Closed falko-strenzke closed 1 month ago
I added some more variation.
When explicitly setting None
via rnp_op_encrypt_set_aead
, we override it in init_encrypted_dst
to PGP_AEAD_OCB
. This is due to the fact that we choose PKESKv6 and AEAD is required. I think it's reasonable behaviour but perhaps we should ask the maintainers whether or not the explicitly requested mode should be honored. This would mean to a) either explicitly fail with an error or b) revert to PKESKv3.
It should be noted, that we are calling both rnp_op_encrypt_enable_pkesk_v6
and rnp_op_encrypt_set_aead
, so setting None
in the latter is contradictory in itself. Perhaps the inconsistent settings should be cought when setting either of the options and the other option is inconsistent with the currently set option.
It should be noted, that we are calling both
rnp_op_encrypt_enable_pkesk_v6
andrnp_op_encrypt_set_aead
, so settingNone
in the latter is contradictory in itself.
For me best solution in this case would be to fail with INVALID_PARAMETER error and some explanatory message via FFI_LOG()
, as it is definitely something which should not happen.
TODO: Check whether sufficient coverage now
I added another test for TwoFish in test_ffi_encrypt_pk_with_v6_key
in the branch https://github.com/pqc-thunderbird/rnp/tree/update-draft-03. PR to follow. (see https://github.com/pqc-thunderbird/rnp/issues/69 for an overview of our dev branches).
Coverage is sufficient now from my point of view.
need cli parameter to choose also GCM (unclear if GCM support is desired in RNP)not desired by RNP, see https://github.com/rnpgp/rnp/issues/2218#issuecomment-2077183809