mirror of
https://github.com/octoleo/restic.git
synced 2024-11-26 23:06:32 +00:00
Add 'plaintext' parameter to key.Decrypt()
% benchcmp /tmp/{before,after} benchmark old ns/op new ns/op delta BenchmarkChunkEncrypt 261144414 260252046 -0.34% BenchmarkChunkEncryptParallel 261201438 261267029 +0.03% BenchmarkArchiveDirectory 0.00 0.00 +0.00% BenchmarkEncryptWriter 88297245 87526529 -0.87% BenchmarkEncrypt 87406446 87917897 +0.59% BenchmarkDecryptReader 89948630 90042541 +0.10% BenchmarkEncryptDecryptReader 178374144 179477306 +0.62% BenchmarkDecrypt 88289705 87937073 -0.40% BenchmarkSaveJSON 213917 213571 -0.16% BenchmarkSaveFrom 74881361 75111148 +0.31% benchmark old MB/s new MB/s speedup BenchmarkChunkEncrypt 40.15 40.29 1.00x BenchmarkChunkEncryptParallel 40.14 40.13 1.00x BenchmarkEncryptWriter 95.00 95.84 1.01x BenchmarkEncrypt 95.97 95.41 0.99x BenchmarkDecryptReader 93.26 93.16 1.00x BenchmarkEncryptDecryptReader 47.03 46.74 0.99x BenchmarkDecrypt 95.01 95.39 1.00x BenchmarkSaveFrom 56.01 55.84 1.00x benchmark old allocs new allocs delta BenchmarkChunkEncrypt 113 112 -0.88% BenchmarkChunkEncryptParallel 104 103 -0.96% BenchmarkArchiveDirectory 0 0 +0.00% BenchmarkEncryptWriter 20 20 +0.00% BenchmarkEncrypt 14 14 +0.00% BenchmarkDecryptReader 18 18 +0.00% BenchmarkEncryptDecryptReader 40 45 +12.50% BenchmarkDecrypt 17 16 -5.88% BenchmarkSaveJSON 125 125 +0.00% BenchmarkSaveFrom 116 119 +2.59% benchmark old bytes new bytes delta BenchmarkChunkEncrypt 8515750 118956 -98.60% BenchmarkChunkEncryptParallel 8515766 118972 -98.60% BenchmarkArchiveDirectory 0 0 +0.00% BenchmarkEncryptWriter 28927 28927 +0.00% BenchmarkEncrypt 422313 2473 -99.41% BenchmarkDecryptReader 527827 527827 +0.00% BenchmarkEncryptDecryptReader 4100824 4100870 +0.00% BenchmarkDecrypt 8391127 2509 -99.97% BenchmarkSaveJSON 9208 9208 +0.00% BenchmarkSaveFrom 39694 40541 +2.13%
This commit is contained in:
parent
43ae0b69ab
commit
5a16a66973
24
key.go
24
key.go
@ -109,7 +109,7 @@ func OpenKey(s Server, id backend.ID, password string) (*Key, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// decrypt master keys
|
// decrypt master keys
|
||||||
buf, err := k.DecryptUser(k.Data)
|
buf, err := k.DecryptUser([]byte{}, k.Data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -447,10 +447,15 @@ func (k *Key) EncryptUserTo(wr io.Writer) io.WriteCloser {
|
|||||||
|
|
||||||
// Decrypt verifes and decrypts the ciphertext. Ciphertext must be in the form
|
// Decrypt verifes and decrypts the ciphertext. Ciphertext must be in the form
|
||||||
// IV || Ciphertext || HMAC.
|
// IV || Ciphertext || HMAC.
|
||||||
func (k *Key) decrypt(ks *keys, ciphertext []byte) ([]byte, error) {
|
func (k *Key) decrypt(ks *keys, plaintext, ciphertext []byte) ([]byte, error) {
|
||||||
// check for plausible length
|
// check for plausible length
|
||||||
if len(ciphertext) < ivSize+hmacSize {
|
if len(ciphertext) < ivSize+hmacSize {
|
||||||
panic("trying to decryipt invalid data: ciphertext too small")
|
panic("trying to decrypt invalid data: ciphertext too small")
|
||||||
|
}
|
||||||
|
|
||||||
|
if cap(plaintext) < len(ciphertext) {
|
||||||
|
// extend plaintext
|
||||||
|
plaintext = append(plaintext, make([]byte, len(ciphertext)-cap(plaintext))...)
|
||||||
}
|
}
|
||||||
|
|
||||||
hm := hmac.New(sha256.New, ks.Sign)
|
hm := hmac.New(sha256.New, ks.Sign)
|
||||||
@ -483,22 +488,22 @@ func (k *Key) decrypt(ks *keys, ciphertext []byte) ([]byte, error) {
|
|||||||
|
|
||||||
// decrypt
|
// decrypt
|
||||||
e := cipher.NewCTR(c, iv)
|
e := cipher.NewCTR(c, iv)
|
||||||
plaintext := make([]byte, len(ciphertext))
|
|
||||||
e.XORKeyStream(plaintext, ciphertext)
|
e.XORKeyStream(plaintext, ciphertext)
|
||||||
|
plaintext = plaintext[:len(ciphertext)]
|
||||||
|
|
||||||
return plaintext, nil
|
return plaintext, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypt verifes and decrypts the ciphertext with the master key. Ciphertext
|
// Decrypt verifes and decrypts the ciphertext with the master key. Ciphertext
|
||||||
// must be in the form IV || Ciphertext || HMAC.
|
// must be in the form IV || Ciphertext || HMAC.
|
||||||
func (k *Key) Decrypt(ciphertext []byte) ([]byte, error) {
|
func (k *Key) Decrypt(plaintext, ciphertext []byte) ([]byte, error) {
|
||||||
return k.decrypt(k.master, ciphertext)
|
return k.decrypt(k.master, plaintext, ciphertext)
|
||||||
}
|
}
|
||||||
|
|
||||||
// DecryptUser verifes and decrypts the ciphertext with the user key. Ciphertext
|
// DecryptUser verifes and decrypts the ciphertext with the user key. Ciphertext
|
||||||
// must be in the form IV || Ciphertext || HMAC.
|
// must be in the form IV || Ciphertext || HMAC.
|
||||||
func (k *Key) DecryptUser(ciphertext []byte) ([]byte, error) {
|
func (k *Key) DecryptUser(plaintext, ciphertext []byte) ([]byte, error) {
|
||||||
return k.decrypt(k.user, ciphertext)
|
return k.decrypt(k.user, plaintext, ciphertext)
|
||||||
}
|
}
|
||||||
|
|
||||||
type decryptReader struct {
|
type decryptReader struct {
|
||||||
@ -518,8 +523,7 @@ func (d *decryptReader) Read(dst []byte) (int, error) {
|
|||||||
remaining := len(d.buf) - d.pos
|
remaining := len(d.buf) - d.pos
|
||||||
if len(dst) >= remaining {
|
if len(dst) >= remaining {
|
||||||
n := copy(dst, d.buf[d.pos:])
|
n := copy(dst, d.buf[d.pos:])
|
||||||
FreeChunkBuf("decryptReader", d.buf)
|
d.Close()
|
||||||
d.buf = nil
|
|
||||||
return n, io.EOF
|
return n, io.EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ func TestCrypto(t *testing.T) {
|
|||||||
msg = msg[:n]
|
msg = msg[:n]
|
||||||
|
|
||||||
// decrypt message
|
// decrypt message
|
||||||
_, err = r.decrypt(r.master, msg)
|
_, err = r.decrypt(r.master, []byte{}, msg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
@ -64,12 +64,12 @@ func TestCrypto(t *testing.T) {
|
|||||||
// change hmac, this must fail
|
// change hmac, this must fail
|
||||||
msg[len(msg)-8] ^= 0x23
|
msg[len(msg)-8] ^= 0x23
|
||||||
|
|
||||||
if _, err = r.decrypt(r.master, msg); err != ErrUnauthenticated {
|
if _, err = r.decrypt(r.master, []byte{}, msg); err != ErrUnauthenticated {
|
||||||
t.Fatal("wrong HMAC value not detected")
|
t.Fatal("wrong HMAC value not detected")
|
||||||
}
|
}
|
||||||
|
|
||||||
// test decryption
|
// test decryption
|
||||||
p, err := r.decrypt(r.master, tv.ciphertext)
|
p, err := r.decrypt(r.master, []byte{}, tv.ciphertext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
20
key_test.go
20
key_test.go
@ -69,7 +69,7 @@ func TestEncryptDecrypt(t *testing.T) {
|
|||||||
n, err := k.Encrypt(ciphertext, data)
|
n, err := k.Encrypt(ciphertext, data)
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
|
|
||||||
plaintext, err := k.Decrypt(ciphertext[:n])
|
plaintext, err := k.Decrypt(nil, ciphertext[:n])
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
|
|
||||||
restic.FreeChunkBuf("TestEncryptDecrypt", ciphertext)
|
restic.FreeChunkBuf("TestEncryptDecrypt", ciphertext)
|
||||||
@ -119,7 +119,7 @@ func TestLargeEncrypt(t *testing.T) {
|
|||||||
n, err := k.Encrypt(ciphertext, data)
|
n, err := k.Encrypt(ciphertext, data)
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
|
|
||||||
plaintext, err := k.Decrypt(ciphertext[:n])
|
plaintext, err := k.Decrypt([]byte{}, ciphertext[:n])
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
|
|
||||||
equals(t, plaintext, data)
|
equals(t, plaintext, data)
|
||||||
@ -153,10 +153,11 @@ func BenchmarkEncrypt(b *testing.B) {
|
|||||||
defer teardownBackend(b, be)
|
defer teardownBackend(b, be)
|
||||||
k := setupKey(b, be, testPassword)
|
k := setupKey(b, be, testPassword)
|
||||||
|
|
||||||
|
buf := make([]byte, len(data)+restic.CiphertextExtension)
|
||||||
|
|
||||||
b.ResetTimer()
|
b.ResetTimer()
|
||||||
b.SetBytes(int64(size))
|
b.SetBytes(int64(size))
|
||||||
|
|
||||||
buf := make([]byte, len(data)+restic.CiphertextExtension)
|
|
||||||
for i := 0; i < b.N; i++ {
|
for i := 0; i < b.N; i++ {
|
||||||
_, err := k.Encrypt(buf, data)
|
_, err := k.Encrypt(buf, data)
|
||||||
ok(b, err)
|
ok(b, err)
|
||||||
@ -216,6 +217,8 @@ func BenchmarkEncryptDecryptReader(b *testing.B) {
|
|||||||
_, err = io.Copy(ioutil.Discard, r)
|
_, err = io.Copy(ioutil.Discard, r)
|
||||||
ok(b, err)
|
ok(b, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
restic.PoolAlloc()
|
||||||
}
|
}
|
||||||
|
|
||||||
func BenchmarkDecrypt(b *testing.B) {
|
func BenchmarkDecrypt(b *testing.B) {
|
||||||
@ -227,6 +230,10 @@ func BenchmarkDecrypt(b *testing.B) {
|
|||||||
k := setupKey(b, s, testPassword)
|
k := setupKey(b, s, testPassword)
|
||||||
|
|
||||||
ciphertext := restic.GetChunkBuf("BenchmarkDecrypt")
|
ciphertext := restic.GetChunkBuf("BenchmarkDecrypt")
|
||||||
|
defer restic.FreeChunkBuf("BenchmarkDecrypt", ciphertext)
|
||||||
|
plaintext := restic.GetChunkBuf("BenchmarkDecrypt")
|
||||||
|
defer restic.FreeChunkBuf("BenchmarkDecrypt", plaintext)
|
||||||
|
|
||||||
n, err := k.Encrypt(ciphertext, data)
|
n, err := k.Encrypt(ciphertext, data)
|
||||||
ok(b, err)
|
ok(b, err)
|
||||||
|
|
||||||
@ -234,10 +241,9 @@ func BenchmarkDecrypt(b *testing.B) {
|
|||||||
b.SetBytes(int64(size))
|
b.SetBytes(int64(size))
|
||||||
|
|
||||||
for i := 0; i < b.N; i++ {
|
for i := 0; i < b.N; i++ {
|
||||||
_, err := k.Decrypt(ciphertext[:n])
|
plaintext, err = k.Decrypt(plaintext, ciphertext[:n])
|
||||||
ok(b, err)
|
ok(b, err)
|
||||||
}
|
}
|
||||||
restic.FreeChunkBuf("BenchmarkDecrypt", ciphertext)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestEncryptStreamWriter(t *testing.T) {
|
func TestEncryptStreamWriter(t *testing.T) {
|
||||||
@ -268,7 +274,7 @@ func TestEncryptStreamWriter(t *testing.T) {
|
|||||||
l, len(ciphertext.Bytes()))
|
l, len(ciphertext.Bytes()))
|
||||||
|
|
||||||
// decrypt with default function
|
// decrypt with default function
|
||||||
plaintext, err := k.Decrypt(ciphertext.Bytes())
|
plaintext, err := k.Decrypt([]byte{}, ciphertext.Bytes())
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
assert(t, bytes.Equal(data, plaintext),
|
assert(t, bytes.Equal(data, plaintext),
|
||||||
"wrong plaintext after decryption: expected %02x, got %02x",
|
"wrong plaintext after decryption: expected %02x, got %02x",
|
||||||
@ -342,7 +348,7 @@ func TestEncryptWriter(t *testing.T) {
|
|||||||
l, len(ciphertext))
|
l, len(ciphertext))
|
||||||
|
|
||||||
// decrypt with default function
|
// decrypt with default function
|
||||||
plaintext, err := k.Decrypt(ciphertext)
|
plaintext, err := k.Decrypt([]byte{}, ciphertext)
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
assert(t, bytes.Equal(data, plaintext),
|
assert(t, bytes.Equal(data, plaintext),
|
||||||
"wrong plaintext after decryption: expected %02x, got %02x",
|
"wrong plaintext after decryption: expected %02x, got %02x",
|
||||||
|
@ -333,7 +333,7 @@ func (s Server) Decrypt(ciphertext []byte) ([]byte, error) {
|
|||||||
return nil, errors.New("key for server not set")
|
return nil, errors.New("key for server not set")
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.key.Decrypt(ciphertext)
|
return s.key.Decrypt([]byte{}, ciphertext)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s Server) Encrypt(ciphertext, plaintext []byte) (int, error) {
|
func (s Server) Encrypt(ciphertext, plaintext []byte) (int, error) {
|
||||||
@ -361,7 +361,7 @@ func (s Server) EachDecrypted(t backend.Type, f func(backend.ID, []byte, error))
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
buf, err := s.key.Decrypt(data)
|
buf, err := s.key.Decrypt([]byte{}, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
f(id, nil, err)
|
f(id, nil, err)
|
||||||
return
|
return
|
||||||
|
Loading…
Reference in New Issue
Block a user