Example (disabled) padding strategy for attachment sender

The padding strategy the sender uses can change without needing to
update the receiver, so long as we continue to record the unpadded
length of the attachment in the attachment pointer.

// FREEBIE

SignalServiceKit/src/Util/Cryptography.m

@@ -363,6 +363,19 @@ const NSUInteger kAES256_KeyByteLength = 32;
     }
 }
 
++ (unsigned long)paddedSize:(unsigned long)unpaddedSize
+{
+    // Don't enable this until clients are sufficiently rolled out.
+    BOOL shouldPad = NO;
+    if (shouldPad) {
+        // Note: This just rounds up to the nearsest power of two,
+        // but the actual padding scheme is TBD
+        return pow(2, ceil( log2( unpaddedSize )));
+    } else {
+        return unpaddedSize;
+    }
+}
+
 + (NSData *)encryptAttachmentData:(NSData *)attachmentData
                            outKey:(NSData *_Nonnull *_Nullable)outKey
                         outDigest:(NSData *_Nonnull *_Nullable)outDigest
@@ -377,8 +390,13 @@ const NSUInteger kAES256_KeyByteLength = 32;
     [attachmentKey appendData:hmacKey];
     *outKey = [attachmentKey copy];
 
+    // Apply any padding
+    unsigned long desiredSize = [self paddedSize:attachmentData.length];
+    NSMutableData *paddedAttachmentData = [attachmentData mutableCopy];
+    paddedAttachmentData.length = desiredSize;
+
     // Encrypt
-    size_t bufferSize = [attachmentData length] + kCCBlockSizeAES128;
+    size_t bufferSize = [paddedAttachmentData length] + kCCBlockSizeAES128;
     void *buffer = malloc(bufferSize);
 
     if (buffer == NULL) {
@@ -393,8 +411,8 @@ const NSUInteger kAES256_KeyByteLength = 32;
                                           [encryptionKey bytes],
                                           [encryptionKey length],
                                           [iv bytes],
-                                          [attachmentData bytes],
+                                          [paddedAttachmentData bytes],
-                                          [attachmentData length],
+                                          [paddedAttachmentData length],
                                           buffer,
                                           bufferSize,
                                           &bytesEncrypted);
@@ -407,22 +425,22 @@ const NSUInteger kAES256_KeyByteLength = 32;
 
     NSData *cipherText = [NSData dataWithBytesNoCopy:buffer length:bytesEncrypted freeWhenDone:YES];
 
-    NSMutableData *encryptedAttachmentData = [NSMutableData data];
+    NSMutableData *encryptedPaddedData = [NSMutableData data];
-    [encryptedAttachmentData appendData:iv];
+    [encryptedPaddedData appendData:iv];
-    [encryptedAttachmentData appendData:cipherText];
+    [encryptedPaddedData appendData:cipherText];
 
     // compute hmac of: iv || encrypted data
     NSData *hmac =
-        [Cryptography truncatedSHA256HMAC:encryptedAttachmentData withHMACKey:hmacKey truncation:HMAC256_OUTPUT_LENGTH];
+        [Cryptography truncatedSHA256HMAC:encryptedPaddedData withHMACKey:hmacKey truncation:HMAC256_OUTPUT_LENGTH];
     DDLogVerbose(@"%@ computed hmac: %@", self.tag, hmac);
 
-    [encryptedAttachmentData appendData:hmac];
+    [encryptedPaddedData appendData:hmac];
 
     // compute digest of: iv || encrypted data || hmac
-    *outDigest = [self computeSHA256Digest:encryptedAttachmentData];
+    *outDigest = [self computeSHA256Digest:encryptedPaddedData];
     DDLogVerbose(@"%@ computed digest: %@", self.tag, *outDigest);
 
-    return [encryptedAttachmentData copy];
+    return [encryptedPaddedData copy];
 }
 
 + (nullable NSData *)encryptAESGCMWithData:(NSData *)plaintext key:(OWSAES256Key *)key