Keep pre-warmed encryption state between operations#74
Open
bifurcation wants to merge 8 commits intomainfrom
Open
Keep pre-warmed encryption state between operations#74bifurcation wants to merge 8 commits intomainfrom
bifurcation wants to merge 8 commits intomainfrom
Conversation
Addresses #55 by caching cipher contexts to avoid redundant key schedule computation on every seal/open call. Changes: - Add CipherState class to crypto.h with RAII-managed cipher handle - KeyRecord now holds a std::unique_ptr<CipherState> for cached state - All three backends (OpenSSL 3.x, OpenSSL 1.1, BoringSSL) implement: - GCM suites: EVP_CIPHER_CTX cached and reset with new nonce only - CTR+HMAC suites: Both AES-CTR and HMAC contexts cached The key optimization is that EVP_EncryptInit_ex/EVP_DecryptInit_ex with nullptr for cipher preserves the key schedule while updating the nonce. Similarly, HMAC_Init_ex with nullptr key preserves the HMAC key state. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CipherHandle is now EVP_CIPHER_CTX via reinterpret_cast - Add separate HmacHandle struct for HMAC state - CipherState members are now cipher_handle and hmac_handle - Use unique_ptr throughout to avoid raw pointer temporaries - Fix BoringSSL endif comment Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Consolidate CipherDeleter and HmacDeleter into single Deleter struct with overloaded operator() - For OpenSSL 1.1 and BoringSSL, HmacHandle is now a direct cast to HMAC_CTX (like CipherHandle to EVP_CIPHER_CTX) - For OpenSSL 3.x, HmacHandle struct uses unique_ptr for members - Move scoped typedefs to top of files, remove duplicates - Use scoped_evp_ctx and scoped_hmac_ctx in create_seal/create_open Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Define CipherHandle and HmacHandle as actual structs wrapping unique_ptr members (no more reinterpret_cast) - Remove forward declarations, move helper functions earlier in file - Consolidate seal_ctr/open_ctr/seal_aead/open_aead to take contexts - Stateless seal/open now create temporary CipherState and delegate - Removes ~840 lines of duplicate code Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The struct HMAC name conflicts with OpenSSL's HMAC function. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses #55 by caching cipher contexts to avoid redundant key schedule computation on every
seal()/open()call.CipherStateclass tocrypto.hwith RAII-managed cipher handleKeyRecordnow holds astd::unique_ptr<CipherState>for cached stateHow it works
GCM suites:
EVP_CIPHER_CTXis cached and initialized once with the key. On each operation,EVP_EncryptInit_ex(ctx, nullptr, nullptr, nullptr, nonce)resets with the new nonce while preserving the key schedule.CTR+HMAC suites: Both AES-CTR (
EVP_CIPHER_CTX) and HMAC contexts are cached.HMAC_Init_ex(ctx, nullptr, 0, nullptr, nullptr)resets HMAC state while preserving the key.Fixes #55
Test plan
🤖 Generated with Claude Code