OP-01-009 Cleartext Messages Spoofing by Lax Armor Headers parsing (Critical). Add armor header verification. Verify "Hash" header in cleartext signed message.

Thomas Oberndörfer · Thomas Oberndörfer · commit 329c92bc7375 · 2014-03-21T15:37:52.000+01:00
diff --git a/src/cleartext.js b/src/cleartext.js
@@ -39,7 +39,7 @@ var config = require('./config'),
 
 function CleartextMessage(text, packetlist) {
   if (!(this instanceof CleartextMessage)) {
-    return new CleartextMessage(packetlist);
+    return new CleartextMessage(text, packetlist);
   }
   // normalize EOL to canonical form <CR><LF>
   this.text = text.replace(/\r/g, '').replace(/[\t ]+\n/g, "\n").replace(/\n/g,"\r\n");
@@ -142,9 +142,55 @@ function readArmored(armoredText) {
   }
   var packetlist = new packet.List();
   packetlist.read(input.data);
+  verifyHeaders(input.headers, packetlist);
   var newMessage = new CleartextMessage(input.text, packetlist);
   return newMessage;
 }
 
+/**
+ * Compare hash algorithm specified in the armor header with signatures
+ * @private
+ * @param  {Array<String>} headers    Armor headers
+ * @param  {module:packet/packetlist} packetlist The packetlist with signature packets
+ */
+function verifyHeaders(headers, packetlist) {
+  var checkHashAlgos = function(hashAlgos) {
+    for (var i = 0; i < packetlist.length; i++) {
+      if (packetlist[i].tag === enums.packet.signature &&
+          !hashAlgos.some(function(algo) {
+            return packetlist[i].hashAlgorithm === algo;
+          })) {
+        return false;
+      }
+    }
+    return true;
+  }
+  var oneHeader = null;
+  var hashAlgos = [];
+  for (var i = 0; i < headers.length; i++) {
+    oneHeader = headers[i].match(/Hash: (.+)/); // get header value
+    if (oneHeader) {
+      oneHeader = oneHeader[1].replace(/\s/g, '');  // remove whitespace
+      oneHeader = oneHeader.split(',');
+      oneHeader = oneHeader.map(function(hash) {
+        hash = hash.toLowerCase();
+        try {
+          return enums.write(enums.hash, hash);
+        } catch (e) {
+          throw new Error('Unknown hash algorithm in armor header: ' + hash);
+        }
+      });
+      hashAlgos = hashAlgos.concat(oneHeader);
+    } else {
+      throw new Error('Only "Hash" header allowed in cleartext signed message');
+    }
+  }
+  if (!hashAlgos.length && !checkHashAlgos([enums.hash.md5])) {
+    throw new Error('If no "Hash" header in cleartext signed message, then only MD5 signatures allowed');
+  } else if (!checkHashAlgos(hashAlgos)) {
+    throw new Error('Hash algorithm mismatch in armor header and signature');
+  }
+}
+
 exports.CleartextMessage = CleartextMessage;
 exports.readArmored = readArmored;
diff --git a/src/encoding/armor.js b/src/encoding/armor.js
@@ -207,20 +207,40 @@ function createcrc24(input) {
  * and an attribute "body" containing the body.
  */
 function splitHeaders(text) {
-  var reEmptyLine = /^[\t ]*\n/m;
-  var headers = "";
+  var reEmptyLine = /^\s*\n/m;
+  var headers = '';
   var body = text;
 
   var matchResult = reEmptyLine.exec(text);
 
   if (matchResult !== null) {
     headers = text.slice(0, matchResult.index);
     body = text.slice(matchResult.index + matchResult[0].length);
+  } else {
+    throw new Error('Mandatory blank line missing between armor headers and armor data');
   }
 
+  headers = headers.split('\n');
+  // remove empty entry
+  headers.pop();
+
   return { headers: headers, body: body };
 }
 
+/**
+ * Verify armored headers. RFC4880, section 6.3: "OpenPGP should consider improperly formatted
+ * Armor Headers to be corruption of the ASCII Armor."
+ * @private
+ * @param  {Array<String>} headers Armor headers
+ */
+function verifyHeaders(headers) {
+  for (var i = 0; i < headers.length; i++) {
+    if (!headers[i].match(/^(Version|Comment|MessageID|Hash|Charset): .+$/)) {
+      throw new Error('Improperly formatted armor header: ' + headers[i]);;
+    }
+  }
+}
+
 /**
  * Splits a message into two parts, the body and the checksum. This is an internal function
  * @param {String} text OpenPGP armored message part
@@ -280,19 +300,22 @@ function dearmor(text) {
 
     result = {
       data: base64.decode(msg_sum.body),
+      headers: msg.headers,
       type: type
     };
 
     checksum = msg_sum.checksum;
   } else {
-    // Reverse dash-escaping for msg and remove trailing whitespace at end of line
+    // Reverse dash-escaping for msg and remove trailing whitespace (0x20) and tabs (0x09) at end of line
     msg = splitHeaders(splittext[indexBase].replace(/^- /mg, '').replace(/[\t ]+\n/g, "\n"));
     var sig = splitHeaders(splittext[indexBase + 1].replace(/^- /mg, ''));
+    verifyHeaders(sig.headers);
     var sig_sum = splitChecksum(sig.body);
 
     result = {
       text:  msg.body.replace(/\n$/, '').replace(/\n/g, "\r\n"),
       data: base64.decode(sig_sum.body),
+      headers: msg.headers,
       type: type
     };
 
@@ -304,9 +327,11 @@ function dearmor(text) {
       checksum +
       "' should be '" +
       getCheckSum(result) + "'");
-  } else {
-    return result;
   }
+
+  verifyHeaders(result.headers);
+
+  return result;
 }
 
 
diff --git a/test/general/armor.js b/test/general/armor.js
@@ -0,0 +1,117 @@
+'use strict';
+
+var openpgp = typeof window != 'undefined' && window.openpgp ? window.openpgp : require('../../src/index');
+
+var chai = require('chai'),
+  expect = chai.expect;
+
+
+describe("ASCII armor", function() {
+
+  function getArmor(headers) {
+    return ['-----BEGIN PGP SIGNED MESSAGE-----']
+      .concat(headers)
+      .concat(
+        ['',
+        'sign this',
+        '-----BEGIN PGP SIGNATURE-----',
+        'Version: GnuPG v2.0.22 (GNU/Linux)',
+        '',
+        'iJwEAQECAAYFAlMrPj0ACgkQ4IT3RGwgLJfYkQQAgHMQieazCVdfGAfzQM69Egm5',
+        'HhcQszODD898wpoGCHgiNdNo1+5nujQAtXnkcxM+Vf7onfbTvUqut/siyO3fzqhK',
+        'LQ9DiQUwJMBE8nOwVR7Mpc4kLNngMTNaHAjZaVaDpTCrklPY+TPHIZnu0B6Ur+6t',
+        'skTzzVXIxMYw8ihbHfk=',
+        '=e/eA',
+        '-----END PGP SIGNATURE-----']
+      ).join('\n');
+  }
+
+  it('Parse cleartext signed message', function () {
+    var msg = getArmor(['Hash: SHA1']);
+    msg = openpgp.cleartext.readArmored(msg);
+    expect(msg).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+  });
+
+  it('Exception if mismatch in armor header and signature', function () {
+    var msg = getArmor(['Hash: SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Hash algorithm mismatch in armor header and signature/);
+  });
+
+  it('Exception if no header and non-MD5 signature', function () {
+    var msg = getArmor(null);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /If no "Hash" header in cleartext signed message, then only MD5 signatures allowed/);
+  });
+
+  it('Exception if unknown hash algorithm', function () {
+    var msg = getArmor(['Hash: LAV750']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Unknown hash algorithm in armor header/);
+  });
+
+  it('Multiple hash values', function () {
+    var msg = getArmor(['Hash: SHA1, SHA256']);
+    msg = openpgp.cleartext.readArmored(msg);
+    expect(msg).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+  });
+
+  it('Multiple hash header lines', function () {
+    var msg = getArmor(['Hash: SHA1', 'Hash: SHA256']);
+    msg = openpgp.cleartext.readArmored(msg);
+    expect(msg).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+  });
+
+  it('Non-hash header line throws exception', function () {
+    var msg = getArmor(['Hash: SHA1', 'Comment: could be anything']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Only "Hash" header allowed in cleartext signed message/);
+  });
+
+  it('Multiple wrong hash values', function () {
+    var msg = getArmor(['Hash: SHA512, SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Hash algorithm mismatch in armor header and signature/);
+  });
+
+  it('Multiple wrong hash values', function () {
+    var msg = getArmor(['Hash: SHA512, SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Hash algorithm mismatch in armor header and signature/);
+  });
+
+  it('Filter whitespace in blank line', function () {
+    var msg =
+      ['-----BEGIN PGP SIGNED MESSAGE-----',
+      'Hash: SHA1',
+      '\u000b\u00a0',
+      'sign this',
+      '-----BEGIN PGP SIGNATURE-----',
+      'Version: GnuPG v2.0.22 (GNU/Linux)',
+      '',
+      'iJwEAQECAAYFAlMrPj0ACgkQ4IT3RGwgLJfYkQQAgHMQieazCVdfGAfzQM69Egm5',
+      'HhcQszODD898wpoGCHgiNdNo1+5nujQAtXnkcxM+Vf7onfbTvUqut/siyO3fzqhK',
+      'LQ9DiQUwJMBE8nOwVR7Mpc4kLNngMTNaHAjZaVaDpTCrklPY+TPHIZnu0B6Ur+6t',
+      'skTzzVXIxMYw8ihbHfk=',
+      '=e/eA',
+      '-----END PGP SIGNATURE-----'].join('\n');
+
+    msg = openpgp.cleartext.readArmored(msg);
+    expect(msg).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+  });
+
+  it('Exception if improperly formatted armor header', function () {
+    var msg = getArmor(['Hash:SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Improperly formatted armor header/);
+    msg = getArmor(['<script>: SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Improperly formatted armor header/);
+    msg = getArmor(['Hash SHA256']);
+    msg = openpgp.cleartext.readArmored.bind(null, msg);
+    expect(msg).to.throw(Error, /Improperly formatted armor header/);
+  });
+
+});
+
+ 
diff --git a/test/general/basic.js b/test/general/basic.js
@@ -119,7 +119,6 @@ describe('Basic', function() {
     var pub_key =
        ['-----BEGIN PGP PUBLIC KEY BLOCK-----',
         'Version: GnuPG v2.0.19 (GNU/Linux)',
-        'Type: RSA/RSA',
         '',
         'mI0EUmEvTgEEANyWtQQMOybQ9JltDqmaX0WnNPJeLILIM36sw6zL0nfTQ5zXSS3+',
         'fIF6P29lJFxpblWk02PSID5zX/DYU9/zjM2xPO8Oa4xo0cVTOTLj++Ri5mtr//f5',
@@ -145,8 +144,6 @@ describe('Basic', function() {
     var priv_key =
         ['-----BEGIN PGP PRIVATE KEY BLOCK-----',
         'Version: GnuPG v2.0.19 (GNU/Linux)',
-        'Type: RSA/RSA',
-        'Pwd: hello world',
         '',
         'lQH+BFJhL04BBADclrUEDDsm0PSZbQ6pml9FpzTyXiyCyDN+rMOsy9J300Oc10kt',
         '/nyBej9vZSRcaW5VpNNj0iA+c1/w2FPf84zNsTzvDmuMaNHFUzky4/vkYuZra//3',
diff --git a/test/general/index.js b/test/general/index.js
@@ -1,5 +1,6 @@
 describe('General', function () {
   require('./basic.js');
+  require('./armor.js');
   require('./key.js');
   require('./keyring.js');
   require('./packet.js');
diff --git a/test/general/key.js b/test/general/key.js
@@ -224,8 +224,6 @@ describe('Key', function() {
   var priv_key_rsa =
     ['-----BEGIN PGP PRIVATE KEY BLOCK-----',
     'Version: GnuPG v2.0.19 (GNU/Linux)',
-    'Type: RSA/RSA 1024',
-    'Pwd: hello world',
     '',
     'lQH+BFJhL04BBADclrUEDDsm0PSZbQ6pml9FpzTyXiyCyDN+rMOsy9J300Oc10kt',
     '/nyBej9vZSRcaW5VpNNj0iA+c1/w2FPf84zNsTzvDmuMaNHFUzky4/vkYuZra//3',
diff --git a/test/general/signature.js b/test/general/signature.js
@@ -77,8 +77,6 @@ describe("Signature", function() {
   var priv_key_arm2 =
     [ '-----BEGIN PGP PRIVATE KEY BLOCK-----',
       'Version: GnuPG v2.0.19 (GNU/Linux)',
-      'Type: RSA/RSA',
-      'Pwd: hello world',
       '',
       'lQH+BFJhL04BBADclrUEDDsm0PSZbQ6pml9FpzTyXiyCyDN+rMOsy9J300Oc10kt',
       '/nyBej9vZSRcaW5VpNNj0iA+c1/w2FPf84zNsTzvDmuMaNHFUzky4/vkYuZra//3',
@@ -120,7 +118,6 @@ describe("Signature", function() {
   var pub_key_arm2 =
     [ '-----BEGIN PGP PUBLIC KEY BLOCK-----',
       'Version: GnuPG v2.0.19 (GNU/Linux)',
-      'Type: RSA/RSA',
       '',
       'mI0EUmEvTgEEANyWtQQMOybQ9JltDqmaX0WnNPJeLILIM36sw6zL0nfTQ5zXSS3+',
       'fIF6P29lJFxpblWk02PSID5zX/DYU9/zjM2xPO8Oa4xo0cVTOTLj++Ri5mtr//f5',
diff --git a/test/worker/api.js b/test/worker/api.js
@@ -9,7 +9,6 @@ var chai = require('chai'),
 var pub_key_rsa =
   ['-----BEGIN PGP PUBLIC KEY BLOCK-----',
   'Version: GnuPG v2.0.19 (GNU/Linux)',
-  'Type: RSA/RSA',
   '',
   'mI0EUmEvTgEEANyWtQQMOybQ9JltDqmaX0WnNPJeLILIM36sw6zL0nfTQ5zXSS3+',
   'fIF6P29lJFxpblWk02PSID5zX/DYU9/zjM2xPO8Oa4xo0cVTOTLj++Ri5mtr//f5',
@@ -35,8 +34,6 @@ var pub_key_rsa =
 var priv_key_rsa =
   ['-----BEGIN PGP PRIVATE KEY BLOCK-----',
   'Version: GnuPG v2.0.19 (GNU/Linux)',
-  'Type: RSA/RSA 1024',
-  'Pwd: hello world',
   '',
   'lQH+BFJhL04BBADclrUEDDsm0PSZbQ6pml9FpzTyXiyCyDN+rMOsy9J300Oc10kt',
   '/nyBej9vZSRcaW5VpNNj0iA+c1/w2FPf84zNsTzvDmuMaNHFUzky4/vkYuZra//3',
