fix: safely handle nonces as 64 bit uints

Author: wemeetagain

src/@types/basic.d.ts

@@ -4,5 +4,4 @@ export type bytes = Buffer
 export type bytes32 = Buffer
 export type bytes16 = Buffer
 
-export type uint32 = number
 export type uint64 = number

src/@types/handshake.d.ts

@@ -1,4 +1,4 @@
-import { bytes, bytes32, uint32, uint64 } from './basic'
+import { bytes, bytes32, uint64 } from './basic'
 import { KeyPair } from './libp2p'
 
 export type Hkdf = [bytes, bytes, bytes]
@@ -11,7 +11,9 @@ export interface MessageBuffer {
 
 export interface CipherState {
   k: bytes32
-  n: uint32
+  // For performance reasons, the nonce is represented as a JS `number`
+  // The nonce is treated as a uint64, even though the underlying `number` only has 52 safely-available bits.
+  n: uint64
 }
 
 export interface SymmetricState {

src/handshakes/abstract-handshake.ts

@@ -3,12 +3,20 @@ import * as x25519 from '@stablelib/x25519'
 import * as SHA256 from '@stablelib/sha256'
 import { ChaCha20Poly1305 } from '@stablelib/chacha20poly1305'
 
-import { bytes, bytes32, uint32 } from '../@types/basic'
+import { bytes, bytes32, uint64 } from '../@types/basic'
 import { CipherState, MessageBuffer, SymmetricState } from '../@types/handshake'
 import { getHkdf } from '../utils'
 import { logger } from '../logger'
 
 export const MIN_NONCE = 0
+// For performance reasons, the nonce is represented as a JS `number`
+// JS `number` can only safely represent integers up to 2 ** 53 - 1
+// This is a slight deviation from the noise spec, which describes the max nonce as 2 ** 64 - 2
+// The effect is that this implementation will need a new handshake to be performed after fewer messages are exchanged than other implementations with full uint64 nonces.
+// 2 ** 53 - 1 is still a large number of messages, so the practical effect of this is negligible.
+export const MAX_NONCE = Number.MAX_SAFE_INTEGER
+
+const ERR_MAX_NONCE = 'Cipherstate has reached maximum n, a new handshake must be performed'
 
 export abstract class AbstractHandshake {
   public encryptWithAd (cs: CipherState, ad: bytes, plaintext: bytes): bytes {
@@ -30,7 +38,7 @@ export abstract class AbstractHandshake {
     return !this.isEmptyKey(cs.k)
   }
 
-  protected setNonce (cs: CipherState, nonce: uint32): void {
+  protected setNonce (cs: CipherState, nonce: uint64): void {
     cs.n = nonce
   }
 
@@ -43,18 +51,22 @@ export abstract class AbstractHandshake {
     return emptyKey.equals(k)
   }
 
-  protected incrementNonce (n: uint32): uint32 {
+  protected incrementNonce (n: uint64): uint64 {
     return n + 1
   }
 
-  protected nonceToBytes (n: uint32): bytes {
+  protected nonceToBytes (n: uint64): bytes {
+    // Even though we're treating the nonce as 8 bytes, RFC7539 specifies 12 bytes for a nonce.
     const nonce = Buffer.alloc(12)
     nonce.writeUInt32LE(n, 4)
 
     return nonce
   }
 
-  protected encrypt (k: bytes32, n: uint32, ad: bytes, plaintext: bytes): bytes {
+  protected encrypt (k: bytes32, n: uint64, ad: bytes, plaintext: bytes): bytes {
+    if (n > MAX_NONCE) {
+      throw new Error(ERR_MAX_NONCE)
+    }
     const nonce = this.nonceToBytes(n)
     const ctx = new ChaCha20Poly1305(k)
     const encryptedMessage = ctx.seal(nonce, plaintext, ad)
@@ -73,7 +85,10 @@ export abstract class AbstractHandshake {
     return ciphertext
   }
 
-  protected decrypt (k: bytes32, n: uint32, ad: bytes, ciphertext: bytes): {plaintext: bytes, valid: boolean} {
+  protected decrypt (k: bytes32, n: uint64, ad: bytes, ciphertext: bytes): {plaintext: bytes, valid: boolean} {
+    if (n > MAX_NONCE) {
+      throw new Error(ERR_MAX_NONCE)
+    }
     const nonce = this.nonceToBytes(n)
     const ctx = new ChaCha20Poly1305(k)
     const encryptedMessage = ctx.open(