Add config.maxArgon2MemoryExponent for argon2 memory limit (openpgpjs#1943)

Add `config.maxArgon2MemoryExponent` for argon2 memory limit

This limit is applied both on encryption (if `config.s2kType` is set to `enums.s2k.argon2`)
and decryption.
If the input memory exponent exceeds this value, the library will not attempt the argon2 key
derivation and instead directly throw an `Argon2OutOfMemoryError` error.

Author: larabr

src/config/config.d.ts

@@ -35,6 +35,7 @@ export interface Config {
   s2kType: enums.s2k.iterated | enums.s2k.argon2;
   s2kIterationCountByte: number;
   s2kArgon2Params: { passes: number, parallelism: number; memoryExponent: number; };
+  maxArgon2MemoryExponent: number;
   maxUserIDLength: number;
   maxDecompressedMessageSize: number;
   knownNotations: string[];

src/config/config.js

@@ -136,6 +136,17 @@ export default {
     parallelism: 4, // lanes
     memoryExponent: 16 // 64 MiB of RAM
   },
+  /**
+   * Max memory exponent allowed for Argon2 memory allocation (e.g. `maxArgon2MemoryExponent: 20` corresponds
+   * to a memory limit of 2**20 = 1GiB).
+   * This limit is applied both on encryption (if `config.s2kType` is set to `enums.s2k.argon2`)
+   * and decryption.
+   * If the input memory exponent exceeds this value, the library will not attempt the argon2 key derivation
+   * and instead directly throw an `Argon2OutOfMemoryError` error.
+   * NB: on encryption, if `s2kArgon2Params.memoryExponent` is larger than `maxArgon2MemoryExponent`,
+   * the operation will fail.
+   */
+  maxArgon2MemoryExponent: Infinity,
   /**
    * Allow decryption of messages without integrity protection.
    * This is an **insecure** setting:

src/message.js

@@ -185,7 +185,7 @@ export class Message {
         }
         await Promise.all(packets.map(async function(skeskPacket) {
           try {
-            await skeskPacket.decrypt(password);
+            await skeskPacket.decrypt(password, config);
             decryptedSessionKeyPackets.push(skeskPacket);
           } catch (err) {
             util.printDebugError(err);
@@ -460,7 +460,7 @@ export class Message {
     if (passwords) {
       const testDecrypt = async function(keyPacket, password) {
         try {
-          await keyPacket.decrypt(password);
+          await keyPacket.decrypt(password, config);
           return 1;
         } catch {
           return 0;

src/openpgp.js

@@ -194,7 +194,7 @@ export async function decryptKey({ privateKey, passphrase, config, ...rest }) {
   try {
     await Promise.all(clonedPrivateKey.getKeys().map(key => (
       // try to decrypt each key with any of the given passphrases
-      util.anyPromise(passphrases.map(passphrase => key.keyPacket.decrypt(passphrase)))
+      util.anyPromise(passphrases.map(passphrase => key.keyPacket.decrypt(passphrase, config)))
     )));
 
     await clonedPrivateKey.validate(config);

src/packet/secret_key.js

@@ -399,7 +399,7 @@ class SecretKeyPacket extends PublicKeyPacket {
       this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material
 
       const serializedPacketTag = writeTag(this.constructor.tag);
-      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
+      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD, config);
 
       const modeInstance = await mode(this.symmetric, key);
       this.iv = this.isLegacyAEAD ? getRandomBytes(blockSize) : getRandomBytes(mode.ivLength);
@@ -411,7 +411,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     } else {
       this.s2kUsage = 254;
       this.usedModernAEAD = false;
-      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric);
+      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, undefined, undefined, undefined, config);
       this.iv = getRandomBytes(blockSize);
       this.keyMaterial = await cipherMode.cfb.encrypt(this.symmetric, key, util.concatUint8Array([
         cleartext,
@@ -426,10 +426,11 @@ class SecretKeyPacket extends PublicKeyPacket {
    * {@link SecretKeyPacket.isDecrypted} should be false, as
    * otherwise calls to this function will throw an error.
    * @param {String} passphrase - The passphrase for this private key as string
+   * @param {Object} config
    * @throws {Error} if the key is already decrypted, or if decryption was not successful
    * @async
    */
-  async decrypt(passphrase) {
+  async decrypt(passphrase, config = defaultConfig) {
     if (this.isDummy()) {
       return false;
     }
@@ -446,7 +447,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     const serializedPacketTag = writeTag(this.constructor.tag); // relevant for AEAD only
     if (this.s2kUsage === 254 || this.s2kUsage === 253) {
       key = await produceEncryptionKey(
-        this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
+        this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD, config);
     } else if (this.s2kUsage === 255) {
       throw new Error('Encrypted private key is authenticated using an insecure two-byte hash');
     } else {
@@ -569,18 +570,19 @@ class SecretKeyPacket extends PublicKeyPacket {
  * @param {module:enums.aead} [aeadMode] - for AEAD-encrypted keys only (excluding v5)
  * @param {Uint8Array} [serializedPacketTag] - for AEAD-encrypted keys only (excluding v5)
  * @param {Boolean} [isLegacyAEAD] - for AEAD-encrypted keys from RFC4880bis (v4 and v5 only)
+ * @param {Object} config
  * @returns encryption key
  * @access private
  */
-async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD, config) {
   if (s2k.type === 'argon2' && !aeadMode) {
     throw new Error('Using Argon2 S2K without AEAD is not allowed');
   }
   if (s2k.type === 'simple' && keyVersion === 6) {
     throw new Error('Using Simple S2K with version 6 keys is not allowed');
   }
   const { keySize } = getCipherParams(cipherAlgo);
-  const derivedKey = await s2k.produceKey(passphrase, keySize);
+  const derivedKey = await s2k.produceKey(passphrase, keySize, config);
   if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
     return derivedKey;
   }

src/packet/sym_encrypted_session_key.js

@@ -157,16 +157,17 @@ class SymEncryptedSessionKeyPacket {
   /**
    * Decrypts the session key with the given passphrase
    * @param {String} passphrase - The passphrase in string form
+   * @param {Object} config
    * @throws {Error} if decryption was not successful
    * @async
    */
-  async decrypt(passphrase) {
+  async decrypt(passphrase, config = defaultConfig) {
     const algo = this.sessionKeyEncryptionAlgorithm !== null ?
       this.sessionKeyEncryptionAlgorithm :
       this.sessionKeyAlgorithm;
 
     const { blockSize, keySize } = getCipherParams(algo);
-    const key = await this.s2k.produceKey(passphrase, keySize);
+    const key = await this.s2k.produceKey(passphrase, keySize, config);
 
     if (this.version >= 5) {
       const mode = cipherMode.getAEADMode(this.aeadAlgorithm, true);
@@ -206,7 +207,7 @@ class SymEncryptedSessionKeyPacket {
     this.s2k.generateSalt();
 
     const { blockSize, keySize } = getCipherParams(algo);
-    const key = await this.s2k.produceKey(passphrase, keySize);
+    const key = await this.s2k.produceKey(passphrase, keySize, config);
 
     if (this.sessionKey === null) {
       this.sessionKey = generateSessionKey(this.sessionKeyAlgorithm);

src/type/s2k/argon2.js

@@ -114,11 +114,16 @@ class Argon2S2K {
   * Produces a key using the specified passphrase and the defined
   * hashAlgorithm
   * @param {String} passphrase - Passphrase containing user input
+  * @param {Number} keySize
+  * @param {Object} config
   * @returns {Promise<Uint8Array>} Produced key with a length corresponding to `keySize`
   * @throws {Argon2OutOfMemoryError|Errors}
   * @async
   */
-  async produceKey(passphrase, keySize) {
+  async produceKey(passphrase, keySize, config) {
+    if (this.encodedM > config.maxArgon2MemoryExponent) {
+      throw new Argon2OutOfMemoryError('Argon2 required memory exceeds `config.maxArgon2MemoryExponent`');
+    }
     const decodedM = 2 << (this.encodedM - 1);
 
     try {

src/type/s2k/generic.js

@@ -156,7 +156,7 @@ class GenericS2K {
    * hashAlgorithm hash length
    * @async
    */
-  async produceKey(passphrase, numBytes) {
+  async produceKey(passphrase, numBytes, _config) {
     passphrase = util.encodeUTF8(passphrase);
 
     const arr = [];

test/general/openpgp.js

@@ -14,7 +14,7 @@ import { getPreferredCipherSuite } from '../../src/key';
 
 import * as input from './testInputs.js';
 
-const detectBrowser = () => typeof navigator === 'object';
+const detectBrowser = () => typeof navigator === 'object' && !navigator.userAgent.includes('Node.js');
 
 const pub_key = [
   '-----BEGIN PGP PUBLIC KEY BLOCK-----',
@@ -2562,7 +2562,7 @@ XfA3pqV4mTzF
         expect(decryptedSessionKey.algorithm).to.equal('aes128');
       } catch (err) {
         if (detectBrowser()) { // Expected to fail in the CI, especially in Browserstack
-          expect(err.message).to.match(/Could not allocate required memory/);
+          expect(err.message).to.match(/Could not allocate required memory|Argon2 required memory exceeds `config.maxArgon2MemoryExponent`/);
         }
       }
     });

test/initOpenpgp.js

@@ -12,6 +12,13 @@ if (typeof window !== 'undefined') {
 
 openpgp.config.s2kIterationCountByte = 0;
 
+if (typeof window !== 'undefined' &&
+  /** Mobile Safari 26 reloads the page if Argon2 tries to allocate memory above 1GB */
+  window.navigator.userAgent.match(/Version\/26\.\d(\.\d)* (Mobile\/\w+ )Safari/)) {
+
+  openpgp.config.maxArgon2MemoryExponent = 20;
+}
+
 if (!globalThis.TransformStream) {
   Object.assign(globalThis, webStreamsPonyfill);
 }