From fd6d7b6088bae15c99578debbc98072fda2eba33 Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Tue, 7 Jan 2020 18:17:00 +0100
Subject: [PATCH] Remove support for legacy encrypted private keys (#1029)

Both those with a 2-byte hash (instead of SHA1 or an AEAD authentication tag) and those without an S2K specifier (i.e., using MD5 for S2K) - support for the latter was already broken. Vulnerabilities can arise not just from generating keys like this, but from using them as well (if an attacker can tamper with them), hence why we're removing support.
---
 src/packet/secret_key.js | 19 +++++-------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/src/packet/secret_key.js b/src/packet/secret_key.js
index 355273cc..20dc27ef 100644
--- a/src/packet/secret_key.js
+++ b/src/packet/secret_key.js
@@ -334,10 +334,10 @@ SecretKey.prototype.decrypt = async function (passphrase) {
 }
 let key;
- if (this.s2k_usage === 255 || this.s2k_usage === 254 || this.s2k_usage === 253) {
+ if (this.s2k_usage === 254 || this.s2k_usage === 253) {
 key = await produceEncryptionKey(this.s2k, passphrase, this.symmetric);
 } else {
- key = await crypto.hash.md5(passphrase);
+ throw new Error('Unsupported legacy encrypted key');
 }
 let cleartext;
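Review bot: The new `else` branch throws for every `s2k_usage` other than 254 and 253, so the deliberately removed encodings (255 with its 2-byte checksum, and the no-S2K form whose key was `crypto.hash.md5(passphrase)`) and any malformed value all share one message that does not say which was seen; consider `` throw new Error(`Unsupported legacy encrypted key (s2k_usage ${this.s2k_usage})`); `` so the rejected packet can be identified in a report. A comment above the narrowed `if` recording the reason would also help, e.g. `// s2k_usage 255 (2-byte checksum) and the MD5 no-S2K form are rejected on purpose: neither protects key material against tampering`, otherwise a later maintainer may read the shorter condition as an accidental regression. If the packet parser still accepts these values, the failure now surfaces only at decrypt time, so rejecting them at read time as well may be worth considering. `SecretKey.prototype.decrypt` begins and ends outside this hunk.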
@@ -355,19 +355,10 @@ SecretKey.prototype.decrypt = async function (passphrase) {
 } else {
 const cleartextWithHash = await crypto.cfb.decrypt(this.symmetric, key, this.keyMaterial, this.iv);
- let hash;
- let hashlen;
- if (this.s2k_usage === 255) {
- hashlen = 2;
- cleartext = cleartextWithHash.subarray(0, -hashlen);
- hash = util.write_checksum(cleartext);
- } else {
- hashlen = 20;
- cleartext = cleartextWithHash.subarray(0, -hashlen);
- hash = await crypto.hash.sha1(cleartext);
- }
+ cleartext = cleartextWithHash.subarray(0, -20);
+ const hash = await crypto.hash.sha1(cleartext);
- if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-hashlen))) {
+ if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-20))) {
 throw new Error('Incorrect key passphrase');
 }
 }
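Review bot: The SHA-1 digest length now appears as a bare `20` in two places (`subarray(0, -20)` and `subarray(-20)`), which is exactly the magic number the removed `hashlen` variable kept in one spot; keep `const hashlen = 20; // SHA-1 digest length` and use `-hashlen` in both `subarray` calls. A comment on the comparison would also help readers: this SHA-1 over the CFB-decrypted material is an integrity checksum rather than a MAC, so a mismatch means either a wrong passphrase or tampered key material, and only the s2k_usage 253 path (presumably the AEAD branch above this hunk) gives authenticated decryption — `'Incorrect key passphrase'` understates the second case. If `cleartextWithHash` is shorter than 20 bytes the slice yields an empty `cleartext` and the check fails with the same message; an explicit length check before slicing would give a clearer error. The enclosing `if`/`else` and `SecretKey.prototype.decrypt` begin and end outside this hunk.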