From 71a1dbb38b95c31f5c4bf5dc544ee9cc3f5874c7 Mon Sep 17 00:00:00 2001
From: Juerg Wullschleger <juerg@google.com>
Date: Tue, 23 May 2023 00:58:49 -0700
Subject: [PATCH] Always allocate new toAuthData, and specify the size needed.

This ensures that encrypt or decrypt do not have unexpected side-effects if associated data is a slice of a bigger byte array. See test.

PiperOrigin-RevId: 534332269
Change-Id: I063cea81c498b3a6ae2e4841461226dbda22190f
---
 aead/subtle/encrypt_then_authenticate.go      | 15 +++++++----
 aead/subtle/encrypt_then_authenticate_test.go | 25 +++++++++++++++++++
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/aead/subtle/encrypt_then_authenticate.go b/aead/subtle/encrypt_then_authenticate.go
index bfec634..c1e7ded 100644
--- a/aead/subtle/encrypt_then_authenticate.go
+++ b/aead/subtle/encrypt_then_authenticate.go
@@ -70,10 +70,12 @@ func (e *EncryptThenAuthenticate) Encrypt(plaintext, associatedData []byte) ([]b
 		return nil, fmt.Errorf("encrypt_then_authenticate: %v", err)
 	}
 
-	toAuthData := append(associatedData, ciphertext...)
 	adSizeInBits := uint64(len(associatedData)) * 8
-	toAuthData = append(toAuthData, uint64ToByte(adSizeInBits)...)
-
+	adSizeInBitsEncoded := uint64ToByte(adSizeInBits)
+	toAuthData := make([]byte, 0, len(associatedData)+len(ciphertext)+len(adSizeInBitsEncoded))
+	toAuthData = append(toAuthData, associatedData...)
+	toAuthData = append(toAuthData, ciphertext...)
+	toAuthData = append(toAuthData, adSizeInBitsEncoded...)
 	tag, err := e.mac.ComputeMAC(toAuthData)
 	if err != nil {
 		return nil, fmt.Errorf("encrypt_then_authenticate: %v", err)
@@ -98,9 +100,12 @@ func (e *EncryptThenAuthenticate) Decrypt(ciphertext, associatedData []byte) ([]
 
 	// Authenticate the following data:
 	// associatedData || payload || adSizeInBits
-	toAuthData := append(associatedData, payload...)
 	adSizeInBits := uint64(len(associatedData)) * 8
-	toAuthData = append(toAuthData, uint64ToByte(adSizeInBits)...)
+	adSizeInBitsEncoded := uint64ToByte(adSizeInBits)
+	toAuthData := make([]byte, 0, len(associatedData)+len(payload)+len(adSizeInBitsEncoded))
+	toAuthData = append(toAuthData, associatedData...)
+	toAuthData = append(toAuthData, payload...)
+	toAuthData = append(toAuthData, adSizeInBitsEncoded...)
 
 	err := e.mac.VerifyMAC(ciphertext[len(ciphertext)-e.tagSize:], toAuthData)
 	if err != nil {
diff --git a/aead/subtle/encrypt_then_authenticate_test.go b/aead/subtle/encrypt_then_authenticate_test.go
index e04a56a..d2eb750 100644
--- a/aead/subtle/encrypt_then_authenticate_test.go
+++ b/aead/subtle/encrypt_then_authenticate_test.go
@@ -175,6 +175,31 @@ func TestETAEncryptDecrypt(t *testing.T) {
 	}
 }
 
+func TestETAWithAssociatedDataSlice(t *testing.T) {
+	const keySize = 16
+	const ivSize = 12
+	const macKeySize = 16
+	const tagSize = 16
+	cipher, err := createAEAD(keySize, ivSize, "SHA1", macKeySize, tagSize)
+	if err != nil {
+		t.Fatalf("got: %v, want: success", err)
+	}
+
+	message := []byte("message")
+	largeData := []byte("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
+	associatedData := largeData[:1]
+
+	_, err = cipher.Encrypt(message, associatedData)
+	if err != nil {
+		t.Fatalf("encryption failed, error: %v", err)
+	}
+
+	wantLargeData := []byte("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
+	if !bytes.Equal(largeData, wantLargeData) {
+		t.Errorf("largeData = %q, want: %q", largeData, wantLargeData)
+	}
+}
+
 func TestETAEncryptDecryptRandomMessage(t *testing.T) {
 	const keySize = 16
 	const ivSize = 12