diff --git a/RNS/Identity.py b/RNS/Identity.py index 81e5c50..7fb2be5 100644 --- a/RNS/Identity.py +++ b/RNS/Identity.py @@ -694,7 +694,6 @@ class Identity: else: raise KeyError("Encryption failed because identity does not hold a public key") - # Post 0.9.6 decryption will only accept AES-256 def __decrypt(self, shared_key, ciphertext): derived_key = RNS.Cryptography.hkdf( length=Identity.DERIVED_KEY_LENGTH, @@ -706,34 +705,6 @@ class Identity: plaintext = token.decrypt(ciphertext) return plaintext - # This handles decryption during migration to AES-256 where - # older instances may still use AES-128. If decryption fails - # initially, AES-128 will be attempted as a fallback mode. - # This handler will be removed in RNS 0.9.6. - def __migration_decrypt(self, shared_key, ciphertext): - try: - derived_key = RNS.Cryptography.hkdf( - length=Identity.DERIVED_KEY_LENGTH, - derive_from=shared_key, - salt=self.get_salt(), - context=self.get_context()) - - token = Token(derived_key) - plaintext = token.decrypt(ciphertext) - - except Exception as e: - # RNS.log("Decryption failed, attempting legacy mode fallback", RNS.LOG_DEBUG) - derived_key = RNS.Cryptography.hkdf( - length=Identity.DERIVED_KEY_LENGTH_LEGACY, - derive_from=shared_key, - salt=self.get_salt(), - context=self.get_context()) - - token = Token(derived_key) - plaintext = token.decrypt(ciphertext) - - return plaintext - def decrypt(self, ciphertext_token, ratchets=None, enforce_ratchets=False, ratchet_id_receiver=None): """ Decrypts information for the identity. @@ -757,7 +728,7 @@ class Identity: ratchet_prv = X25519PrivateKey.from_private_bytes(ratchet) ratchet_id = Identity._get_ratchet_id(ratchet_prv.public_key().public_bytes()) shared_key = ratchet_prv.exchange(peer_pub) - plaintext = self.__migration_decrypt(shared_key, ciphertext) + plaintext = self.__decrypt(shared_key, ciphertext) if ratchet_id_receiver: ratchet_id_receiver.latest_ratchet_id = ratchet_id 
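Review bot: `Identity.DERIVED_KEY_LENGTH_LEGACY` is only referenced in the removed `__migration_decrypt`, as far as these hunks show, so it looks like dead code once the ratchet-loop call here (and the one in the `-774` hunk) switches to `__decrypt`. If nothing else in the file uses it, delete it in this commit so a 128-bit derivation cannot be wired back in by accident. `__decrypt` also loses its only comment; a one-line docstring such as `"""Derive the token key with HKDF at DERIVED_KEY_LENGTH and decrypt; there is no legacy-length fallback."""` would keep that intent visible. The body of `decrypt` starts and ends outside these hunks, so I cannot confirm that a failed `token.decrypt` inside the ratchet loop is still caught and falls through to the next ratchet.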
@@ -774,7 +745,7 @@ class Identity: if plaintext == None: shared_key = self.prv.exchange(peer_pub) - plaintext = self.__migration_decrypt(shared_key, ciphertext) + plaintext = self.__decrypt(shared_key, ciphertext) if ratchet_id_receiver: ratchet_id_receiver.latest_ratchet_id = None diff --git a/RNS/Link.py b/RNS/Link.py index 74d4416..f65ce12 100644 --- a/RNS/Link.py +++ b/RNS/Link.py @@ -130,7 +130,7 @@ class Link: MODE_PQ_RESERVED_2 = 0x05 MODE_PQ_RESERVED_3 = 0x06 MODE_PQ_RESERVED_4 = 0x07 - ENABLED_MODES = [MODE_AES128_CBC, MODE_AES256_CBC] + ENABLED_MODES = [MODE_AES256_CBC] MODE_DEFAULT = MODE_AES256_CBC MODE_DESCRIPTIONS = {MODE_AES128_CBC: "AES_128_CBC", MODE_AES256_CBC: "AES_256_CBC", diff --git a/tests/link.py b/tests/link.py index 1d966c6..9ba31bc 100644 --- a/tests/link.py +++ b/tests/link.py @@ -121,16 +121,11 @@ class TestLink(unittest.TestCase): time.sleep(LINK_UP_WAIT) self.assertEqual(l1.status, RNS.Link.CLOSED) + exc_triggered = False print("Testing AES_128_CBC mode link establishment...") - l2 = RNS.Link(dest, mode=RNS.Link.MODE_AES128_CBC) - time.sleep(LINK_UP_WAIT) - self.assertEqual(l2.status, RNS.Link.ACTIVE) - self.assertEqual(l2.mode, RNS.Link.MODE_AES128_CBC) - self.assertEqual(len(l2.derived_key), 32) - - l2.teardown() - time.sleep(LINK_UP_WAIT) - self.assertEqual(l2.status, RNS.Link.CLOSED) + try: l2 = RNS.Link(dest, mode=RNS.Link.MODE_AES128_CBC) + except TypeError as e: exc_triggered = True + self.assertEqual(exc_triggered, True) print("Testing AES_256_CBC mode link establishment...") l3 = RNS.Link(dest, mode=RNS.Link.MODE_AES256_CBC)
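Review bot: Removing `MODE_AES128_CBC` from `ENABLED_MODES` only closes the downgrade path if every place that accepts a mode checks this list, and the hunk shows just the constant. The test change in this commit suggests the initiator-side constructor rejects the mode, but the code that validates the mode on an incoming link request is not visible here. Please confirm it rejects a request advertising `MODE_AES128_CBC` instead of accepting it or falling back silently. A comment above the list would also help, for example `# AES-128-CBC is intentionally disabled; re-enabling it needs a protocol review`.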
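Review bot: The added `try`/`except` with the `exc_triggered` flag is a hand-rolled `assertRaises`, and the unchanged `print` above it still says "link establishment" although the block now asserts rejection. I would write it as `with self.assertRaises(TypeError):` followed by `RNS.Link(dest, mode=RNS.Link.MODE_AES128_CBC)`, which also drops the unused `e` and the unused `l2` binding. This covers only the initiating side; a case where the peer receives an AES-128 request would pin the other half of the removal. The test method starts and ends outside the hunk.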