Disallow using forbidden S2K modes (#1777)

RFC9580 says that:

    Argon2 is only used with AEAD (S2K usage octet 253).  An
    implementation MUST NOT create and MUST reject as malformed any
    secret key packet where the S2K usage octet is not AEAD (253) and
    the S2K specifier type is Argon2.

Therefore, we disallow reading and writing Argon2 keys without AEAD.

And:

    [The Simple and Salted S2K methods] are used only for reading in
    backwards compatibility mode.
    
Since v6 keys don't need backwards compatibility, we also disallow
reading Simple S2K there. We still allow reading Salted S2K since the
spec says it may be used "when [the password] is high entropy".
This commit is contained in:
Daniel Huigens 2024-07-05 13:52:45 +02:00 committed by GitHub
parent 00e147f5c1
commit 857b794e13
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 1 deletions


@ -568,6 +568,12 @@ class SecretKeyPacket extends PublicKeyPacket {
* @returns encryption key
*/
async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
if (s2k.type === 'argon2' && !aeadMode) {
throw new Error('Using Argon2 S2K without AEAD is not allowed');
}
if (s2k.type === 'simple' && keyVersion === 6) {
throw new Error('Using Simple S2K with version 6 keys is not allowed');
}
const { keySize } = crypto.getCipherParams(cipherAlgo);
const derivedKey = await s2k.produceKey(passphrase, keySize);
if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
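Review bot: The two new guards introduce failure modes that the JSDoc above the signature does not describe; the doc block starts before the hunk, but the visible `@returns encryption key` line has no `@throws`, so callers reading the contract will not know this function now rejects malformed S2K/AEAD combinations. I would add `@throws {Error} if the S2K type is Argon2 without AEAD, or Simple S2K with a version 6 key (forbidden by RFC 9580)` to that JSDoc. Placing the checks before `s2k.produceKey` is the right order, since it refuses the malformed packet without spending a KDF computation on it. A brief comment citing the RFC text quoted in the commit message on the `s2k.type === 'simple' && keyVersion === 6` line would also explain why Salted S2K is deliberately still accepted. The function body continues past the end of the hunk.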


@ -1416,7 +1416,10 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
const locked = await openpgp.encryptKey({
privateKey: key,
passphrase: passphrase,
config: { s2kType: openpgp.enums.s2k.argon2 }
config: {
s2kType: openpgp.enums.s2k.argon2,
aeadProtect: true
}
});
expect(key.isDecrypted()).to.be.true;
expect(locked.isDecrypted()).to.be.false;
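Review bot: Adding `aeadProtect: true` keeps this test on the allowed path, but nothing in the diff exercises the new rejections, so a regression that drops either guard would go unnoticed. A companion test should call `openpgp.encryptKey` with the original `config: { s2kType: openpgp.enums.s2k.argon2 }` (no AEAD) and assert it rejects with `'Using Argon2 S2K without AEAD is not allowed'`; a second one should assert that reading a version 6 secret key encrypted with Simple S2K is rejected with `'Using Simple S2K with version 6 keys is not allowed'`, while a Salted S2K v6 key is still accepted. The enclosing test case begins before the hunk, so I cannot tell whether such negative cases already exist elsewhere in the file.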