search

assaabloy-ppi / salt-channel

The specification and the reference implementation of Salt Channel - a simple, light-weight secure channel protocol based on TweetNaCl by Bernstein.
MIT License
14 stars 11 forks source link

No enforcement of ASCII characters in A2Packet #8

Closed fgrape closed 7 years ago

fgrape commented 7 years ago

P1 and P2 are specified to represent 10 bytes of ASCII characters, this is not enforced because UTF-8 is used to encode and decode the byte values. UTF-8 characters are of variable length so the string "😊😊ö", which is 3 characters but 10 bytes long, can be serialized and deserialized.

Strings with whitespace, and I'm assuming control characters, can be serialized and deserialized.

The only thing that is actually enforced is that the strings are exactly 10 bytes long when serialized.

Suggested fix: Add checks to ensure that the char codes for each serialized character and deserialized byte lie within the valid range [33, 126] or [0x21, 0x7E] (inclusive). This range corresponds to ASCII characters from "!" to "~", all ASCII characters except for control characters and whitespace.

It's also possible to use US-ASCII as the charset, but this does not enforce that no control or whitespace characters are in the string.

To decide on a good range of valid characters this helps: http://www.asciitable.com/

franslundberg commented 7 years ago

Added to spec, fixed in Java implementation.