From 21d751dfc72f02134e573687dc393938e9980388 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 16 Jul 2020 16:48:39 +0200 Subject: [PATCH] Remove OpenSSL based SipHash 2-4 implementation Creation of EVP_MD_CTX and EVP_PKEY is quite expensive, so until we fix the code to reuse the OpenSSL contexts and keys we'll use our own implementation of siphash instead of trying to integrate with OpenSSL. --- configure.ac | 13 --------- lib/isc/siphash.c | 39 ------------------------- lib/isc/tests/siphash_test.c | 56 ++++-------------------------------- 3 files changed, 5 insertions(+), 103 deletions(-) diff --git a/configure.ac b/configure.ac index 2415fce783..a32fb68f18 100644 --- a/configure.ac +++ b/configure.ac @@ -650,19 +650,6 @@ AC_COMPILE_IFELSE( AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no])]) -AC_MSG_CHECKING([for SipHash support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include - #include ]], - [[#if OPENSSL_VERSION_NUMBER < 0x10101010L - #error OpenSSL >= 1.1.1a required for working SipHash initialization - #endif - EVP_PKEY *key = EVP_PKEY_new_raw_private_key( - EVP_PKEY_SIPHASH, NULL, NULL, 0);]])], - [AC_DEFINE([HAVE_OPENSSL_SIPHASH], [1], [define if OpenSSL supports SipHash]) - AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no])]) - # # Check for OpenSSL SHA-1 support # diff --git a/lib/isc/siphash.c b/lib/isc/siphash.c index 87e3c285ec..cc1610f3f4 100644 --- a/lib/isc/siphash.c +++ b/lib/isc/siphash.c 
@@ -17,44 +17,6 @@ #include #include -/* - * Creation of EVP_MD_CTX and EVP_PKEY is quite expensive, until - * we fix the code to reuse the context and key we'll use our own - * implementation of siphash. - */ -#if 0 /* HAVE_OPENSSL_SIPHASH */ -#include - -void -isc_siphash24(const uint8_t*k,const uint8_t*in,const size_t inlen,uint8_t*out) -{ - REQUIRE(k != NULL); - REQUIRE(out != NULL); - size_t outlen = 8; - EVP_PKEY_CTX*pctx = NULL; - - EVP_MD_CTX*mctx = EVP_MD_CTX_new(); - EVP_PKEY*key = EVP_PKEY_new_raw_private_key(EVP_PKEY_SIPHASH,NULL, - k,16); - RUNTIME_CHECK(mctx != NULL); - RUNTIME_CHECK(key != NULL); - - RUNTIME_CHECK(EVP_DigestSignInit(mctx,&pctx,NULL,NULL,key) == 1); - RUNTIME_CHECK(EVP_PKEY_CTX_ctrl(pctx,EVP_PKEY_SIPHASH, - EVP_PKEY_OP_SIGNCTX, - EVP_PKEY_CTRL_SET_DIGEST_SIZE,outlen, - NULL) == 1); - RUNTIME_CHECK(EVP_DigestSignUpdate(mctx,in,inlen) == 1); - RUNTIME_CHECK(EVP_DigestSignFinal(mctx,out,&outlen) == 1); - - ENSURE(outlen == 8); - - EVP_PKEY_free(key); - EVP_MD_CTX_free(mctx); -} - -#else /* HAVE_OPENSSL_SIPHASH */ - /* * The implementation is based on SipHash reference C implementation by * @@ -185,4 +147,3 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen, U64TO8_LE(out, b); } -#endif /* HAVE_OPENSSL_SIPHASH */ diff --git a/lib/isc/tests/siphash_test.c b/lib/isc/tests/siphash_test.c index 465d2565c9..7247e6310e 100644 --- a/lib/isc/tests/siphash_test.c +++ b/lib/isc/tests/siphash_test.c 
@@ -22,32 +22,7 @@ #include -void -native_isc_siphash24(const uint8_t *, const uint8_t *, const size_t, uint8_t *); - -#if HAVE_OPENSSL_SIPHASH - -void -openssl_isc_siphash24(const uint8_t *, const uint8_t *, const size_t, - uint8_t *); - -#undef HAVE_OPENSSL_SIPHASH -#define isc_siphash24 native_isc_siphash24 #include "../siphash.c" -#undef isc_siphash24 - -#define HAVE_OPENSSL_SIPHASH 1 -#define isc_siphash24 openssl_isc_siphash24 -#include "../siphash.c" -#undef isc_siphash24 - -#else /* if HAVE_OPENSSL_SIPHASH */ - -#define isc_siphash24 native_isc_siphash24 -#include "../siphash.c" -#undef isc_siphash24 - -#endif /* if HAVE_OPENSSL_SIPHASH */ const uint8_t vectors[64][8] = { { @@ -692,36 +667,18 @@ const uint8_t vectors[64][8] = { }, }; -#if HAVE_OPENSSL_SIPHASH static void -openssl_isc_siphash24_test(void **state) { +isc_siphash24_test(void **state) { UNUSED(state); uint8_t in[64], out[8], key[16]; - for (int i = 0; i < 16; i++) { + for (size_t i = 0; i < ARRAY_SIZE(key); i++) { key[i] = i; } - for (int i = 0; i < 64; i++) { + for (size_t i = 0; i < ARRAY_SIZE(in); i++) { in[i] = i; - openssl_isc_siphash24(key, in, i, out); - assert_memory_equal(out, vectors[i], 8); - } -} -#endif /* if HAVE_OPENSSL_SIPHASH */ - -static void -native_isc_siphash24_test(void **state) { - UNUSED(state); - - uint8_t in[64], out[8], key[16]; - for (int i = 0; i < 16; i++) { - key[i] = i; - } - - for (int i = 0; i < 64; i++) { - in[i] = i; - native_isc_siphash24(key, in, i, out); + isc_siphash24(key, in, i, out); assert_memory_equal(out, vectors[i], 8); } } @@ -729,10 +686,7 @@ native_isc_siphash24_test(void **state) { int main(void) { const struct CMUnitTest tests[] = { -#if HAVE_OPENSSL_SIPHASH - cmocka_unit_test(openssl_isc_siphash24_test), -#endif /* if HAVE_OPENSSL_SIPHASH */ - cmocka_unit_test(native_isc_siphash24_test), + cmocka_unit_test(isc_siphash24_test), }; return (cmocka_run_group_tests(tests, NULL, NULL));
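Review bot: In `isc_siphash24_test` the second loop is bounded by `ARRAY_SIZE(in)` but also indexes `vectors[i]`, and the comparison still hard-codes the digest length as `8`, so the new size-derived bounds cover only two of the four arrays involved. With the OpenSSL variant removed, this is the only test left in the file for the in-tree SipHash-2-4 code, so I would tie the remaining sizes to the declarations: `assert_memory_equal(out, vectors[i], sizeof(out));`, plus a compile-time check before the loop that `ARRAY_SIZE(vectors) == ARRAY_SIZE(in)`. Now that `i` is a `size_t`, `key[i] = i;` and `in[i] = i;` narrow implicitly to `uint8_t`; writing `(uint8_t)i` makes the truncation explicit and keeps the test quiet under conversion warnings. The `vectors` table is declared outside this hunk, so its dimensions are taken from the `vectors[64][8]` context line in the preceding hunk.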