Reuse plaintext slice for ciphertext when encrypting

ProtonMail · Dec 16, 2024 · 04cfaf2 · 04cfaf2
1 parent fee7824
commit 04cfaf2
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 42 deletions.
diff --git a/ocb/ocb.go b/ocb/ocb.go
@@ -109,9 +109,10 @@ func (o *ocb) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	if len(nonce) > o.nonceSize {
 		panic("crypto/ocb: Incorrect nonce length given to OCB")
 	}
-	ret, out := byteutil.SliceForAppend(dst, len(plaintext)+o.tagSize)
-	tag := o.crypt(enc, out, nonce, adata, plaintext)
-	copy(out[len(plaintext):], tag)
+	sep := len(plaintext)
+	ret, out := byteutil.SliceForAppend(dst, sep+o.tagSize)
+	tag := o.crypt(enc, out[:sep], nonce, adata, plaintext)
+	copy(out[sep:], tag)
 	return ret
 }
 
@@ -194,13 +195,14 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 		byteutil.XorBytesMut(offset, o.mask.L[bits.TrailingZeros(uint(i+1))])
 		blockX := X[i*blockSize : (i+1)*blockSize]
 		blockY := Y[i*blockSize : (i+1)*blockSize]
-		byteutil.XorBytes(blockY, blockX, offset)
 		switch instruction {
 		case enc:
+			byteutil.XorBytesMut(checksum, blockX)
+			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Encrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
-			byteutil.XorBytesMut(checksum, blockX)
 		case dec:
+			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Decrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
 			byteutil.XorBytesMut(checksum, blockY)
@@ -216,26 +218,23 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 		o.block.Encrypt(pad, offset)
 		chunkX := X[blockSize*m:]
 		chunkY := Y[blockSize*m : len(X)]
-		byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
-		// P_* || bit(1) || zeroes(127) - len(P_*)
 		switch instruction {
 		case enc:
 			byteutil.XorBytesMut(checksum, chunkX)
 			checksum[len(chunkX)] ^= 128
+			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
+			// P_* || bit(1) || zeroes(127) - len(P_*)
 		case dec:
+			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
+			// P_* || bit(1) || zeroes(127) - len(P_*)
 			byteutil.XorBytesMut(checksum, chunkY)
 			checksum[len(chunkY)] ^= 128
 		}
-		byteutil.XorBytes(tag, checksum, offset)
-		byteutil.XorBytesMut(tag, o.mask.lDol)
-		o.block.Encrypt(tag, tag)
-		byteutil.XorBytesMut(tag, o.hash(adata))
-	} else {
-		byteutil.XorBytes(tag, checksum, offset)
-		byteutil.XorBytesMut(tag, o.mask.lDol)
-		o.block.Encrypt(tag, tag)
-		byteutil.XorBytesMut(tag, o.hash(adata))
 	}
+	byteutil.XorBytes(tag, checksum, offset)
+	byteutil.XorBytesMut(tag, o.mask.lDol)
+	o.block.Encrypt(tag, tag)
+	byteutil.XorBytesMut(tag, o.hash(adata))
 	return tag[:o.tagSize]
 }
 

diff --git a/openpgp/packet/aead_crypter.go b/openpgp/packet/aead_crypter.go
@@ -20,7 +20,6 @@ type aeadCrypter struct {
 	chunkIndex     []byte       // Chunk counter
 	packetTag      packetType   // SEIP packet (v2) or AEAD Encrypted Data packet
 	bytesProcessed int          // Amount of plaintext bytes encrypted/decrypted
-	buffer         bytes.Buffer // Buffered bytes across chunks
 }
 
 // computeNonce takes the incremental index and computes an eXclusive OR with
@@ -60,10 +59,11 @@ func (wo *aeadCrypter) incrementIndex() error {
 // aeadDecrypter reads and decrypts bytes. It buffers extra decrypted bytes when
 // necessary, similar to aeadEncrypter.
 type aeadDecrypter struct {
-	aeadCrypter           // Embedded ciphertext opener
-	reader      io.Reader // 'reader' is a partialLengthReader
+	aeadCrypter              // Embedded ciphertext opener
+	reader      io.Reader    // 'reader' is a partialLengthReader
 	chunkBytes  []byte
-	peekedBytes []byte    // Used to detect last chunk
+	peekedBytes []byte       // Used to detect last chunk
+	buffer      bytes.Buffer // Buffered decrypted bytes
 }
 
 // Read decrypts bytes and reads them into dst. It decrypts when necessary and
@@ -163,27 +163,29 @@ func (ar *aeadDecrypter) validateFinalTag(tag []byte) error {
 type aeadEncrypter struct {
 	aeadCrypter                // Embedded plaintext sealer
 	writer      io.WriteCloser // 'writer' is a partialLengthWriter
+	chunkBytes  []byte
+	offset      int
 }
 
 // Write encrypts and writes bytes. It encrypts when necessary and buffers extra
 // plaintext bytes for next call. When the stream is finished, Close() MUST be
 // called to append the final tag.
 func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
-	// Append plaintextBytes to existing buffered bytes
-	n, err = aw.buffer.Write(plaintextBytes)
-	if err != nil {
-		return n, err
-	}
-	// Encrypt and write chunks
-	for aw.buffer.Len() >= aw.chunkSize {
-		plainChunk := aw.buffer.Next(aw.chunkSize)
-		encryptedChunk, err := aw.sealChunk(plainChunk)
-		if err != nil {
-			return n, err
-		}
-		_, err = aw.writer.Write(encryptedChunk)
-		if err != nil {
-			return n, err
+	for n != len(plaintextBytes) {
+		copied := copy(aw.chunkBytes[aw.offset:aw.chunkSize], plaintextBytes[n:])
+		n += copied
+		aw.offset += copied
+
+		if aw.offset == aw.chunkSize {
+			encryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
+			if err != nil {
+				return n, err
+			}
+			_, err = aw.writer.Write(encryptedChunk)
+			if err != nil {
+				return n, err
+			}
+			aw.offset = 0
 		}
 	}
 	return
@@ -195,9 +197,8 @@ func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
 func (aw *aeadEncrypter) Close() (err error) {
 	// Encrypt and write a chunk if there's buffered data left, or if we haven't
 	// written any chunks yet.
-	if aw.buffer.Len() > 0 || aw.bytesProcessed == 0 {
-		plainChunk := aw.buffer.Bytes()
-		lastEncryptedChunk, err := aw.sealChunk(plainChunk)
+	if aw.offset > 0 || aw.bytesProcessed == 0 {
+		lastEncryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
 		if err != nil {
 			return err
 		}
@@ -243,7 +244,7 @@ func (aw *aeadEncrypter) sealChunk(data []byte) ([]byte, error) {
 	}
 
 	nonce := aw.computeNextNonce()
-	encrypted := aw.aead.Seal(data[:0:len(data)], nonce, data, adata)
+	encrypted := aw.aead.Seal(data[:0], nonce, data, adata)
 	aw.bytesProcessed += len(data)
 	if err := aw.aeadCrypter.incrementIndex(); err != nil {
 		return nil, err

diff --git a/openpgp/packet/aead_encrypted_test.go b/openpgp/packet/aead_encrypted_test.go
@@ -449,6 +449,8 @@ func SerializeAEADEncrypted(w io.Writer, key []byte, config *Config) (io.WriteCl
 	alg := aeadConf.Mode().new(blockCipher)
 
 	chunkSize := decodeAEADChunkSize(aeadConf.ChunkSizeByte())
+	tagLen := alg.Overhead()
+	chunkBytes := make([]byte, chunkSize+tagLen)
 	return &aeadEncrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           alg,
@@ -458,6 +460,7 @@ func SerializeAEADEncrypted(w io.Writer, key []byte, config *Config) (io.WriteCl
 			nonce:          nonce,
 			packetTag:      packetTypeAEADEncrypted,
 		},
-		writer: writer,
+		writer:     writer,
+		chunkBytes: chunkBytes,
 	}, nil
 }
diff --git a/openpgp/packet/symmetrically_encrypted_aead.go b/openpgp/packet/symmetrically_encrypted_aead.go
@@ -133,16 +133,20 @@ func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite
 
 	aead, nonce := getSymmetricallyEncryptedAeadInstance(cipherSuite.Cipher, cipherSuite.Mode, inputKey, salt, prefix)
 
+	chunkSize := decodeAEADChunkSize(chunkSizeByte)
+	tagLen := aead.Overhead()
+	chunkBytes := make([]byte, chunkSize+tagLen)
 	return &aeadEncrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
-			chunkSize:      decodeAEADChunkSize(chunkSizeByte),
+			chunkSize:      chunkSize,
 			associatedData: prefix,
 			nonce:          nonce,
 			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
-		writer: ciphertext,
+		writer:     ciphertext,
+		chunkBytes: chunkBytes,
 	}, nil
 }