Also replace stored header in encryptStream with just the version.

Added tests to make sure truncating a message while leaving the footer alone still produced errors.

Moved signature calculation in signcryption inside if statement so as to not be misleading.

Also mix in index into MAC nonce.

This prevents tampering of previously produced message ciphertexts, even if the sender's private key is compromised.

Make them read multiple chunks if possible. Also fix a possible infinite loop if the input buffer is zero-length.

Unify all the check*State functions into one for encoders, and another for decoders.

Error if an empty block is encountered in V2, except if the entire message is empty.

Also add comment for assertEndOfStream().

The Go msgpack encoder we're using has a counterintuitive order for struct fields when serializing as arrays. We meant to put the final flag at the end, but it's actually at the beginning (though not for signcryption mode). Update the v2 specs to reflect this unfortunate reality.

r? @mlsteele @akalin-keybase

frame.go now handles arbitrary amounts and combinations of whitespace in between words in either the header or the footer. It doesn't work with whitespace in the middle of a word (e.g. 'KEY BASE'), so the spec has been updated as we decided we don't want it to do that.

Hi, the saltpack.org website appears to be broken in its current state. The homepage and pages listed under the "Basics" menu all work, but the spec details (e.g: Encryption, Signing) display "Error: Couldn't load /home/keybase/src/keybase/saltpack.org/views/doc_symlink/saltpack_signing_v2.md" (or whatever page should be shown).

First bug: io.ReadAtLeast drops errors if it reads enough characters.

Second bug: both io.ReadAtLeast and punctuatedReader (among other) things return io.ErrUnexpectedEOF, so we were dropping errors from the latter.

The solution to both is to not use io.ReadAtLeast, and instead refill the buffer manually.

Reenable a test (which was hitting the second bug!).

Fix a few typos.

To install, run pre-commit install.

After running, to view all gometalinter warnings: pre-commit run -a.

The current output is:

verify_stream.go:103:5:warning: should omit nil check; len() for nil slices is defined as zero (gosimple)
encrypt_test.go:317::warning: declaration of err shadows declaration at encrypt_test.go:313: (vetshadow)
encrypt_test.go:406::warning: declaration of err shadows declaration at encrypt_test.go:401: (vetshadow)
encrypt_test.go:428::warning: declaration of err shadows declaration at encrypt_test.go:423: (vetshadow)
encoding/basex/encoding.go:275:2:warning: should use 'return <expr>' instead of 'if <expr> { return <bool> }; return <bool>' (gosimple)
armor_test.go:164:11:warning: ftr assigned and not used (ineffassign)
armor_test.go:164:3:warning: m assigned and not used (ineffassign)
armor_test.go:164:16:warning: err assigned and not used (ineffassign)
armor_test.go:164:6:warning: hdr assigned and not used (ineffassign)
frame.go:37:3:warning: brand assigned and not used (ineffassign)
encoding/basex/go_base64_test.go:146:4:warning: count assigned and not used (ineffassign)
encoding/basex/bases.go:17:1:warning: comment on exported var Base58StdEncodingStrict should be of the form "Base58StdEncodingStrict ..." (golint)
encoding/basex/bases.go:28:1:warning: comment on exported var Base62StdEncodingStrict should be of the form "Base62StdEncodingStrict ..." (golint)
encoding/basex/basex_test.go:102:11:warning: error return value not checked (rand.Read(r)) (errcheck)
encoding/basex/basex_test.go:107:33:warning: error return value not checked (Base62StdEncoding.DecodeString(data)) (errcheck)
encoding/basex/go_base64_test.go:92:16:warning: error return value not checked (encoder.Write([]byte(p.decoded))) (errcheck)
encoding/basex/go_base64_test.go:93:16:warning: error return value not checked (encoder.Close()) (errcheck)
encoding/basex/go_base64_test.go:358:33:warning: error return value not checked (Base58StdEncoding.DecodeString(data)) (errcheck)
common.go:68:1:warning: detachedSignatureInput is unused (deadcode)
packets.go:64:25:warning: sender can be BasePublicKey (interfacer)
armor.go:75:37:warning: unnecessary conversion (unconvert)
packets.go:104:2:warning: unused struct field github.com/keybase/saltpack.signatureBlock._struct (structcheck)
packets.go:16:2:warning: unused struct field github.com/keybase/saltpack.Version._struct (structcheck)
encrypt.go:27:2:warning: unused struct field github.com/keybase/saltpack.encryptStream.didHeader (structcheck)
encrypt.go:28:2:warning: unused struct field github.com/keybase/saltpack.encryptStream.eof (structcheck)
packets.go:56:2:warning: unused struct field github.com/keybase/saltpack.SignatureHeader._struct (structcheck)
packets.go:25:2:warning: unused struct field github.com/keybase/saltpack.EncryptionHeader._struct (structcheck)
packets.go:38:2:warning: unused struct field github.com/keybase/saltpack.encryptionBlock._struct (structcheck)
packets.go:9:2:warning: unused struct field github.com/keybase/saltpack.receiverKeys._struct (structcheck)
decrypt.go:31:6:warning: struct MessageKeyInfo could have size 72 (currently 80) (aligncheck)

MessagePack has some ambiguity in encoding numbers, so clarify that the version numbers and mode should be encoded as positive fixnums.

Also clarify ambiguity re. encoding strings, bytes arrays, and arrays.

Also add tests.

This is in preparation for adding more hardcoded tests.

Separate out ephemeral key generation into its own interface separate from keys and keyrings.

Make signcryption return an error if there are no receivers.

Better upper bound for receiver count.

This prevents leaking whether two recipient public keys are identical, which can then be used to confirm guesses of other recipients (by presenting their public keys as ours).

The sample cipher text found at the following website is invalid when used in the latest version of the Keybase client for macOS (Version 5.3.0-20200310172631+4f2689009b (5.3.0-20200310172631+4f2689009b)):

Website:

https://saltpack.org/in-the-wild

Ciphertext Sample

BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. ZUHRHckf9VJ6ich bKthcfFYyHcFs9n NI27ndpDFCqUnXj allzG097b3s5NfZ GYqoBPt7GnyCccB i0UhaCcVmbF55ms SYpOCl7tkjUJd40 DO6iR0dJpW60EKj 1K5x2hclL9hZb7V DRObuimxmStmqqs 7yWy26mVOa5Z5RM S7NeocvOyNlgBUp fhsPaNFrYuI3D4H Ku217LIW3V2wniP 7XkayWcyAfH8jWj ETF0WJPn2Aa1aOI Jz5olg5vyxIpofL FIuerimZ6n5qI3p NZr3pfBVjVLbYDO N3VgqUd5r2F85LE vWH3Qg8aK0aFkVw q1ZVVWbOm5ucueX 9RkRpkb2tZOenqu Ik7RAQEbcW5JIlv EFY8c5WjUYMONiM H0DQtdKsdZRjfTm ajt71qa33pffsSE rYDTXFBtGudM9FX SHXAMCGDHVH2sSF yb23QJVJuyGAHuO XpHP06EXRCHj23y GOk77q23cYVd01X 08U6bsPmweu5jvS 7SLTg0OsJpqTsUB NfrZyJ2gSppcPlL bZaTgtoL8U9ZzBV sHKMD5vGiUgb74u llrukVSRcTqk2bO 5wdQ57EmY8IjJSn Lznnv9PhY8xnsTT EVPQcAH0CszKDQN LskpyRGDhsCbuzH 6YSFe2grnjccVAK uvaqEELV4Fnf90s cLxe65hn8918oz6 8BNj30RaMiEJbpq wXfb7vHPfrd1vVe raU4tfG5MZD34s7 xfvLCKSlctVLO7O q1MAgPtT73CGVU8 c4gkvmFWANwUC7g YivwSxNkn5PWiL2 NsaE8UfQDptjGDN hR96GQfuWJ63JTE gGa19OrSzgIErLK IAexacwBNiAXbPb ViAIrl0w6BL4aSa j5p5GZi5PPNlJ2Q OPo67OkcmweyfwE vNGrC7y3PxAemOU GRxeHbQ3FI77C2Y 9OyFG0LT3Qo04iK BVbp0r7xAX0i26O mybjcCqn4eBLKcy 87YiDgQRSa4n2fk c1Q0plK9e2U8rk6 6D0kx3bkxdG8Boy s6kTH9moQzAuKoG yLnoq9cmjCKfrOt 2K4vlJiAqJglyeu rm2lZEHIPW9sELw 06cowGDsmfcGN7h T6j9fbMgNGo9eIs s4YQd5tIKzoWsXl SSPNrVjaNMxtJsI IIjSCrPdjL2oSv6 eHDWXWmPJW6XIBI Ar7ZE8vAFRQSvr8 v9vAB7kALQpHdMv SiRbM1bQ6or7r0l P2QHXfA2lRykA9y 6kX8n0CCWZPO8Qo V4mhJCSF3snj9RK kwZosJw2AyvqDLs OAZ8OPdyYGx3FTg 7PaOijY9fQxcBVM 3omDhcawPWdA7jN 3ZQMvd9FKwIbu7H sF1YJixcN6OLzCp tbCKIi7xwUK0oGw XrO7QaFsHYEXNg9 RbMpaYtGfewhkUj 6LFRs9zfq8K13ni dV8d6V8eApAmgTp 8x3DtGdazE8F0ZG cSAwjiKLJVzYmpj jUiWtx0xcx0J6Hn VeSxuHKKYa7NASA BBzX454HGK3OXvt hPJua8eygXO9Ucp 2nNT12FOfkozrYM M4CkXaBQzYMkYzY sGO1c2plDJaEbV9 9guG5XJg3iJO23K CB7WtsJypxmkMoy eQYuNQMlKk4MU8b NuZhauMnqqQQfNG 1tJLhLyzyHfkBBL rnQo9cstcFLZAd0 md5lpy0X. END KEYBASE SALTPACK ENCRYPTED MESSAGE.

Error Message in macOS client Decrypt tab:

This ciphertext is not in a valid Saltpack format. Please enter Saltpack ciphertext.

It was expected that the client would say the following for a message encrypted to max that I don't have the key for:

Your message couldn't be decrypted, because no suitable key was found.

... or user should not be allowed to generate unparseable messages.

	smsg, err := saltpack.SignArmor62(
		saltpack.CurrentVersion(),
		[]byte("message here"),
		secretKey,
		"TWO PART",
	)
	if err != nil {
		panic(err)
	}

	skey, msg, brand, err := saltpack.Dearmor62Verify(
		saltpack.CheckKnownMajorVersion,
		smsg,
		kr,
	)
	if err != nil {
		panic(err) // will panic here, unable to parse the header
	}

https://github.com/minio/sio (D.A.R.E. v2) seems very similar to NaCL providing an stream of GCM encrypted chunks + Salsa20 and Poly1305. It looks like this project improves on the "Armor" / display part of things for binary chunks.

I was looking for an encrypted messagepack library and found this project. My goal is to add encryption to a location based app which uses websockets to stream in real time the position of its users. As such, I would expect to send less than 100bytes per user every 5 or 10 seconds at most, which is far away from the readme description of breaking up messages in sizes of 1MB sizes.

Is there anything bad in saltpack for short messages? Will each of them pad to 1MB chunks of gibberish or this is this sentence just aimed at developers willing to implement multimedia communications (sending pictures, audio, video, which weight much more)?

My friend send me a message on Slack with a BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE prelude. I typed this phrase into Google, landed on saltpack.org and have been trying to figure out how to decrypt the message.

I've scanned the sidebar, read the intro, read the homepage, read https://saltpack.org/signing-format, read https://saltpack.org/implementations. I ran go get github.com/keybase/saltpack and expected to find a saltpack binary on my $PATH - I could then call saltpack -h and maybe learn about decryption options, but that also failed. I'd rather not write a Go main function to decrypt the message.

I expected to find something like this:

Decrypting messages with Saltpack

To decrypt messages, save the encrypted message to a file, then run keybase decrypt foo.bar or call saltpack decrypt file.name

or whatever other instructions I need.

Or a list item in the sidebar that says "decrypting messages", or something.