use subtle.XORBytes instead of manual loops

.github/workflows/go.yml

@@ -24,6 +24,6 @@ jobs:
       run: go test -v -vet all -tags purego ./...
     - uses: dominikh/staticcheck-action@v1.1.0
       with:
-        version: '2022.1'
+        version: '2022.1.3'
         install-go: false
         cache-key: ${{ matrix.go }}

go.mod

@@ -6,7 +6,8 @@ require github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391
 
 require (
 	github.com/ericlagergren/saferand v0.0.0-20220206064634-960a4dd2bc5c
-	github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010
+	github.com/ericlagergren/subtle v0.0.0-20220814022531-5b12fc128823
+	github.com/ericlagergren/testutil v0.0.0-20220814024112-d21c9429edc2
 	github.com/google/tink/go v1.6.1
 	golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f
 )

go.sum

@@ -92,8 +92,10 @@ github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289R
 github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391/go.mod h1:K2R7GhgxrlJzHw2qiPWsCZXf/kXEJN9PLnQK73Ll0po=
 github.com/ericlagergren/saferand v0.0.0-20220206064634-960a4dd2bc5c h1:RUzBDdZ+e/HEe2Nh8lYsduiPAZygUfVXJn0Ncj5sHMg=
 github.com/ericlagergren/saferand v0.0.0-20220206064634-960a4dd2bc5c/go.mod h1:ETASDWf/FmEb6Ysrtd1QhjNedUU/ZQxBCRLh60bQ/UI=
-github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 h1:fuGucgPk5dN6wzfnxl3D0D3rVLw4v2SbBT9jb4VnxzA=
-github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010/go.mod h1:JtBcj7sBuTTRupn7c2bFspMDIObMJsVK8TeUvpShPok=
+github.com/ericlagergren/subtle v0.0.0-20220814022531-5b12fc128823 h1:Tck38aaf6vBeE4sTdlsShSfyJTuMke4UzbtPAuRW1WE=
+github.com/ericlagergren/subtle v0.0.0-20220814022531-5b12fc128823/go.mod h1:JtBcj7sBuTTRupn7c2bFspMDIObMJsVK8TeUvpShPok=
+github.com/ericlagergren/testutil v0.0.0-20220814024112-d21c9429edc2 h1:j9adob+s2qXdvdeJywrVifDfHAIq0XwoaK/0q4D1BGw=
+github.com/ericlagergren/testutil v0.0.0-20220814024112-d21c9429edc2/go.mod h1:E4aJHbNMb6zjyVd1Mrpf3FIJ6kAtnVUq2yl0T6DHZ/I=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=

siv.go

@@ -112,7 +112,7 @@ func (a *aead) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, erro
 	}
 	ok := a.open(out, nonce, ciphertext, tag, additionalData)
 	if !ok {
-		wipe(out)
+		subtle.Wipe(out)
 		return nil, errOpen
 	}
 	return ret, nil
@@ -157,9 +157,7 @@ func authGeneric(tag []byte, b cipher.Block, authKey, nonce, plaintext, addition
 	padS(p, plaintext)
 	p.Update(length)
 	p.Sum(tag[:0])
-	for i := range nonce {
-		tag[i] ^= nonce[i]
-	}
+	subtle.XORBytes(tag, tag, nonce)
 	tag[15] &= 0x7f
 	b.Encrypt(tag, tag)
 }
@@ -248,7 +246,7 @@ func aesctrGeneric(b cipher.Block, tag, dst, src []byte) {
 
 	if len(src) > 0 {
 		b.Encrypt(ks[:], block[:])
-		xor(dst, src, ks[:], len(src))
+		subtle.XORBytes(dst, src, ks[:])
 	}
 }
 
@@ -261,19 +259,3 @@ func xorBlock(z, x, y *[blockSize]byte) {
 	binary.LittleEndian.PutUint64(z[0:], x0^y0)
 	binary.LittleEndian.PutUint64(z[8:], x1^y1)
 }
-
-// xor sets z = x^y for up to n bytes.
-func xor(z, x, y []byte, n int) {
-	// This loop condition prevents needless bounds checks.
-	for i := 0; i < n && i < len(z) && i < len(x) && i < len(y); i++ {
-		z[i] = x[i] ^ y[i]
-	}
-}
-
-//go:noinline
-func wipe(p []byte) {
-	for i := range p {
-		p[i] = 0
-	}
-	runtime.KeepAlive(p)
-}

siv_amd64.go

@@ -178,6 +178,6 @@ func aesctr(nr int, enc *uint32, block *[TagSize]byte, dst, src []byte) {
 
 	if len(src) > 0 {
 		encryptBlockAsm(nr, enc, &ks[0], &block[0])
-		xor(dst, src, ks[:], len(src))
+		subtle.XORBytes(dst, src, ks[:])
 	}
 }

siv_arm64.go

@@ -175,6 +175,6 @@ func aesctr(nr int, enc *uint32, block *[TagSize]byte, dst, src []byte) {
 		ctr := binary.LittleEndian.Uint32(block[0:4]) + uint32(n)
 		binary.LittleEndian.PutUint32(block[0:4], ctr)
 		encryptBlockAsm(nr, enc, &ks[0], &block[0])
-		xor(dst, src, ks[:], len(src))
+		subtle.XORBytes(dst, src, ks[:])
 	}
 }

siv_test.go

@@ -12,14 +12,16 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strconv"
 	"strings"
 	"testing"
 	"testing/quick"
 
 	rand "github.com/ericlagergren/saferand"
-	tink "github.com/google/tink/go/aead/subtle"
-
 	"github.com/ericlagergren/subtle"
+	"github.com/ericlagergren/testutil"
+	tink "github.com/google/tink/go/aead/subtle"
 )
 
 func randbuf(n int) []byte {
@@ -590,6 +592,32 @@ func testInvalidNonceSize(t *testing.T, keySize int) {
 	})
 }
 
+func TestInlining(t *testing.T) {
+	want := []string{
+		"dup",
+		"NewGCM",
+		"aead.NonceSize",
+		"aead.Overhead",
+	}
+	if version() >= 18 {
+		want = append(want, "xorBlock")
+	}
+	testutil.TestInlining(t, "github.com/ericlagergren/siv", want...)
+}
+
+func version() int {
+	s := runtime.Version()
+	s = strings.TrimPrefix(s, "go1.")
+	if i := strings.IndexByte(s, '.'); i > 0 {
+		s = s[:i]
+	}
+	x, err := strconv.Atoi(s)
+	if err != nil {
+		panic(err)
+	}
+	return x
+}
+
 // AES-GCM-SIV
 
 func BenchmarkSeal1K_AES_GCM_SIV_128(b *testing.B) {

stub_arm64.go

@@ -17,4 +17,6 @@ func aesctrAsm(nr int, enc *uint32, iv *[blockSize]byte, dst, src *byte, nblocks
 //
 // Commenting out or deleting this constant restricts aesctrAsm
 // to just one block a a time.
+//
+//lint:ignore U1000 used in an assembly file.
 const useMultiBlock = true