Fix PAE encoding.

Author: sjudson

lib/protocol/V1.js

@@ -236,8 +236,14 @@ function sign(data, key, footer, cb) {
 
   // sign
 
-  const payload = utils.pae(header, data, footer);
-  const signer  = crypto.createSign('SHA384');
+  let payload;
+  try {
+    payload = utils.pae(header, data, footer);
+  } catch (ex) {
+    return done(ex);
+  }
+
+  const signer = crypto.createSign('SHA384');
   signer.update(payload);
   signer.end();
 
@@ -292,7 +298,13 @@ function verify(token, key, footer, cb) {
 
   // verify signature
 
-  const expected = utils.pae(header, data, footer);
+  let expected;
+  try {
+    expected = utils.pae(header, data, footer);
+  } catch (ex) {
+    return done(ex);
+  }
+
   const verifier = crypto.createVerify('SHA384');
   verifier.update(expected);
   verifier.end();
@@ -377,7 +389,12 @@ function aeadEncrypt(key, header, plaintext, footer, nonce) {
       // an empty buffer is truthy, if no plaintext
       if (!ciphertext) { return reject(new PasetoError('Encryption failed.')); }
 
-      const payload = utils.pae(header, nonce, ciphertext, footer);
+      let payload;
+      try {
+        payload = utils.pae(header, nonce, ciphertext, footer);
+      } catch (ex) {
+        return done(ex);
+      }
 
       const authenticator = crypto.createHmac(self._constants.HASH_ALGO, authkey);
       const mac           = authenticator.update(payload).digest();
@@ -428,7 +445,12 @@ function aeadDecrypt(key, header, payload, footer) {
       if (err) { return reject(err); }
       const [ enckey, authkey ] = keys;
 
-      const payload = utils.pae(header, nonce, ciphertext, footer);
+      let payload;
+      try {
+        payload = utils.pae(header, nonce, ciphertext, footer);
+      } catch (ex) {
+        return done(ex);
+      }
 
       const authenticator = crypto.createHmac(self._constants.HASH_ALGO, authkey);
       const calc          = authenticator.update(payload).digest();

lib/protocol/V2.js

@@ -243,7 +243,13 @@ function sign(data, key, footer, cb) {
 
     // sign
 
-    const payload    = utils.pae(header, data, footer);
+    let payload;
+    try {
+      payload = utils.pae(header, data, footer);
+    } catch (ex) {
+      return done(ex);
+    }
+
     const _signature = sodium.crypto_sign_detached(payload, key.raw());
     const signature  = Buffer.from(_signature);
 
@@ -299,8 +305,14 @@ function verify(token, key, footer, cb) {
 
     // verify signature
 
-    const expected = utils.pae(header, data, footer);
-    const valid    = sodium.crypto_sign_verify_detached(signature, expected, key.raw());
+    let expected;
+    try {
+      expected = utils.pae(header, data, footer);
+    } catch (ex) {
+      return done(ex);
+    }
+
+    const valid = sodium.crypto_sign_verify_detached(signature, expected, key.raw());
 
     if (!valid) { return done(new PasetoError('Invalid signature for this message')); }
 
@@ -339,7 +351,13 @@ function aeadEncrypt(key, header, plaintext, footer, nonce) {
 
   // encrypt
 
-  const ad          = utils.pae(header, nonce, footer);
+  let ad;
+  try {
+    ad = utils.pae(header, nonce, footer);
+  } catch (ex) {
+    return done(ex);
+  }
+
   const _ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, ad, null, nonce, key.raw());
   const ciphertext  = Buffer.from(_ciphertext);
 
@@ -380,7 +398,13 @@ function aeadDecrypt(key, header, payload, footer) {
 
   // decrypt and verify
 
-  const ad         = utils.pae(header, nonce, footer);
+  let ad;
+  try {
+    ad = utils.pae(header, nonce, footer);
+  } catch (ex) {
+    return done(ex);
+  }
+
   const ciphertext = Buffer.from(payload).slice(nlen, plen);
 
   const _plaintext = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(null, ciphertext, ad, nonce, key.raw());

lib/utils.js

@@ -1,7 +1,8 @@
 const crypto = require('crypto');
 const sodium = require('libsodium-wrappers-sumo');
 
-const PasetoError = require('./error/PasetoError');
+const PasetoError   = require('./error/PasetoError');
+const EncodingError = require('./error/EncodingError');
 
 
 /***
@@ -154,20 +155,24 @@ module.exports.pae = pae;
 function pae() {
   const pieces = (parse('utf-8'))(...arguments);
 
-  // TODO: According to the spec this should be able to be a 64-bit
-  //       integer. However, the likelihood a token would be large
-  //       enough to where a 32-bit descriptor would be insufficient
-  //       is pretty negligable. As such, this is okay for the moment
-  //       as all tests pass, but should be cleaned up and made fully
-  //       conformant.
+  const LE64 = (n) => {
+    // also guarantees that msb will be zero as required
+    if (n > Number.MAX_SAFE_INTEGER) { throw new EncodingError('Message too long to encode'); }
 
-  let accumulator = Buffer.alloc(8);
-  accumulator.writeInt32LE(pieces.length);
+    const up = ~~(n / 0xFFFFFFFF);
+    const dn = (n % 0xFFFFFFFF) - up;
 
-  pieces.forEach((piece) => {
-    let len = Buffer.alloc(8);
-    len.writeInt32LE(Buffer.byteLength(piece));
+    let buf = Buffer.alloc(8);
+
+    buf.writeUInt32LE(up, 4);
+    buf.writeUInt32LE(dn, 0);
 
+    return buf;
+  }
+
+  let accumulator = LE64(pieces.length);
+  pieces.forEach((piece) => {
+    let len = LE64(Buffer.byteLength(piece));
     accumulator = Buffer.concat([ accumulator, len, piece ]);
   });