chacha20poly1305: Switch to one-pass encryption and decryption

str4d · str4d · commit 217851e10bc5 · 2022-04-21T16:24:08.000Z
diff --git a/chacha20poly1305/src/cipher.rs b/chacha20poly1305/src/cipher.rs
@@ -58,10 +58,10 @@ where
 
         self.mac.update_padded(associated_data);
 
-        // TODO(tarcieri): interleave encryption with Poly1305
-        // See: <https://github.com/RustCrypto/AEADs/issues/74>
-        self.cipher.apply_keystream(buffer);
-        self.mac.update_padded(buffer);
+        for block in buffer.chunks_mut(BLOCK_SIZE) {
+            self.cipher.apply_keystream(block);
+            self.mac.update_padded(block);
+        }
 
         self.authenticate_lengths(associated_data, buffer)?;
         Ok(self.mac.finalize())
@@ -80,16 +80,22 @@ where
         }
 
         self.mac.update_padded(associated_data);
-        self.mac.update_padded(buffer);
+
+        for block in buffer.chunks_mut(BLOCK_SIZE) {
+            self.mac.update_padded(block);
+            self.cipher.apply_keystream(block);
+        }
+
         self.authenticate_lengths(associated_data, buffer)?;
 
         // This performs a constant-time comparison using the `subtle` crate
         if self.mac.verify(tag).is_ok() {
-            // TODO(tarcieri): interleave decryption with Poly1305
-            // See: <https://github.com/RustCrypto/AEADs/issues/74>
-            self.cipher.apply_keystream(buffer);
             Ok(())
         } else {
+            // On MAC verify failure, re-encrypt the plaintext buffer to prevent
+            // accidental exposure.
+            self.cipher.seek(BLOCK_SIZE as u64);
+            self.cipher.apply_keystream(buffer);
             Err(Error)
         }
     }
