Disallow using forbidden S2K modes (#1777)
RFC9580 says that: Argon2 is only used with AEAD (S2K usage octet 253). An implementation MUST NOT create and MUST reject as malformed any secret key packet where the S2K usage octet is not AEAD (253) and the S2K specifier type is Argon2. Therefore, we disallow reading and writing Argon2 keys without AEAD. And: [The Simple and Salted S2K methods] are used only for reading in backwards compatibility mode. Since v6 keys don't need backwards compatibility, we also disallow reading Simple S2K there. We still allow reading Salted S2K since the spec says it may be used "when [the password] is high entropy".
This commit is contained in:
parent
00e147f5c1
commit
857b794e13
@ -568,6 +568,12 @@ class SecretKeyPacket extends PublicKeyPacket {
|
||||
* @returns encryption key
|
||||
*/
|
||||
async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
|
||||
if (s2k.type === 'argon2' && !aeadMode) {
|
||||
throw new Error('Using Argon2 S2K without AEAD is not allowed');
|
||||
}
|
||||
if (s2k.type === 'simple' && keyVersion === 6) {
|
||||
throw new Error('Using Simple S2K with version 6 keys is not allowed');
|
||||
}
|
||||
const { keySize } = crypto.getCipherParams(cipherAlgo);
|
||||
const derivedKey = await s2k.produceKey(passphrase, keySize);
|
||||
if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
|
||||
|
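Review bot: Both new rejections live inside produceEncryptionKey, so they only fire once a passphrase is supplied for decryption or encryption; a secret key packet carrying Argon2 with a non-AEAD S2K usage octet, or a v6 packet with Simple S2K, presumably still parses and can be imported, and RFC 9580's "MUST reject as malformed" suggests the same checks belong in the packet's read path (not visible in this hunk) so the error surfaces at parse time rather than on first use. The visible tail of the JSDoc shows only `@returns encryption key`, so the new failure modes likely go undocumented; add `@throws {Error} if the S2K type is not permitted for the key version or S2K usage (Argon2 without AEAD, Simple S2K with v6 keys)` next to it. produceEncryptionKey's body continues past the end of the hunk.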
@ -1416,7 +1416,10 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
|
||||
const locked = await openpgp.encryptKey({
|
||||
privateKey: key,
|
||||
passphrase: passphrase,
|
||||
config: { s2kType: openpgp.enums.s2k.argon2 }
|
||||
config: {
|
||||
s2kType: openpgp.enums.s2k.argon2,
|
||||
aeadProtect: true
|
||||
}
|
||||
});
|
||||
expect(key.isDecrypted()).to.be.true;
|
||||
expect(locked.isDecrypted()).to.be.false;
|
||||
|
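Review bot: No assertion in this hunk pins the new rejections; the change only updates the existing encryptKey test so it keeps passing under the stricter rule. Unless covered elsewhere in the commit, add a negative test that `openpgp.encryptKey({ privateKey: key, passphrase, config: { s2kType: openpgp.enums.s2k.argon2, aeadProtect: false } })` rejects with 'Using Argon2 S2K without AEAD is not allowed', and one that decrypting a v6 key protected with Simple S2K rejects with 'Using Simple S2K with version 6 keys is not allowed'. Without those, a regression that drops either check would leave this suite green. The enclosing test case starts before the hunk.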