-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
corrupt SecretBox ciphertext #19
Comments
You should consider It is way easier than juggling with zero padding and |
I'm still digging, but so far I've learned that the input message inside sodium.cc's bind_crypto_secretbox() is getting corrupted. If I check the input plaintext here:
Then on specific iterations of my script above (always i=2285, 12915, 16956, 20981, 41321, for some reason), I see the buffer being passed into crypto_secretbox() change from:
to:
On other runs, the corruption happens on the same iterations, but has different bits flipped. The glitch in the first 16 bytes causes the poly1305 key to be wrong (it flips a couple of bits in the auth key), so the emitted tag is wrong. |
Looks like the corruption is happening during the |
If I move the
which looks like a dead giveaway. I don't know enough about how Node (or webkit, or C++) does memory management to see what's wrong with |
@warner are you sure you're getting the right size when you move that |
Oh, good catch. I completely forgot that With your fix, I still get the same malloc error. |
fixed in #20, see explanation there |
I'd also recommend moving to nan asap for 0.11+ support |
@rvagg GOOOOOOOOOOOOOOOOOOOOOOOAL! |
sweet! thanks! |
We're tracking down a problem in which secretbox produces ciphertexts that cannot be decrypted (with @Natim's workaround in mozilla-services/msisdn-gateway#105). This appears to happen about once out of every 80000 encryptions. I'm still tracking down the problem, but the following test program (which bypasses the SecretBox object and calls the low-level
binding.crypto_secretbox
directly) shows the problem:crypto_secretbox
is supposed to be deterministic (same key+message+nonce gives you the same output), but this program emits a couple lines of differences within the first few seconds. So far, the differences are in the poly1305 MAC portion of the output, not the encrypted data, so I suspect memory corruption or stack overflow or something funny happening in that part of the code, rather than the xsalsa keystream.(Also, I was surprised to see that the SecretBox output includes the 16 bytes of zero padding that the NaCl C API imposes: most of the other nacl/libsodium bindings I've seen strip that out)
I'll try to trace this down more thoroughly tomorrow.
The text was updated successfully, but these errors were encountered: