[dev.boringcrypto] crypto/internal/boring: avoid an allocation in AES-GCM Seal and Open

name old time/op new time/op delta AESGCMSeal1K-8 668ns ± 1% 643ns ± 1% -3.74% (p=0.008 n=5+5) AESGCMOpen1K-8 664ns ± 2% 640ns ± 2% -3.59% (p=0.016 n=5+5) AESGCMSign8K-8 1.44µs ± 1% 1.41µs ± 2% ~ (p=0.087 n=5+5) AESGCMSeal8K-8 3.32µs ± 1% 3.31µs ± 2% ~ (p=0.690 n=5+5) AESGCMOpen8K-8 3.34µs ± 2% 3.27µs ± 2% -2.07% (p=0.032 n=5+5) name old speed new speed delta AESGCMSeal1K-8 1.53GB/s ± 1% 1.59GB/s ± 1% +3.90% (p=0.008 n=5+5) AESGCMOpen1K-8 1.54GB/s ± 2% 1.60GB/s ± 2% +3.71% (p=0.016 n=5+5) AESGCMSign8K-8 5.67GB/s ± 2% 5.79GB/s ± 2% ~ (p=0.095 n=5+5) AESGCMSeal8K-8 2.47GB/s ± 1% 2.47GB/s ± 2% ~ (p=0.690 n=5+5) AESGCMOpen8K-8 2.45GB/s ± 2% 2.50GB/s ± 2% +2.11% (p=0.032 n=5+5) name old alloc/op new alloc/op delta AESGCMSeal1K-8 8.00B ± 0% 0.00B -100.00% (p=0.008 n=5+5) AESGCMOpen1K-8 8.00B ± 0% 0.00B -100.00% (p=0.008 n=5+5) AESGCMSign8K-8 8.00B ± 0% 0.00B -100.00% (p=0.008 n=5+5) AESGCMSeal8K-8 8.00B ± 0% 0.00B -100.00% (p=0.008 n=5+5) AESGCMOpen8K-8 8.00B ± 0% 0.00B -100.00% (p=0.008 n=5+5) name old allocs/op new allocs/op delta AESGCMSeal1K-8 1.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) AESGCMOpen1K-8 1.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) AESGCMSign8K-8 1.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) AESGCMSeal8K-8 1.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) AESGCMOpen8K-8 1.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) Change-Id: Ie2de0ad6b2f59b33af267b4e04aa6dff97b4ab75 Reviewed-on: https://go-review.googlesource.com/133836 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2018-09-06 13:19:11 -04:00 · 2018-09-06 13:19:11 -04:00 · 693875e3f2
parent 4d1aa482b8
commit 693875e3f2
1 changed files with 42 additions and 13 deletions
--- a/src/crypto/internal/boring/aes.go
+++ b/src/crypto/internal/boring/aes.go
@ -9,7 +9,42 @@

 package boring

-// #include "goboringcrypto.h"
+/*
+
+#include "goboringcrypto.h"
+
+// These wrappers allocate out_len on the C stack, and check that it matches the expected
+// value, to avoid having to pass a pointer from Go, which would escape to the heap.
+
+int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+*/
 import "C"
 import (
 	"crypto/cipher"
@ -289,10 +324,10 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 		panic("cipher: invalid buffer overlap")
 	}

-	var outLen C.size_t
-	ok := C._goboringcrypto_EVP_AEAD_CTX_seal(
+	outLen := C.size_t(len(plaintext) + gcmTagSize)
+	ok := C.EVP_AEAD_CTX_seal_wrapper(
 		&g.ctx,
-		(*C.uint8_t)(unsafe.Pointer(&dst[n])), &outLen, C.size_t(len(plaintext)+gcmTagSize),
+		(*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen,
 		base(nonce), C.size_t(len(nonce)),
 		base(plaintext), C.size_t(len(plaintext)),
 		base(additionalData), C.size_t(len(additionalData)))
@ -300,9 +335,6 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 	if ok == 0 {
 		panic(fail("EVP_AEAD_CTX_seal"))
 	}
-	if outLen != C.size_t(len(plaintext)+gcmTagSize) {
-		panic("boringcrypto: internal confusion about GCM tag size")
-	}
 	return dst[:n+int(outLen)]
 }

@ -331,10 +363,10 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
 		panic("cipher: invalid buffer overlap")
 	}

-	var outLen C.size_t
-	ok := C._goboringcrypto_EVP_AEAD_CTX_open(
+	outLen := C.size_t(len(ciphertext) - gcmTagSize)
+	ok := C.EVP_AEAD_CTX_open_wrapper(
 		&g.ctx,
-		base(dst[n:]), &outLen, C.size_t(len(ciphertext)-gcmTagSize),
+		base(dst[n:]), outLen,
 		base(nonce), C.size_t(len(nonce)),
 		base(ciphertext), C.size_t(len(ciphertext)),
 		base(additionalData), C.size_t(len(additionalData)))
@ -342,9 +374,6 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
 	if ok == 0 {
 		return nil, errOpen
 	}
-	if outLen != C.size_t(len(ciphertext)-gcmTagSize) {
-		panic("boringcrypto: internal confusion about GCM tag size")
-	}
 	return dst[:n+int(outLen)], nil
 }