str4d · str4d · Apr 22, 2026 · Dec 7, 2025 · Feb 20, 2025 · Dec 7, 2025
diff --git a/.github/workflows/interop.yml b/.github/workflows/interop.yml
@@ -48,10 +48,10 @@ jobs:
           -H 'Authorization: token ${{ secrets.AGE_STATUS_ACCESS_TOKEN }}' \
           --data '{"state": "pending", "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", "description": "In progress", "context": "Interoperability tests / Build age"}'
 
-      - name: Set up Go 1.19
+      - name: Set up Go 1.24
         uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: 1.24
         id: go
 
       - name: Use specified FiloSottile/age commit

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/age/CHANGELOG.md b/age/CHANGELOG.md
@@ -10,6 +10,35 @@ to 1.0.0 are beta releases.
 
 ## [Unreleased]
 
+## [0.11.3] - 2026-04-22
+### Changed
+- Recipient and identity files (parsed via `age::IdentityFile` or
+  `age::cli_common::{read_recipients, read_identities}`) is now limited to at
+  most 16 MiB, matching the Go implementation.
+- `age::cli_common::read_identities` now limits SSH keys to at most 16 kiB,
+  matching the Go implementation.
+
+### Fixed
+- `age::plugin`:
+  - `{RecipientPluginV1, IdentityPluginV1}` no longer panic when a plugin sends
+    an unusually-formatted error in phase 2.
+  - `IdentityPluginV1` no longer panics when a plugin violates the specification
+    and returns a file key for a file index that was not provided, or sends more
+    than one file key per file index.
+- `age::ssh::EncryptedKey::decrypt` now returns an error instead of panicking
+  when given an empty passphrase.
+- `age::stream::StreamReader` no longer panics in debug mode when seeking on a
+  ciphertext truncated to just after the nonce (i.e. with zero chunk data).
+
+## [0.11.2] - 2025-12-07
+### Fixed
+- `age::armor::ArmoredWriter::poll_write` no longer panics when writing more
+  than 6144 bytes.
+- `age::encrypted::Identity` no longer causes a panic when being decrypted if
+  the `age::Callbacks::request_passphrase` impl returns `None`.
+- `age::plugin::{Identity, RecipientPluginV1, IdentityPluginV1}` now correctly
+  reject the empty plugin name (like `age::plugin::Recipient` already was).
+
 ## [0.6.1, 0.7.2, 0.8.2, 0.9.3, 0.10.1, 0.11.1] - 2024-11-18
 ### Security
 - Fixed a security vulnerability that could allow an attacker to execute an

diff --git a/age/Cargo.toml b/age/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "age"
 description = "[BETA] A simple, secure, and modern encryption library."
-version = "0.11.1"
+version = "0.11.3"
 authors.workspace = true
 repository.workspace = true
 readme = "README.md"

diff --git a/age/src/cli_common/identities.rs b/age/src/cli_common/identities.rs
@@ -6,11 +6,19 @@ use crate::{identity::IdentityFile, Identity};
 #[cfg(feature = "armor")]
 use crate::{armor::ArmoredReader, cli_common::file_io::InputReader};
 
+#[cfg(feature = "ssh")]
+use crate::util::LimitedReader;
+
+#[cfg(feature = "ssh")]
+const SSH_IDENTITY_SIZE_LIMIT: usize = 1 << 14; // 16 KiB
+
 /// Reads identities from the provided files.
 ///
 /// `filenames` may contain at most one entry of `"-"`, which will be interpreted as
 /// reading from standard input. An error will be returned if `stdin_guard` is guarding an
 /// existing usage of standard input.
+///
+/// Each file in `filenames` may be at most 16 MiB. SSH keys are limited to 16 kiB.
 pub fn read_identities(
     filenames: Vec<String>,
     max_work_factor: Option<u8>,
@@ -123,7 +131,10 @@ pub(super) fn parse_identity_files<Ctx, E: From<ReadError> + From<io::Error>>(
 
         // Try parsing as a single multi-line SSH identity.
         #[cfg(feature = "ssh")]
-        match crate::ssh::Identity::from_buffer(&mut reader, Some(filename.clone())) {
+        match crate::ssh::Identity::from_buffer(
+            LimitedReader::new(&mut reader, SSH_IDENTITY_SIZE_LIMIT),
+            Some(filename.clone()),
+        ) {
             Ok(crate::ssh::Identity::Unsupported(k)) => {
                 return Err(ReadError::UnsupportedKey(filename, k).into())
             }

diff --git a/age/src/cli_common/recipients.rs b/age/src/cli_common/recipients.rs
@@ -3,6 +3,7 @@ use std::io::{self, BufReader};
 use super::StdinGuard;
 use super::{identities::parse_identity_files, ReadError};
 use crate::identity::RecipientsAccumulator;
+use crate::util::LimitedReader;
 use crate::{x25519, Recipient};
 
 #[cfg(feature = "plugin")]
@@ -17,6 +18,8 @@ use crate::ssh;
 #[cfg(any(feature = "armor", feature = "plugin"))]
 use crate::EncryptError;
 
+const RECIPIENT_FILE_SIZE_LIMIT: usize = 1 << 24; // 16 MiB
+
 /// Handles error mapping for the given SSH recipient parser.
 ///
 /// Returns `Ok(None)` if the parser finds a parseable value that should be ignored. This
@@ -126,6 +129,8 @@ fn read_recipients_list<R: io::BufRead>(
 /// `recipients_file_strings` and `identity_strings` may collectively contain at most one
 /// entry of `"-"`, which will be interpreted as reading from standard input. An error
 /// will be returned if `stdin_guard` is guarding an existing usage of standard input.
+///
+/// Each file in `recipients_file_strings` and `identity_strings` may be at most 16 MiB.
 pub fn read_recipients(
     recipient_strings: Vec<String>,
     recipients_file_strings: Vec<String>,
@@ -146,7 +151,7 @@ pub fn read_recipients(
             }
             _ => e,
         })?;
-        let buf = BufReader::new(f);
+        let buf = LimitedReader::new(BufReader::new(f), RECIPIENT_FILE_SIZE_LIMIT);
         read_recipients_list(&arg, buf, &mut recipients)?;
     }
 

diff --git a/age/src/encrypted.rs b/age/src/encrypted.rs
@@ -43,7 +43,7 @@ impl<R: io::Read, C: Callbacks> IdentityState<R, C> {
                     filename = filename.unwrap_or_default()
                 )) {
                     Some(passphrase) => passphrase,
-                    None => todo!(),
+                    None => Err(DecryptError::KeyDecryptionFailed)?,
                 };
 
                 let mut identity = scrypt::Identity::new(passphrase);
@@ -216,10 +216,10 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
     const TEST_RECIPIENT: &str = "age1ysxuaeqlk7xd8uqsh8lsnfwt9jzzjlqf49ruhpjrrj5yatlcuf7qke4pqe";
 
     #[derive(Clone)]
-    struct MockCallbacks(Arc<Mutex<Option<&'static str>>>);
+    struct MockCallbacks(Arc<Mutex<Option<Option<&'static str>>>>);
 
     impl MockCallbacks {
-        fn new(passphrase: &'static str) -> Self {
+        fn new(passphrase: Option<&'static str>) -> Self {
             MockCallbacks(Arc::new(Mutex::new(Some(passphrase))))
         }
     }
@@ -239,9 +239,13 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
 
         /// This intentionally panics if called twice.
         fn request_passphrase(&self, _: &str) -> Option<SecretString> {
-            Some(SecretString::from(
-                self.0.lock().unwrap().take().unwrap().to_owned(),
-            ))
+            self.0
+                .lock()
+                .unwrap()
+                .take()
+                .expect("passphrase is only input once")
+                .to_owned()
+                .map(SecretString::from)
         }
     }
 
@@ -258,10 +262,28 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
         // Unwrapping with the wrong passphrase fails.
         {
             let buf = ArmoredReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes());
-            let identity =
-                Identity::from_buffer(buf, None, MockCallbacks::new("wrong passphrase"), None)
-                    .unwrap()
-                    .unwrap();
+            let identity = Identity::from_buffer(
+                buf,
+                None,
+                MockCallbacks::new(Some("wrong passphrase")),
+                None,
+            )
+            .unwrap()
+            .unwrap();
+
+            if let Err(e) = identity.unwrap_stanzas(&wrapped).unwrap() {
+                assert!(matches!(e, DecryptError::KeyDecryptionFailed));
+            } else {
+                panic!("Should have failed");
+            }
+        }
+
+        // Unwrapping fails if we cannot obtain a passphrase.
+        {
+            let buf = ArmoredReader::new(TEST_ENCRYPTED_IDENTITY.as_bytes());
+            let identity = Identity::from_buffer(buf, None, MockCallbacks::new(None), None)
+                .unwrap()
+                .unwrap();
 
             if let Err(e) = identity.unwrap_stanzas(&wrapped).unwrap() {
                 assert!(matches!(e, DecryptError::KeyDecryptionFailed));
@@ -274,7 +296,7 @@ fOrxrKTj7xCdNS3+OrCdnBC8Z9cKDxjCGWW3fkjLsYha0Jo=
         let identity = Identity::from_buffer(
             buf,
             None,
-            MockCallbacks::new(TEST_ENCRYPTED_IDENTITY_PASSPHRASE),
+            MockCallbacks::new(Some(TEST_ENCRYPTED_IDENTITY_PASSPHRASE)),
             None,
         )
         .unwrap()

diff --git a/age/src/error.rs b/age/src/error.rs
@@ -9,6 +9,9 @@ use crate::{wfl, wlnfl};
 #[cfg(feature = "plugin")]
 use age_core::format::Stanza;
 
+#[cfg(feature = "plugin")]
+use crate::plugin::CMD_ERROR;
+
 /// Errors returned when converting an identity file to a recipients file.
 #[derive(Debug)]
 pub enum IdentityFileConvertError {
@@ -110,8 +113,12 @@ pub enum PluginError {
 #[cfg(feature = "plugin")]
 impl From<Stanza> for PluginError {
     fn from(mut s: Stanza) -> Self {
-        assert!(s.tag == "error");
-        let kind = s.args.remove(0);
+        assert_eq!(s.tag, CMD_ERROR);
+        let kind = if s.args.is_empty() {
+            "unknown".into()
+        } else {
+            s.args.remove(0)
+        };
         PluginError::Other {
             kind,
             metadata: s.args,

diff --git a/age/src/identity.rs b/age/src/identity.rs
@@ -1,14 +1,23 @@
-use std::fs::File;
-use std::io;
+use std::{
+    fs::File,
+    io::{self, BufRead},
+};
 
-use crate::{x25519, Callbacks, DecryptError, EncryptError, IdentityFileConvertError, NoCallbacks};
+use zeroize::Zeroize;
+
+use crate::{
+    util::LimitedReader, x25519, Callbacks, DecryptError, EncryptError, IdentityFileConvertError,
+    NoCallbacks,
+};
 
 #[cfg(feature = "cli-common")]
 use crate::cli_common::file_io::InputReader;
 
 #[cfg(feature = "plugin")]
 use crate::plugin;
 
+const IDENTITY_SIZE_LIMIT: usize = 1 << 24; // 16 MiB
+
 /// The supported kinds of identities within an [`IdentityFile`].
 #[derive(Clone)]
 enum IdentityFileEntry {
@@ -41,6 +50,8 @@ impl IdentityFileEntry {
 }
 
 /// A list of identities that has been parsed from some input file.
+///
+/// The maximum supported file size is 16 MiB.
 pub struct IdentityFile<C: Callbacks> {
     filename: Option<String>,
     identities: Vec<IdentityFileEntry>,
@@ -70,8 +81,10 @@ impl IdentityFile<NoCallbacks> {
     fn parse_identities<R: io::BufRead>(filename: Option<String>, data: R) -> io::Result<Self> {
         let mut identities = vec![];
 
+        let data = LimitedReader::new(data, IDENTITY_SIZE_LIMIT);
+
         for (line_number, line) in data.lines().enumerate() {
-            let line = line?;
+            let mut line = line?;
             if line.is_empty() || line.starts_with('#') {
                 continue;
             }
@@ -96,6 +109,8 @@ impl IdentityFile<NoCallbacks> {
                 #[cfg(not(feature = "plugin"))]
                 let _: () = identity;
             } else {
+                line.zeroize();
+
                 // Return a line number in place of the line, so we don't leak the file
                 // contents in error messages.
                 return Err(io::Error::new(
@@ -114,6 +129,8 @@ impl IdentityFile<NoCallbacks> {
                     },
                 ));
             }
+
+            line.zeroize();
         }
 
         Ok(IdentityFile {