chore(deps): upgrade dependencies

Upgrade all dependencies to newest versions.
2025-09-04 19:18:29 +02:00 · 2023-12-13 08:29:02 -05:00
parent 0d9c92c8c0
commit 95a4e31b6c
769 changed files with 28936 additions and 12954 deletions
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/s2k/s2k.go
@ -3,7 +3,8 @@
 // license that can be found in the LICENSE file.

 // Package s2k implements the various OpenPGP string-to-key transforms as
-// specified in RFC 4800 section 3.7.1.
+// specified in RFC 4800 section 3.7.1, and Argon2 specified in
+// draft-ietf-openpgp-crypto-refresh-08 section 3.7.1.4.
 package s2k // import "github.com/ProtonMail/go-crypto/openpgp/s2k"

 import (
@ -14,70 +15,47 @@ import (

 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
+	"golang.org/x/crypto/argon2"
 )

-// Config collects configuration parameters for s2k key-stretching
-// transformations. A nil *Config is valid and results in all default
-// values. Currently, Config is used only by the Serialize function in
-// this package.
-type Config struct {
-	// S2KMode is the mode of s2k function.
-	// It can be 0 (simple), 1(salted), 3(iterated)
-	// 2(reserved) 100-110(private/experimental).
-	S2KMode uint8
-	// Hash is the default hash function to be used. If
-	// nil, SHA256 is used.
-	Hash crypto.Hash
-	// S2KCount is only used for symmetric encryption. It
-	// determines the strength of the passphrase stretching when
-	// the said passphrase is hashed to produce a key. S2KCount
-	// should be between 65536 and 65011712, inclusive. If Config
-	// is nil or S2KCount is 0, the value 16777216 used. Not all
-	// values in the above range can be represented. S2KCount will
-	// be rounded up to the next representable value if it cannot
-	// be encoded exactly. See RFC 4880 Section 3.7.1.3.
-	S2KCount int
-}
+type Mode uint8
+
+// Defines the default S2KMode constants
+//
+//	0 (simple), 1(salted), 3(iterated), 4(argon2)
+const (
+	SimpleS2K         Mode = 0
+	SaltedS2K         Mode = 1
+	IteratedSaltedS2K Mode = 3
+	Argon2S2K         Mode = 4
+	GnuS2K            Mode = 101
+)
+
+const Argon2SaltSize int = 16

 // Params contains all the parameters of the s2k packet
 type Params struct {
 	// mode is the mode of s2k function.
 	// It can be 0 (simple), 1(salted), 3(iterated)
 	// 2(reserved) 100-110(private/experimental).
-	mode uint8
+	mode Mode
 	// hashId is the ID of the hash function used in any of the modes
 	hashId byte
-	// salt is a byte array to use as a salt in hashing process
-	salt []byte
+	// salt is a byte array to use as a salt in hashing process or argon2
+	saltBytes [Argon2SaltSize]byte
 	// countByte is used to determine how many rounds of hashing are to
 	// be performed in s2k mode 3. See RFC 4880 Section 3.7.1.3.
 	countByte byte
-}
-
-func (c *Config) hash() crypto.Hash {
-	if c == nil || uint(c.Hash) == 0 {
-		return crypto.SHA256
-	}
-
-	return c.Hash
-}
-
-// EncodedCount get encoded count
-func (c *Config) EncodedCount() uint8 {
-	if c == nil || c.S2KCount == 0 {
-		return 224 // The common case. Corresponding to 16777216
-	}
-
-	i := c.S2KCount
-
-	switch {
-	case i < 65536:
-		i = 65536
-	case i > 65011712:
-		i = 65011712
-	}
-
-	return encodeCount(i)
+	// passes is a parameter in Argon2 to determine the number of iterations
+	// See RFC the crypto refresh Section 3.7.1.4.
+	passes byte
+	// parallelism is a parameter in Argon2 to determine the degree of paralellism
+	// See RFC the crypto refresh Section 3.7.1.4.
+	parallelism byte
+	// memoryExp is a parameter in Argon2 to determine the memory usage
+	// i.e., 2 ** memoryExp kibibytes
+	// See RFC the crypto refresh Section 3.7.1.4.
+	memoryExp byte
 }

 // encodeCount converts an iterative "count" in the range 1024 to
@ -106,6 +84,31 @@ func decodeCount(c uint8) int {
 	return (16 + int(c&15)) << (uint32(c>>4) + 6)
 }

+// encodeMemory converts the Argon2 "memory" in the range parallelism*8 to
+// 2**31, inclusive, to an encoded memory. The return value is the
+// octet that is actually stored in the GPG file. encodeMemory panics
+// if is not in the above range 
+// See OpenPGP crypto refresh Section 3.7.1.4.
+func encodeMemory(memory uint32, parallelism uint8) uint8 {
+	if memory < (8 * uint32(parallelism)) || memory > uint32(2147483648) {
+		panic("Memory argument memory is outside the required range")
+	}
+
+	for exp := 3; exp < 31; exp++ {
+		compare := decodeMemory(uint8(exp))
+		if compare >= memory {
+			return uint8(exp)
+		}
+	}
+
+	return 31
+}
+
+// decodeMemory computes the decoded memory in kibibytes as 2**memoryExponent
+func decodeMemory(memoryExponent uint8) uint32 {
+	return uint32(1) << memoryExponent
+}
+
 // Simple writes to out the result of computing the Simple S2K function (RFC
 // 4880, section 3.7.1.1) using the given hash and input passphrase.
 func Simple(out []byte, h hash.Hash, in []byte) {
@ -169,25 +172,53 @@ func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
 	}
 }

+// Argon2 writes to out the key derived from the password (in) with the Argon2
+// function (the crypto refresh, section 3.7.1.4)
+func Argon2(out []byte, in []byte, salt []byte, passes uint8, paralellism uint8, memoryExp uint8) {
+	key := argon2.IDKey(in, salt, uint32(passes), decodeMemory(memoryExp), paralellism, uint32(len(out)))
+	copy(out[:], key)
+}
+
 // Generate generates valid parameters from given configuration.
-// It will enforce salted + hashed s2k method
+// It will enforce the Iterated and Salted or Argon2 S2K method.
 func Generate(rand io.Reader, c *Config) (*Params, error) {
-	hashId, ok := HashToHashId(c.Hash)
-	if !ok {
-		return nil, errors.UnsupportedError("no such hash")
-	}
+	var params *Params
+	if c != nil && c.Mode() == Argon2S2K {
+		// handle Argon2 case
+		argonConfig := c.Argon2()
+		params = &Params{
+			mode:        Argon2S2K,
+			passes:      argonConfig.Passes(),
+			parallelism: argonConfig.Parallelism(),
+			memoryExp:   argonConfig.EncodedMemory(),
+		}
+	} else if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy
+		hashId, ok := algorithm.HashToHashId(c.hash())
+		if !ok {
+			return nil, errors.UnsupportedError("no such hash")
+		}

-	params := &Params{
-		mode:      3, // Enforce iterared + salted method
-		hashId:    hashId,
-		salt:      make([]byte, 8),
-		countByte: c.EncodedCount(),
+		params = &Params{
+			mode:      SaltedS2K,
+			hashId:    hashId,
+		}
+	} else { // Enforce IteratedSaltedS2K method otherwise
+		hashId, ok := algorithm.HashToHashId(c.hash())
+		if !ok {
+			return nil, errors.UnsupportedError("no such hash")
+		}
+		if c != nil {
+			c.S2KMode = IteratedSaltedS2K
+		}
+		params = &Params{
+			mode:      IteratedSaltedS2K, 
+			hashId:    hashId,
+			countByte: c.EncodedCount(),
+		}
 	}
-
-	if _, err := io.ReadFull(rand, params.salt); err != nil {
+	if _, err := io.ReadFull(rand, params.salt()); err != nil {
 		return nil, err
 	}
-
 	return params, nil
 }

@ -207,45 +238,60 @@ func Parse(r io.Reader) (f func(out, in []byte), err error) {
 // ParseIntoParams reads a binary specification for a string-to-key
 // transformation from r and returns a struct describing the s2k parameters.
 func ParseIntoParams(r io.Reader) (params *Params, err error) {
-	var buf [9]byte
+	var buf [Argon2SaltSize + 3]byte

-	_, err = io.ReadFull(r, buf[:2])
+	_, err = io.ReadFull(r, buf[:1])
 	if err != nil {
 		return
 	}

 	params = &Params{
-		mode:   buf[0],
-		hashId: buf[1],
+		mode: Mode(buf[0]),
 	}

 	switch params.mode {
-	case 0:
-		return params, nil
-	case 1:
-		_, err = io.ReadFull(r, buf[:8])
+	case SimpleS2K:
+		_, err = io.ReadFull(r, buf[:1])
 		if err != nil {
 			return nil, err
 		}
-
-		params.salt = buf[:8]
+		params.hashId = buf[0]
 		return params, nil
-	case 3:
+	case SaltedS2K:
 		_, err = io.ReadFull(r, buf[:9])
 		if err != nil {
 			return nil, err
 		}
-
-		params.salt = buf[:8]
-		params.countByte = buf[8]
+		params.hashId = buf[0]
+		copy(params.salt(), buf[1:9])
 		return params, nil
-	case 101:
-		// This is a GNU extension. See
-		// https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109
-		if _, err = io.ReadFull(r, buf[:4]); err != nil {
+	case IteratedSaltedS2K:
+		_, err = io.ReadFull(r, buf[:10])
+		if err != nil {
 			return nil, err
 		}
-		if buf[0] == 'G' && buf[1] == 'N' && buf[2] == 'U' && buf[3] == 1 {
+		params.hashId = buf[0]
+		copy(params.salt(), buf[1:9])
+		params.countByte = buf[9]
+		return params, nil
+	case Argon2S2K:
+		_, err = io.ReadFull(r, buf[:Argon2SaltSize+3])
+		if err != nil {
+			return nil, err
+		}
+		copy(params.salt(), buf[:Argon2SaltSize])
+		params.passes = buf[Argon2SaltSize]
+		params.parallelism = buf[Argon2SaltSize+1]
+		params.memoryExp = buf[Argon2SaltSize+2]
+		return params, nil
+	case GnuS2K:
+		// This is a GNU extension. See
+		// https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109
+		if _, err = io.ReadFull(r, buf[:5]); err != nil {
+			return nil, err
+		}
+		params.hashId = buf[0]
+		if buf[1] == 'G' && buf[2] == 'N' && buf[3] == 'U' && buf[4] == 1 {
 			return params, nil
 		}
 		return nil, errors.UnsupportedError("GNU S2K extension")
@ -255,39 +301,56 @@ func ParseIntoParams(r io.Reader) (params *Params, err error) {
 }

 func (params *Params) Dummy() bool {
-	return params != nil && params.mode == 101
+	return params != nil && params.mode == GnuS2K
+}
+
+func (params *Params) salt() []byte {
+	switch params.mode {
+		case SaltedS2K, IteratedSaltedS2K: return params.saltBytes[:8]
+		case Argon2S2K: return params.saltBytes[:Argon2SaltSize]
+		default: return nil
+	}
 }

 func (params *Params) Function() (f func(out, in []byte), err error) {
 	if params.Dummy() {
 		return nil, errors.ErrDummyPrivateKey("dummy key found")
 	}
-	hashObj, ok := HashIdToHash(params.hashId)
-	if !ok {
-		return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId)))
-	}
-	if !hashObj.Available() {
-		return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj)))
+	var hashObj crypto.Hash
+	if params.mode != Argon2S2K {
+		var ok bool
+		hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId)
+		if !ok {
+			return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId)))
+		}
+		if !hashObj.Available() {
+			return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj)))
+		}
 	}

 	switch params.mode {
-	case 0:
+	case SimpleS2K:
 		f := func(out, in []byte) {
 			Simple(out, hashObj.New(), in)
 		}

 		return f, nil
-	case 1:
+	case SaltedS2K:
 		f := func(out, in []byte) {
-			Salted(out, hashObj.New(), in, params.salt)
+			Salted(out, hashObj.New(), in, params.salt())
 		}

 		return f, nil
-	case 3:
+	case IteratedSaltedS2K:
 		f := func(out, in []byte) {
-			Iterated(out, hashObj.New(), in, params.salt, decodeCount(params.countByte))
+			Iterated(out, hashObj.New(), in, params.salt(), decodeCount(params.countByte))
 		}

+		return f, nil
+	case Argon2S2K:
+		f := func(out, in []byte) {
+			Argon2(out, in, params.salt(), params.passes, params.parallelism, params.memoryExp)
+		}
 		return f, nil
 	}

@ -295,23 +358,28 @@ func (params *Params) Function() (f func(out, in []byte), err error) {
 }

 func (params *Params) Serialize(w io.Writer) (err error) {
-	if _, err = w.Write([]byte{params.mode}); err != nil {
+	if _, err = w.Write([]byte{uint8(params.mode)}); err != nil {
 		return
 	}
-	if _, err = w.Write([]byte{params.hashId}); err != nil {
-		return
+	if params.mode != Argon2S2K {
+		if _, err = w.Write([]byte{params.hashId}); err != nil {
+			return
+		}
 	}
 	if params.Dummy() {
 		_, err = w.Write(append([]byte("GNU"), 1))
 		return
 	}
 	if params.mode > 0 {
-		if _, err = w.Write(params.salt); err != nil {
+		if _, err = w.Write(params.salt()); err != nil {
 			return
 		}
-		if params.mode == 3 {
+		if params.mode == IteratedSaltedS2K {
 			_, err = w.Write([]byte{params.countByte})
 		}
+		if params.mode == Argon2S2K {
+			_, err = w.Write([]byte{params.passes, params.parallelism, params.memoryExp})
+		}
 	}
 	return
 }
@ -337,31 +405,3 @@ func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Co
 	f(key, passphrase)
 	return nil
 }
-
-// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
-// hash id.
-func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
-	if hash, ok := algorithm.HashById[id]; ok {
-		return hash.HashFunc(), true
-	}
-	return 0, false
-}
-
-// HashIdToString returns the name of the hash function corresponding to the
-// given OpenPGP hash id.
-func HashIdToString(id byte) (name string, ok bool) {
-	if hash, ok := algorithm.HashById[id]; ok {
-		return hash.String(), true
-	}
-	return "", false
-}
-
-// HashIdToHash returns an OpenPGP hash id which corresponds the given Hash.
-func HashToHashId(h crypto.Hash) (id byte, ok bool) {
-	for id, hash := range algorithm.HashById {
-		if hash.HashFunc() == h {
-			return id, true
-		}
-	}
-	return 0, false
-}