From 61ad40613875df71350035d0d0d0c6f5fb6208d4 Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Thu, 4 Jul 2024 21:59:01 +0200
Subject: [PATCH] Disallow using Simple S2K with version 6 keys

RFC9580 says that: [The Simple S2K method] is used only for reading in backwards compatibility mode. Since V6 keys don't need backwards compatibility, disallow using Simple S2K there.
---
 src/packet/secret_key.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/packet/secret_key.js b/src/packet/secret_key.js
index c96294ea..55c100ec 100644
--- a/src/packet/secret_key.js
+++ b/src/packet/secret_key.js
@@ -571,6 +571,9 @@ async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aea
   if (s2k.type === 'argon2' && !aeadMode) {
     throw new Error('Using Argon2 S2K without AEAD is not allowed');
   }
+  if (s2k.type === 'simple' && keyVersion === 6) {
+    throw new Error('Using Simple S2K with version 6 keys is not allowed');
+  }
   const { keySize } = crypto.getCipherParams(cipherAlgo);
   const derivedKey = await s2k.produceKey(passphrase, keySize);
   if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
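Review bot: The new guard lives in produceEncryptionKey, which derives the key from the passphrase and so, if it is shared by the encrypt and decrypt paths as its (keyVersion, s2k, passphrase) signature suggests, will also reject reading a v6 secret key that another implementation protected with Simple S2K, while the text quoted in the commit message only restricts it to "reading in backwards compatibility mode", i.e. it constrains writing. If rejecting such keys on read is intentional, a comment above the check should say so, e.g. `// RFC 9580: Simple S2K is reading-only legacy; v6 keys have no legacy, so reject it on both paths`; otherwise move the check to the encrypt path and keep the decrypt path lenient. The commit also adds no test pinning the new error, unlike the sibling Argon2 check it mirrors; a case that encrypts a v6 key with an S2K of type 'simple' and expects the new message would close that gap. produceEncryptionKey starts before this hunk and continues after it.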