1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-31 20:08:43 +01:00

g10: Avoid extra hash contexts when decrypting MDC input

* g10/mainproc.c (mainproc_context): New member
'seen_pkt_encrypted_mdc'.
(release_list): Clear 'seen_pkt_encrypted_mdc'.
(proc_encrypted): Set 'seen_pkt_encrypted_mdc'.
(have_seen_pkt_encrypted_aead): Rename to...
(have_seen_pkt_encrypted_aead_or_mdc): ...this and add check for
'seen_pkt_encrypted_mdc'.
(proc_plaintext): Do not enable extra hash contexts when decrypting
MDC input.
--

Avoiding extra hash contexts speeds up CFB/MDC decryption quite
a lot. For example, decrypting symmetric-key AES-256 encrypted
4 GiB file from RAM to /dev/null sees ~3.4x speed increase on
AMD Ryzen 5800X:

 AES256.CFB encryption: 783 MB/s
 AES256.CFB decryption: 386 MB/s (before)
 AES256.CFB encryption: 1.3 GB/s (after patch)

Note, AEAD is still significantly faster:

 AES256.OCB encryption: 2.2 GB/s
 AES256.OCB decryption: 3.0 GB/s

GnuPG-bug-id: T5820
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
(cherry picked from commit ab177eed51)

Even 2.2 with the older Libgcrypt 1.8 gets a threefold speedup; see
https://dev.gnupg.org/T5820#155447 (AES-128 vs. AES-256 does not make
a substanial difference)

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Jussi Kivilinna 2022-02-08 18:31:54 +02:00 committed by Werner Koch
parent a2db490de5
commit 9116fd1e9a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -98,6 +98,7 @@ struct mainproc_context
ulong symkeys; /* Number of symmetrically encrypted session keys. */
struct kidlist_item *pkenc_list; /* List of encryption packets. */
int seen_pkt_encrypted_aead; /* PKT_ENCRYPTED_AEAD packet seen. */
int seen_pkt_encrypted_mdc; /* PKT_ENCRYPTED_MDC packet seen. */
struct {
unsigned int sig_seen:1; /* Set to true if a signature packet
has been seen. */
@ -147,6 +148,7 @@ release_list( CTX c )
c->any.uncompress_failed = 0;
c->last_was_session_key = 0;
c->seen_pkt_encrypted_aead = 0;
c->seen_pkt_encrypted_mdc = 0;
xfree (c->dek);
c->dek = NULL;
}
@ -639,6 +641,8 @@ proc_encrypted (CTX c, PACKET *pkt)
if (pkt->pkttype == PKT_ENCRYPTED_AEAD)
c->seen_pkt_encrypted_aead = 1;
if (pkt->pkttype == PKT_ENCRYPTED_MDC)
c->seen_pkt_encrypted_mdc = 1;
if (early_plaintext)
{
@ -864,7 +868,7 @@ proc_encrypted (CTX c, PACKET *pkt)
static int
have_seen_pkt_encrypted_aead( CTX c )
have_seen_pkt_encrypted_aead_or_mdc( CTX c )
{
CTX cc;
@ -872,6 +876,8 @@ have_seen_pkt_encrypted_aead( CTX c )
{
if (cc->seen_pkt_encrypted_aead)
return 1;
if (cc->seen_pkt_encrypted_mdc)
return 1;
}
return 0;
@ -953,7 +959,7 @@ proc_plaintext( CTX c, PACKET *pkt )
}
}
if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead(c))
if (!any && !opt.skip_verify && !have_seen_pkt_encrypted_aead_or_mdc(c))
{
/* This is for the old GPG LITERAL+SIG case. It's not legal
according to 2440, so hopefully it won't come up that often.