github openpgpjs/openpgpjs v4.3.0
v4.3.0 - Security Release

5 years ago

This release fixes more security issues. Please upgrade to the latest version as soon as possible.

Security fixes

  • Validate ECC public keys, to prevent an attack extracting private keys
  • Remove non-AES CFB quick check, to prevent side-channel timing attacks
  • Reject messages encrypted with a symmetric algorithm not in preferred algorithms
  • Check signature public key algorithm against issuer key algorithm
  • Always look at the same literal data packet in getText() and verify()
  • Return generic error on PKESK checksum mismatch when decrypting

Other changes

  • Fix undefined behavior when reading 3DES-encrypted packet
  • Consider non-expired signatures from expired keys to still be valid
  • Check that signing key was not expired at signature creation time
  • Check that message signatures are not expired when verifying them
  • Fix revocation example in README, use revocationCertificate instead of revocationSignature
  • Fix CMAC of the empty string
  • Add config values to preferred algorithms
  • Fall back to RFC4880bis-mandated symmetric algorithms (AES128 and EAX) instead of config value

Example of behavior changes for preferred algorithms

As an example, previously, if you set openpgp.config.encryption_cipher = openpgp.enums.symmetric.twofish, OpenPGP.js would:

  1. When generating a key, not add Twofish to the preferred algorithms
  2. When encrypting to that generated key, not use Twofish (since it wasn't in the preferred algorithms)
  3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to Twofish

Then, if you were to decrypt that last message using GPG, it would warn that the message was encrypted with an algorithm that's not in the preferred algorithms. This could happen even with the default config value of AES256, since RFC4880 mandates falling back to 3DES, not AES256. (RFC4880bis mandates falling back to AES128.)

Since this version, if you set openpgp.config.encryption_cipher = openpgp.enums.symmetric.twofish, OpenPGP.js will instead:

  1. When generating a key, add Twofish to the preferred algorithms
  2. When encrypting to that generated key, use Twofish (since it is in the preferred algorithms)
  3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to AES128 (since that's the algorithm mandated by RFC4880bis)

Example of backwards-incompatible behavior

In some edge cases, some of the above changes are not backwards-compatible. For example, if you use OpenPGP.js < 4.3.0 and:

  1. Set openpgp.config.encryption_cipher to any value other than openpgp.enums.symmetric.aes256, openpgp.enums.symmetric.aes128 or openpgp.enums.symmetric.tripledes, and
  2. Encrypt messages to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms

and then try to decrypt those messages using OpenPGP.js >= 4.3.0, you will get an error. (GPG also gives a warning in this situation, but still decrypts the messages.)
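
The selection and acceptance rules from the two examples above, as a simplified model added here; it is not OpenPGP.js source. The function names, `BASE_PREFS`, the position of the configured cipher in generated preferences, and the `TOLERATED` set (inferred from the compatibility list above) are assumptions; the numeric IDs are the RFC 4880 symmetric algorithm numbers.

```javascript
// Simplified model of the behavior described above (not OpenPGP.js code).
// RFC 4880 symmetric algorithm IDs.
const SYM = { tripledes: 2, cast5: 3, aes128: 7, aes192: 8, aes256: 9, twofish: 10 };
const SUPPORTED = new Set(Object.values(SYM));

// Fallback cipher: before 4.3.0 the configured cipher, since 4.3.0 always AES128.
function fallbackFor(since430, configCipher) {
  return since430 ? SYM.aes128 : configCipher;
}

// Sender side: use the first supported algorithm (in the first recipient's
// order) that every recipient lists; otherwise use the fallback.
function chooseCipher(recipientPrefs, fallback) {
  const [first, ...rest] = recipientPrefs;
  const common = (first || []).find(
    (a) => SUPPORTED.has(a) && rest.every((prefs) => prefs.includes(a)));
  return common !== undefined ? common : fallback;
}

// Preferences written into a newly generated key.
// BASE_PREFS is a constructed sample list; putting the configured cipher
// first is an assumption of this model.
const BASE_PREFS = [SYM.aes256, SYM.aes128];
function generatedKeyPrefs(since430, configCipher) {
  return since430 && !BASE_PREFS.includes(configCipher)
    ? [configCipher, ...BASE_PREFS]
    : [...BASE_PREFS];
}

// Receiver side since 4.3.0: reject a message whose cipher is neither in the
// key's preferences nor in the tolerated fallback set (assumed from the
// compatibility note: AES256, AES128, 3DES).
const TOLERATED = new Set([SYM.aes256, SYM.aes128, SYM.tripledes]);
function acceptsCipher(keyPrefs, messageCipher) {
  return keyPrefs.includes(messageCipher) || TOLERATED.has(messageCipher);
}

// Constructed scenario: config cipher is Twofish, two recipients with no overlap.
const disjoint = [[SYM.aes256], [SYM.cast5]];
const before = chooseCipher(disjoint, fallbackFor(false, SYM.twofish));
const after = chooseCipher(disjoint, fallbackFor(true, SYM.twofish));
console.log({ before, after, oldMessageAccepted: acceptsCipher(disjoint[0], before) });
```

In this model, the Twofish message produced by the pre-4.3.0 fallback is the one the receiver-side check rejects, which is the backwards-incompatible case described above.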
