From f16f865c242c4b8cbc5a2615d1a3926202dabd48 Mon Sep 17 00:00:00 2001 From: Paragon Initiative Enterprises Date: Fri, 10 Jun 2022 03:49:12 -0400 Subject: [PATCH] Do not allow base64url padding --- composer.json | 2 +- src/Keys/AsymmetricSecretKey.php | 2 +- src/Keys/SymmetricKey.php | 2 +- src/Parsing/PasetoMessage.php | 4 ++-- src/Protocol/Version3.php | 10 ++++------ src/Protocol/Version4.php | 10 ++++------ src/Util.php | 2 +- tests/KnownAnswerTest.php | 2 +- 8 files changed, 15 insertions(+), 19 deletions(-) diff --git a/composer.json b/composer.json index 890036b..5d0916e 100644 --- a/composer.json +++ b/composer.json @@ -24,7 +24,7 @@ "ext-json": "*", "ext-openssl": "*", "php": "^8.1", - "paragonie/constant_time_encoding": "^2", + "paragonie/constant_time_encoding": ">= 2.6", "paragonie/corner": "^2", "paragonie/easy-ecc": "^1", "paragonie/sodium_compat": "^1.17" diff --git a/src/Keys/AsymmetricSecretKey.php b/src/Keys/AsymmetricSecretKey.php index 525baf1..0fbc84f 100644 --- a/src/Keys/AsymmetricSecretKey.php +++ b/src/Keys/AsymmetricSecretKey.php @@ -226,7 +226,7 @@ public function encodePem(): string */ public static function fromEncodedString(string $encoded, ProtocolInterface $version = null): self { - $decoded = Base64UrlSafe::decode($encoded); + $decoded = Base64UrlSafe::decodeNoPadding($encoded); return new self($decoded, $version); } diff --git a/src/Keys/SymmetricKey.php b/src/Keys/SymmetricKey.php index d53d208..1d4c63c 100644 --- a/src/Keys/SymmetricKey.php +++ b/src/Keys/SymmetricKey.php @@ -154,7 +154,7 @@ public function encode(): string */ public static function fromEncodedString(string $encoded, ProtocolInterface $version = null): self { - $decoded = Base64UrlSafe::decode($encoded); + $decoded = Base64UrlSafe::decodeNoPadding($encoded); return new self($decoded, $version); } diff --git a/src/Parsing/PasetoMessage.php b/src/Parsing/PasetoMessage.php index b960bdf..698d9b9 100644 --- a/src/Parsing/PasetoMessage.php +++ b/src/Parsing/PasetoMessage.php @@ -59,8 +59,8 @@ public static function fromString(string $tainted): self } $header = new Header($pieces[0], $pieces[1]); - $payload = Base64UrlSafe::decode($pieces[2]); - $footer = $count > 3 ? Base64UrlSafe::decode($pieces[3]) : ''; + $payload = Base64UrlSafe::decodeNoPadding($pieces[2]); + $footer = $count > 3 ? Base64UrlSafe::decodeNoPadding($pieces[3]) : ''; return new self($header, $payload, $footer); } diff --git a/src/Protocol/Version3.php b/src/Protocol/Version3.php index ef9a651..cf277f1 100644 --- a/src/Protocol/Version3.php +++ b/src/Protocol/Version3.php @@ -354,9 +354,8 @@ public static function verify( } // PASETO Version 3 - Verify - Step 4: - $decoded = Base64UrlSafe::decode( - Binary::safeSubstr($signMsg, $headerLength), - true + $decoded = Base64UrlSafe::decodeNoPadding( + Binary::safeSubstr($signMsg, $headerLength) ); $len = Binary::safeStrlen($decoded); @@ -497,9 +496,8 @@ public static function aeadDecrypt( // PASETO Version 3 - Decrypt - Step 4: try { - $decoded = Base64UrlSafe::decode( - Binary::safeSubstr($message, $expectedLen), - true + $decoded = Base64UrlSafe::decodeNoPadding( + Binary::safeSubstr($message, $expectedLen) ); } catch (Throwable $ex) { throw new PasetoException( diff --git a/src/Protocol/Version4.php b/src/Protocol/Version4.php index 2147e34..907114a 100644 --- a/src/Protocol/Version4.php +++ b/src/Protocol/Version4.php @@ -326,9 +326,8 @@ public static function verify( } // PASETO Version 4 - Verify - Step 4: - $decoded = Base64UrlSafe::decode( - Binary::safeSubstr($signMsg, $headerLength), - true + $decoded = Base64UrlSafe::decodeNoPadding( + Binary::safeSubstr($signMsg, $headerLength) ); $len = Binary::safeStrlen($decoded); @@ -464,9 +463,8 @@ public static function aeadDecrypt( // PASETO Version 4 - Decrypt - Step 4: try { - $decoded = Base64UrlSafe::decode( - Binary::safeSubstr($message, $expectedLen), - true + $decoded = Base64UrlSafe::decodeNoPadding( + Binary::safeSubstr($message, $expectedLen) ); } catch (Throwable $ex) { throw new PasetoException( diff --git a/src/Util.php b/src/Util.php index 7ded05f..2f26b6b 100644 --- a/src/Util.php +++ b/src/Util.php @@ -138,7 +138,7 @@ public static function extractFooter(string $payload): string { $pieces = explode('.', $payload); if (count($pieces) > 3) { - return Base64UrlSafe::decode(array_pop($pieces)); + return Base64UrlSafe::decodeNoPadding(array_pop($pieces)); } return ''; } diff --git a/tests/KnownAnswerTest.php b/tests/KnownAnswerTest.php index 1faca46..40aa439 100644 --- a/tests/KnownAnswerTest.php +++ b/tests/KnownAnswerTest.php @@ -102,7 +102,7 @@ protected function genericTests(ProtocolInterface $protocol, array $tests): void } // If we're here, the first step did not fail, so let's assert this: - $this->assertFalse($test['expect-fail'], 'This test was expected to fail'); + $this->assertFalse($test['expect-fail'], 'This test was expected to fail: ' . $test['name']); // We should have the same plaintext payload: $this->assertSame($test['payload'], $decoded, $test['name']);