Add v6 SKESK #2207
Add v6 SKESK #2207
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2207 +/- ##
==========================================
+ Coverage 83.28% 83.63% +0.34%
==========================================
Files 107 107
Lines 22878 23168 +290
==========================================
+ Hits 19055 19376 +321
+ Misses 3823 3792 -31 ☔ View full report in Codecov by Sentry. |
src/librepgp/stream-write.cpp
Outdated
|
|
||
| /* Use SEIPDv2 for SKESK if enabled and preconditions are met */ | ||
| if (handler->ctx->enable_skesk_v6 && handler->ctx->aalg != PGP_AEAD_NONE && | ||
| skeycount > 0) { |
There was a problem hiding this comment.
Question: what is the meaning of skeycount in this context?
There was a problem hiding this comment.
pkeycount = handler->ctx->recipients.size();
skeycount = handler->ctx->passwords.size();
These are the number of SKESK or PKESK packets.
When writing the code I assumed that only one of those variables is non-zero, meaning, we have distinct cases for symmetric and asymmetric encryption. I now think that is a wrong assumption and you can actually use PKESK and SKESK packets simultaniously for the same SEIPD message.
Thus, I will need to adapt the logic here to also take into account the v2-SEIPD capability of the "PKESK recipients".
I added generating and parsing of v6 SKESK packets. They work similarly to the already implemented AEAD stuff, but use SEIPDv2 instead, and also, use HKDF for key derivation.
I added the Crypto Refresh test vectors for EAX/OCB, as well as an encrypt-decrypt test.
Further, I added the
rnp_op_encrypt_enable_skesk_v6()API call that enables creating v6 SKESK. In the CLI it can be activated with--enable-v6-skesk.The default behaviour for SKESK should be the same as before, even when compiling with
ENABLE_CRYPTO_REFRESH.