 ccpoly_encrypt(p, n, nil, 0, p+n, &s);
69 form1M2B(char *ap, int n, uchar key[32])
75 num = form1check(ap, n);
83 setupChachastate(&s, key, 32, (uchar*)ap, 12, 20);
84 if(ccpoly_decrypt(p, n, nil, 0, p+n, &s))