Skip to content

Keep pre-warmed encryption state between operations #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bifurcation wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Keep pre-warmed encryption state between operations #74

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
1bdab9c
Keep pre-warmed encryption state between operations
bifurcation Mar 5, 2026
3cefbad
clang-format
bifurcation Mar 5, 2026
0a6e713
Add .claude to gitignore
bifurcation Mar 5, 2026
dc77df7
Hold CipherState by value in KeyRecord
bifurcation Mar 5, 2026
ce4a43e
Simplify CipherHandle to be a direct typedef for EVP_CIPHER_CTX
bifurcation Mar 5, 2026
2d69846
Refactor CipherState to use consolidated Deleter and direct casts
bifurcation Mar 5, 2026
2518f14
Eliminate reinterpret_cast and consolidate duplicate AEAD code
bifurcation Mar 5, 2026
68d428e
Rename HMAC struct to HMACForHKDF to avoid OpenSSL 1.1 conflict
bifurcation Mar 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,4 @@ build
*.exe
*.out
*.app
.claude/
59 changes: 57 additions & 2 deletions include/sframe/sframe.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
#pragma once

#include <gsl/gsl-lite.hpp>
#include <memory>
#include <optional>

#include <sframe/map.h>
Expand Down Expand Up @@ -84,20 +85,74 @@ enum struct KeyUsage
unprotect,
};

///
/// CipherState - pre-warmed cipher state for efficient repeated operations
///
/// Holds a pre-initialized cipher context so that expensive key schedule
/// computation happens once at construction, not on every seal/open call.
///

// Opaque handles - defined by each crypto backend
struct CipherHandle;
struct HmacHandle;

struct CipherState
{
static CipherState create_seal(CipherSuite suite, input_bytes key);
static CipherState create_open(CipherSuite suite, input_bytes key);

output_bytes seal(input_bytes nonce,
output_bytes ct,
input_bytes aad,
input_bytes pt);

output_bytes open(input_bytes nonce,
output_bytes pt,
input_bytes aad,
input_bytes ct);

private:
struct Deleter
{
void operator()(CipherHandle* h) const;
void operator()(HmacHandle* h) const;
};

std::unique_ptr<CipherHandle, Deleter> cipher_handle;
std::unique_ptr<HmacHandle, Deleter> hmac_handle; // null for GCM
CipherSuite suite;

CipherState(CipherHandle* cipher, HmacHandle* hmac, CipherSuite suite);
};

struct KeyRecord
{
static constexpr size_t max_key_size = 48;
static constexpr size_t max_salt_size = 12;

static KeyRecord from_base_key(CipherSuite suite,
KeyID key_id,
KeyUsage usage,
input_bytes base_key);

static constexpr size_t max_key_size = 48;
static constexpr size_t max_salt_size = 12;
KeyRecord(owned_bytes<max_key_size> key,
owned_bytes<max_salt_size> salt,
KeyUsage usage,
Counter counter,
CipherState cipher);
~KeyRecord();

KeyRecord(KeyRecord&&) noexcept;
KeyRecord& operator=(KeyRecord&&) noexcept;

KeyRecord(const KeyRecord&) = delete;
KeyRecord& operator=(const KeyRecord&) = delete;

owned_bytes<max_key_size> key;
owned_bytes<max_salt_size> salt;
KeyUsage usage;
Counter counter;
CipherState cipher; // Pre-warmed cipher state
};

// Context applies the full SFrame transform. It tracks a counter for each key
Expand Down
Loading
Loading