libgocryptfs/internal/stupidgcm/openssl.go

// +build !without_openssl

package stupidgcm

import (
	"fmt"
	"log"
)

/*
#include "openssl_aead.h"
#cgo pkg-config: libcrypto
*/
import "C"

func openSSLSeal(a *stupidAEADCommon, dst, iv, in, authData []byte) []byte {
	if a.Wiped() {
		log.Panic("BUG: tried to use wiped key")
	}
	if len(iv) != a.NonceSize() {
		log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
	}

	// If the "dst" slice is large enough we can use it as our output buffer
	outLen := len(in) + tagLen
	var buf []byte
	inplace := false
	if cap(dst)-len(dst) >= outLen {
		inplace = true
		buf = dst[len(dst) : len(dst)+outLen]
	} else {
		buf = make([]byte, outLen)
	}

	res := int(C.openssl_aead_seal(a.openSSLEVPCipher,
		slicePointerOrNull(in),
		C.int(len(in)),
		(*C.uchar)(&authData[0]),
		C.int(len(authData)),
		(*C.uchar)(&a.key[0]),
		C.int(len(a.key)),
		(*C.uchar)(&iv[0]),
		C.int(len(iv)),
		(*C.uchar)(&buf[0]),
		C.int(len(buf))))

	if res != outLen {
		log.Panicf("expected length %d, got %d", outLen, res)
	}

	if inplace {
		return dst[:len(dst)+outLen]
	}
	return append(dst, buf...)
}

func openSSLOpen(a *stupidAEADCommon, dst, iv, in, authData []byte) ([]byte, error) {
	if a.Wiped() {
		log.Panic("BUG: tried to use wiped key")
	}
	if len(iv) != a.NonceSize() {
		log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
	}
	if len(in) < tagLen {
		return nil, fmt.Errorf("stupidChacha20poly1305: input data too short (%d bytes)", len(in))
	}

	// If the "dst" slice is large enough we can use it as our output buffer
	outLen := len(in) - tagLen
	var buf []byte
	inplace := false
	if cap(dst)-len(dst) >= outLen {
		inplace = true
		buf = dst[len(dst) : len(dst)+outLen]
	} else {
		buf = make([]byte, len(in)-tagLen)
	}

	ciphertext := in[:len(in)-tagLen]
	tag := in[len(in)-tagLen:]

	res := int(C.openssl_aead_open(a.openSSLEVPCipher,
		slicePointerOrNull(ciphertext),
		C.int(len(ciphertext)),
		(*C.uchar)(&authData[0]),
		C.int(len(authData)),
		(*C.uchar)(&tag[0]),
		C.int(len(tag)),
		(*C.uchar)(&a.key[0]),
		C.int(len(a.key)),
		(*C.uchar)(&iv[0]),
		C.int(len(iv)),
		slicePointerOrNull(buf),
		C.int(len(buf))))

	if res < 0 {
		return nil, ErrAuth
	}
	if res != outLen {
		log.Panicf("unexpected length %d", res)
	}

	if inplace {
		return dst[:len(dst)+outLen], nil
	}
	return append(dst, buf...), nil
}

// slicePointerOrNull returns a C pointer to the beginning of the byte slice,
// or NULL if the byte slice is empty. This is useful for slices that can be
// empty, otherwise you can directly use "(*C.uchar)(&s[0])".
func slicePointerOrNull(s []byte) (ptr *C.uchar) {
	if len(s) == 0 {
		return
	}
	return (*C.uchar)(&s[0])
}

// This functions exists to benchmark the C call overhead from Go.
// See BenchmarkCCall for resuts.
func noopCFunction() {
	C.noop_c_function()
}
stupidgcm: fix without_openssl build $ ./build-without-openssl.bash internal/speed/speed.go:152:14: undefined: stupidgcm.NewXchacha20poly1305 2021-09-04 11:58:43 +02:00			`// +build !without_openssl`

stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`package stupidgcm`

			`import (`
			`"fmt"`
			`"log"`
			`)`

			`/*`
			`#include "openssl_aead.h"`
			`#cgo pkg-config: libcrypto`
			`*/`
			`import "C"`

			`func openSSLSeal(a *stupidAEADCommon, dst, iv, in, authData []byte) []byte {`
			`if a.Wiped() {`
stupidgcm: replace naked panics 2021-09-04 12:01:50 +02:00			`log.Panic("BUG: tried to use wiped key")`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`}`
			`if len(iv) != a.NonceSize() {`
			`log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))`
			`}`

			`// If the "dst" slice is large enough we can use it as our output buffer`
			`outLen := len(in) + tagLen`
			`var buf []byte`
			`inplace := false`
			`if cap(dst)-len(dst) >= outLen {`
			`inplace = true`
			`buf = dst[len(dst) : len(dst)+outLen]`
			`} else {`
			`buf = make([]byte, outLen)`
			`}`

			`res := int(C.openssl_aead_seal(a.openSSLEVPCipher,`
stupidgcm: allow zero-length input data We used to panic in this case because it is useless. But Go stdlib supports it, so we should as well. 2021-09-07 17:47:48 +02:00			`slicePointerOrNull(in),`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`C.int(len(in)),`
			`(*C.uchar)(&authData[0]),`
			`C.int(len(authData)),`
			`(*C.uchar)(&a.key[0]),`
			`C.int(len(a.key)),`
			`(*C.uchar)(&iv[0]),`
			`C.int(len(iv)),`
			`(*C.uchar)(&buf[0]),`
			`C.int(len(buf))))`

			`if res != outLen {`
			`log.Panicf("expected length %d, got %d", outLen, res)`
			`}`

			`if inplace {`
			`return dst[:len(dst)+outLen]`
			`}`
			`return append(dst, buf...)`
			`}`

			`func openSSLOpen(a *stupidAEADCommon, dst, iv, in, authData []byte) ([]byte, error) {`
			`if a.Wiped() {`
stupidgcm: replace naked panics 2021-09-04 12:01:50 +02:00			`log.Panic("BUG: tried to use wiped key")`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`}`
			`if len(iv) != a.NonceSize() {`
			`log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))`
			`}`
stupidgcm: allow zero-length input data We used to panic in this case because it is useless. But Go stdlib supports it, so we should as well. 2021-09-07 17:47:48 +02:00			`if len(in) < tagLen {`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`return nil, fmt.Errorf("stupidChacha20poly1305: input data too short (%d bytes)", len(in))`
			`}`

			`// If the "dst" slice is large enough we can use it as our output buffer`
			`outLen := len(in) - tagLen`
			`var buf []byte`
			`inplace := false`
			`if cap(dst)-len(dst) >= outLen {`
			`inplace = true`
			`buf = dst[len(dst) : len(dst)+outLen]`
			`} else {`
			`buf = make([]byte, len(in)-tagLen)`
			`}`

			`ciphertext := in[:len(in)-tagLen]`
			`tag := in[len(in)-tagLen:]`

			`res := int(C.openssl_aead_open(a.openSSLEVPCipher,`
stupidgcm: allow zero-length input data We used to panic in this case because it is useless. But Go stdlib supports it, so we should as well. 2021-09-07 17:47:48 +02:00			`slicePointerOrNull(ciphertext),`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`C.int(len(ciphertext)),`
			`(*C.uchar)(&authData[0]),`
			`C.int(len(authData)),`
			`(*C.uchar)(&tag[0]),`
			`C.int(len(tag)),`
			`(*C.uchar)(&a.key[0]),`
			`C.int(len(a.key)),`
			`(*C.uchar)(&iv[0]),`
			`C.int(len(iv)),`
stupidgcm: allow zero-length input data We used to panic in this case because it is useless. But Go stdlib supports it, so we should as well. 2021-09-07 17:47:48 +02:00			`slicePointerOrNull(buf),`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`C.int(len(buf))))`

			`if res < 0 {`
			`return nil, ErrAuth`
			`}`
			`if res != outLen {`
			`log.Panicf("unexpected length %d", res)`
			`}`

			`if inplace {`
			`return dst[:len(dst)+outLen], nil`
			`}`
			`return append(dst, buf...), nil`
			`}`
stupidgcm: add BenchmarkCCall gocryptfs/internal/stupidgcm$ go test -bench . goos: linux goarch: amd64 pkg: github.com/rfjakob/gocryptfs/v2/internal/stupidgcm cpu: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz BenchmarkCCall-4 15864030 78.60 ns/op PASS ok github.com/rfjakob/gocryptfs/v2/internal/stupidgcm 1.898s 2021-09-05 12:17:38 +02:00
stupidgcm: allow zero-length input data We used to panic in this case because it is useless. But Go stdlib supports it, so we should as well. 2021-09-07 17:47:48 +02:00			`// slicePointerOrNull returns a C pointer to the beginning of the byte slice,`
			`// or NULL if the byte slice is empty. This is useful for slices that can be`
			`// empty, otherwise you can directly use "(*C.uchar)(&s[0])".`
			`func slicePointerOrNull(s []byte) (ptr *C.uchar) {`
			`if len(s) == 0 {`
			`return`
			`}`
			`return (*C.uchar)(&s[0])`
			`}`

stupidgcm: add BenchmarkCCall gocryptfs/internal/stupidgcm$ go test -bench . goos: linux goarch: amd64 pkg: github.com/rfjakob/gocryptfs/v2/internal/stupidgcm cpu: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz BenchmarkCCall-4 15864030 78.60 ns/op PASS ok github.com/rfjakob/gocryptfs/v2/internal/stupidgcm 1.898s 2021-09-05 12:17:38 +02:00			`// This functions exists to benchmark the C call overhead from Go.`
			`// See BenchmarkCCall for resuts.`
			`func noopCFunction() {`
			`C.noop_c_function()`
			`}`