libgocryptfs/internal/stupidgcm/openssl_aead.c

// +build !without_openssl

#include "openssl_aead.h"
#include <openssl/evp.h>
#include <stdio.h>
//#cgo pkg-config: libcrypto

static void panic(const char* const msg)
{
    fprintf(stderr, "panic in C code: %s\n", msg);
    __builtin_trap();
}

// We only support 16-byte tags
static const int supportedTagLen = 16;

// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
int openssl_aead_seal(
    const EVP_CIPHER* evpCipher,
    const unsigned char* const plaintext,
    const int plaintextLen,
    const unsigned char* const authData,
    const int authDataLen,
    const unsigned char* const key,
    const int keyLen,
    const unsigned char* const iv,
    const int ivLen,
    unsigned char* const ciphertext,
    const int ciphertextBufLen)
{
    // Create scratch space "ctx"
    EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
    if (!ctx) {
        panic("EVP_CIPHER_CTX_new failed");
    }

    // Set cipher
    if (EVP_EncryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
        panic("EVP_EncryptInit_ex set cipher failed");
    }

    // Check keyLen by trying to set it (fails if keyLen != 32)
    if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
        panic("keyLen mismatch");
    }

    // Set IV length so we do not depend on the default
    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
        panic("EVP_CTRL_AEAD_SET_IVLEN failed");
    }

    // Set key and IV
    if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
        panic("EVP_EncryptInit_ex set key & iv failed");
    }

    // Provide authentication data
    int outLen = 0;
    if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
        panic("EVP_EncryptUpdate authData failed");
    }
    if (outLen != authDataLen) {
        panic("EVP_EncryptUpdate authData: unexpected length");
    }

    // Encrypt "plaintext" into "ciphertext"
    if (plaintextLen > ciphertextBufLen) {
        panic("plaintext overflows output buffer");
    }
    if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) {
        panic("EVP_EncryptUpdate ciphertext failed");
    }
    if (outLen != plaintextLen) {
        panic("EVP_EncryptUpdate ciphertext: unexpected length");
    }
    int ciphertextLen = outLen;

    // Finalise encryption
    // Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode
    if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) {
        panic("EVP_EncryptFinal_ex failed");
    }
    if (outLen != 0) {
        panic("EVP_EncryptFinal_ex: unexpected length");
    }

    // Get MAC tag and append it to the ciphertext
    if (ciphertextLen + supportedTagLen > ciphertextBufLen) {
        panic("tag overflows output buffer");
    }
    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, supportedTagLen, ciphertext + plaintextLen) != 1) {
        panic("EVP_CTRL_AEAD_GET_TAG failed");
    }
    ciphertextLen += supportedTagLen;

    // Free scratch space
    EVP_CIPHER_CTX_free(ctx);

    return ciphertextLen;
}

int openssl_aead_open(
    const EVP_CIPHER* evpCipher,
    const unsigned char* const ciphertext,
    const int ciphertextLen,
    const unsigned char* const authData,
    const int authDataLen,
    unsigned char* const tag,
    const int tagLen,
    const unsigned char* const key,
    const int keyLen,
    const unsigned char* const iv,
    const int ivLen,
    unsigned char* const plaintext,
    const int plaintextBufLen)
{
    // Create scratch space "ctx"
    EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
    if (!ctx) {
        panic("EVP_CIPHER_CTX_new failed");
    }

    // Set cipher
    if (EVP_DecryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
        panic("EVP_DecryptInit_ex set cipher failed");
    }

    // Check keyLen by trying to set it (fails if keyLen != 32)
    if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
        panic("keyLen mismatch");
    }

    // Set IV length so we do not depend on the default
    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
        panic("EVP_CTRL_AEAD_SET_IVLEN failed");
    }

    // Set key and IV
    if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
        panic("EVP_DecryptInit_ex set key & iv failed");
    }

    // Provide authentication data
    int outLen = 0;
    if (EVP_DecryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
        panic("EVP_DecryptUpdate authData failed");
    }
    if (outLen != authDataLen) {
        panic("EVP_DecryptUpdate authData: unexpected length");
    }

    // Decrypt "ciphertext" into "plaintext"
    if (ciphertextLen > plaintextBufLen) {
        panic("ciphertextLen overflows output buffer");
    }
    if (EVP_DecryptUpdate(ctx, plaintext, &outLen, ciphertext, ciphertextLen) != 1) {
        panic("EVP_DecryptUpdate failed");
    }
    int plaintextLen = outLen;

    // Check tag
    if (tagLen != supportedTagLen) {
        panic("unsupported tag length");
    }
    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tagLen, tag) != 1) {
        panic("EVP_CTRL_AEAD_SET_TAG failed");
    }
    if (EVP_DecryptFinal_ex(ctx, plaintext + plaintextLen, &outLen) != 1) {
        // authentication failed
        return -1;
    }
    if (outLen != 0) {
        panic("EVP_EncryptFinal_ex: unexpected length");
    }

    /* Clean up */
    EVP_CIPHER_CTX_free(ctx);

    return plaintextLen;
}

// This functions exists to benchmark the C call overhead from Go.
void noop_c_function(void) {
    return;
}
stupidgcm: fix build with CGO_ENABLED=1 without_openssl We missed some "// +build" lines 2021-09-07 12:57:52 +02:00			`// +build !without_openssl`

stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`#include "openssl_aead.h"`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`#include <openssl/evp.h>`
			`#include <stdio.h>`
			`//#cgo pkg-config: libcrypto`

			`static void panic(const char* const msg)`
			`{`
			`fprintf(stderr, "panic in C code: %s\n", msg);`
			`__builtin_trap();`
			`}`

stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`// We only support 16-byte tags`
			`static const int supportedTagLen = 16;`

stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode`
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`int openssl_aead_seal(`
			`const EVP_CIPHER* evpCipher,`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`const unsigned char* const plaintext,`
			`const int plaintextLen,`
			`const unsigned char* const authData,`
			`const int authDataLen,`
			`const unsigned char* const key,`
			`const int keyLen,`
			`const unsigned char* const iv,`
			`const int ivLen,`
			`unsigned char* const ciphertext,`
			`const int ciphertextBufLen)`
			`{`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`// Create scratch space "ctx"`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();`
			`if (!ctx) {`
			`panic("EVP_CIPHER_CTX_new failed");`
			`}`

			`// Set cipher`
stupidgcm: replace chacha20poly1305_seal with generic aead_seal 2021-09-03 17:11:57 +02:00			`if (EVP_EncryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`panic("EVP_EncryptInit_ex set cipher failed");`
			`}`

			`// Check keyLen by trying to set it (fails if keyLen != 32)`
			`if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {`
			`panic("keyLen mismatch");`
			`}`

			`// Set IV length so we do not depend on the default`
			`if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {`
			`panic("EVP_CTRL_AEAD_SET_IVLEN failed");`
			`}`

			`// Set key and IV`
			`if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {`
			`panic("EVP_EncryptInit_ex set key & iv failed");`
			`}`

			`// Provide authentication data`
			`int outLen = 0;`
			`if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {`
			`panic("EVP_EncryptUpdate authData failed");`
			`}`
			`if (outLen != authDataLen) {`
			`panic("EVP_EncryptUpdate authData: unexpected length");`
			`}`

			`// Encrypt "plaintext" into "ciphertext"`
			`if (plaintextLen > ciphertextBufLen) {`
			`panic("plaintext overflows output buffer");`
			`}`
			`if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) {`
			`panic("EVP_EncryptUpdate ciphertext failed");`
			`}`
			`if (outLen != plaintextLen) {`
			`panic("EVP_EncryptUpdate ciphertext: unexpected length");`
			`}`
			`int ciphertextLen = outLen;`

			`// Finalise encryption`
			`// Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode`
			`if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) {`
			`panic("EVP_EncryptFinal_ex failed");`
			`}`
			`if (outLen != 0) {`
			`panic("EVP_EncryptFinal_ex: unexpected length");`
			`}`

			`// Get MAC tag and append it to the ciphertext`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`if (ciphertextLen + supportedTagLen > ciphertextBufLen) {`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`panic("tag overflows output buffer");`
			`}`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, supportedTagLen, ciphertext + plaintextLen) != 1) {`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00			`panic("EVP_CTRL_AEAD_GET_TAG failed");`
			`}`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`ciphertextLen += supportedTagLen;`
stupidgcm: batch C calls in chacha20poly1305_seal Go has a high overhead for each C call, so batch all openssl operations in the new C function chacha20poly1305_seal. Benchmark results: internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 8.79µs ± 1% 7.25µs ± 1% -17.54% (p=0.000 n=10+10) name old speed new speed delta StupidXchacha-4 466MB/s ± 1% 565MB/s ± 1% +21.27% (p=0.000 n=10+10) 2021-09-03 16:44:13 +02:00
			`// Free scratch space`
			`EVP_CIPHER_CTX_free(ctx);`

			`return ciphertextLen;`
			`}`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00
stupidgcm: introduce stupidAEADCommon and use for both chacha & gcm Nice deduplication and brings the GCM decrypt speed up to par. internal/speed$ benchstat old new name old time/op new time/op delta StupidGCM-4 4.71µs ± 0% 4.66µs ± 0% -0.99% (p=0.008 n=5+5) StupidGCMDecrypt-4 5.77µs ± 1% 4.51µs ± 0% -21.80% (p=0.008 n=5+5) name old speed new speed delta StupidGCM-4 870MB/s ± 0% 879MB/s ± 0% +1.01% (p=0.008 n=5+5) StupidGCMDecrypt-4 710MB/s ± 1% 908MB/s ± 0% +27.87% (p=0.008 n=5+5) 2021-09-04 11:41:56 +02:00			`int openssl_aead_open(`
			`const EVP_CIPHER* evpCipher,`
stupidgcm: stupidChacha20poly1305.Open: batch C calls in aead_open Gets the decryption speed to the same level as the encryption speed. internal/speed$ benchstat old.txt new.txt name old time/op new time/op delta StupidXchacha-4 732MB/s ± 0% 740MB/s ± 0% ~ (p=1.000 n=1+1) StupidXchachaDecrypt-4 602MB/s ± 0% 741MB/s ± 0% ~ (p=1.000 n=1+1) 2021-09-03 18:44:41 +02:00			`const unsigned char* const ciphertext,`
			`const int ciphertextLen,`
			`const unsigned char* const authData,`
			`const int authDataLen,`
			`unsigned char* const tag,`
			`const int tagLen,`
			`const unsigned char* const key,`
			`const int keyLen,`
			`const unsigned char* const iv,`
			`const int ivLen,`
			`unsigned char* const plaintext,`
			`const int plaintextBufLen)`
			`{`
			`// Create scratch space "ctx"`
			`EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();`
			`if (!ctx) {`
			`panic("EVP_CIPHER_CTX_new failed");`
			`}`

			`// Set cipher`
			`if (EVP_DecryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {`
			`panic("EVP_DecryptInit_ex set cipher failed");`
			`}`

			`// Check keyLen by trying to set it (fails if keyLen != 32)`
			`if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {`
			`panic("keyLen mismatch");`
			`}`

			`// Set IV length so we do not depend on the default`
			`if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {`
			`panic("EVP_CTRL_AEAD_SET_IVLEN failed");`
			`}`

			`// Set key and IV`
			`if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {`
			`panic("EVP_DecryptInit_ex set key & iv failed");`
			`}`

			`// Provide authentication data`
			`int outLen = 0;`
			`if (EVP_DecryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {`
			`panic("EVP_DecryptUpdate authData failed");`
			`}`
			`if (outLen != authDataLen) {`
			`panic("EVP_DecryptUpdate authData: unexpected length");`
			`}`

			`// Decrypt "ciphertext" into "plaintext"`
			`if (ciphertextLen > plaintextBufLen) {`
			`panic("ciphertextLen overflows output buffer");`
			`}`
			`if (EVP_DecryptUpdate(ctx, plaintext, &outLen, ciphertext, ciphertextLen) != 1) {`
			`panic("EVP_DecryptUpdate failed");`
			`}`
			`int plaintextLen = outLen;`

			`// Check tag`
			`if (tagLen != supportedTagLen) {`
			`panic("unsupported tag length");`
			`}`
			`if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tagLen, tag) != 1) {`
			`panic("EVP_CTRL_AEAD_SET_TAG failed");`
			`}`
			`if (EVP_DecryptFinal_ex(ctx, plaintext + plaintextLen, &outLen) != 1) {`
			`// authentication failed`
			`return -1;`
			`}`
			`if (outLen != 0) {`
			`panic("EVP_EncryptFinal_ex: unexpected length");`
			`}`

			`/* Clean up */`
			`EVP_CIPHER_CTX_free(ctx);`

			`return plaintextLen;`
			`}`
stupidgcm: add BenchmarkCCall gocryptfs/internal/stupidgcm$ go test -bench . goos: linux goarch: amd64 pkg: github.com/rfjakob/gocryptfs/v2/internal/stupidgcm cpu: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz BenchmarkCCall-4 15864030 78.60 ns/op PASS ok github.com/rfjakob/gocryptfs/v2/internal/stupidgcm 1.898s 2021-09-05 12:17:38 +02:00
			`// This functions exists to benchmark the C call overhead from Go.`
			`void noop_c_function(void) {`
			`return;`
			`}`