[dev.boringcrypto] crypto/internal/boring: avoid an allocation in AES-GCM Seal and...
authorFilippo Valsorda <filippo@golang.org>
Thu, 6 Sep 2018 17:19:11 +0000 (13:19 -0400)
committerFilippo Valsorda <filippo@golang.org>
Fri, 7 Sep 2018 17:32:15 +0000 (17:32 +0000)
name            old time/op    new time/op    delta
AESGCMSeal1K-8     668ns ± 1%     643ns ± 1%    -3.74%  (p=0.008 n=5+5)
AESGCMOpen1K-8     664ns ± 2%     640ns ± 2%    -3.59%  (p=0.016 n=5+5)
AESGCMSign8K-8    1.44µs ± 1%    1.41µs ± 2%      ~     (p=0.087 n=5+5)
AESGCMSeal8K-8    3.32µs ± 1%    3.31µs ± 2%      ~     (p=0.690 n=5+5)
AESGCMOpen8K-8    3.34µs ± 2%    3.27µs ± 2%    -2.07%  (p=0.032 n=5+5)

name            old speed      new speed      delta
AESGCMSeal1K-8  1.53GB/s ± 1%  1.59GB/s ± 1%    +3.90%  (p=0.008 n=5+5)
AESGCMOpen1K-8  1.54GB/s ± 2%  1.60GB/s ± 2%    +3.71%  (p=0.016 n=5+5)
AESGCMSign8K-8  5.67GB/s ± 2%  5.79GB/s ± 2%      ~     (p=0.095 n=5+5)
AESGCMSeal8K-8  2.47GB/s ± 1%  2.47GB/s ± 2%      ~     (p=0.690 n=5+5)
AESGCMOpen8K-8  2.45GB/s ± 2%  2.50GB/s ± 2%    +2.11%  (p=0.032 n=5+5)

name            old alloc/op   new alloc/op   delta
AESGCMSeal1K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMOpen1K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMSign8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMSeal8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMOpen8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)

name            old allocs/op  new allocs/op  delta
AESGCMSeal1K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMOpen1K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMSign8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMSeal8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMOpen8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)

Change-Id: Ie2de0ad6b2f59b33af267b4e04aa6dff97b4ab75
Reviewed-on: https://go-review.googlesource.com/133836
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/crypto/internal/boring/aes.go

index 881cd8e2ddc7ce94b6f3812f908d14bb815155a3..504a841cd82719dbd66c516680c5c839c3d5fb86 100644 (file)
@@ -9,7 +9,42 @@
 
 package boring
 
-// #include "goboringcrypto.h"
+/*
+
+#include "goboringcrypto.h"
+
+// These wrappers allocate out_len on the C stack, and check that it matches the expected
+// value, to avoid having to pass a pointer from Go, which would escape to the heap.
+
+int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+                                                         size_t exp_out_len,
+                                                         const uint8_t *nonce, size_t nonce_len,
+                                                         const uint8_t *in, size_t in_len,
+                                                         const uint8_t *ad, size_t ad_len) {
+       size_t out_len;
+       int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len,
+               nonce, nonce_len, in, in_len, ad, ad_len);
+       if (out_len != exp_out_len) {
+               return 0;
+       }
+       return ok;
+};
+
+int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+                                                         size_t exp_out_len,
+                                                         const uint8_t *nonce, size_t nonce_len,
+                                                         const uint8_t *in, size_t in_len,
+                                                         const uint8_t *ad, size_t ad_len) {
+       size_t out_len;
+       int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len,
+               nonce, nonce_len, in, in_len, ad, ad_len);
+       if (out_len != exp_out_len) {
+               return 0;
+       }
+       return ok;
+};
+
+*/
 import "C"
 import (
        "crypto/cipher"
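Review bot: `size_t out_len;` in both wrappers is left uninitialized and is compared against `exp_out_len` before `ok` is consulted, so the check is only sound if `_goboringcrypto_EVP_AEAD_CTX_seal`/`_open` store to `*out_len` on every failure path; I believe BoringSSL does zero it on error, but a build that returns 0 without writing it would make this comparison read an indeterminate value, which is undefined behaviour in C. Initialize it, `size_t out_len = 0;`, or test the result first, `if (!ok) return 0;`, before the length comparison. Returning 0 for the mismatch also folds an internal invariant violation into the same value as a genuine seal/open failure; returning a distinct code there, `return -1;`, would let the Go side keep reporting it separately. The `};` after each function body is a stray empty declaration at file scope (rejected by pedantic C); drop the semicolons.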
@@ -289,10 +324,10 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
                panic("cipher: invalid buffer overlap")
        }
 
-       var outLen C.size_t
-       ok := C._goboringcrypto_EVP_AEAD_CTX_seal(
+       outLen := C.size_t(len(plaintext) + gcmTagSize)
+       ok := C.EVP_AEAD_CTX_seal_wrapper(
                &g.ctx,
-               (*C.uint8_t)(unsafe.Pointer(&dst[n])), &outLen, C.size_t(len(plaintext)+gcmTagSize),
+               (*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen,
                base(nonce), C.size_t(len(nonce)),
                base(plaintext), C.size_t(len(plaintext)),
                base(additionalData), C.size_t(len(additionalData)))
@@ -300,9 +335,6 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
        if ok == 0 {
                panic(fail("EVP_AEAD_CTX_seal"))
        }
-       if outLen != C.size_t(len(plaintext)+gcmTagSize) {
-               panic("boringcrypto: internal confusion about GCM tag size")
-       }
        return dst[:n+int(outLen)]
 }
 
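Review bot: Removing the `outLen != len(plaintext)+gcmTagSize` check means a length mismatch from the wrapper now reaches `panic(fail("EVP_AEAD_CTX_seal"))`, and `fail` (defined outside this hunk) presumably formats BoringSSL's error state, which a mismatch never populates, so the panic would misattribute the cause; in Open the same mismatch surfaces as `errOpen`, i.e. as an authentication failure rather than an internal bug. If the wrapper returns a distinct code such as `-1` on mismatch, restore the diagnostic here with `if ok < 0 { panic("boringcrypto: internal confusion about GCM tag size") }` ahead of the `ok == 0` check, and mirror it in Open. Seal's body begins outside this hunk.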
@@ -331,10 +363,10 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
                panic("cipher: invalid buffer overlap")
        }
 
-       var outLen C.size_t
-       ok := C._goboringcrypto_EVP_AEAD_CTX_open(
+       outLen := C.size_t(len(ciphertext) - gcmTagSize)
+       ok := C.EVP_AEAD_CTX_open_wrapper(
                &g.ctx,
-               base(dst[n:]), &outLen, C.size_t(len(ciphertext)-gcmTagSize),
+               base(dst[n:]), outLen,
                base(nonce), C.size_t(len(nonce)),
                base(ciphertext), C.size_t(len(ciphertext)),
                base(additionalData), C.size_t(len(additionalData)))
@@ -342,9 +374,6 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
        if ok == 0 {
                return nil, errOpen
        }
-       if outLen != C.size_t(len(ciphertext)-gcmTagSize) {
-               panic("boringcrypto: internal confusion about GCM tag size")
-       }
        return dst[:n+int(outLen)], nil
 }