Unsignedio
/
Reticulum
mirror of https://github.com/markqvist/Reticulum.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Removed legacy AES-128 handlers

master
Mark Qvist 2025-05-26 19:04:30 +02:00
parent 51e3983bf8
commit 045cb662ef
3 changed files with 7 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
RNS/Identity.py
View File

@ -694,7 +694,6 @@ class Identity:
else: else:
raise KeyError("Encryption failed because identity does not hold a public key") raise KeyError("Encryption failed because identity does not hold a public key")
# Post 0.9.6 decryption will only accept AES-256
def __decrypt(self, shared_key, ciphertext): def __decrypt(self, shared_key, ciphertext):
derived_key = RNS.Cryptography.hkdf( derived_key = RNS.Cryptography.hkdf(
length=Identity.DERIVED_KEY_LENGTH, length=Identity.DERIVED_KEY_LENGTH,
@ -706,34 +705,6 @@ class Identity:
plaintext = token.decrypt(ciphertext) plaintext = token.decrypt(ciphertext)
return plaintext return plaintext
# This handles decryption during migration to AES-256 where
# older instances may still use AES-128. If decryption fails
# initially, AES-128 will be attempted as a fallback mode.
# This handler will be removed in RNS 0.9.6.
def __migration_decrypt(self, shared_key, ciphertext):
try:
derived_key = RNS.Cryptography.hkdf(
length=Identity.DERIVED_KEY_LENGTH,
derive_from=shared_key,
salt=self.get_salt(),
context=self.get_context())
token = Token(derived_key)
plaintext = token.decrypt(ciphertext)
except Exception as e:
# RNS.log("Decryption failed, attempting legacy mode fallback", RNS.LOG_DEBUG)
derived_key = RNS.Cryptography.hkdf(
length=Identity.DERIVED_KEY_LENGTH_LEGACY,
derive_from=shared_key,
salt=self.get_salt(),
context=self.get_context())
token = Token(derived_key)
plaintext = token.decrypt(ciphertext)
return plaintext
def decrypt(self, ciphertext_token, ratchets=None, enforce_ratchets=False, ratchet_id_receiver=None): def decrypt(self, ciphertext_token, ratchets=None, enforce_ratchets=False, ratchet_id_receiver=None):
""" """
Decrypts information for the identity. Decrypts information for the identity.
@ -757,7 +728,7 @@ class Identity:
ratchet_prv = X25519PrivateKey.from_private_bytes(ratchet) ratchet_prv = X25519PrivateKey.from_private_bytes(ratchet)
ratchet_id = Identity._get_ratchet_id(ratchet_prv.public_key().public_bytes()) ratchet_id = Identity._get_ratchet_id(ratchet_prv.public_key().public_bytes())
shared_key = ratchet_prv.exchange(peer_pub) shared_key = ratchet_prv.exchange(peer_pub)
plaintext = self.__migration_decrypt(shared_key, ciphertext) plaintext = self.__decrypt(shared_key, ciphertext)
if ratchet_id_receiver: if ratchet_id_receiver:
ratchet_id_receiver.latest_ratchet_id = ratchet_id ratchet_id_receiver.latest_ratchet_id = ratchet_id
@ -774,7 +745,7 @@ class Identity:
if plaintext == None: if plaintext == None:
shared_key = self.prv.exchange(peer_pub) shared_key = self.prv.exchange(peer_pub)
plaintext = self.__migration_decrypt(shared_key, ciphertext) plaintext = self.__decrypt(shared_key, ciphertext)
if ratchet_id_receiver: if ratchet_id_receiver:
ratchet_id_receiver.latest_ratchet_id = None ratchet_id_receiver.latest_ratchet_id = None

2
RNS/Link.py
View File

@ -130,7 +130,7 @@ class Link:
MODE_PQ_RESERVED_2 = 0x05 MODE_PQ_RESERVED_2 = 0x05
MODE_PQ_RESERVED_3 = 0x06 MODE_PQ_RESERVED_3 = 0x06
MODE_PQ_RESERVED_4 = 0x07 MODE_PQ_RESERVED_4 = 0x07
ENABLED_MODES = [MODE_AES128_CBC, MODE_AES256_CBC] ENABLED_MODES = [MODE_AES256_CBC]
MODE_DEFAULT = MODE_AES256_CBC MODE_DEFAULT = MODE_AES256_CBC
MODE_DESCRIPTIONS = {MODE_AES128_CBC: "AES_128_CBC", MODE_DESCRIPTIONS = {MODE_AES128_CBC: "AES_128_CBC",
MODE_AES256_CBC: "AES_256_CBC", MODE_AES256_CBC: "AES_256_CBC",

13
tests/link.py
View File

@ -121,16 +121,11 @@ class TestLink(unittest.TestCase):
time.sleep(LINK_UP_WAIT) time.sleep(LINK_UP_WAIT)
self.assertEqual(l1.status, RNS.Link.CLOSED) self.assertEqual(l1.status, RNS.Link.CLOSED)
exc_triggered = False
print("Testing AES_128_CBC mode link establishment...") print("Testing AES_128_CBC mode link establishment...")
l2 = RNS.Link(dest, mode=RNS.Link.MODE_AES128_CBC) try: l2 = RNS.Link(dest, mode=RNS.Link.MODE_AES128_CBC)
time.sleep(LINK_UP_WAIT) except TypeError as e: exc_triggered = True
self.assertEqual(l2.status, RNS.Link.ACTIVE) self.assertEqual(exc_triggered, True)
self.assertEqual(l2.mode, RNS.Link.MODE_AES128_CBC)
self.assertEqual(len(l2.derived_key), 32)
l2.teardown()
time.sleep(LINK_UP_WAIT)
self.assertEqual(l2.status, RNS.Link.CLOSED)
print("Testing AES_256_CBC mode link establishment...") print("Testing AES_256_CBC mode link establishment...")
l3 = RNS.Link(dest, mode=RNS.Link.MODE_AES256_CBC) l3 = RNS.Link(dest, mode=RNS.Link.MODE_AES256_CBC)