PyPI - ghostbit-cli - Versions diffs - 1.4.0__tar.gz → 1.5.0__tar.gz - Mend

ghostbit-cli 1.4.0tar.gz → 1.5.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

{ghostbit_cli-1.4.0 → ghostbit_cli-1.5.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ghostbit-cli
-Version: 1.4.0
+Version: 1.5.0
 Summary: Ghostbit CLI — create end-to-end encrypted pastes from the terminal
 License-Expression: MIT
 Project-URL: Homepage, https://github.com/stackopshq/ghostbit

{ghostbit_cli-1.4.0 → ghostbit_cli-1.5.0}/__init__.py RENAMED Viewed

@@ -29,6 +29,7 @@ from ._crypto import (
     decrypt,
     decrypt_bytes,
     derive_key,
+    derive_key_for,
     encrypt,
     gen_key,
     gen_salt,
@@ -110,10 +111,12 @@ def cmd_paste(args) -> None:
     if password:
         kdf_salt = gen_salt()
-        key = derive_key(password, kdf_salt)
+        kdf_choice = args.kdf
+        key = derive_key_for(kdf_choice, password, kdf_salt)
     else:
         key = gen_key()
         kdf_salt = None
+        kdf_choice = "pbkdf2-sha256"  # ignored when has_password is false
     if args.compress:
         import gzip
@@ -132,6 +135,7 @@ def cmd_paste(args) -> None:
         "burn": args.burn,
         "max_views": args.max_views,
         "compressed": args.compress,
+        "kdf": kdf_choice,
     }
     result = api_create(server, payload)
@@ -270,7 +274,10 @@ def cmd_view(args) -> None:
         if not kdf_salt:
             print("Error: no KDF salt — paste is not password-protected.", file=sys.stderr)
             sys.exit(1)
-        key = derive_key(password, kdf_salt)
+        # Server tells us which KDF was used; default to legacy PBKDF2 for
+        # pastes written before the field existed.
+        kdf_choice = data.get("kdf") or "pbkdf2-sha256"
+        key = derive_key_for(kdf_choice, password, kdf_salt)
     else:
         # Restore base64 padding stripped for URL safety.
         padded = key_b64url + "=" * (-len(key_b64url) % 4)
@@ -518,6 +525,10 @@ current server: {current_server}
         "--compress", "-z", action="store_true",
         help="Gzip the plaintext locally BEFORE encryption (60–80%% smaller for text).",
     )  # fmt: skip
+    parser.add_argument(
+        "--kdf", choices=("pbkdf2-sha256", "argon2id"), default="pbkdf2-sha256",
+        help="Key derivation function (used only with --password). Default: pbkdf2-sha256.",
+    )  # fmt: skip
     parser.add_argument(
         "--max-views", "-m", type=int, default=None, metavar="N",
         help="Delete after N views.",

{ghostbit_cli-1.4.0 → ghostbit_cli-1.5.0}/_crypto.py RENAMED Viewed

@@ -21,8 +21,24 @@ try:
 except ImportError:
     _CRYPTO_OK = False
+try:
+    from argon2.low_level import Type as _Argon2Type
+    from argon2.low_level import hash_secret_raw as _argon2_hash
+    _ARGON2_OK = True
+except ImportError:
+    _ARGON2_OK = False
 _PBKDF2_ITERATIONS = 600_000
+# OWASP 2023+ minimum for Argon2id in interactive contexts (browser/CLI).
+# m = memory in KiB; t = passes; p = parallelism; hash length in bytes.
+# Anything stronger meaningfully impacts page-load time on a phone — bump
+# these together with the browser WASM lib's defaults when it lands.
+_ARGON2_MEMORY_KIB = 19_456  # 19 MiB
+_ARGON2_TIME_COST = 2
+_ARGON2_PARALLELISM = 1
 def require_crypto() -> None:
     """Abort with an actionable message if `cryptography` is missing."""
@@ -62,6 +78,7 @@ def decrypt(ciphertext_b64: str, nonce_b64: str, key: bytes) -> str:
 def derive_key(password: str, salt_b64: str) -> bytes:
+    """PBKDF2-SHA256 at 600k iterations — the historical default."""
     salt = base64.b64decode(salt_b64)
     kdf = PBKDF2HMAC(
         algorithm=_hashes.SHA256(), length=32, salt=salt, iterations=_PBKDF2_ITERATIONS
@@ -69,5 +86,35 @@ def derive_key(password: str, salt_b64: str) -> bytes:
     return kdf.derive(password.encode())
+def derive_key_argon2id(password: str, salt_b64: str) -> bytes:
+    """Argon2id with OWASP minimum params (m=19 MiB, t=2, p=1)."""
+    if not _ARGON2_OK:
+        print(
+            "Error: 'argon2-cffi' package required for --kdf argon2id. "
+            "Run: pip install argon2-cffi",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+    salt = base64.b64decode(salt_b64)
+    return _argon2_hash(
+        secret=password.encode(),
+        salt=salt,
+        time_cost=_ARGON2_TIME_COST,
+        memory_cost=_ARGON2_MEMORY_KIB,
+        parallelism=_ARGON2_PARALLELISM,
+        hash_len=32,
+        type=_Argon2Type.ID,
+    )
+def derive_key_for(kdf: str, password: str, salt_b64: str) -> bytes:
+    """Dispatch to the right KDF based on the protocol's kdf field."""
+    if kdf == "pbkdf2-sha256":
+        return derive_key(password, salt_b64)
+    if kdf == "argon2id":
+        return derive_key_argon2id(password, salt_b64)
+    raise ValueError(f"unsupported kdf {kdf!r}")
 def key_to_fragment(key: bytes) -> str:
     return base64.urlsafe_b64encode(key).rstrip(b"=").decode()

{ghostbit_cli-1.4.0 → ghostbit_cli-1.5.0}/ghostbit_cli.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ghostbit-cli
-Version: 1.4.0
+Version: 1.5.0
 Summary: Ghostbit CLI — create end-to-end encrypted pastes from the terminal
 License-Expression: MIT
 Project-URL: Homepage, https://github.com/stackopshq/ghostbit

{ghostbit_cli-1.4.0 → ghostbit_cli-1.5.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "ghostbit-cli"
-version = "1.4.0"
+version = "1.5.0"
 description = "Ghostbit CLI — create end-to-end encrypted pastes from the terminal"
 readme = "README.md"
 license = "MIT"