From 693875e3f2f814d65bfbb89271d9d880f0ea83a3 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 6 Sep 2018 13:19:11 -0400
Subject: [PATCH] [dev.boringcrypto] crypto/internal/boring: avoid an
 allocation in AES-GCM Seal and Open
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

name            old time/op    new time/op    delta
AESGCMSeal1K-8     668ns ± 1%     643ns ± 1%    -3.74%  (p=0.008 n=5+5)
AESGCMOpen1K-8     664ns ± 2%     640ns ± 2%    -3.59%  (p=0.016 n=5+5)
AESGCMSign8K-8    1.44µs ± 1%    1.41µs ± 2%      ~     (p=0.087 n=5+5)
AESGCMSeal8K-8    3.32µs ± 1%    3.31µs ± 2%      ~     (p=0.690 n=5+5)
AESGCMOpen8K-8    3.34µs ± 2%    3.27µs ± 2%    -2.07%  (p=0.032 n=5+5)

name            old speed      new speed      delta
AESGCMSeal1K-8  1.53GB/s ± 1%  1.59GB/s ± 1%    +3.90%  (p=0.008 n=5+5)
AESGCMOpen1K-8  1.54GB/s ± 2%  1.60GB/s ± 2%    +3.71%  (p=0.016 n=5+5)
AESGCMSign8K-8  5.67GB/s ± 2%  5.79GB/s ± 2%      ~     (p=0.095 n=5+5)
AESGCMSeal8K-8  2.47GB/s ± 1%  2.47GB/s ± 2%      ~     (p=0.690 n=5+5)
AESGCMOpen8K-8  2.45GB/s ± 2%  2.50GB/s ± 2%    +2.11%  (p=0.032 n=5+5)

name            old alloc/op   new alloc/op   delta
AESGCMSeal1K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMOpen1K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMSign8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMSeal8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)
AESGCMOpen8K-8     8.00B ± 0%     0.00B       -100.00%  (p=0.008 n=5+5)

name            old allocs/op  new allocs/op  delta
AESGCMSeal1K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMOpen1K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMSign8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMSeal8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)
AESGCMOpen8K-8      1.00 ± 0%      0.00       -100.00%  (p=0.008 n=5+5)

Change-Id: Ie2de0ad6b2f59b33af267b4e04aa6dff97b4ab75
Reviewed-on: https://go-review.googlesource.com/133836
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 src/crypto/internal/boring/aes.go | 55 +++++++++++++++++++++++--------
 1 file changed, 42 insertions(+), 13 deletions(-)

diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
index 881cd8e2dd..504a841cd8 100644
--- a/src/crypto/internal/boring/aes.go
+++ b/src/crypto/internal/boring/aes.go
@@ -9,7 +9,42 @@
 
 package boring
 
-// #include "goboringcrypto.h"
+/*
+
+#include "goboringcrypto.h"
+
+// These wrappers allocate out_len on the C stack, and check that it matches the expected
+// value, to avoid having to pass a pointer from Go, which would escape to the heap.
+
+int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+*/
 import "C"
 import (
 	"crypto/cipher"
@@ -289,10 +324,10 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 		panic("cipher: invalid buffer overlap")
 	}
 
-	var outLen C.size_t
-	ok := C._goboringcrypto_EVP_AEAD_CTX_seal(
+	outLen := C.size_t(len(plaintext) + gcmTagSize)
+	ok := C.EVP_AEAD_CTX_seal_wrapper(
 		&g.ctx,
-		(*C.uint8_t)(unsafe.Pointer(&dst[n])), &outLen, C.size_t(len(plaintext)+gcmTagSize),
+		(*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen,
 		base(nonce), C.size_t(len(nonce)),
 		base(plaintext), C.size_t(len(plaintext)),
 		base(additionalData), C.size_t(len(additionalData)))
@@ -300,9 +335,6 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 	if ok == 0 {
 		panic(fail("EVP_AEAD_CTX_seal"))
 	}
-	if outLen != C.size_t(len(plaintext)+gcmTagSize) {
-		panic("boringcrypto: internal confusion about GCM tag size")
-	}
 	return dst[:n+int(outLen)]
 }
 
@@ -331,10 +363,10 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
 		panic("cipher: invalid buffer overlap")
 	}
 
-	var outLen C.size_t
-	ok := C._goboringcrypto_EVP_AEAD_CTX_open(
+	outLen := C.size_t(len(ciphertext) - gcmTagSize)
+	ok := C.EVP_AEAD_CTX_open_wrapper(
 		&g.ctx,
-		base(dst[n:]), &outLen, C.size_t(len(ciphertext)-gcmTagSize),
+		base(dst[n:]), outLen,
 		base(nonce), C.size_t(len(nonce)),
 		base(ciphertext), C.size_t(len(ciphertext)),
 		base(additionalData), C.size_t(len(additionalData)))
@@ -342,9 +374,6 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
 	if ok == 0 {
 		return nil, errOpen
 	}
-	if outLen != C.size_t(len(ciphertext)-gcmTagSize) {
-		panic("boringcrypto: internal confusion about GCM tag size")
-	}
 	return dst[:n+int(outLen)], nil
 }
 
-- 
2.48.1