sjqtentacles
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 0 deletions b/‎.gitignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 50 additions & 0 deletions b/‎Makefile‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 167 additions & 0 deletions b/‎README.md‎
Lines changed: 167 additions & 0 deletions
diff --git a/‎examples/demo.sml‎
Lines changed: 46 additions & 0 deletions b/‎examples/demo.sml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎examples/sources.mlb‎
Lines changed: 5 additions & 0 deletions b/‎examples/sources.mlb‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎lib/github.com/sjqtentacles/sml-aes/aes.sig‎
Lines changed: 24 additions & 0 deletions b/‎lib/github.com/sjqtentacles/sml-aes/aes.sig‎
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,25 @@
+name: CI
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+jobs:
+  mlton:
+    name: MLton (build + test)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install MLton
+        run: sudo apt-get update && sudo apt-get install -y mlton
+      - name: Run tests
+        run: make test
+  polyml:
+    name: Poly/ML (test)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Poly/ML
+        run: sudo apt-get update && sudo apt-get install -y polyml libpolyml-dev
+      - name: Run tests
+        run: make test-poly
@@ -0,0 +1,5 @@
+# MLton build artifacts
+/bin/
+
+# editor/OS noise
+.DS_Store
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 sml-aead contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,50 @@
+# sml-aead build
+#
+#   make            build the test binary with MLton (default)
+#   make test       build + run tests under MLton
+#   make test-poly  run tests under Poly/ML (use-and-run; no link step)
+#   make all-tests  run the suite under both compilers
+#   make example    build + run the demo
+#   make clean      remove build artifacts
+#
+# Layout B (dependent): own sources live in src/; sml-chacha20 (ChaCha20 /
+# Poly1305 / ChaCha20Poly1305) and sml-aes (AesBlock / AesGcm) are vendored
+# under lib/ and loaded first, then the Aead facade.
+
+MLTON      ?= mlton
+POLY       ?= poly
+BIN        := bin
+CHACHADIR  := lib/github.com/sjqtentacles/sml-chacha20
+AESDIR     := lib/github.com/sjqtentacles/sml-aes
+TEST_MLB   := test/test.mlb
+SRCS       := $(wildcard $(CHACHADIR)/* $(AESDIR)/* src/* test/*.sml) $(TEST_MLB)
+
+.PHONY: all test poly test-poly all-tests example clean
+
+all: $(BIN)/test-mlton
+
+example: $(BIN)/demo
+	./$(BIN)/demo
+
+$(BIN)/demo: $(SRCS) examples/demo.sml examples/sources.mlb | $(BIN)
+	$(MLTON) -output $@ examples/sources.mlb
+
+$(BIN)/test-mlton: $(SRCS) | $(BIN)
+	$(MLTON) -output $@ $(TEST_MLB)
+
+test: $(BIN)/test-mlton
+	$(BIN)/test-mlton
+
+# Poly/ML has no native .mlb support; the suite runs at top level and exits on
+# its own. Load the vendored primitive sources (in dependency order), then the
+# aead facade, then the test driver.
+poly test-poly:
+	printf 'use "$(CHACHADIR)/chacha20.sig";\nuse "$(CHACHADIR)/chacha20.sml";\nuse "$(AESDIR)/aes.sig";\nuse "$(AESDIR)/aes.sml";\nuse "src/aead.sig";\nuse "src/aead.sml";\nuse "test/harness.sml";\nuse "test/support.sml";\nuse "test/test_vectors.sml";\nuse "test/test_facade.sml";\nuse "test/entry.sml";\nuse "test/main.sml";\n' | $(POLY) -q --error-exit
+
+all-tests: test test-poly
+
+$(BIN):
+	mkdir -p $(BIN)
+
+clean:
+	rm -f $(BIN)/test-mlton $(BIN)/demo
@@ -0,0 +1,167 @@
+# sml-aead
+
+A single, algorithm-agnostic **AEAD** (authenticated encryption with associated
+data) facade in pure Standard ML, over the cipher primitives that already exist
+in the sjqtentacles ecosystem:
+
+- **ChaCha20-Poly1305** ([RFC 8439](https://www.rfc-editor.org/rfc/rfc8439)) — via vendored [`sml-chacha20`](https://github.com/sjqtentacles/sml-chacha20)
+- **AES-128-GCM / AES-256-GCM** (NIST GCM) — via vendored [`sml-aes`](https://github.com/sjqtentacles/sml-aes)
+
+Instead of programming against three different structures, callers (and
+downstream protocol work such as a future `sml-tls`/`sml-ssh`) target one
+`alg`-keyed `seal`/`open'` interface. This repo **implements no new
+cryptography** — it is a thin dispatch layer plus a consolidated home for the
+canonical RFC 8439 / NIST GCM test vectors. The standalone Poly1305 one-time
+MAC is also re-exported.
+
+No FFI, no external dependencies, and **deterministic** — byte-identical under
+both [MLton](http://mlton.org/) and [Poly/ML](https://www.polyml.org/).
+
+## Status
+
+- 50 assertions, green on MLton and Poly/ML (byte-identical output).
+- Vendors `sml-chacha20` + `sml-aes` (Layout B), so the repo builds standalone.
+- Validated against the **official vectors**:
+  - **RFC 8439 §2.5.2** — Poly1305 one-time MAC.
+  - **RFC 8439 §2.8.2** — the canonical ChaCha20-Poly1305 AEAD "sunscreen"
+    example (ciphertext **and** tag, byte-exact).
+  - **AES-GCM** — McGrew & Viega Appendix B test cases 4 (AES-128) and 16
+    (AES-256), the de-facto NIST GCM known-answer vectors (ciphertext **and**
+    tag, byte-exact).
+- Tamper detection: a flipped tag byte, ciphertext byte, wrong AAD, or wrong
+  nonce all make `open'` return `NONE`.
+
+> Building this facade surfaced and fixed a GHASH bug in `sml-aes` (its AES-GCM
+> produced correct ciphertext but a non-interoperable authentication tag); the
+> upstream fix plus NIST known-answer vectors landed in `sml-aes` first, and the
+> byte-identical fixed tree is vendored here.
+
+## Install
+
+With [`smlpkg`](https://github.com/diku-dk/smlpkg):
+
+```
+smlpkg add github.com/sjqtentacles/sml-aead
+smlpkg sync
+```
+
+Include the MLB from your own (it pulls in the vendored `sml-chacha20` +
+`sml-aes`):
+
+```
+local
+  $(SML_LIB)/basis/basis.mlb
+  lib/github.com/sjqtentacles/sml-aead/... (via smlpkg)
+in
+  ...
+end
+```
+
+This brings `structure Aead` (and the vendored primitive structures) into scope.
+
+## Quick start
+
+```sml
+(* keys, nonces, aad, plaintext and ciphertext are all raw byte strings:
+   one char per byte, 0-255 *)
+
+(* 32-byte key, 12-byte nonce for ChaCha20-Poly1305 *)
+val sealed = Aead.seal Aead.ChaCha20Poly1305
+  { key = key32, nonce = nonce12, aad = "header", plaintext = "secret" }
+(* sealed = ciphertext || 16-byte tag *)
+
+val recovered = Aead.open' Aead.ChaCha20Poly1305
+  { key = key32, nonce = nonce12, aad = "header", ciphertext = sealed }
+(* SOME "secret", or NONE if anything was tampered with *)
+
+(* AES-256-GCM: 32-byte key, 12-byte IV *)
+val sealed' = Aead.seal Aead.AesGcm256
+  { key = key32, nonce = iv12, aad = "", plaintext = "secret" }
+
+(* standalone Poly1305 one-time MAC *)
+val tagHex = Aead.Poly1305.macHex oneTimeKey32 "message"
+```
+
+## Demo
+
+`make example` runs [`examples/demo.sml`](examples/demo.sml), sealing one
+message under all three algorithms with fixed keys/nonces:
+
+```
+sml-aead demo
+=============
+plaintext : attack at dawn
+aad       : hdr:v1
+
+ChaCha20-Poly1305:
+  sealed  : 3fbe31666572e6086fe65702aec51e96d0c044d64b4e8c7b5adf1ab69cdf
+  opened  : true
+AES-128-GCM:
+  sealed  : a55a77ce6c24968e63fd3994b0499fdab3ff07e908165aa3a63689380b45
+  opened  : true
+AES-256-GCM:
+  sealed  : 1c8aec772aa21ad2be556c7c7817dd8320f4fdcc354535b6df9615f13af7
+  opened  : true
+
+Poly1305 MAC of "attack at dawn" under a fixed key:
+  daf8f71535db4152c9b148bda19abcfa
+```
+
+## API
+
+```sml
+datatype alg = ChaCha20Poly1305   (* 256-bit key, 96-bit nonce *)
+             | AesGcm128          (* 128-bit key, 96-bit nonce *)
+             | AesGcm256          (* 256-bit key, 96-bit nonce *)
+
+exception Aead of string          (* wrong key/nonce length *)
+
+val tagLen   : int                (* = 16 *)
+val keyLen   : alg -> int
+val nonceLen : alg -> int
+
+val seal  : alg -> {key:string, nonce:string, aad:string, plaintext:string}
+                -> string         (* ciphertext || tag *)
+val open' : alg -> {key:string, nonce:string, aad:string, ciphertext:string}
+                -> string option  (* SOME plaintext, or NONE if auth fails *)
+
+structure Poly1305 :
+  sig
+    val mac    : string -> string -> string   (* raw 16-byte tag *)
+    val macHex : string -> string -> string   (* 32-char hex tag *)
+  end
+```
+
+| Function | Behavior |
+| --- | --- |
+| `keyLen alg` / `nonceLen alg` | required key / nonce length in bytes (`nonceLen` is always 12) |
+| `seal alg {key, nonce, aad, plaintext}` | encrypt + authenticate; returns `ciphertext` with the 16-byte tag appended; raises `Aead` on a wrong key/nonce length |
+| `open' alg {key, nonce, aad, ciphertext}` | verify the tag in constant time and decrypt; `SOME plaintext` on success, `NONE` if authentication fails or the input is shorter than the tag |
+| `Poly1305.mac key msg` | RFC 8439 §2.5 one-time authenticator with a 32-byte `key` |
+
+### Conventions
+
+- **Bytes as `string`.** Keys, nonces, AAD, plaintext and ciphertext are raw
+  byte strings (one char per byte, 0–255), matching the rest of the
+  sjqtentacles crypto/codec family. They are never hex.
+- **Tag appended.** `seal` returns `ciphertext || tag` (16-byte tag), exactly as
+  the underlying RFC 8439 / NIST GCM constructions specify, and `open'` expects
+  that same layout.
+- **Nonce reuse is catastrophic.** As with any AEAD, never reuse a
+  (key, nonce) pair; the caller is responsible for unique nonces.
+- **No new crypto.** The ciphers live in `sml-chacha20` / `sml-aes`; this repo
+  only unifies and vector-tests them.
+
+## Build & test
+
+```
+make test        # MLton
+make test-poly   # Poly/ML
+make all-tests   # both
+make example     # build + run examples/demo.sml
+make clean
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).
@@ -0,0 +1,46 @@
+(* sml-aead demo: seal one message under all three AEAD algorithms through the
+   unified facade, print the ciphertext||tag as hex, and confirm authenticated
+   decryption round-trips. All inputs are fixed, so the output is fully
+   deterministic and byte-identical across MLton and Poly/ML. *)
+
+fun line s = print (s ^ "\n")
+
+fun toHex s =
+  String.concat (List.map (fn c =>
+    let val v = Char.ord c
+        fun d x = String.str (String.sub ("0123456789abcdef", x))
+    in d (v div 16) ^ d (v mod 16) end) (String.explode s))
+
+val () = line "sml-aead demo"
+val () = line "============="
+
+val plaintext = "attack at dawn"
+val aad       = "hdr:v1"
+
+fun keyOf alg = String.implode (List.tabulate (Aead.keyLen alg, fn i => Char.chr (i mod 256)))
+fun nonceOf alg = String.implode (List.tabulate (Aead.nonceLen alg, fn i => Char.chr (16 + i)))
+
+fun show (name, alg) =
+  let
+    val key    = keyOf alg
+    val nonce  = nonceOf alg
+    val sealed = Aead.seal alg {key=key, nonce=nonce, aad=aad, plaintext=plaintext}
+    val opened = Aead.open' alg {key=key, nonce=nonce, aad=aad, ciphertext=sealed}
+    val ok     = opened = SOME plaintext
+  in
+    line (name ^ ":");
+    line ("  sealed  : " ^ toHex sealed);
+    line ("  opened  : " ^ Bool.toString ok)
+  end
+
+val () = line ("plaintext : " ^ plaintext)
+val () = line ("aad       : " ^ aad)
+val () = line ""
+val () = List.app show
+  [ ("ChaCha20-Poly1305", Aead.ChaCha20Poly1305)
+  , ("AES-128-GCM",       Aead.AesGcm128)
+  , ("AES-256-GCM",       Aead.AesGcm256) ]
+
+val () = line ""
+val () = line ("Poly1305 MAC of \"" ^ plaintext ^ "\" under a fixed key:")
+val () = line ("  " ^ Aead.Poly1305.macHex (keyOf Aead.ChaCha20Poly1305) plaintext)
@@ -0,0 +1,5 @@
+$(SML_LIB)/basis/basis.mlb
+
+../src/aead.mlb
+
+demo.sml
@@ -0,0 +1,24 @@
+(* aes.sig — AES block cipher (FIPS 197) + modes of operation. *)
+
+signature AES_BLOCK =
+sig
+  type key
+  val keySize   : key -> int
+  val expand128 : string -> key
+  val expand192 : string -> key
+  val expand256 : string -> key
+  val encrypt   : key -> string -> string
+  val decrypt   : key -> string -> string
+end
+
+signature AES_MODE =
+sig
+  val encrypt : string -> string -> string -> string
+  val decrypt : string -> string -> string -> string
+end
+
+signature AES_GCM =
+sig
+  val seal  : string -> string -> string -> string -> string
+  val open' : string -> string -> string -> string -> string option
+end