fix

TLS.java

@@ -66,7 +66,7 @@ public static void main(String[] args) throws Exception {
         byte[] keyHash = sha256.digest(encodedServerEcdhPublicKey);
         Signature rsaSign = Signature.getInstance("RSASSA-PSS");
         PSSParameterSpec pssSpec = new PSSParameterSpec("SHA-256",
-            "MGF1", MGF1ParameterSpec.SHA256, 222, 1);
+            "MGF1", MGF1ParameterSpec.SHA256, (2048 / 8) - (256 / 8) - 2, 1);
         rsaSign.setParameter(pssSpec);
         rsaSign.initSign(rsaPrivateKey);
         rsaSign.update(keyHash);
@@ -131,7 +131,8 @@ public static void main(String[] args) throws Exception {
         }
 
         /*
-         * AES-256-GCM is used to encrypt a message. The ciphertext,
+         * AES-256-GCM is used to encrypt a message. The ciphertext (should be
+         * 28 bytes long, 12 bytes of data followed by 16 bytes for the tag),
          * initialization vector (IV, sometimes called a nonce), and additional
          * associated data (AAD) is sent over.
          *

tls.js

@@ -66,13 +66,15 @@ const aad = Buffer.from("authenticated but unencrypted data");
 const iv = crypto.randomBytes(12);
 const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
 cipher.setAAD(aad);
-let ciphertext = cipher.update(Buffer.from(plaintext));
-// ciphertext += cipher.final();
+let ciphertext = cipher.update(plaintext);
+ciphertext = Buffer.concat([ciphertext, cipher.final()]);
+const authTag = cipher.getAuthTag();
 
 const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
 decipher.setAAD(aad);
+decipher.setAuthTag(authTag);
 let decrypted = decipher.update(ciphertext);
-// decrypted += decipher.final();
+decrypted = Buffer.concat([decrypted, decipher.final()]);
 const recovered = decrypted.toString();
 if (plaintext !== recovered) {
     throw new Error("Plaintexts don't match.");