From ee4ad894519a2226d3014afc094dc0df9f85f908 Mon Sep 17 00:00:00 2001
From: larabr <7375870+larabr@users.noreply.github.com>
Date: Mon, 5 Jun 2023 19:23:10 +0200
Subject: [PATCH] Enforce AES with PKESK v3 using x25519 (new format)

Fail on PKESK parsing as well as session key generation and encryption
---
 src/crypto/crypto.js    |  8 +++++++-
 src/crypto/mode/cfb.js  |  4 ++--
 src/message.js          |  9 +++++++++
 src/util.js             |  7 +++++++
 test/general/openpgp.js | 40 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/src/crypto/crypto.js b/src/crypto/crypto.js
index 1d780356..c36c3297 100644
--- a/src/crypto/crypto.js
+++ b/src/crypto/crypto.js
@@ -67,12 +67,15 @@ export async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, dat
       return { V, C: new ECDHSymkey(C) };
     }
     case enums.publicKey.x25519: {
+      if (!util.isAES(symmetricAlgo)) {
+        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+        throw new Error('X25519 keys can only encrypt AES session keys');
+      }
       const { A } = publicParams;
       const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
         keyAlgo, data, A);
       const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
       return { ephemeralPublicKey, C };
-     
     }
     default:
       return [];
@@ -119,6 +122,9 @@ export async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams,
       const { A } = publicKeyParams;
       const { k } = privateKeyParams;
       const { ephemeralPublicKey, C } = sessionKeyParams;
+      if (!util.isAES(C.algorithm)) {
+        throw new Error('AES session key expected');
+      }
       return publicKey.elliptic.ecdhX.decrypt(
         algo, ephemeralPublicKey, C.wrappedKey, A, k);
     }
diff --git a/src/crypto/mode/cfb.js b/src/crypto/mode/cfb.js
index 69eae29d..6f09becf 100644
--- a/src/crypto/mode/cfb.js
+++ b/src/crypto/mode/cfb.js
@@ -57,7 +57,7 @@ export async function encrypt(algo, key, plaintext, iv, config) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt(algo, key, plaintext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesEncrypt(algo, key, plaintext, iv, config);
   }
 
@@ -100,7 +100,7 @@ export async function decrypt(algo, key, ciphertext, iv) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt(algo, key, ciphertext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesDecrypt(algo, key, ciphertext, iv);
   }
 
diff --git a/src/message.js b/src/message.js
index 01e61c81..186fec42 100644
--- a/src/message.js
+++ b/src/message.js
@@ -345,6 +345,15 @@ export class Message {
       enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config)) :
       undefined;
 
+    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+      .catch(() => null) // ignore key strength requirements
+      .then(maybeKey => {
+        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+        }
+      })
+    ));
+
     const sessionKeyData = crypto.generateSessionKey(algo);
     return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
   }
diff --git a/src/util.js b/src/util.js
index 73f08fb2..c720d596 100644
--- a/src/util.js
+++ b/src/util.js
@@ -25,6 +25,7 @@
 
 import * as stream from '@openpgp/web-stream-tools';
 import { getBigInteger } from './biginteger';
+import enums from './enums';
 
 const debugMode = (() => {
   try {
@@ -605,6 +606,12 @@ const util = {
    */
   selectUint8: function(cond, a, b) {
     return (a & (256 - cond)) | (b & (255 + cond));
+  },
+  /**
+   * @param {module:enums.symmetric} cipherAlgo
+   */
+  isAES: function(cipherAlgo) {
+    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
   }
 };
 
diff --git a/test/general/openpgp.js b/test/general/openpgp.js
index 82e16136..0b59cc32 100644
--- a/test/general/openpgp.js
+++ b/test/general/openpgp.js
@@ -2122,6 +2122,7 @@ VFBLG8uc9IiaKann/DYBAJcZNZHRSfpDoV2pUA5EAEi2MdjxkRysFQnYPRAu
         decryptionKeys: originalDecryptedKey
       });
       expect(decrypted.data).to.equal('test');
+    });
   });
 
   describe('encryptSessionKey - unit tests', function() {
@@ -4081,6 +4082,45 @@ bsZgJWVlAa5eil6J9ePX2xbo1vVAkLQdzE9+1jL+l7PRIZuVBQ==
       expect(data).to.equal('test');
     });
 
+    it('should enforce using AES session keys with x25519 keys (new format)', async function () {
+      // x25519 key (v4) with cast5 as preferred cipher
+      const privateKeyCast5 = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xUkEZK8BixuMghYwdEgHl+3ASI4VZkn048KG4DVuugT1bMe4QTtFtQCoKBOG
+JxrZh8E+7I5nK7McXP2U9gyC0+RFcD46AxSmRA46zQDCiAQQGwgAPgWCZK8B
+iwQLAwcICZCaWrTxMIPhVwMVCAoEFgACAQIZAQKbAwIeARYhBDFBS8Xnfotk
+Oun5WZpatPEwg+FXAABwwuNWCdr1WahiGrLupYaOYQO4S9y+FYTxqEV/gsOP
+TKwmNIcIJPROV2LgyxvzQo79//0CocEYojEeUhGn7BH5lwvHSQRkrwGLGbVM
+1JxFUJeQ253sHMko73uPkyyb9DvaeyWHPwgF2k9GACA9caoO8GsZI7KMnVGP
+c4EpytBwVIsr4ck3QaEV/UxvDpnCdAQYGwgAKgWCZK8BiwmQmlq08TCD4VcC
+mwwWIQQxQUvF536LZDrp+VmaWrTxMIPhVwAAXycLtMyiv0lon4qU5/rKWjrq
+MIxMchUbHvktvUqomU0pDDLMPqLFtzBbtHqODPVbLTOygJRVLeHyWTOEfmOD
+kl0L
+=SYJZ
+-----END PGP PRIVATE KEY BLOCK-----` });
+
+      await expect(openpgp.generateSessionKey({
+        encryptionKeys: privateKeyCast5,
+        config: { preferredSymmetricAlgorithm: openpgp.enums.symmetric.cast5 }
+      })).to.be.rejectedWith(/Could not generate a session key compatible with the given `encryptionKeys`/);
+
+      await expect(openpgp.encrypt({
+        message: await openpgp.createMessage({ text: plaintext }),
+        encryptionKeys: privateKeyCast5,
+        sessionKey: { data: new Uint8Array(16).fill(1), algorithm: 'cast5' }
+      })).to.be.rejectedWith(/X25519 keys can only encrypt AES session keys/);
+
+      await expect(openpgp.decryptSessionKeys({
+        message: await openpgp.readMessage({ armoredMessage: `-----BEGIN PGP MESSAGE-----
+
+wUQD66NYAXF0vfYZNWpc7s9eihtgj7EhHBeLOq2Ktw79artbhN5JMs+9aCIZ
+A7sB7uYCTVCLIMfPFwVZH+c29gpCzPxSXQ==
+=Dr02
+-----END PGP MESSAGE-----` }),
+        decryptionKeys: privateKeyCast5
+      })).to.be.rejectedWith(/AES session key expected/);
+    });
+
     describe('Sign and verify with each curve', function() {
       const curves = ['secp256k1' , 'p256', 'p384', 'p521', 'curve25519', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1'];
       curves.forEach(curve => {