[v6] Update packet versions to the latest crypto refresh #1630
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
twiss
force-pushed
the
update-packet-versions
branch
from
150afac
to
971a2ca
Compare
larabr
reviewed
Apr 4, 2023
larabr
reviewed
Apr 4, 2023
larabr
force-pushed
the
update-packet-versions
branch
from
971a2ca
to
961312c
Compare
larabr
reviewed
Apr 6, 2023
larabr
changed the title
larabr
force-pushed
the
update-packet-versions
branch
from
c6126e0
to
e4bf1bf
Compare
larabr
force-pushed
the
v6
branch
2 times, most recently
from
d0748a0
to
d375d62
Compare
larabr
force-pushed
the
update-packet-versions
branch
3 times, most recently
from
7723b60
to
1623a06
Compare
larabr
force-pushed
the
update-packet-versions
branch
from
1623a06
to
693f972
Compare
larabr
force-pushed
the
update-packet-versions
branch
4 times, most recently
from
e1a4816
to
2231abd
Compare
larabr
reviewed
Aug 14, 2023
11 tasks
twiss
commented
Aug 23, 2023
twiss
commented
Aug 25, 2023
larabr
force-pushed
the
update-packet-versions
branch
from
2231abd
to
194bcc7
Compare
larabr
reviewed
Aug 28, 2023
twiss
commented
Aug 28, 2023
larabr
force-pushed
the
update-packet-versions
branch
from
194bcc7
to
5a21cf8
Compare
larabr
reviewed
Aug 31, 2023
larabr
force-pushed
the
update-packet-versions
branch
from
35dc704
to
7498223
Compare
Chrome's Web Crypto implementation doesn't support it, and it seems unnecessary to list it when AES-256 is available.
This has been changed in the crypto refresh.
Key flags, expiration time, algorithm preferences, et cetera, are now read from the direct-key signature instead of the primary User ID binding signature for v6 keys. This also requires a direct-key signature to be present for v6 keys.
The crypto refresh says that we MUST NOT reject messages where the CRC24 checksum is incorrect. So, we remove the check for it. Also, remove the checksumRequired config.
The latest crypto refresh specifies an HKDF step to be used for deriving the key to encrypt the session key with. It also specifies two additional length fields.
Instead of calling getPreferredAlgo('symmetric') and
getPreferredAlgo('aead'), we define and call getPreferredCipherSuite()
to determine the preferred symmetric and AEAD algorithm.
Additionally, we remove isAEADSupported(), instead we return
aeadAlgorithm: undefined from getPreferredCipherSuite() if AEAD is not
supported (CFB is used instead).
And finally, we define getPreferredCompressionAlgo() to replace
getPreferredAlgo('compression').
Also, set version in PKESK constructor to null, requiring to explicitly set all fields. Co-authored-by: Lukas Burkhalter <lukas.burkhalter@proton.ch>
Rather than using the config to determine which algorithms to try to decrypt session keys for, try the algorithm we know the message was encrypted with.
…test for modification detection on decryption Also, address race condition in error handling as part of AEAD message decryption, which would cause non-uniform errors during testing.
The Packet Tag space is now partitioned into critical packets and non-critical packets. If an implementation encounters a critical packet where the packet type is unknown in a packet sequence, it MUST reject the whole packet sequence. On the other hand, an unknown non-critical packet MUST be ignored. See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-4.3.1 .
Introduces v6 one-pass signature packets required for v6 signatures. Includes the changes from !305 of the crypto refresh: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/305 Also, introduce `OnePassSignaturePacket.fromSignaturePacket` to simplify OPS generation.
The latest version of the crypto refresh (i.e., !313, !314) specifies that the "Hash" header is deprecated, and that an implementation that is verifying a cleartext signed message MUST ignore this header. However, we go against this directive, and keep the checks in place to avoid arbitrary injection of text as part of the "Hash" header payload. We also mandate that if the hash header is present, the declared algorithm matches the signature algorithm. This is again to avoid a spoofing attack where e.g. a SHA1 signature is presented as using SHA512. Related CVEs: CVE-2019-11841, CVE-2023-41037. This commit does not change the writing part of cleartext messages. # Conflicts: # src/cleartext.js
The latest version of the crypto refresh (i.e., !313, !314) specifies that the "Hash" header is depricated. This commit changes that the Hash header is only generated if a cleartext message contains a non-V6 signature.
To avoid defaulting to v1
larabr
force-pushed
the
update-packet-versions
branch
from
7498223
to
2a67f02
Compare
larabr
approved these changes
Sep 1, 2023
This was referenced Sep 4, 2023
Draft
This was referenced Sep 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement the new packet versions from draft-ietf-openpgp-crypto-refresh-08.
Fixes part of #1442; replaces #1505.
TODO: