Don't allocate the nonce for each chunk

ProtonMail · Dec 9, 2024 · add07bd · add07bd
1 parent b01f065
commit add07bd
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 14 deletions.
diff --git a/openpgp/packet/aead_crypter.go b/openpgp/packet/aead_crypter.go
@@ -15,7 +15,7 @@ import (
 type aeadCrypter struct {
 	aead           cipher.AEAD
 	chunkSize      int
-	initialNonce   []byte
+	nonce          []byte
 	associatedData []byte       // Chunk-independent associated data
 	chunkIndex     []byte       // Chunk counter
 	packetTag      packetType   // SEIP packet (v2) or AEAD Encrypted Data packet
@@ -28,12 +28,12 @@ type aeadCrypter struct {
 // 5.16.1 and 5.16.2). It returns the resulting nonce.
 func (wo *aeadCrypter) computeNextNonce() (nonce []byte) {
 	if wo.packetTag == packetTypeSymmetricallyEncryptedIntegrityProtected {
-		return append(wo.initialNonce, wo.chunkIndex...)
+		return wo.nonce
 	}
 
-	nonce = make([]byte, len(wo.initialNonce))
-	copy(nonce, wo.initialNonce)
-	offset := len(wo.initialNonce) - 8
+	nonce = make([]byte, len(wo.nonce))
+	copy(nonce, wo.nonce)
+	offset := len(wo.nonce) - 8
 	for i := 0; i < 8; i++ {
 		nonce[i+offset] ^= wo.chunkIndex[i]
 	}

diff --git a/openpgp/packet/aead_encrypted.go b/openpgp/packet/aead_encrypted.go
@@ -76,7 +76,7 @@ func (ae *AEADEncrypted) decrypt(key []byte) (io.ReadCloser, error) {
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      chunkSize,
-			initialNonce:   ae.initialNonce,
+			nonce:          ae.initialNonce,
 			associatedData: ae.associatedData(),
 			chunkIndex:     make([]byte, 8),
 			packetTag:      packetTypeAEADEncrypted,

diff --git a/openpgp/packet/aead_encrypted_test.go b/openpgp/packet/aead_encrypted_test.go
@@ -454,7 +454,7 @@ func SerializeAEADEncrypted(w io.Writer, key []byte, config *Config) (io.WriteCl
 			chunkSize:      chunkSize,
 			associatedData: prefix,
 			chunkIndex:     make([]byte, 8),
-			initialNonce:   nonce,
+			nonce:          nonce,
 			packetTag:      packetTypeAEADEncrypted,
 		},
 		writer: writer,

diff --git a/openpgp/packet/symmetrically_encrypted_aead.go b/openpgp/packet/symmetrically_encrypted_aead.go
@@ -81,9 +81,9 @@ func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, e
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      decodeAEADChunkSize(se.ChunkSizeByte),
-			initialNonce:   nonce,
+			nonce:          nonce,
 			associatedData: se.associatedData(),
-			chunkIndex:     make([]byte, 8),
+			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
 		reader:      se.Contents,
@@ -135,8 +135,8 @@ func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite
 			aead:           aead,
 			chunkSize:      decodeAEADChunkSize(chunkSizeByte),
 			associatedData: prefix,
-			chunkIndex:     make([]byte, 8),
-			initialNonce:   nonce,
+			nonce:          nonce,
+			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
 		writer: ciphertext,
@@ -149,10 +149,10 @@ func getSymmetricallyEncryptedAeadInstance(c CipherFunction, mode AEADMode, inpu
 	encryptionKey := make([]byte, c.KeySize())
 	_, _ = readFull(hkdfReader, encryptionKey)
 
-	// Last 64 bits of nonce are the counter
-	nonce = make([]byte, mode.IvLength()-8)
+	nonce = make([]byte, mode.IvLength())
 
-	_, _ = readFull(hkdfReader, nonce)
+	// Last 64 bits of nonce are the counter
+	_, _ = readFull(hkdfReader, nonce[:len(nonce)-8])
 
 	blockCipher := c.new(encryptionKey)
 	aead = mode.new(blockCipher)