diff --git a/CHANGES b/CHANGES index 929d9c9155..907ff0de34 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +6072. [bug] Avoid the OpenSSL lock contention when initializing + Message Digest Contexts by using explicit algorithm + fetching, initializing static contexts for every + supported algorithms, and initializing the new context + by copying the static copy. [GL #3795] + 6069. [bug] Detach from the view in zone_shutdown() to release the memory held by the dead view early. [GL #3801] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 1e00dde0c2..c4fc060d68 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -39,6 +39,9 @@ Bug Fixes cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. :gl:`#3801` +- Improve the speed of the message digest algorithms (MD5, SHA-1, + SHA-2) and NSEC3 hashing. :gl:`#3795` + Known Issues ~~~~~~~~~~~~ diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c index 14c63fb7f7..de1f3a36a3 100644 --- a/lib/isc/iterated_hash.c +++ b/lib/isc/iterated_hash.c @@ -13,64 +13,122 @@ #include +#include + #include -#include #include +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + +#include + int isc_iterated_hash(unsigned char *out, const unsigned int hashalg, const int iterations, const unsigned char *salt, const int saltlength, const unsigned char *in, const int inlength) { - isc_md_t *md; - isc_result_t result; + REQUIRE(out != NULL); + int n = 0; - unsigned int outlength = 0; size_t len; const unsigned char *buf; - - REQUIRE(out != NULL); + SHA_CTX ctx; if (hashalg != 1) { return (0); } - if ((md = isc_md_new()) == NULL) { + buf = in; + len = inlength; + + do { + if (SHA1_Init(&ctx) != 1) { + return (0); + } + + if (SHA1_Update(&ctx, buf, len) != 1) { + return (0); + } + + if (SHA1_Update(&ctx, salt, saltlength) != 1) { + return (0); + } + + if (SHA1_Final(out, &ctx) != 1) { + return (0); + } + + buf = out; + len = SHA_DIGEST_LENGTH; + } while (n++ < iterations); + + return (SHA_DIGEST_LENGTH); +} + +#else + +#include + +#include + +int +isc_iterated_hash(unsigned char *out, const unsigned int hashalg, + const int iterations, const unsigned char *salt, + const int saltlength, const unsigned char *in, + const int inlength) { + REQUIRE(out != NULL); + + int n = 0; + size_t len; + unsigned int outlength = 0; + const unsigned char *buf; + EVP_MD_CTX *ctx; + ; + EVP_MD *md; + + if (hashalg != 1) { return (0); } - len = inlength; + ctx = EVP_MD_CTX_new(); + RUNTIME_CHECK(ctx != NULL); + md = EVP_MD_fetch(NULL, "SHA1", NULL); + RUNTIME_CHECK(md != NULL); + buf = in; + len = inlength; + do { - result = isc_md_init(md, ISC_MD_SHA1); - if (result != ISC_R_SUCCESS) { - goto md_fail; + if (EVP_DigestInit_ex(ctx, md, NULL) != 1) { + goto fail; } - result = isc_md_update(md, buf, len); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestUpdate(ctx, buf, len) != 1) { + goto fail; } - result = isc_md_update(md, salt, saltlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestUpdate(ctx, salt, saltlength) != 1) { + goto fail; } - result = isc_md_final(md, out, &outlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; - } - result = isc_md_reset(md); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestFinal_ex(ctx, out, &outlength) != 1) { + goto fail; } + buf = out; len = outlength; } while (n++ < iterations); - isc_md_free(md); + EVP_MD_CTX_free(ctx); + EVP_MD_free(md); return (outlength); -md_fail: - isc_md_free(md); + +fail: + EVP_MD_CTX_free(ctx); + EVP_MD_free(md); + return (0); } -#undef RETERR + +#endif