The previous iteration of the recipient-v1 state machine assumed that
user interaction would never be required during encryption. This is
almost certainly true for asymmetric recipients, but is not the case
for symmetric recipients (e.g. the symmetric key might be stored on a
hardware token that requires a PIN).
The recipient-v1 state machine now uses a bi-directional second phase,
matching the identity-v1 state machine. It defines the same commands
for interacting with users.
FiloSottile/age has implemented the client side of the specification,
and is able to communicate with our plugin side. This is sufficient for
releasing beta plugin support!
This implements the same mitigation as FiloSottile/age for the multi-key
attack. The age crate was already checking these lengths for built-in
recipient types; this change extends the mitigation to other crates that
reuse the age primitives, such as age plugins.
This enables a stream of stanzas to be parsed, such as in the upcoming
plugin IPC. Previously the parser could not distinguish an
stanza with a body of length 0 mod 64 from an incomplete stanza. This did
not cause issues for V1 header parsing because the recipients list is
always terminated with the MAC line, which has a distinct prefix.
V1 header parsing now accepts either kind of stanza body encoding.
We upgrade the hkdf, hmac, and rsa crates in lock-step because their
usages all depend on the sha2 crate, and upgrading from digest 0.8 to
0.9 is a breaking change that would otherwise require having two
versions of the sha2 crate.
We upgrade various other dependencies to ensure that we drop older
digest-related crate versions within our dependency tree where possible.
As a nice bonus, we can now depend on a published version of the rsa
crate that includes RSAES-OAEP.
