First c bytes of crypto_secretbox_open must be padded with crypto_secretbox_boxzerobytes()

[gabriel]

+ (NSData *)secretBoxOpen:(NSData *)data key:(SecureData *)key {
  if (!data || [data length] < crypto_secretbox_noncebytes() || !key || [key length] != crypto_secretbox_keybytes())
    return nil;

  // Split it into nonce and encrypted data
  NSData *nonce = [NSData dataWithBytes:[data bytes] length:crypto_secretbox_noncebytes()];
  NSData *encryptedData = [NSData dataWithBytes:([data bytes] + crypto_secretbox_noncebytes()) length:[data length] - crypto_secretbox_noncebytes()];

  // First BOXZEROBYTES must be 0
  NSMutableData *encryptedPaddedData = [NSMutableData dataWithLength:crypto_secretbox_boxzerobytes()];
  [encryptedPaddedData appendData:encryptedData];
  NSMutableData *outData = [NSMutableData dataWithLength:[encryptedPaddedData length]];

  int retval = crypto_secretbox_open([outData mutableBytes],
                                     [encryptedPaddedData bytes], [encryptedPaddedData length],
                                     [nonce bytes], [key bytes]);
  if (retval != 0) return nil;

  // Remove ZEROBYTES from out data
  return [NSData dataWithBytes:([outData bytes] + crypto_secretbox_zerobytes())
                        length:([outData length] - crypto_secretbox_zerobytes())];
}

You'll notice in RbNaCL library open method here:
https://github.com/cryptosphere/rbnacl/blob/master/lib/rbnacl/secret_boxes/xsalsa20poly1305.rb

as required in docs at http://nacl.cr.yp.to/secretbox.html

Here is the other side:

+ (NSData *)secretBox:(NSData *)data key:(SecureData *)key {
  NSData *nonce = [Random randomData:crypto_secretbox_noncebytes()];

  if (!data || !key || [key length] != crypto_secretbox_keybytes() || !nonce || [nonce length] != crypto_secretbox_noncebytes())
    return nil;

  // Pad the datas by ZEROBYTES
  NSMutableData *paddedData = [NSMutableData dataWithLength:crypto_secretbox_zerobytes()];
  [paddedData appendData:data];

  NSMutableData *outData = [NSMutableData dataWithLength:[paddedData length]];

  int retval = crypto_secretbox([outData mutableBytes],
                         [paddedData bytes], [paddedData length],
                         [nonce bytes],
                         [key bytes]);

  if (retval != 0) return nil;

  // Remove BOXZEROBYTES from out data
  outData = [NSData dataWithBytes:([outData bytes] + crypto_secretbox_boxzerobytes())
                           length:([outData length] - crypto_secretbox_boxzerobytes())];

  NSMutableData *combined = [NSMutableData dataWithData:nonce];
  [combined appendData:outData];
  return combined;
}

[seb-m]

Hi Gabriel,

I'm not sure I understand the issue correctly, but I think the difference of code and the confusion may come from the fact that the encrypt methods in CryptoPill don't remove the padding bytes, therefore in the decrypt (*_open) methods, CryptoPill calls crypto_secretbox_boxzerobytes() but doesn't add any additional padding data. Of course I could have removed the first padding bytes to slightly reduce the size of the encrypted blob but I considered it was so small that it wouldn't really hurt to keep them.

[gabriel]

Yeah basically the problem I was having was data encrypted with RbNaCl (ruby's NaCl library) does this padding as suggested by the libsodium docs... So I couldn't decrypt stuff created from the ruby library without this padding fix.

Basically its important because stuff encrypted with libsodium in other libraries won't decrypt in CryptoPill :)

[gabriel]

A good way to test this is encrypt some data in RbNaCl and then try to decrypt in CryptoPill

password = "password"
hkdf = HKDF.new(password, :algorithm => "SHA256")
key = hkdf.next_bytes(32)
str = "This is a message"
secret_box = RbNaCl::SecretBox.new(key)
nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)
encrypted = secret_box.encrypt(nonce, str)
return Base64.strict_encode64(nonce + encrypted)

(uses gems rbnacl and hkdf)

The above outputs:

+ms5qv+jxqt0IGNsvxNkID7iF3SIGCNLjReo31YcTjmy260BGDP61UX5TGsZJa4d8/H/SYuOpPnW

[seb-m]

Ok now I see your need, I just commited a change f5382b8 to add helpers to provide compatibility by stripping / inserting zero bytes to ciphertexts.

See the headers files for an example:

NSData *encryptedData = [SecretBox secretBoxRemoveZeroBytes:[SecretBox secretBoxData:plaintext key:secretKey]];
NSData *decryptedData = [SecretBox secretBoxDataOpen:[SecretBox secretBoxInsertZeroBytes:encryptedData] key:secretKey];

Test it and tell me if it fits your needs. This is maybe a bit cumbersome but I also need to maintain compatibility with my own code.