From a1dcbcab8da8a3eeaaa35ee27b414415179a294c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 16 Jan 2023 11:12:06 +0100 Subject: [PATCH 1/3] Use OpenSSL EVP_MD API directly in isc_iterated_hash() Instead of going through another layer, use OpenSSL EVP_MD API directly in the isc_iterated_hash() implementation. This shaves off couple of microseconds in the microbenchmark. (cherry picked from commit 36654df732786b4feebcc0b3c1b02550a31beef9) --- lib/isc/iterated_hash.c | 57 +++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 31 deletions(-) diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c index 14c63fb7f7..5e5b67c388 100644 --- a/lib/isc/iterated_hash.c +++ b/lib/isc/iterated_hash.c @@ -13,6 +13,8 @@ #include +#include + #include #include #include @@ -22,55 +24,48 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg, const int iterations, const unsigned char *salt, const int saltlength, const unsigned char *in, const int inlength) { - isc_md_t *md; - isc_result_t result; - int n = 0; - unsigned int outlength = 0; - size_t len; - const unsigned char *buf; - REQUIRE(out != NULL); - if (hashalg != 1) { - return (0); - } + int n = 0; + size_t len; + unsigned int outlength = 0; + const unsigned char *buf; + EVP_MD_CTX *ctx = EVP_MD_CTX_create(); - if ((md = isc_md_new()) == NULL) { + RUNTIME_CHECK(ctx != NULL); + + if (hashalg != 1) { return (0); } len = inlength; buf = in; do { - result = isc_md_init(md, ISC_MD_SHA1); - if (result != ISC_R_SUCCESS) { - goto md_fail; + if (EVP_DigestInit_ex(ctx, ISC_MD_SHA1, NULL) != 1) { + goto fail; } - result = isc_md_update(md, buf, len); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestUpdate(ctx, buf, len) != 1) { + goto fail; } - result = isc_md_update(md, salt, saltlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestUpdate(ctx, salt, saltlength) != 1) { + goto fail; } - result = isc_md_final(md, out, &outlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; - } - result = isc_md_reset(md); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (EVP_DigestFinal_ex(ctx, out, &outlength) != 1) { + goto fail; } + buf = out; len = outlength; } while (n++ < iterations); - isc_md_free(md); + EVP_MD_CTX_free(ctx); return (outlength); -md_fail: - isc_md_free(md); + +fail: + EVP_MD_CTX_free(ctx); return (0); } -#undef RETERR From bf1a29e9e192a001e7e91fdb18b38462d36709da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 16 Jan 2023 12:56:53 +0100 Subject: [PATCH 2/3] Use OpenSSL 1.x SHA_CTX API in isc_iterated_hash() If the OpenSSL SHA1_{Init,Update,Final} API is still available, use it. The API has been deprecated in OpenSSL 3.0, but it is significantly faster than EVP_MD API, so make an exception here and keep using it until we can't. (cherry picked from commit 25db8d010337b8f62705b44a7f01aa4658ce1c6f) --- lib/isc/iterated_hash.c | 77 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 70 insertions(+), 7 deletions(-) diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c index 5e5b67c388..de1f3a36a3 100644 --- a/lib/isc/iterated_hash.c +++ b/lib/isc/iterated_hash.c @@ -13,12 +13,64 @@ #include -#include +#include #include -#include #include +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + +#include + +int +isc_iterated_hash(unsigned char *out, const unsigned int hashalg, + const int iterations, const unsigned char *salt, + const int saltlength, const unsigned char *in, + const int inlength) { + REQUIRE(out != NULL); + + int n = 0; + size_t len; + const unsigned char *buf; + SHA_CTX ctx; + + if (hashalg != 1) { + return (0); + } + + buf = in; + len = inlength; + + do { + if (SHA1_Init(&ctx) != 1) { + return (0); + } + + if (SHA1_Update(&ctx, buf, len) != 1) { + return (0); + } + + if (SHA1_Update(&ctx, salt, saltlength) != 1) { + return (0); + } + + if (SHA1_Final(out, &ctx) != 1) { + return (0); + } + + buf = out; + len = SHA_DIGEST_LENGTH; + } while (n++ < iterations); + + return (SHA_DIGEST_LENGTH); +} + +#else + +#include + +#include + int isc_iterated_hash(unsigned char *out, const unsigned int hashalg, const int iterations, const unsigned char *salt, @@ -30,18 +82,24 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg, size_t len; unsigned int outlength = 0; const unsigned char *buf; - EVP_MD_CTX *ctx = EVP_MD_CTX_create(); - - RUNTIME_CHECK(ctx != NULL); + EVP_MD_CTX *ctx; + ; + EVP_MD *md; if (hashalg != 1) { return (0); } - len = inlength; + ctx = EVP_MD_CTX_new(); + RUNTIME_CHECK(ctx != NULL); + md = EVP_MD_fetch(NULL, "SHA1", NULL); + RUNTIME_CHECK(md != NULL); + buf = in; + len = inlength; + do { - if (EVP_DigestInit_ex(ctx, ISC_MD_SHA1, NULL) != 1) { + if (EVP_DigestInit_ex(ctx, md, NULL) != 1) { goto fail; } @@ -62,10 +120,15 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg, } while (n++ < iterations); EVP_MD_CTX_free(ctx); + EVP_MD_free(md); return (outlength); fail: EVP_MD_CTX_free(ctx); + EVP_MD_free(md); + return (0); } + +#endif From 9679417cfa0fb2e2b51acca727f924b115517fdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 16 Jan 2023 10:09:35 +0100 Subject: [PATCH 3/3] Add CHANGES and release note for [GL #3795] (cherry picked from commit 401294cf60bac9665299a8260bca0a49d9957e9d) --- CHANGES | 6 ++++++ doc/notes/notes-current.rst | 3 +++ 2 files changed, 9 insertions(+) diff --git a/CHANGES b/CHANGES index 929d9c9155..907ff0de34 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +6072. [bug] Avoid the OpenSSL lock contention when initializing + Message Digest Contexts by using explicit algorithm + fetching, initializing static contexts for every + supported algorithms, and initializing the new context + by copying the static copy. [GL #3795] + 6069. [bug] Detach from the view in zone_shutdown() to release the memory held by the dead view early. [GL #3801] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 1e00dde0c2..c4fc060d68 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -39,6 +39,9 @@ Bug Fixes cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. :gl:`#3801` +- Improve the speed of the message digest algorithms (MD5, SHA-1, + SHA-2) and NSEC3 hashing. :gl:`#3795` + Known Issues ~~~~~~~~~~~~