fernet / spec

Spec and acceptance tests for the Fernet format.

Generating with input of multiplier of 32 bytes causing .verify to fail with padding error.. #23

Closed fairbairn closed 2 years ago

fairbairn commented 6 years ago

We found this issue when encoding a string that happened to be exactly 160 bytes in length.

The token generates, but upon .verify, it fails with a padding error.

Our guess is it would fail on any coded input that happened to have a length that is a multiplier of 32 bytes.

alex commented 6 years ago

Which implementation are you describing? This repo covers the specification itself.

fairbairn commented 6 years ago

Not sure what you mean. We’re using the Elixir Fernetex library.

On a .generate when passing in an input with a length evenly divisible by 32, say 160 bytes, the token is created, but when the same token is later passed into .verify, it generates a padding error.

Actually, depending on the input string, it might fail then.

But heck, just doing this causes an issue..

```
iex(1)> s = "hello"
"hello"
iex(2)> secret = "fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs"
"fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs"
iex(3)> Fernet.generate(s, key: secret)
** (ArgumentError) incorrect padding
    (elixir) lib/base.ex:1104: Base.do_decode64url/2
    (fernetex) lib/fernetex.ex:191: Fernet.generate/4
```

```
{:fernetex, 'fernetex', '0.3.0'},
```

The issue we encountered was that we were passing in a string comprised of JSON, which worked fine until the actual length of that payload hit 160 bytes on the dot. It would generate the token, but it would fail to verify with a “padding error”. We then added a single space to the end of that, and it worked end to end.


fairbairn commented 6 years ago

Sorry, in the last example I miscopied the secret..

Here’s the issue..

```
iex(1)> secret = "fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs="
"fJXYWeIEcXMO3tLDheFVezM5QWBVFvkymG80n0Rluqs="
iex(2)> s = "abc"
"abc"
iex(3)> {:ok, _iv, t} = Fernet.generate(s, key: secret)
{:ok,
 <<171, 20, 174, 159, 83, 157, 204, 91, 237, 149, 121, 205, 255, 101, 152, 241>>,
 "gAAAAABbMo1mqxSun1OdzFvtlXnN_2WY8TlATVJvCKC6oPuO_kzHnLSC3YN6uj0b-a0DBzBQYfWmaxdUb28p3-RyFOLV8gBwPQ=="}
iex(4)> t
"gAAAAABbMo1mqxSun1OdzFvtlXnN_2WY8TlATVJvCKC6oPuO_kzHnLSC3YN6uj0b-a0DBzBQYfWmaxdUb28p3-RyFOLV8gBwPQ=="
iex(5)> Fernet.verify(t, key: secret)
{:ok, "abc"}
iex(6)> s = String.pad_trailing("hello", 32)
"hello                           "
iex(7)> {:ok, iv, t} = Fernet.generate(s, key: secret)
{:ok,
 <<4, 195, 63, 250, 139, 163, 64, 222, 249, 190, 47, 118, 19, 79, 199, 13>>,
 "gAAAAABbMo2BBMM-oujQN75vi92E0_HDf-TWTLLZYX6S3sqDyJh4QL9Qqi4oPP47mEcc5OBQ2qUmqJfJVmt1UBuRBK096V8Rp5M-f-sjS79HKJedlg9Ay4="}
iex(8)> Fernet.verify(t, key: secret)
{:error, "padding error"}
```

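Added example, not code from the thread or from the Fernetex project: the spec's layout rules behind a "padding error" are checkable in Python without the key. PKCS #7 must append a whole extra block when the plaintext is already a multiple of 16 bytes, so 32- and 160-byte inputs (the sizes reported above) give 48 and 176 bytes of ciphertext and a token of predictable length; `token_layout` splits a token into its fields and, run on the "abc" token copied from the session above, recovers the IV bytes `171, 20, 174, ...` shown in the `{:ok, iv, t}` tuple. The token literal is from the thread; all other values are constructed here.

```python
import base64
import struct

BLOCK = 16                   # AES-128-CBC block size; the spec pads plaintext to this with PKCS #7
HMAC_LEN = 32                # HMAC-SHA256 tag at the end of the token
HEADER_LEN = 1 + 8 + BLOCK   # version byte 0x80, big-endian 64-bit timestamp, 16-byte IV
ABC_TOKEN = ("gAAAAABbMo1mqxSun1OdzFvtlXnN_2WY8TlATVJvCKC6oPuO_kzHnLSC3YN6uj0b"
             "-a0DBzBQYfWmaxdUb28p3-RyFOLV8gBwPQ==")   # the "abc" token from the thread, verbatim

def pkcs7_pad(data: bytes) -> bytes:
    """PKCS #7 always appends 1..16 bytes, so block-aligned input gets a whole extra block."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    """Inverse of pkcs7_pad; any inconsistency is reported as a padding error."""
    if not data or len(data) % BLOCK:
        raise ValueError("padding error")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("padding error")
    return data[:-n]

def padding_ok(data: bytes) -> bool:
    """True if data ends in valid PKCS #7 padding (False for 32 raw spaces: 0x20 is not a pad byte)."""
    try:
        pkcs7_unpad(data)
    except ValueError:
        return False
    return True

def expected_token_chars(plaintext_len: int) -> int:
    """Length of a well-formed token (url-safe base64 with '=' padding) for this plaintext size."""
    raw_len = HEADER_LEN + len(pkcs7_pad(bytes(plaintext_len))) + HMAC_LEN
    return -(-raw_len // 3) * 4          # ceil(raw_len / 3) * 4

def token_layout(token: str) -> dict:
    """Parse the key-independent fields of a token; raise ValueError if the layout is wrong."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError as exc:            # binascii.Error ("Incorrect padding") is a ValueError
        raise ValueError(f"base64 error: {exc}") from None
    if len(raw) < HEADER_LEN + BLOCK + HMAC_LEN or raw[0] != 0x80:
        raise ValueError("token too short or wrong version byte")
    ciphertext = raw[HEADER_LEN:-HMAC_LEN]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"version": raw[0], "timestamp": struct.unpack(">Q", raw[1:9])[0], "iv": raw[9:HEADER_LEN],
            "ciphertext_blocks": len(ciphertext) // BLOCK, "hmac": raw[-HMAC_LEN:]}
```

A 32-byte plaintext should produce a 140-character token; a token of any other length for that input means the encryptor and decryptor disagree about the pad block before the HMAC is even checked.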

alex commented 6 years ago

This sounds like a bug with the Fernetex library, and you should file it in their bug tracker, not a bug with the spec.

fairbairn commented 6 years ago

And you are correct, I'm not entirely certain how we ended up filing it under the spec. That was not our intent.


kennyp commented 2 years ago

I believe this was fixed in https://github.com/kennyp/fernetex/issues/8. Thanks for reaching out over there!