stupidgcm: batch C calls in chacha20poly1305_seal

Go has a high overhead for each C call, so batch
all openssl operations in the new C function chacha20poly1305_seal.

Benchmark results:

internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > old.txt
internal/speed$ go test -bench BenchmarkStupidXchacha -count 10 > new.txt

internal/speed$ benchstat old.txt new.txt
name             old time/op   new time/op   delta
StupidXchacha-4   8.79µs ± 1%   7.25µs ± 1%  -17.54%  (p=0.000 n=10+10)

name             old speed     new speed     delta
StupidXchacha-4  466MB/s ± 1%  565MB/s ± 1%  +21.27%  (p=0.000 n=10+10)

4 files changed, 127 insertions, 56 deletions

diff --git a/internal/stupidgcm/.gitignore b/internal/stupidgcm/.gitignore
new file mode 100644
index 0000000..5761abc
--- /dev/null
+++ b/internal/stupidgcm/.gitignore
@@ -0,0 +1 @@
+*.o
diff --git a/internal/stupidgcm/Makefile b/internal/stupidgcm/Makefile
new file mode 100644
index 0000000..19f9914
--- /dev/null
+++ b/internal/stupidgcm/Makefile
@@ -0,0 +1,7 @@
+.PHONY: gcc
+gcc:
+	gcc -Wall -Wextra -Wformat-security -Wconversion -lcrypto -c *.c
+
+.PHONY: format
+format:
+	clang-format --style=WebKit -i *.c
diff --git a/internal/stupidgcm/chacha.c b/internal/stupidgcm/chacha.c
new file mode 100644
index 0000000..c85cf78
--- /dev/null
+++ b/internal/stupidgcm/chacha.c
@@ -0,0 +1,98 @@
+#include <openssl/evp.h>
+#include <stdio.h>
+//#cgo pkg-config: libcrypto
+
+extern void panic1(void);
+
+static void panic(const char* const msg)
+{
+    fprintf(stderr, "panic in C code: %s\n", msg);
+    __builtin_trap();
+}
+
+// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
+int chacha20poly1305_seal(
+    const unsigned char* const plaintext,
+    const int plaintextLen,
+    const unsigned char* const authData,
+    const int authDataLen,
+    const unsigned char* const key,
+    const int keyLen,
+    const unsigned char* const iv,
+    const int ivLen,
+    unsigned char* const ciphertext,
+    const int ciphertextBufLen)
+{
+    // Create scratch space "context"
+    EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
+    if (!ctx) {
+        panic("EVP_CIPHER_CTX_new failed");
+    }
+
+    // Set cipher
+    if (EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, NULL, NULL) != 1) {
+        panic("EVP_EncryptInit_ex set cipher failed");
+    }
+
+    // Check keyLen by trying to set it (fails if keyLen != 32)
+    if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
+        panic("keyLen mismatch");
+    }
+
+    // Set IV length so we do not depend on the default
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
+        panic("EVP_CTRL_AEAD_SET_IVLEN failed");
+    }
+
+    // Set key and IV
+    if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
+        panic("EVP_EncryptInit_ex set key & iv failed");
+    }
+
+    // Provide authentication data
+    int outLen = 0;
+    if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
+        panic("EVP_EncryptUpdate authData failed");
+    }
+    if (outLen != authDataLen) {
+        panic("EVP_EncryptUpdate authData: unexpected length");
+    }
+
+    // Encrypt "plaintext" into "ciphertext"
+    if (plaintextLen > ciphertextBufLen) {
+        panic("plaintext overflows output buffer");
+    }
+    if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) {
+        panic("EVP_EncryptUpdate ciphertext failed");
+    }
+    if (outLen != plaintextLen) {
+        panic("EVP_EncryptUpdate ciphertext: unexpected length");
+    }
+    int ciphertextLen = outLen;
+
+    // Finalise encryption
+    // Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode
+    if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) {
+        panic("EVP_EncryptFinal_ex failed");
+    }
+    if (outLen != 0) {
+        panic("EVP_EncryptFinal_ex: unexpected length");
+    }
+
+    // We only support 16-byte tags
+    const int tagLen = 16;
+
+    // Get MAC tag and append it to the ciphertext
+    if (ciphertextLen + tagLen > ciphertextBufLen) {
+        panic("tag overflows output buffer");
+    }
+    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tagLen, ciphertext + plaintextLen) != 1) {
+        panic("EVP_CTRL_AEAD_GET_TAG failed");
+    }
+    ciphertextLen += tagLen;
+
+    // Free scratch space
+    EVP_CIPHER_CTX_free(ctx);
+
+    return ciphertextLen;
+}
diff --git a/internal/stupidgcm/stupidchacha.go b/internal/stupidgcm/stupidchacha.go
index a6fe318..1f16a5e 100644
--- a/internal/stupidgcm/stupidchacha.go
+++ b/internal/stupidgcm/stupidchacha.go
@@ -2,10 +2,6 @@
 
 package stupidgcm
 
-// #include <openssl/evp.h>
-// #cgo pkg-config: libcrypto
-import "C"
-
 import (
 	"crypto/cipher"
 	"fmt"
@@ -15,6 +11,17 @@ import (
 	"golang.org/x/crypto/chacha20poly1305"
 )
 
+/*
+#include <openssl/evp.h>
+#cgo pkg-config: libcrypto
+int chacha20poly1305_seal(const unsigned char * const plaintext, const int plaintextLen,
+                const unsigned char * const authData, const int authDataLen,
+                const unsigned char * const key, const int keyLen,
+                const unsigned char * const iv, const int ivLen,
+                unsigned char * const ciphertext, const int ciphertextBufLen);
+*/
+import "C"
+
 type stupidChacha20poly1305 struct {
 	key   [chacha20poly1305.KeySize]byte
 	wiped bool
@@ -68,58 +75,16 @@ func (g *stupidChacha20poly1305) Seal(dst, iv, in, authData []byte) []byte {
 		buf = make([]byte, outLen)
 	}
 
-	// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
-
-	// Create scratch space "context"
-	ctx := C.EVP_CIPHER_CTX_new()
-	if ctx == nil {
-		log.Panic("EVP_CIPHER_CTX_new failed")
-	}
-
-	// Set cipher
-	if C.EVP_EncryptInit_ex(ctx, C.EVP_chacha20_poly1305(), nil, nil, nil) != 1 {
-		log.Panic("EVP_EncryptInit_ex I failed")
-	}
-
-	// Set key and IV
-	if C.EVP_EncryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 {
-		log.Panic("EVP_EncryptInit_ex II failed")
-	}
-
-	// Provide authentication data
-	var resultLen C.int
-	if C.EVP_EncryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 {
-		log.Panic("EVP_EncryptUpdate authData failed")
-	}
-	if int(resultLen) != len(authData) {
-		log.Panicf("Unexpected length %d", resultLen)
-	}
-
-	// Encrypt "in" into "buf"
-	if C.EVP_EncryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&in[0]), C.int(len(in))) != 1 {
-		log.Panic("EVP_EncryptUpdate failed")
-	}
-	if int(resultLen) != len(in) {
-		log.Panicf("Unexpected length %d", resultLen)
-	}
-
-	// Finalise encryption
-	// Because GCM is a stream encryption, this will not write out any data.
-	dummy := make([]byte, 16)
-	if C.EVP_EncryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen) != 1 {
-		log.Panic("EVP_EncryptFinal_ex failed")
-	}
-	if resultLen != 0 {
-		log.Panicf("Unexpected length %d", resultLen)
-	}
-
-	// Get MAC tag and append it to the ciphertext in "buf"
-	if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_AEAD_GET_TAG, tagLen, (unsafe.Pointer)(&buf[len(in)])) != 1 {
-		log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_AEAD_GET_TAG failed")
-	}
-
-	// Free scratch space
-	C.EVP_CIPHER_CTX_free(ctx)
+	C.chacha20poly1305_seal((*C.uchar)(&in[0]),
+		C.int(len(in)),
+		(*C.uchar)(&authData[0]),
+		C.int(len(authData)),
+		(*C.uchar)(&g.key[0]),
+		C.int(len(g.key)),
+		(*C.uchar)(&iv[0]),
+		C.int(len(iv)),
+		(*C.uchar)(&buf[0]),
+		C.int(len(buf)))
 
 	if inplace {
 		return dst[:len(dst)+outLen]