2
2
mirror of https://github.com/octoleo/restic.git synced 2024-11-23 05:12:10 +00:00

Add 'plaintext' parameter to key.Decrypt()

% benchcmp /tmp/{before,after}
    benchmark                         old ns/op     new ns/op     delta
    BenchmarkChunkEncrypt             261144414     260252046     -0.34%
    BenchmarkChunkEncryptParallel     261201438     261267029     +0.03%
    BenchmarkArchiveDirectory         0.00          0.00          +0.00%
    BenchmarkEncryptWriter            88297245      87526529      -0.87%
    BenchmarkEncrypt                  87406446      87917897      +0.59%
    BenchmarkDecryptReader            89948630      90042541      +0.10%
    BenchmarkEncryptDecryptReader     178374144     179477306     +0.62%
    BenchmarkDecrypt                  88289705      87937073      -0.40%
    BenchmarkSaveJSON                 213917        213571        -0.16%
    BenchmarkSaveFrom                 74881361      75111148      +0.31%

    benchmark                         old MB/s     new MB/s     speedup
    BenchmarkChunkEncrypt             40.15        40.29        1.00x
    BenchmarkChunkEncryptParallel     40.14        40.13        1.00x
    BenchmarkEncryptWriter            95.00        95.84        1.01x
    BenchmarkEncrypt                  95.97        95.41        0.99x
    BenchmarkDecryptReader            93.26        93.16        1.00x
    BenchmarkEncryptDecryptReader     47.03        46.74        0.99x
    BenchmarkDecrypt                  95.01        95.39        1.00x
    BenchmarkSaveFrom                 56.01        55.84        1.00x

    benchmark                         old allocs     new allocs     delta
    BenchmarkChunkEncrypt             113            112            -0.88%
    BenchmarkChunkEncryptParallel     104            103            -0.96%
    BenchmarkArchiveDirectory         0              0              +0.00%
    BenchmarkEncryptWriter            20             20             +0.00%
    BenchmarkEncrypt                  14             14             +0.00%
    BenchmarkDecryptReader            18             18             +0.00%
    BenchmarkEncryptDecryptReader     40             45             +12.50%
    BenchmarkDecrypt                  17             16             -5.88%
    BenchmarkSaveJSON                 125            125            +0.00%
    BenchmarkSaveFrom                 116            119            +2.59%

    benchmark                         old bytes     new bytes     delta
    BenchmarkChunkEncrypt             8515750       118956        -98.60%
    BenchmarkChunkEncryptParallel     8515766       118972        -98.60%
    BenchmarkArchiveDirectory         0             0             +0.00%
    BenchmarkEncryptWriter            28927         28927         +0.00%
    BenchmarkEncrypt                  422313        2473          -99.41%
    BenchmarkDecryptReader            527827        527827        +0.00%
    BenchmarkEncryptDecryptReader     4100824       4100870       +0.00%
    BenchmarkDecrypt                  8391127       2509          -99.97%
    BenchmarkSaveJSON                 9208          9208          +0.00%
    BenchmarkSaveFrom                 39694         40541         +2.13%
This commit is contained in:
Alexander Neumann 2015-02-17 21:09:54 +01:00
parent 43ae0b69ab
commit 5a16a66973
4 changed files with 32 additions and 22 deletions

24
key.go
View File

@ -109,7 +109,7 @@ func OpenKey(s Server, id backend.ID, password string) (*Key, error) {
} }
// decrypt master keys // decrypt master keys
buf, err := k.DecryptUser(k.Data) buf, err := k.DecryptUser([]byte{}, k.Data)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -447,10 +447,15 @@ func (k *Key) EncryptUserTo(wr io.Writer) io.WriteCloser {
// Decrypt verifes and decrypts the ciphertext. Ciphertext must be in the form // Decrypt verifes and decrypts the ciphertext. Ciphertext must be in the form
// IV || Ciphertext || HMAC. // IV || Ciphertext || HMAC.
func (k *Key) decrypt(ks *keys, ciphertext []byte) ([]byte, error) { func (k *Key) decrypt(ks *keys, plaintext, ciphertext []byte) ([]byte, error) {
// check for plausible length // check for plausible length
if len(ciphertext) < ivSize+hmacSize { if len(ciphertext) < ivSize+hmacSize {
panic("trying to decryipt invalid data: ciphertext too small") panic("trying to decrypt invalid data: ciphertext too small")
}
if cap(plaintext) < len(ciphertext) {
// extend plaintext
plaintext = append(plaintext, make([]byte, len(ciphertext)-cap(plaintext))...)
} }
hm := hmac.New(sha256.New, ks.Sign) hm := hmac.New(sha256.New, ks.Sign)
@ -483,22 +488,22 @@ func (k *Key) decrypt(ks *keys, ciphertext []byte) ([]byte, error) {
// decrypt // decrypt
e := cipher.NewCTR(c, iv) e := cipher.NewCTR(c, iv)
plaintext := make([]byte, len(ciphertext))
e.XORKeyStream(plaintext, ciphertext) e.XORKeyStream(plaintext, ciphertext)
plaintext = plaintext[:len(ciphertext)]
return plaintext, nil return plaintext, nil
} }
// Decrypt verifes and decrypts the ciphertext with the master key. Ciphertext // Decrypt verifes and decrypts the ciphertext with the master key. Ciphertext
// must be in the form IV || Ciphertext || HMAC. // must be in the form IV || Ciphertext || HMAC.
func (k *Key) Decrypt(ciphertext []byte) ([]byte, error) { func (k *Key) Decrypt(plaintext, ciphertext []byte) ([]byte, error) {
return k.decrypt(k.master, ciphertext) return k.decrypt(k.master, plaintext, ciphertext)
} }
// DecryptUser verifes and decrypts the ciphertext with the user key. Ciphertext // DecryptUser verifes and decrypts the ciphertext with the user key. Ciphertext
// must be in the form IV || Ciphertext || HMAC. // must be in the form IV || Ciphertext || HMAC.
func (k *Key) DecryptUser(ciphertext []byte) ([]byte, error) { func (k *Key) DecryptUser(plaintext, ciphertext []byte) ([]byte, error) {
return k.decrypt(k.user, ciphertext) return k.decrypt(k.user, plaintext, ciphertext)
} }
type decryptReader struct { type decryptReader struct {
@ -518,8 +523,7 @@ func (d *decryptReader) Read(dst []byte) (int, error) {
remaining := len(d.buf) - d.pos remaining := len(d.buf) - d.pos
if len(dst) >= remaining { if len(dst) >= remaining {
n := copy(dst, d.buf[d.pos:]) n := copy(dst, d.buf[d.pos:])
FreeChunkBuf("decryptReader", d.buf) d.Close()
d.buf = nil
return n, io.EOF return n, io.EOF
} }

View File

@ -56,7 +56,7 @@ func TestCrypto(t *testing.T) {
msg = msg[:n] msg = msg[:n]
// decrypt message // decrypt message
_, err = r.decrypt(r.master, msg) _, err = r.decrypt(r.master, []byte{}, msg)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -64,12 +64,12 @@ func TestCrypto(t *testing.T) {
// change hmac, this must fail // change hmac, this must fail
msg[len(msg)-8] ^= 0x23 msg[len(msg)-8] ^= 0x23
if _, err = r.decrypt(r.master, msg); err != ErrUnauthenticated { if _, err = r.decrypt(r.master, []byte{}, msg); err != ErrUnauthenticated {
t.Fatal("wrong HMAC value not detected") t.Fatal("wrong HMAC value not detected")
} }
// test decryption // test decryption
p, err := r.decrypt(r.master, tv.ciphertext) p, err := r.decrypt(r.master, []byte{}, tv.ciphertext)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View File

@ -69,7 +69,7 @@ func TestEncryptDecrypt(t *testing.T) {
n, err := k.Encrypt(ciphertext, data) n, err := k.Encrypt(ciphertext, data)
ok(t, err) ok(t, err)
plaintext, err := k.Decrypt(ciphertext[:n]) plaintext, err := k.Decrypt(nil, ciphertext[:n])
ok(t, err) ok(t, err)
restic.FreeChunkBuf("TestEncryptDecrypt", ciphertext) restic.FreeChunkBuf("TestEncryptDecrypt", ciphertext)
@ -119,7 +119,7 @@ func TestLargeEncrypt(t *testing.T) {
n, err := k.Encrypt(ciphertext, data) n, err := k.Encrypt(ciphertext, data)
ok(t, err) ok(t, err)
plaintext, err := k.Decrypt(ciphertext[:n]) plaintext, err := k.Decrypt([]byte{}, ciphertext[:n])
ok(t, err) ok(t, err)
equals(t, plaintext, data) equals(t, plaintext, data)
@ -153,10 +153,11 @@ func BenchmarkEncrypt(b *testing.B) {
defer teardownBackend(b, be) defer teardownBackend(b, be)
k := setupKey(b, be, testPassword) k := setupKey(b, be, testPassword)
buf := make([]byte, len(data)+restic.CiphertextExtension)
b.ResetTimer() b.ResetTimer()
b.SetBytes(int64(size)) b.SetBytes(int64(size))
buf := make([]byte, len(data)+restic.CiphertextExtension)
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
_, err := k.Encrypt(buf, data) _, err := k.Encrypt(buf, data)
ok(b, err) ok(b, err)
@ -216,6 +217,8 @@ func BenchmarkEncryptDecryptReader(b *testing.B) {
_, err = io.Copy(ioutil.Discard, r) _, err = io.Copy(ioutil.Discard, r)
ok(b, err) ok(b, err)
} }
restic.PoolAlloc()
} }
func BenchmarkDecrypt(b *testing.B) { func BenchmarkDecrypt(b *testing.B) {
@ -227,6 +230,10 @@ func BenchmarkDecrypt(b *testing.B) {
k := setupKey(b, s, testPassword) k := setupKey(b, s, testPassword)
ciphertext := restic.GetChunkBuf("BenchmarkDecrypt") ciphertext := restic.GetChunkBuf("BenchmarkDecrypt")
defer restic.FreeChunkBuf("BenchmarkDecrypt", ciphertext)
plaintext := restic.GetChunkBuf("BenchmarkDecrypt")
defer restic.FreeChunkBuf("BenchmarkDecrypt", plaintext)
n, err := k.Encrypt(ciphertext, data) n, err := k.Encrypt(ciphertext, data)
ok(b, err) ok(b, err)
@ -234,10 +241,9 @@ func BenchmarkDecrypt(b *testing.B) {
b.SetBytes(int64(size)) b.SetBytes(int64(size))
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
_, err := k.Decrypt(ciphertext[:n]) plaintext, err = k.Decrypt(plaintext, ciphertext[:n])
ok(b, err) ok(b, err)
} }
restic.FreeChunkBuf("BenchmarkDecrypt", ciphertext)
} }
func TestEncryptStreamWriter(t *testing.T) { func TestEncryptStreamWriter(t *testing.T) {
@ -268,7 +274,7 @@ func TestEncryptStreamWriter(t *testing.T) {
l, len(ciphertext.Bytes())) l, len(ciphertext.Bytes()))
// decrypt with default function // decrypt with default function
plaintext, err := k.Decrypt(ciphertext.Bytes()) plaintext, err := k.Decrypt([]byte{}, ciphertext.Bytes())
ok(t, err) ok(t, err)
assert(t, bytes.Equal(data, plaintext), assert(t, bytes.Equal(data, plaintext),
"wrong plaintext after decryption: expected %02x, got %02x", "wrong plaintext after decryption: expected %02x, got %02x",
@ -342,7 +348,7 @@ func TestEncryptWriter(t *testing.T) {
l, len(ciphertext)) l, len(ciphertext))
// decrypt with default function // decrypt with default function
plaintext, err := k.Decrypt(ciphertext) plaintext, err := k.Decrypt([]byte{}, ciphertext)
ok(t, err) ok(t, err)
assert(t, bytes.Equal(data, plaintext), assert(t, bytes.Equal(data, plaintext),
"wrong plaintext after decryption: expected %02x, got %02x", "wrong plaintext after decryption: expected %02x, got %02x",

View File

@ -333,7 +333,7 @@ func (s Server) Decrypt(ciphertext []byte) ([]byte, error) {
return nil, errors.New("key for server not set") return nil, errors.New("key for server not set")
} }
return s.key.Decrypt(ciphertext) return s.key.Decrypt([]byte{}, ciphertext)
} }
func (s Server) Encrypt(ciphertext, plaintext []byte) (int, error) { func (s Server) Encrypt(ciphertext, plaintext []byte) (int, error) {
@ -361,7 +361,7 @@ func (s Server) EachDecrypted(t backend.Type, f func(backend.ID, []byte, error))
return return
} }
buf, err := s.key.Decrypt(data) buf, err := s.key.Decrypt([]byte{}, data)
if err != nil { if err != nil {
f(id, nil, err) f(id, nil, err)
return return