From dbeafcd6cab59a53813100cb11d10dbc3135192a Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Thu, 4 Jul 2024 21:44:48 +0200
Subject: [PATCH] Disallow using Argon2 S2K without AEAD
RFC9580 says that: Argon2 is only used with AEAD (S2K usage octet 253). An implementation MUST NOT create and MUST reject as malformed any secret key packet where the S2K usage octet is not AEAD (253) and the S2K specifier type is Argon2.
---
 src/packet/secret_key.js | 3 +++
 test/general/openpgp.js | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/packet/secret_key.js b/src/packet/secret_key.js
index 2257a78b..c96294ea 100644
--- a/src/packet/secret_key.js
+++ b/src/packet/secret_key.js
@@ -568,6 +568,9 @@ class SecretKeyPacket extends PublicKeyPacket {
 * @returns encryption key
 */
 async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+ if (s2k.type === 'argon2' && !aeadMode) {
+ throw new Error('Using Argon2 S2K without AEAD is not allowed');
+ }
 const { keySize } = crypto.getCipherParams(cipherAlgo);
 const derivedKey = await s2k.produceKey(passphrase, keySize);
 if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
diff --git a/test/general/openpgp.js b/test/general/openpgp.js
index d6d1df92..e6f5bbca 100644
--- a/test/general/openpgp.js
+++ b/test/general/openpgp.js
@@ -1416,7 +1416,10 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
 const locked = await openpgp.encryptKey({
 privateKey: key,
 passphrase: passphrase,
- config: { s2kType: openpgp.enums.s2k.argon2 }
+ config: {
+ s2kType: openpgp.enums.s2k.argon2,
+ aeadProtect: true
+ }
 });
 expect(key.isDecrypted()).to.be.true;
 expect(locked.isDecrypted()).to.be.false;
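Review bot: The guard added at the top of `produceEncryptionKey` enforces the RFC 9580 rule only at key-derivation time, so a secret key packet that pairs an Argon2 specifier with a non-AEAD usage octet is presumably still accepted by the parser and fails only when the key is locked or unlocked. The read path is not in this hunk, so whether that satisfies "reject as malformed" needs confirming, as does the assumption that `aeadMode` is falsy exactly when the S2K usage octet is not 253. Keep the guard ahead of `s2k.produceKey`, so that a rejected packet never triggers the memory-hard derivation. The JSDoc above the function starts outside the hunk and should document the new failure, e.g. `@throws {Error} if an Argon2 S2K is used without an AEAD mode`; the function body also continues past the hunk.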
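Review bot: No test asserts the new rejection; the `config` change here only adds `aeadProtect: true` so the existing Argon2 round-trip keeps passing, and the error path added in `src/packet/secret_key.js` is left uncovered. A negative case next to this one would pin it, e.g. `await expect(openpgp.encryptKey({ privateKey: key, passphrase, config: { s2kType: openpgp.enums.s2k.argon2, aeadProtect: false } })).to.be.rejectedWith(/Argon2 S2K without AEAD/);`, assuming the suite's promise assertions are available in this file. A second case that tries to unlock a stored key using Argon2 with a non-AEAD usage octet would cover the "MUST reject" half of the RFC text. The enclosing test starts and ends outside the hunk.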