Remove OpenSSL based SipHash 2-4 implementation

Creation of EVP_MD_CTX and EVP_PKEY is quite expensive, so until we fix the code to reuse the OpenSSL contexts and keys we'll use our own implementation of siphash instead of trying to integrate with OpenSSL.
2026-06-11 12:30:00 -04:00 · 2020-07-16 16:48:39 +02:00 · 2020-07-16 16:48:39 +02:00 · 21d751dfc7
commit 21d751dfc7
parent e24bc324b4
3 changed files with 5 additions and 103 deletions
--- a/configure.ac
+++ b/configure.ac
@ -650,19 +650,6 @@ AC_COMPILE_IFELSE(
     AC_MSG_RESULT([yes])],
    [AC_MSG_RESULT([no])])

-AC_MSG_CHECKING([for SipHash support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
-		       #include <openssl/opensslv.h>]],
-		     [[#if OPENSSL_VERSION_NUMBER < 0x10101010L
-		       #error OpenSSL >= 1.1.1a required for working SipHash initialization
-		       #endif
-		       EVP_PKEY *key = EVP_PKEY_new_raw_private_key(
-			   EVP_PKEY_SIPHASH, NULL, NULL, 0);]])],
-    [AC_DEFINE([HAVE_OPENSSL_SIPHASH], [1], [define if OpenSSL supports SipHash])
-     AC_MSG_RESULT([yes])],
-    [AC_MSG_RESULT([no])])
-
 #
 # Check for OpenSSL SHA-1 support
 #
--- a/lib/isc/siphash.c
+++ b/lib/isc/siphash.c
@ -17,44 +17,6 @@
 #include <isc/siphash.h>
 #include <isc/util.h>

-/*
- * Creation of EVP_MD_CTX and EVP_PKEY is quite expensive, until
- * we fix the code to reuse the context and key we'll use our own
- * implementation of siphash.
- */
-#if 0 /* HAVE_OPENSSL_SIPHASH */
-#include <openssl/evp.h>
-
-void
-isc_siphash24(const uint8_t*k,const uint8_t*in,const size_t inlen,uint8_t*out)
-{
-	REQUIRE(k != NULL);
-	REQUIRE(out != NULL);
-	size_t outlen = 8;
-	EVP_PKEY_CTX*pctx = NULL;
-
-	EVP_MD_CTX*mctx = EVP_MD_CTX_new();
-	EVP_PKEY*key = EVP_PKEY_new_raw_private_key(EVP_PKEY_SIPHASH,NULL,
-						    k,16);
-	RUNTIME_CHECK(mctx != NULL);
-	RUNTIME_CHECK(key != NULL);
-
-	RUNTIME_CHECK(EVP_DigestSignInit(mctx,&pctx,NULL,NULL,key) == 1);
-	RUNTIME_CHECK(EVP_PKEY_CTX_ctrl(pctx,EVP_PKEY_SIPHASH,
-					EVP_PKEY_OP_SIGNCTX,
-					EVP_PKEY_CTRL_SET_DIGEST_SIZE,outlen,
-					NULL) == 1);
-	RUNTIME_CHECK(EVP_DigestSignUpdate(mctx,in,inlen) == 1);
-	RUNTIME_CHECK(EVP_DigestSignFinal(mctx,out,&outlen) == 1);
-
-	ENSURE(outlen == 8);
-
-	EVP_PKEY_free(key);
-	EVP_MD_CTX_free(mctx);
-}
-
-#else /* HAVE_OPENSSL_SIPHASH */
-
 /*
 * The implementation is based on SipHash reference C implementation by
 *
@ -185,4 +147,3 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,

 	U64TO8_LE(out, b);
 }
-#endif /* HAVE_OPENSSL_SIPHASH */
--- a/lib/isc/tests/siphash_test.c
+++ b/lib/isc/tests/siphash_test.c
@ -22,32 +22,7 @@

 #include <isc/siphash.h>

-void
-native_isc_siphash24(const uint8_t *, const uint8_t *, const size_t, uint8_t *);
-
-#if HAVE_OPENSSL_SIPHASH
-
-void
-openssl_isc_siphash24(const uint8_t *, const uint8_t *, const size_t,
-		      uint8_t *);
-
-#undef HAVE_OPENSSL_SIPHASH
-#define isc_siphash24 native_isc_siphash24
 #include "../siphash.c"
-#undef isc_siphash24
-
-#define HAVE_OPENSSL_SIPHASH 1
-#define isc_siphash24	     openssl_isc_siphash24
-#include "../siphash.c"
-#undef isc_siphash24
-
-#else /* if HAVE_OPENSSL_SIPHASH */
-
-#define isc_siphash24 native_isc_siphash24
-#include "../siphash.c"
-#undef isc_siphash24
-
-#endif /* if HAVE_OPENSSL_SIPHASH */

 const uint8_t vectors[64][8] = {
 	{
@ -692,36 +667,18 @@ const uint8_t vectors[64][8] = {
 	},
 };

-#if HAVE_OPENSSL_SIPHASH
 static void
-openssl_isc_siphash24_test(void **state) {
+isc_siphash24_test(void **state) {
 	UNUSED(state);

 	uint8_t in[64], out[8], key[16];
-	for (int i = 0; i < 16; i++) {
+	for (size_t i = 0; i < ARRAY_SIZE(key); i++) {
 		key[i] = i;
 	}

-	for (int i = 0; i < 64; i++) {
+	for (size_t i = 0; i < ARRAY_SIZE(in); i++) {
 		in[i] = i;
-		openssl_isc_siphash24(key, in, i, out);
-		assert_memory_equal(out, vectors[i], 8);
-	}
-}
-#endif /* if HAVE_OPENSSL_SIPHASH */
-
-static void
-native_isc_siphash24_test(void **state) {
-	UNUSED(state);
-
-	uint8_t in[64], out[8], key[16];
-	for (int i = 0; i < 16; i++) {
-		key[i] = i;
-	}
-
-	for (int i = 0; i < 64; i++) {
-		in[i] = i;
-		native_isc_siphash24(key, in, i, out);
+		isc_siphash24(key, in, i, out);
 		assert_memory_equal(out, vectors[i], 8);
 	}
 }
@ -729,10 +686,7 @@ native_isc_siphash24_test(void **state) {
 int
 main(void) {
 	const struct CMUnitTest tests[] = {
-#if HAVE_OPENSSL_SIPHASH
-		cmocka_unit_test(openssl_isc_siphash24_test),
-#endif /* if HAVE_OPENSSL_SIPHASH */
-		cmocka_unit_test(native_isc_siphash24_test),
+		cmocka_unit_test(isc_siphash24_test),
 	};

 	return (cmocka_run_group_tests(tests, NULL, NULL));