fix: The final frame can not be larger than the Frame Length

modules/encrypt-browser/src/encrypt.ts

@@ -113,6 +113,7 @@ export async function encrypt (
   /* The final frame has a variable length.
    * The value needs to be known, but should only be calculated once.
    * So I calculate how much of a frame I should have at the end.
+   * This value will NEVER be larger than the frameLength.
    */
   const finalFrameLength = frameLength - ((numberOfFrames * frameLength) - plaintextLength)
   const bodyContent = []

modules/encrypt-node/src/framed_encrypt_stream.ts

@@ -190,11 +190,18 @@ type EncryptFrameInput = {
 export function getEncryptFrame (input: EncryptFrameInput): EncryptFrame {
   const { pendingFrame, messageHeader, getCipher, isFinalFrame } = input
   const { sequenceNumber, contentLength, content } = pendingFrame
-  const frameIv = serialize.frameIv(messageHeader.headerIvLength, sequenceNumber)
+  const { frameLength, contentType, messageId, headerIvLength } = messageHeader
+  /* Precondition: The content length MUST correlate with the frameLength.
+   * In the case of a regular frame,
+   * the content length must strictly equal the frame length.
+   * In the case of the final frame,
+   * it MUST not be larger than the frame length.
+   */
+  needs(frameLength === contentLength || (isFinalFrame && frameLength >= contentLength), 'Final frame length exceeds frame length.')
+  const frameIv = serialize.frameIv(headerIvLength, sequenceNumber)
   const bodyHeader = Buffer.from(isFinalFrame
     ? finalFrameHeader(sequenceNumber, frameIv, contentLength)
     : frameHeader(sequenceNumber, frameIv))
-  const { contentType, messageId } = messageHeader
   const contentString = aadUtility.messageAADContentString({ contentType, isFinalFrame })
   const { buffer, byteOffset, byteLength } = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength)
   const cipher = getCipher(frameIv)

modules/encrypt-node/test/framed_encrypt_stream.test.ts

@@ -18,7 +18,7 @@
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import 'mocha'
-import { getFramedEncryptStream } from '../src/framed_encrypt_stream'
+import { getFramedEncryptStream, getEncryptFrame } from '../src/framed_encrypt_stream'
 
 chai.use(chaiAsPromised)
 const { expect } = chai
@@ -61,3 +61,90 @@ describe('getFramedEncryptStream', () => {
     expect(called).to.equal(true)
   })
 })
+
+describe('getEncryptFrame', () => {
+  it('can return an EncryptFrame', () => {
+    const input = {
+      pendingFrame: {
+        content: [Buffer.from([1, 2, 3, 4, 5])],
+        contentLength: 5,
+        sequenceNumber: 1
+      },
+      isFinalFrame: false,
+      getCipher: () => ({ setAAD: () => {} }) as any,
+      messageHeader: {
+        frameLength: 5,
+        contentType: 2,
+        messageId: Buffer.from([]),
+        headerIvLength: 12 as 12,
+        version: 1,
+        type: 12,
+        suiteId: 1,
+        encryptionContext: {},
+        encryptedDataKeys: []
+      }
+    }
+    const test1 = getEncryptFrame(input)
+    expect(test1.content).to.equal(input.pendingFrame.content)
+    expect(test1.isFinalFrame).to.equal(input.isFinalFrame)
+
+    // Just a quick flip to make sure...
+    input.isFinalFrame = true
+    const test2 = getEncryptFrame(input)
+    expect(test2.content).to.equal(input.pendingFrame.content)
+    expect(test2.isFinalFrame).to.equal(input.isFinalFrame)
+  })
+
+  it('Precondition: The content length MUST correlate with the frameLength.', () => {
+    const inputFinalFrameToLarge = {
+      pendingFrame: {
+        content: [Buffer.from([1, 2, 3, 4, 5, 6])],
+        // This exceeds the frameLength below
+        contentLength: 6,
+        sequenceNumber: 1
+      },
+      isFinalFrame: true,
+      getCipher: () => ({ setAAD: () => {} }) as any,
+      messageHeader: {
+        frameLength: 5,
+        contentType: 2,
+        messageId: Buffer.from([]),
+        headerIvLength: 12 as 12,
+        version: 1,
+        type: 12,
+        suiteId: 1,
+        encryptionContext: {},
+        encryptedDataKeys: []
+      }
+    }
+
+    expect(() => getEncryptFrame(inputFinalFrameToLarge)).to.throw('Final frame length exceeds frame length.')
+
+    const inputFrame = {
+      pendingFrame: {
+        content: [Buffer.from([1, 2, 3, 4, 5])],
+        contentLength: 5,
+        sequenceNumber: 1
+      },
+      isFinalFrame: false,
+      getCipher: () => ({ setAAD: () => {} }) as any,
+      messageHeader: {
+        frameLength: 5,
+        contentType: 2,
+        messageId: Buffer.from([]),
+        headerIvLength: 12 as 12,
+        version: 1,
+        type: 12,
+        suiteId: 1,
+        encryptionContext: {},
+        encryptedDataKeys: []
+      }
+    }
+
+    // Make sure that it must be equal as long as we are here...
+    inputFrame.pendingFrame.contentLength = 4
+    expect(() => getEncryptFrame(inputFrame)).to.throw('Final frame length exceeds frame length.')
+    inputFrame.pendingFrame.contentLength = 6
+    expect(() => getEncryptFrame(inputFrame)).to.throw('Final frame length exceeds frame length.')
+  })
+})