Old version works

Author: martinthomson

nodejs/ece.js

@@ -6,7 +6,7 @@ var base64 = require('urlsafe-base64');
 var savedKeys = {};
 var keyLabels = {};
 var AES_GCM = 'aes-128-gcm';
-var PAD_SIZE = 2;
+var PAD_SIZE = { 'aes128gcm': 2, 'aesgcm': 2, 'aesgcm128': 1 };
 var TAG_LENGTH = 16;
 var KEY_LENGTH = 16;
 var NONCE_LENGTH = 12;
@@ -62,31 +62,19 @@ function info(base, context) {
   return result;
 }
 
-function extractSalt(salt) {
-  if (!salt) {
-    throw new Error('A salt is required');
-  }
-  salt = base64.decode(salt);
-  if (salt.length !== KEY_LENGTH) {
-    throw new Error('The salt parameter must be ' + KEY_LENGTH + ' bytes');
-  }
-  return salt;
-}
-
 function lengthPrefix(buffer) {
-  var b = Buffer.concat([ new Buffer(2), buffer ]);
+  var b = Buffer.concat([new Buffer(2), buffer]);
   b.writeUIntBE(buffer.length, 0, 2);
   return b;
 }
 
-function extractDH(keyid, dh, mode) {
+function extractDH(keyid, share, mode) {
   if (!savedKeys[keyid]) {
     throw new Error('No known DH key for ' + keyid);
   }
   if (!keyLabels[keyid]) {
     throw new Error('No known DH key label for ' + keyid);
   }
-  var share = base64.decode(dh);
   var key = savedKeys[keyid];
   var senderPubKey, receiverPubKey;
   if (mode === MODE_ENCRYPT) {
@@ -109,46 +97,51 @@ function extractDH(keyid, dh, mode) {
   };
 }
 
-function extractSecretAndContext(params, mode) {
+function extractSecretAndContext(header, mode) {
   var result = { secret: null, context: new Buffer(0) };
-  if (params.key) {
-    result.secret = base64.decode(params.key);
+  if (header.key) {
+    result.secret = header.key;
     if (result.secret.length !== KEY_LENGTH) {
       throw new Error('An explicit key must be ' + KEY_LENGTH + ' bytes');
     }
-  } else if (params.dh) { // receiver/decrypt
-    result = extractDH(params.keyid, params.dh, mode);
-  } else if (params.keyid) {
-    result.secret = savedKeys[params.keyid];
+  } else if (header.dh) { // receiver/decrypt
+    result = extractDH(header.keyid, header.dh, mode);
+  } else if (header.keyid) {
+    result.secret = savedKeys[header.keyid];
   }
   if (!result.secret) {
+    console.warn(header);
     throw new Error('Unable to determine key');
   }
   keylog('secret', result.secret);
   keylog('context', result.context);
-  if (params.authSecret) {
-    result.secret = HKDF(base64.decode(params.authSecret), result.secret,
+  if (header.authSecret) {
+    result.secret = HKDF(base64.decode(header.authSecret), result.secret,
                          info('auth', new Buffer(0)), SHA_256_LENGTH);
     keylog('authsecret', result.secret);
   }
   return result;
 }
 
-function deriveKeyAndNonce(params, mode) {
-  var padSize = params.padSize || PAD_SIZE;
-  var salt = extractSalt(params.salt);
-  var s = extractSecretAndContext(params, mode);
-  var prk = HKDF_extract(salt, s.secret);
+function deriveKeyAndNonce(header, mode) {
+  if (!header.salt) {
+    throw new Error('must include a salt parameter for ' + header.type);
+  }
+  var s = extractSecretAndContext(header, mode);
+  var prk = HKDF_extract(header.salt, s.secret);
   var keyInfo;
   var nonceInfo;
-  if (padSize === 1) {
+  if (header.type === 'aesgcm128') {
     keyInfo = 'Content-Encoding: aesgcm128';
     nonceInfo = 'Content-Encoding: nonce';
-  } else if (padSize === 2) {
+  } else if (header.type === 'aesgcm') {
     keyInfo = info('aesgcm', s.context);
     nonceInfo = info('nonce', s.context);
+  } else if (header.type === 'aes128gcm') {
+    keyInfo = 'Content-Encoding: aesgcm128\0';
+    nonceInfo = 'Content-Encoding: nonce\0';
   } else {
-    throw new Error('Unable to set context for padSize ' + params.padSize);
+    throw new Error('Unable to set context for mode ' + params.type);
   }
   var result = {
     key: HKDF_expand(prk, keyInfo, KEY_LENGTH),
@@ -159,18 +152,58 @@ function deriveKeyAndNonce(params, mode) {
   return result;
 }
 
-function determineRecordSize(params) {
-  var rs = parseInt(params.rs, 10);
+function determineRecordSize(rs, type) {
+  rs = parseInt(rs, 10);
   if (isNaN(rs)) {
     return 4096;
   }
-  var padSize = params.padSize || PAD_SIZE;
+  var padSize = PAD_SIZE[type];
   if (rs <= padSize) {
     throw new Error('The rs parameter has to be greater than ' + padSize);
   }
   return rs;
 }
 
+function extractSalt(salt) {
+  if (!salt) {
+    throw new Error('A salt is required');
+  }
+  salt = base64.decode(salt);
+  if (salt.length !== KEY_LENGTH) {
+    throw new Error('The salt parameter must be ' + KEY_LENGTH + ' bytes');
+  }
+  return salt;
+}
+
+/* Used when decrypting aes128gcm to populate the header values. */
+function readHeader(params, buffer) {
+  var idsz = buffer.readUIntBE(20, 1);
+  return {
+    type: 'aes128gcm',
+    salt: buffer.slice(0, KEY_LENGTH),
+    rs: buffer.readUIntBE(KEY_LENGTH, 4),
+    keyid: buffer.slice(21, 21 + idsz).toString('utf-8'),
+    key: params.key ? base64.decode(params.key) : undefined,
+    dh: params.dh ? base64.decode(params.dh) : undefined,
+    authSecret: params.authSecret ? base64.decode(params.authSecret) : undefined
+  };
+}
+
+/* Used when decrypting to populate the header values for aesgcm[128]. */
+function parseParams(params) {
+  console.warn(params);
+  var type = (params.padSize === 1) ? 'aesgcm128' : 'aesgcm';
+  return {
+    type: type,
+    salt: params.salt ? extractSalt(params.salt) : undefined,
+    rs: determineRecordSize(params.rs, type),
+    keyid: params.keyid,
+    key: params.key ? base64.decode(params.key) : undefined,
+    dh: params.dh ? base64.decode(params.dh) : undefined,
+    authSecret: params.authSecret ? base64.decode(params.authSecret) : undefined
+  };
+}
+
 function generateNonce(base, counter) {
   var nonce = new Buffer(base);
   var m = nonce.readUIntBE(nonce.length - 6, 6);
@@ -181,17 +214,21 @@ function generateNonce(base, counter) {
   return nonce;
 }
 
-function decryptRecord(key, counter, buffer, padSize) {
+function decryptRecord(key, counter, buffer, header) {
   keylog('decrypt', buffer);
   var nonce = generateNonce(key.nonce, counter);
   var gcm = crypto.createDecipheriv(AES_GCM, key.key, nonce);
   gcm.setAuthTag(buffer.slice(buffer.length - TAG_LENGTH));
   var data = gcm.update(buffer.slice(0, buffer.length - TAG_LENGTH));
   data = Buffer.concat([data, gcm.final()]);
   keylog('decrypted', data);
-  padSize = padSize || PAD_SIZE
+  var padSize = PAD_SIZE[header.type];
   var pad = data.readUIntBE(0, padSize);
   if (pad + padSize > data.length) {
+    console.warn(header);
+    console.warn(pad);
+    console.warn(padSize);
+    console.warn(data.length);
     throw new Error('padding exceeds block size');
   }
   var padCheck = new Buffer(pad);
@@ -214,13 +251,19 @@ function decryptRecord(key, counter, buffer, padSize) {
  * saveKey().
  */
 function decrypt(buffer, params) {
-  var key = deriveKeyAndNonce(params, MODE_DECRYPT);
-  var rs = determineRecordSize(params);
+  var header;
+  if (params.salt) {
+    header = parseParams(params);
+  } else {
+    header = readHeader(buffer, params);
+  }
+  var key = deriveKeyAndNonce(header, MODE_DECRYPT);
+  buffer = buffer.slice(header.len);
   var start = 0;
   var result = new Buffer(0);
 
   for (var i = 0; start < buffer.length; ++i) {
-    var end = start + rs + TAG_LENGTH;
+    var end = start + header.rs + TAG_LENGTH;
     if (end === buffer.length) {
       throw new Error('Truncated payload');
     }
@@ -229,7 +272,7 @@ function decrypt(buffer, params) {
       throw new Error('Invalid block: too small at ' + i);
     }
     var block = decryptRecord(key, i, buffer.slice(start, end),
-                              params.padSize);
+                              header);
     result = Buffer.concat([result, block]);
     start = end;
   }
@@ -241,7 +284,6 @@ function encryptRecord(key, counter, buffer, pad, padSize) {
   pad = pad || 0;
   var nonce = generateNonce(key.nonce, counter);
   var gcm = crypto.createCipheriv(AES_GCM, key.key, nonce);
-  padSize = padSize || PAD_SIZE;
   var padding = new Buffer(pad + padSize);
   padding.fill(0);
   padding.writeUIntBE(pad, 0, padSize);
@@ -257,6 +299,17 @@ function encryptRecord(key, counter, buffer, pad, padSize) {
   return encrypted;
 }
 
+function encodeHeader(header) {
+  var ints = new Buffer(5);
+  var keyid = Buffer.from(header.keyid || '');
+  if (keyid.length > 255) {
+    throw new Error('keyid is too large');
+  }
+  ints.writeUIntBE(header.rs, 0, 4);
+  ints.writeUIntBE(keyid.length, 4, 1);
+  return Buffer.concat([header.salt, ints, keyid]);
+}
+
 /**
  * Encrypt some bytes.  This uses the parameters to determine the key and block
  * size, which are described in the draft.  Note that for encryption, the
@@ -268,26 +321,36 @@ function encrypt(buffer, params) {
   if (!Buffer.isBuffer(buffer)) {
     throw new Error('buffer argument must be a Buffer');
   }
-  var key = deriveKeyAndNonce(params, MODE_ENCRYPT);
-  var rs = determineRecordSize(params);
+  var result;
+  var header;
+  header = parseParams(params);
+  if (params.salt) { // old versions
+    result = new Buffer(0);
+  } else {
+    header.type = 'aes128gcm';
+    header.salt = crypto.randomBytes(KEY_LENGTH);
+    result = encodeHeader(header);
+  }
+  header.rs = determineRecordSize(params.rs, header.type);
+
+  var key = deriveKeyAndNonce(header, MODE_ENCRYPT);
   var start = 0;
-  var result = new Buffer(0);
-  var padSize = params.padSize || PAD_SIZE;
+  var padSize = PAD_SIZE[header.type];
   var pad = isNaN(parseInt(params.pad, 10)) ? 0 : parseInt(params.pad, 10);
 
   // Note the <= here ensures that we write out a padding-only block at the end
   // of a buffer.
   for (var i = 0; start <= buffer.length; ++i) {
     // Pad so that at least one data byte is in a block.
     var recordPad = Math.min((1 << (padSize * 8)) - 1, // maximum padding
-                             Math.min(rs - padSize - 1, pad));
+                             Math.min(header.rs - padSize - 1, pad));
     pad -= recordPad;
 
-    var end = Math.min(start + rs - padSize - recordPad, buffer.length);
+    var end = Math.min(start + header.rs - padSize - recordPad, buffer.length);
     var block = encryptRecord(key, i, buffer.slice(start, end),
                               recordPad, padSize);
     result = Buffer.concat([result, block]);
-    start += rs - padSize - recordPad;
+    start += header.rs - padSize - recordPad;
   }
   if (pad) {
     throw new Error('Unable to pad by requested amount, ' + pad + ' remaining');