From 2bb349b7db5d592985c18d06080e00528fa35acc Mon Sep 17 00:00:00 2001
From: Christian Bundy
Date: Wed, 2 Sep 2020 09:28:28 -0700
Subject: [PATCH] Fix backward crypto_secretbox_detached bug

Problem: Both `crypto_secretbox_detached` and the corresponding `crypto_secretbox_open_detached` have a bug where the MAC is added as a suffix rather than the prefix. This creates a problem where the methods are compatible with each other but incompatible with other libsodium implementations.

Solution: Reverse the backward implementation and ensure that the MAC is added to the output as a prefix rather than as a suffix.
---
 crypto_secretbox.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto_secretbox.js b/crypto_secretbox.js
index 05fb264..9d52d43 100644
--- a/crypto_secretbox.js
+++ b/crypto_secretbox.js
@@ -69,8 +69,8 @@ function crypto_secretbox_detached (o, mac, msg, n, k) {
 const tmp = new Uint8Array(msg.byteLength + mac.byteLength)
 crypto_secretbox_easy(tmp, msg, n, k)
- o.set(tmp.subarray(0, msg.byteLength))
- mac.set(tmp.subarray(msg.byteLength))
+ o.set(tmp.subarray(mac.byteLength))
+ mac.set(tmp.subarray(0, mac.byteLength))
 return true
 }
@@ -81,8 +81,8 @@ function crypto_secretbox_open_detached (msg, o, mac, n, k) {
 assert(k.byteLength === crypto_secretbox_KEYBYTES, "k must be 'crypto_secretbox_KEYBYTES' bytes")
 const tmp = new Uint8Array(o.byteLength + mac.byteLength)
- tmp.set(o)
- tmp.set(mac, msg.byteLength)
+ tmp.set(o, mac.byteLength)
+ tmp.set(mac)
 return crypto_secretbox_open_easy(msg, tmp, n, k)
 }
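Review bot: Nothing in this patch accounts for data written with the previous layout. Once `o.set(tmp.subarray(mac.byteLength))` and `mac.set(tmp.subarray(0, mac.byteLength))` ship, ciphertext/tag pairs produced by the old `crypto_secretbox_detached` will presumably fail authentication, and the same applies to `crypto_secretbox_open_detached` in the next hunk. The diffstat shows only `crypto_secretbox.js` changing, so there is no regression test or release note marking this as a breaking change. A test asserting that `mac` followed by `o` equals the output of `crypto_secretbox_easy` for the same `msg`, `n` and `k` would pin the tag-first layout; a detached round trip alone cannot, since the old code also round-tripped. The function's signature and leading assertions lie outside the hunk.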
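Review bot: The offset in `tmp.set(o, mac.byteLength)` comes from the caller's buffer, and the only length assertion visible in this hunk is the one on `k`; the function body starts above the hunk, so a check on `mac` may exist there. If it does not, a wrong-sized `mac` silently shifts where the ciphertext starts in `tmp`. Writing `tmp.set(o, crypto_secretbox_MACBYTES)` would tie the layout to the constant rather than to the argument. A short comment above the two `set` calls would also help, e.g. `// tmp = mac || ciphertext, the combined layout crypto_secretbox_open_easy expects`.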