Re: GSoC 2018 - Modern cryptographic algorithms to netpgp, netpgpverify

[Alistair Crooks <agc%pkgsrc.org@localhost>]

Yeah, netpgpverify is the new, all-in-one, no pre-reqs codebase solely for the verification part of signatures.

ed25519 also needs to be added to netpgp, which is the older and more crufty code base which covers signing and verification.

But before any code is touched, we'd need to know what gpg constants uses for these algorithms, since they're not in RFC 4880, and so we can interoperate with gpg in verifying and signing.

We need to know what extra parts are needed (from different sources, along with their licences), and any other prereqs we might need for both netpgpverify and netpgp.

And we need to know tests for making sure that the implementation is correct, and for auditing, including a walk-through to make sure that any keys are discarded in a safe manner.

And rest assured that your implementation will be used, since pkgsrc uses netpgpverify to verify signatures on signed packages - see how Joyent have done this.

But there, I've just written a big part of your proposal for you :)

On 19 March 2018 at 19:54, Harsh Khatore <khatore.harsh.github%gmail.com@localhost> wrote:

Hi Alistair, 

It's great to hear from you. And okay, I will follow those instructions.
Regarding the project, we need to implement  ed25519 and salsa20 in the 'netpgpverify' package right, like there are already implementations for sha1, sha2, md5 etc. hashing schemes, we need to add the implementation of these two signature schemes and cipher to the package?
I guess the file would be here: ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/netpgpverify/files/

And yes, I can work with C and I understand it's workflow.
So, how should I begin with writing a proposal and get started with the implementation?

Thanks,
Harsh Khatore

On Tue, Mar 20, 2018 at 12:13 AM Alistair Crooks <agc%pkgsrc.org@localhost> wrote:

Hi Harsh,

I've been talking to others about it, but yours is the first mail I've received.

C proficiency is necessary. C++ not needed.

I can help you out with any specific questions you have - please mail them here (i.e. to tech-crypto, CC me).

Thanks,

Alistair

On 18 March 2018 at 10:57, Harsh Khatore <khatore.harsh.github@gmail.com> wrote:

Hi Alistair,

Sorry for contacting you soo late for the above-mentioned project. Could you provide me with help regarding the project so that I can work on it for GSoC? Also, do you have anyone else preparing for it or can I continue with this?

My knowledge of C and C++ languages is intermediate.

Thanks,
Harsh Khatore