From 857b794e13cf3bf0c958d5617d68f97b9415596c Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Fri, 5 Jul 2024 13:52:45 +0200
Subject: [PATCH] Disallow using forbidden S2K modes (#1777)

RFC9580 says that: Argon2 is only used with AEAD (S2K usage octet 253). An implementation MUST NOT create and MUST reject as malformed any secret key packet where the S2K usage octet is not AEAD (253) and the S2K specifier type is Argon2. Therefore, we disallow reading and writing Argon2 keys without AEAD. And: [The Simple and Salted S2K methods] are used only for reading in backwards compatibility mode. Since v6 keys don't need backwards compatibility, we also disallow reading Simple S2K there. We still allow reading Salted S2K since the spec says it may be used "when [the password] is high entropy".
---
 src/packet/secret_key.js | 6 ++++++
 test/general/openpgp.js | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/packet/secret_key.js b/src/packet/secret_key.js
index 737b2a82..ddddae5f 100644
--- a/src/packet/secret_key.js
+++ b/src/packet/secret_key.js
@@ -568,6 +568,12 @@ class SecretKeyPacket extends PublicKeyPacket {
 * @returns encryption key
 */
 async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+ if (s2k.type === 'argon2' && !aeadMode) {
+ throw new Error('Using Argon2 S2K without AEAD is not allowed');
+ }
+ if (s2k.type === 'simple' && keyVersion === 6) {
+ throw new Error('Using Simple S2K with version 6 keys is not allowed');
+ }
 const { keySize } = crypto.getCipherParams(cipherAlgo);
 const derivedKey = await s2k.produceKey(passphrase, keySize);
 if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
diff --git a/test/general/openpgp.js b/test/general/openpgp.js
index d6d1df92..e6f5bbca 100644
--- a/test/general/openpgp.js
+++ b/test/general/openpgp.js
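Review bot: The two new guards at the top of `produceEncryptionKey` in src/packet/secret_key.js run only when a key is derived from a passphrase. A secret key packet that pairs Argon2 with a non-AEAD usage octet is therefore presumably still parsed without error and refused only at encrypt/decrypt time, while the RFC text quoted in the commit message asks for such packets to be rejected as malformed. The packet parsing code is outside this hunk, so this needs confirming against the read path of `SecretKeyPacket`; if that path has no equivalent check, the same condition belongs there as well. The JSDoc above the function (it starts before the hunk, and the body continues past it) should also gain `@throws {Error} if Argon2 S2K is used without AEAD, or Simple S2K with a version 6 key`.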
@@ -1416,7 +1416,10 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
 const locked = await openpgp.encryptKey({
 privateKey: key,
 passphrase: passphrase,
- config: { s2kType: openpgp.enums.s2k.argon2 }
+ config: {
+ s2kType: openpgp.enums.s2k.argon2,
+ aeadProtect: true
+ }
 });
 expect(key.isDecrypted()).to.be.true;
 expect(locked.isDecrypted()).to.be.false;
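Review bot: Nothing in this hunk exercises the two new rejections; the existing Argon2 test is only switched to `aeadProtect: true` so that it keeps passing, and the diffstat shows no other test changes. A negative case would pin the fail-closed behaviour, for example `await expect(openpgp.encryptKey({ privateKey: key, passphrase, config: { s2kType: openpgp.enums.s2k.argon2, aeadProtect: false } })).to.be.rejectedWith(/Argon2 S2K without AEAD/);`, assuming the suite's promise assertions are available in this file. A matching case for decrypting a version 6 key protected with Simple S2K would cover the second guard. The enclosing test starts above the hunk and continues after it.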