Skip to content

Add v6 SKESK #2207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add v6 SKESK #2207

wants to merge 1 commit into from

Conversation

TJ-91
Copy link
Contributor

@TJ-91 TJ-91 commented Mar 26, 2024

I added generating and parsing of v6 SKESK packets. They work similarly to the already implemented AEAD stuff, but use SEIPDv2 instead, and also, use HKDF for key derivation.

I added the Crypto Refresh test vectors for EAX/OCB, as well as an encrypt-decrypt test.

Further, I added the rnp_op_encrypt_enable_skesk_v6() API call that enables creating v6 SKESK. In the CLI it can be activated with --enable-v6-skesk.

The default behaviour for SKESK should be the same as before, even when compiling with ENABLE_CRYPTO_REFRESH.

@codecov Codecov
Copy link

codecov bot commented Apr 8, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.46%. Comparing base (0d5c2b9) to head (646380f).

Additional details and impacted files 
@@           Coverage Diff            @@
##             main    #2207    +/-   ##
========================================
  Coverage   85.46%   85.46%            
========================================
  Files         126      126            
  Lines       22713    22477   -236     
========================================
- Hits        19411    19210   -201     
+ Misses       3302     3267    -35

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@falko-strenzke
Copy link
Contributor

When this gets merged RNP would also need a way to control whether to use the v6 SKESK or the v5 SKESK via FFI or CLI.
@TJ-91 @ni4

@falko-strenzke falko-strenzke mentioned this pull request Apr 25, 2024
Closed
falko-strenzke
falko-strenzke approved these changes Jun 4, 2024
View reviewed changes
src/librepgp/stream-write.cpp Outdated

/* Use SEIPDv2 for SKESK if enabled and preconditions are met */
if (handler->ctx->enable_skesk_v6 && handler->ctx->aalg != PGP_AEAD_NONE &&
skeycount > 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: what is the meaning of skeycount in this context?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

    pkeycount = handler->ctx->recipients.size();
    skeycount = handler->ctx->passwords.size();

These are the number of SKESK or PKESK packets.

When writing the code I assumed that only one of those variables is non-zero, meaning, we have distinct cases for symmetric and asymmetric encryption. I now think that is a wrong assumption and you can actually use PKESK and SKESK packets simultaniously for the same SEIPD message.

Thus, I will need to adapt the logic here to also take into account the v2-SEIPD capability of the "PKESK recipients".

@TJ-91
Copy link
Contributor Author

TJ-91 commented Sep 23, 2024

@ni4 from my view this could be merged. Do you have any comments on the PR?

ni4
ni4 approved these changes Sep 23, 2024
View reviewed changes
Copy link
Contributor

@ni4 ni4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@ni4 ni4 requested review from desvxx and ronaldtse September 23, 2024 13:36
@ni4
Copy link
Contributor

ni4 commented Sep 23, 2024

@ni4 from my view this could be merged. Do you have any comments on the PR?

@TJ-91 looks good, thanks. Let's wait for one more approval.

@ni4
Copy link
Contributor

ni4 commented Oct 4, 2024

@TJ-91 Could you please resolve conflicts here? I'm not seem able to push to this branch. Thanks!

@TJ-91
Copy link
Contributor Author

TJ-91 commented Oct 7, 2024

@ni4 I rebased (but now checks fail like on main)

@ni4
Copy link
Contributor

ni4 commented Oct 7, 2024

@TJ-91 Thanks. Windows and lint CI failure must be fixed via the PR #2282, so it seems another rebase would be needed once that PR is merged )

@ni4
Copy link
Contributor

ni4 commented Oct 29, 2024

@TJ-91 there is some merge conflict here.

@TJ-91
Copy link
Contributor Author

TJ-91 commented Oct 29, 2024

@TJ-91 there is some merge conflict here.

I rebased

@TJ-91 TJ-91 mentioned this pull request Jul 14, 2025
Open
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 14, 2025
View reviewed changes
@TJ-91
Copy link
Contributor Author

TJ-91 commented Jul 15, 2025

@ni4 I rebased again and all checks pass. Is it ready to merge?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ni4 ni4 ni4 approved these changes

@ronaldtse ronaldtse Awaiting requested review from ronaldtse

@desvxx desvxx Awaiting requested review from desvxx

+1 more reviewer

@falko-strenzke falko-strenzke falko-strenzke approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TJ-91 @falko-strenzke @ni4