Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto: NaCl compatibility not clear #33109

Closed
flyn-org opened this issue Jul 14, 2019 · 7 comments
Closed

x/crypto: NaCl compatibility not clear #33109

flyn-org opened this issue Jul 14, 2019 · 7 comments

Comments

@flyn-org
Copy link

@flyn-org flyn-org commented Jul 14, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12.6 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mike/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/mike/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/golang"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build347076838=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I spent some time investigating the compatibility of golang.org/x/crypto/nacl/box/ with DJB's NaCL and libsodium.

What did you expect to see?

The documentation at https://godoc.org/golang.org/x/crypto/nacl/box states "This package is interoperable with NaCl: https://nacl.cr.yp.to/box.html," so I expected the package's Seal function would produce ciphertext that NaCl's crypto_box_open function could decrypt.

What did you see instead?

After some experimentation, I found that the Go package instead seem to be compatible with libsodium's "easy" API. That is, Seal produces ciphertext that crypto_box_open_easy will decrypt, and crypto_box_easy produces ciphertext that Open will decrypt.

I recommend amending the documentation at https://godoc.org/golang.org/x/crypto/nacl/box to provide more clarity about this. I wrote some sample programs in Go and C which might help illustrate this.

@gopherbot gopherbot added this to the Unreleased milestone Jul 14, 2019
@flyn-org
Copy link
Author

@flyn-org flyn-org commented Jul 14, 2019

@slrz
Copy link

@slrz slrz commented Jul 15, 2019

Why do you think the x/crypto implementations don't interoperate with NaCl's crypto_box? Did you test it? If so, please provide the code for your tests.

Isn't libsodium's crypto_box_easy supposed to be the same as djb NaCl's crypto_box? Libsodium just offers an additional detached mode (called crypto_box_detached) that allows you to write the tag somewhere else instead of prepending it to the ciphertext.

@ohir
Copy link

@ohir ohir commented Jul 15, 2019

@flyn-org
Where is the sample code using DJB's reference NaCl that fails to interoperate with your sample .go?

Have you tested either with tweetNaCl/20140427/tweetnacl.{h,c} ?

P.S. Check whether your NaCl code fulfills all "caller must ensure" points of NaCl documentation like:

WARNING: Messages in the C NaCl API are 0-padded versions of messages in the C++ NaCl API. Specifically: The caller must ensure, before calling the C NaCl crypto_box function, that the first crypto_box_ZEROBYTES bytes of the message m are all 0. Typical higher-level applications will work with the remaining bytes of the message; note, however, that mlen counts all of the bytes, including the bytes required to be 0.

@dmitshur

This comment has been hidden.

@FiloSottile

This comment has been hidden.

@FiloSottile
Copy link
Member

@FiloSottile FiloSottile commented Jul 15, 2019

The original NaCl API is bizarre to the point of being perplexing and unsafe, so while x/crypto/nacl is interoperable with it, it doesn't match its idiosyncrasies, so doesn't require the same padding.

If you use the more reasonable "easy" libsodium API, or if you properly apply padding as required by the original NaCl API, you should find it to interoperate correctly with x/crypto/nacl. (If not, please open a new issue!)

@golang golang locked and limited conversation to collaborators Jul 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
You can’t perform that action at this time.