rnpgp
diff --git a/‎include/repgp/repgp_def.h‎
Lines changed: 7 additions & 1 deletion b/‎include/repgp/repgp_def.h‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎include/rnp/rnp.h‎
Lines changed: 11 additions & 0 deletions b/‎include/rnp/rnp.h‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/lib/rnp.cpp‎
Lines changed: 12 additions & 0 deletions b/‎src/lib/rnp.cpp‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/librepgp/stream-ctx.h‎
Lines changed: 2 additions & 0 deletions b/‎src/librepgp/stream-ctx.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/librepgp/stream-packet.cpp‎
Lines changed: 121 additions & 3 deletions b/‎src/librepgp/stream-packet.cpp‎
Lines changed: 121 additions & 3 deletions
diff --git a/‎src/librepgp/stream-packet.h‎
Lines changed: 4 additions & 0 deletions b/‎src/librepgp/stream-packet.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/librepgp/stream-parse.cpp‎
Lines changed: 37 additions & 9 deletions b/‎src/librepgp/stream-parse.cpp‎
Lines changed: 37 additions & 9 deletions
@@ -481,7 +481,13 @@ typedef enum {
     PGP_C_UNKNOWN = 255
 } pgp_compression_type_t;
 
-enum { PGP_SKSK_V4 = 4, PGP_SKSK_V5 = 5 };
+typedef enum {
+    PGP_SKSK_V4 = 4,
+    PGP_SKSK_V5 = 5,
+#if defined(ENABLE_CRYPTO_REFRESH)
+    PGP_SKSK_V6 = 6
+#endif
+} pgp_skesk_version_t;
 typedef enum {
     PGP_PKSK_V3 = 3,
 #if defined(ENABLE_CRYPTO_REFRESH)
 
@@ -3691,6 +3691,17 @@ RNP_API rnp_result_t rnp_op_encrypt_add_recipient(rnp_op_encrypt_t op, rnp_key_h
  * @return RNP_SUCCESS or errorcode if failed.
  */
 RNP_API rnp_result_t rnp_op_encrypt_enable_pkesk_v6(rnp_op_encrypt_t op);
+
+/**
+ * @brief Enables the creation of SKESK v6 (instead of v4) which results in the use of SEIPDv2.
+ *        The actually created version depends on whether an AEAD algorithm has been chosen.
+ *        NOTE: This is an experimental feature and this function can be replaced (or removed)
+ *        at any time.
+ *
+ * @param op opaque encrypting context. Must be allocated and initialized.
+ * @return RNP_SUCCESS or errorcode if failed.
+ */
+RNP_API rnp_result_t rnp_op_encrypt_enable_skesk_v6(rnp_op_encrypt_t op);
 #endif
 
 #if defined(RNP_EXPERIMENTAL_PQC)
 
@@ -2620,6 +2620,18 @@ try {
     return RNP_SUCCESS;
 }
 FFI_GUARD
+
+rnp_result_t
+rnp_op_encrypt_enable_skesk_v6(rnp_op_encrypt_t op)
+try {
+    if (!op) {
+        return RNP_ERROR_NULL_POINTER;
+    }
+
+    op->rnpctx.enable_skesk_v6 = true;
+    return RNP_SUCCESS;
+}
+FFI_GUARD
 #endif
 
 #if defined(RNP_EXPERIMENTAL_PQC)
 
@@ -74,6 +74,7 @@ typedef struct rnp_symmetric_pass_info_t {
  *  - recipients : list of key ids used to encrypt data to
  *  - enable_pkesk_v6 (Only if defined: ENABLE_CRYPTO_REFRESH): if true and each recipient in
  * the  list of recipients has the capability, allows PKESKv6/SEIPDv2
+ *  - enable_skesk_v6 : if true and AEAD cipher is chosen, creates SKESKv6/SEIPDv2
  *  - pref_pqc_enc_subkey (Only if defined: ENABLE_PQC): if true, prefers PQC subkey over
  * non-PQC subkey for encryption.
  *  - passwords : list of passwords used for password-based encryption
@@ -112,6 +113,7 @@ typedef struct rnp_ctx_t {
     bool           no_wrap{};   /* do not wrap source in literal data packet */
 #if defined(ENABLE_CRYPTO_REFRESH)
     bool enable_pkesk_v6{}; /* allows pkesk v6 if list of recipients is suitable */
+    bool enable_skesk_v6{}; /* allows skesk v6 if chosen cipher is suitable */
 #endif
 #if defined(ENABLE_PQC)
     bool pref_pqc_enc_subkey{}; /* prefer to encrypt to PQC subkey */
 
@@ -939,11 +939,43 @@ pgp_sk_sesskey_t::write(pgp_dest_t &dst) const
     pgp_packet_body_t pktbody(PGP_PKT_SK_SESSION_KEY);
     /* version and algorithm fields */
     pktbody.add_byte(version);
+#if defined(ENABLE_CRYPTO_REFRESH)
+    uint8_t s2k_len;
+    /* A one-octet scalar octet count for the 5 fields following this octet. */
+    /* TODO: unify with pgp_key_pkt_t::s2k_specifier_len() */
+    if (version == PGP_SKSK_V6) {
+        switch (s2k.specifier) {
+        case PGP_S2KS_SIMPLE:
+            s2k_len = 2;
+            break;
+        case PGP_S2KS_SALTED:
+            s2k_len = 10;
+            break;
+        case PGP_S2KS_ITERATED_AND_SALTED:
+            s2k_len = 11;
+            break;
+        default:
+            RNP_LOG("invalid specifier");
+            throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+        }
+        pktbody.add_byte(3 + s2k_len + ivlen);
+    }
+#endif
     pktbody.add_byte(alg);
-    if (version == PGP_SKSK_V5) {
+    if (version == PGP_SKSK_V5
+#if defined(ENABLE_CRYPTO_REFRESH)
+        || version == PGP_SKSK_V6
+#endif
+    ) {
         pktbody.add_byte(aalg);
     }
-    /* S2K specifier */
+/* S2K specifier */
+#if defined(ENABLE_CRYPTO_REFRESH)
+    /* A one-octet scalar octet count of the following field. */
+    if (version == PGP_SKSK_V6) {
+        pktbody.add_byte(s2k_len);
+    }
+#endif
     pktbody.add_byte(s2k.specifier);
     pktbody.add_byte(s2k.hash_alg);
 
@@ -962,7 +994,11 @@ pgp_sk_sesskey_t::write(pgp_dest_t &dst) const
         throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
     }
     /* v5 : iv */
-    if (version == PGP_SKSK_V5) {
+    if (version == PGP_SKSK_V5
+#if defined(ENABLE_CRYPTO_REFRESH)
+        || version == PGP_SKSK_V6
+#endif
+    ) {
         pktbody.add(iv, ivlen);
     }
     /* encrypted key and auth tag for v5 */
@@ -973,6 +1009,82 @@ pgp_sk_sesskey_t::write(pgp_dest_t &dst) const
     pktbody.write(dst);
 }
 
+#if defined(ENABLE_CRYPTO_REFRESH)
+rnp_result_t
+pgp_sk_sesskey_t::parse_v6(pgp_packet_body_t &pkt)
+{
+    uint8_t bt;
+    uint8_t octet_count;
+    uint8_t s2k_len;
+
+    /* A one-octet scalar octet count for the 5 fields following this octet. */
+    /* TODO: do we need to check octet_count? */
+    if (!pkt.get(octet_count)) {
+        RNP_LOG("failed to get octet count of next 5 fields");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+
+    /* symmetric algorithm */
+    if (!pkt.get(bt)) {
+        RNP_LOG("failed to get symm alg");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    alg = (pgp_symm_alg_t) bt;
+
+    /* aead algorithm */
+    if (!pkt.get(bt)) {
+        RNP_LOG("failed to get aead alg");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    aalg = (pgp_aead_alg_t) bt;
+    if ((aalg != PGP_AEAD_EAX) && (aalg != PGP_AEAD_OCB)) {
+        RNP_LOG("unsupported AEAD algorithm : %d", (int) aalg);
+        return RNP_ERROR_BAD_PARAMETERS;
+    }
+
+    /* A one-octet scalar octet count of the following field. */
+    /* TODO: do we need to check s2k_len? */
+    if (!pkt.get(s2k_len)) {
+        RNP_LOG("failed to get octet count of next 5 fields");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+
+    /* s2k */
+    if (!pkt.get(s2k)) {
+        RNP_LOG("failed to parse s2k");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+
+    size_t noncelen = pgp_cipher_aead_nonce_len(aalg);
+    size_t taglen = pgp_cipher_aead_tag_len(aalg);
+    size_t keylen = 0;
+
+    if (pkt.left() > noncelen + taglen + PGP_MAX_KEY_SIZE) {
+        RNP_LOG("too long esk");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    if (pkt.left() < noncelen + taglen + 8) {
+        RNP_LOG("too short esk");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    /* iv */
+    if (!pkt.get(iv, noncelen)) {
+        RNP_LOG("failed to get iv");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    ivlen = noncelen;
+
+    /* key */
+    keylen = pkt.left();
+    if (!pkt.get(enckey, keylen)) {
+        RNP_LOG("failed to get key");
+        return RNP_ERROR_BAD_FORMAT;
+    }
+    enckeylen = keylen;
+    return RNP_SUCCESS;
+}
+#endif
+
 rnp_result_t
 pgp_sk_sesskey_t::parse(pgp_source_t &src)
 {
@@ -985,6 +1097,12 @@ pgp_sk_sesskey_t::parse(pgp_source_t &src)
     /* version */
     uint8_t bt;
     if (!pkt.get(bt) || ((bt != PGP_SKSK_V4) && (bt != PGP_SKSK_V5))) {
+#if defined(ENABLE_CRYPTO_REFRESH)
+        if (bt == PGP_SKSK_V6) {
+            version = bt;
+            return parse_v6(pkt);
+        }
+#endif
         RNP_LOG("wrong packet version");
         return RNP_ERROR_BAD_FORMAT;
     }
 
@@ -212,6 +212,10 @@ typedef struct pgp_sk_sesskey_t {
 
     void         write(pgp_dest_t &dst) const;
     rnp_result_t parse(pgp_source_t &src);
+#if defined(ENABLE_CRYPTO_REFRESH)
+  private:
+    rnp_result_t parse_v6(pgp_packet_body_t &pkt);
+#endif
 } pgp_sk_sesskey_t;
 
 /** pgp_one_pass_sig_t */
 
@@ -50,6 +50,7 @@
 #ifdef ENABLE_CRYPTO_REFRESH
 #include "crypto/hkdf.hpp"
 #include "v2_seipd.h"
+#include "crypto/hkdf.hpp"
 #endif
 
 #ifdef HAVE_ZLIB_H
@@ -1702,7 +1703,11 @@ encrypted_try_password(pgp_source_encrypted_param_t *param, const char *password
                 continue;
             }
             keyavail = true;
-        } else if (skey.version == PGP_SKSK_V5) {
+        } else if (skey.version == PGP_SKSK_V5
+#if defined(ENABLE_CRYPTO_REFRESH)
+                   || skey.version == PGP_SKSK_V6
+#endif
+        ) {
 #if !defined(ENABLE_AEAD)
             continue;
 #else
@@ -1716,6 +1721,31 @@ encrypted_try_password(pgp_source_encrypted_param_t *param, const char *password
             alg = skey.alg;
 
             /* initialize cipher */
+#if defined(ENABLE_CRYPTO_REFRESH)
+            if (skey.version == PGP_SKSK_V6) {
+                /* For v6 SKESK, we use the S2K derived key as input to the KDF */
+                auto kdf = rnp::Hkdf::create(PGP_HASH_SHA256);
+
+                std::vector<uint8_t> kdf_info;
+                kdf_info.push_back(PGP_PKT_SK_SESSION_KEY | PGP_PTAG_ALWAYS_SET |
+                                   PGP_PTAG_NEW_FORMAT);
+                kdf_info.push_back(skey.version);
+                kdf_info.push_back(skey.alg);
+                kdf_info.push_back(skey.aalg);
+
+                std::vector<uint8_t> kdf_input(keybuf.data(),
+                                               keybuf.data() + pgp_key_size(skey.alg));
+
+                kdf->extract_expand(NULL,
+                                    0, // no salt
+                                    kdf_input.data(),
+                                    kdf_input.size(),
+                                    kdf_info.data(),
+                                    kdf_info.size(),
+                                    keybuf.data(),
+                                    keybuf.size());
+            }
+#endif
             if (!pgp_cipher_aead_init(&crypt, skey.alg, skey.aalg, keybuf.data(), true)) {
                 continue;
             }
@@ -2163,14 +2193,12 @@ encrypted_read_packet_data(pgp_source_encrypted_param_t *param)
         }
 #ifdef ENABLE_CRYPTO_REFRESH
         else if (SEIPD_version == PGP_SE_IP_DATA_V2) {
-            /*  SKESK v6 is not yet implemented, thus we must not attempt to decrypt
-               SEIPDv2 here
-                TODO: Once SKESK v6 is implemented, replace this check with a check for
-               consistency between SEIPD and SKESK version
-            */
-            if (param->symencs.size() > 0) {
-                RNP_LOG("SEIPDv2 not usable with SKESK version");
-                return RNP_ERROR_BAD_FORMAT;
+            for (auto symenc : param->symencs) {
+                // consistency check if SEIPDv2 is only coupled with SKESKv6
+                if (symenc.version != PGP_SKSK_V6) {
+                    RNP_LOG("SEIPDv2 not usable with SKESK version");
+                    return RNP_ERROR_BAD_FORMAT;
+                }
             }
 
             param->auth_type = rnp::AuthType::AEADv2;