Whisper: Wraps any Go io.ReadWriter in a secure tunnel using Ed25519/X25519

There is no description of the protocol or of its security goals, so I am making some guesses based on a cursory look at the source and what I imagine this might be for.<p>A single symmetric key is derived for both directions, and there is no checking of nonces, so as far as I can tell any message can be dropped, reordered, or replayed in both directions. (Including replaying message from A to B as if they were from B to A.) This is a bit like using ECB and likely to lead to fun application-specific attacks like [0].<p>This is very much rolling your own crypto, in a dangerous way. I am on the record as being &quot;against&quot; the &quot;don&#x27;t roll your own crypto&quot; refrain [1], but mostly because it doesn&#x27;t work: it should discourage people from publishing hand-rolled protocols such as this, but instead people think it means &quot;don&#x27;t roll your own primitives&quot; and accept any use of &quot;Ed25519&#x2F;X25519&quot; as probably secure.<p>Please read about the Noise framework [2] to get an idea of how much nuance there is to this, and consider using a Go implementation of it [3] instead.<p>P.S. This kind of issue is also why I maintain that NaCl is not a high-level scheme [4]: this could have used NaCl and have the exact same issues. libsodium has a couple slightly higher-level APIs that could have helped, secretstream [5] and kx [6], but again please use Noise.<p>[0] <a href="https:&#x2F;&#x2F;cryptopals.com&#x2F;sets&#x2F;2&#x2F;challenges&#x2F;13" rel="nofollow">https:&#x2F;&#x2F;cryptopals.com&#x2F;sets&#x2F;2&#x2F;challenges&#x2F;13</a><p>[1] <a href="https:&#x2F;&#x2F;securitycryptographywhatever.buzzsprout.com&#x2F;1822302&#x2F;8953842-the-great-roll-your-own-crypto-debate-with-filippo-valsorda" rel="nofollow">https:&#x2F;&#x2F;securitycryptographywhatever.buzzsprout.com&#x2F;1822302&#x2F;...</a><p>[2] <a href="https:&#x2F;&#x2F;noiseprotocol.org&#x2F;noise.html" rel="nofollow">https:&#x2F;&#x2F;noiseprotocol.org&#x2F;noise.html</a><p>[3] <a href="https:&#x2F;&#x2F;github.com&#x2F;flynn&#x2F;noise">https:&#x2F;&#x2F;github.com&#x2F;flynn&#x2F;noise</a><p>[4] <a href="https:&#x2F;&#x2F;words.filippo.io&#x2F;dispatches&#x2F;nacl-api&#x2F;" rel="nofollow">https:&#x2F;&#x2F;words.filippo.io&#x2F;dispatches&#x2F;nacl-api&#x2F;</a><p>[5] <a href="https:&#x2F;&#x2F;libsodium.gitbook.io&#x2F;doc&#x2F;secret-key_cryptography&#x2F;secretstream" rel="nofollow">https:&#x2F;&#x2F;libsodium.gitbook.io&#x2F;doc&#x2F;secret-key_cryptography&#x2F;sec...</a><p>[6] <a href="https:&#x2F;&#x2F;libsodium.gitbook.io&#x2F;doc&#x2F;key_exchange" rel="nofollow">https:&#x2F;&#x2F;libsodium.gitbook.io&#x2F;doc&#x2F;key_exchange</a>

There has been a lot of discussion about how the crypto doesn&#x27;t work. I have some quibbles about the Go.<p>Don&#x27;t put a mutex in your io.Reader. It is assumed that, unless mentioned in the documentation, it is not safe to use anything in Go from multiple goroutines. If someone wants to make the reader synchronous for use among multiple goroutines, they can do so themselves. But it&#x27;s so rare that it&#x27;s unlikely anyone would want this.<p>read&#x2F;write mutexes typically perform worse than a plain mutex. You pay a performance cost to prevent readers and writers from starving each other; if you don&#x27;t care (and this code doesn&#x27;t), use a Mutex. <a href="https:&#x2F;&#x2F;zephyrtronium.github.io&#x2F;articles&#x2F;rwmutex.html" rel="nofollow">https:&#x2F;&#x2F;zephyrtronium.github.io&#x2F;articles&#x2F;rwmutex.html</a><p>Finally, it&#x27;s fine to embed the mutex value directly in your struct if your methods take pointer receivers. &amp;MyThing{Mutex: new(sync.Mutex)} is pretty weird to see. If the mutex were included as its value, then the zero value of MyThing is ready to use; &amp;MyThing{} has a new mutex in it. (You can&#x27;t copy the value of &amp;MyThing either way; a correct copy requires holding the mutex. The reason to embed a *sync.Mutex instead of a sync.Mutex is so that you can copy the containing type, but that is actually unsafe. You grab a pointer to the wrong Mutex in your copy, and you also copy data protected by the mutex without holding it. So your methods MUST have a pointer receiver either way, and thus the indirection to *sync.Mutex is unnecessary.)

Interesting, though AFAIK a secure tunnel is only useful for a net.Conn, not an io.ReadWriter. What&#x27;s the usecase for a &quot;secure tunnel&quot; over a bytes.Buffer?<p>btw, I noticed that the decrypt function reads a 32-bit message length and immediately allocates a slice of that size. That means an attacker can send 0xFFFFFFFF and cause you to allocate 4GiB.

See also: <a href="https:&#x2F;&#x2F;github.com&#x2F;flynn&#x2F;noise">https:&#x2F;&#x2F;github.com&#x2F;flynn&#x2F;noise</a>

I recently implemented a very similar service to service gRPC authentication mechanism for Go using EC25519 and the noise protocol framework.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;sillystack&#x2F;api&#x2F;blob&#x2F;main&#x2F;transport&#x2F;transport.go">https:&#x2F;&#x2F;github.com&#x2F;sillystack&#x2F;api&#x2F;blob&#x2F;main&#x2F;transport&#x2F;transp...</a><p>The code is very fresh and hasn&#x27;t yet gone through a audit so please don&#x27;t use it for anything where security actually matters.