Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto: NaCl compatibility not clear #33109

Closed
flyn-org opened this issue Jul 14, 2019 · 7 comments
Closed

x/crypto: NaCl compatibility not clear #33109

flyn-org opened this issue Jul 14, 2019 · 7 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Milestone
Unreleased

Comments

@flyn-org
Copy link

flyn-org commented Jul 14, 2019
edited

What version of Go are you using (go version)?

$ go version
go version go1.12.6 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mike/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/mike/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/golang"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build347076838=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I spent some time investigating the compatibility of golang.org/x/crypto/nacl/box/ with DJB's NaCL and libsodium.

What did you expect to see?

The documentation at https://godoc.org/golang.org/x/crypto/nacl/box states "This package is interoperable with NaCl: https://nacl.cr.yp.to/box.html," so I expected the package's Seal function would produce ciphertext that NaCl's crypto_box_open function could decrypt.

What did you see instead?

After some experimentation, I found that the Go package instead seem to be compatible with libsodium's "easy" API. That is, Seal produces ciphertext that crypto_box_open_easy will decrypt, and crypto_box_easy produces ciphertext that Open will decrypt.

I recommend amending the documentation at https://godoc.org/golang.org/x/crypto/nacl/box to provide more clarity about this. I wrote some sample programs in Go and C which might help illustrate this.
@gopherbot gopherbot added this to the Unreleased milestone Jul 14, 2019
@flyn-org
Copy link
Author

box.c.txt
unbox.c.txt
box.go.txt
unbox.go.txt

@flyn-org
Copy link
Author

@FiloSottile

@slrz
Copy link

slrz commented Jul 15, 2019
edited

Why do you think the x/crypto implementations don't interoperate with NaCl's crypto_box? Did you test it? If so, please provide the code for your tests.

Isn't libsodium's crypto_box_easy supposed to be the same as djb NaCl's crypto_box? Libsodium just offers an additional detached mode (called crypto_box_detached) that allows you to write the tag somewhere else instead of prepending it to the ciphertext.

@ohir
Copy link

ohir commented Jul 15, 2019
edited

@flyn-org
Where is the sample code using DJB's reference NaCl that fails to interoperate with your sample .go?

Have you tested either with tweetNaCl/20140427/tweetnacl.{h,c} ?

P.S. Check whether your NaCl code fulfills all "caller must ensure" points of NaCl documentation like:

WARNING: Messages in the C NaCl API are 0-padded versions of messages in the C++ NaCl API. Specifically: The caller must ensure, before calling the C NaCl crypto_box function, that the first crypto_box_ZEROBYTES bytes of the message m are all 0. Typical higher-level applications will work with the remaining bytes of the message; note, however, that mlen counts all of the bytes, including the bytes required to be 0.

@dmitshur dmitshur added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jul 15, 2019
@dmitshur

This comment has been minimized.

Sign in to view
@FiloSottile

This comment has been minimized.

Sign in to view
@FiloSottile
Copy link
Contributor

The original NaCl API is bizarre to the point of being perplexing and unsafe, so while x/crypto/nacl is interoperable with it, it doesn't match its idiosyncrasies, so doesn't require the same padding.

If you use the more reasonable "easy" libsodium API, or if you properly apply padding as required by the original NaCl API, you should find it to interoperate correctly with x/crypto/nacl. (If not, please open a new issue!)

@golang golang locked and limited conversation to collaborators Jul 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
6 participants
@FiloSottile @dmitshur @slrz @flyn-org @gopherbot @ohir