Support OpenSSL 3.0 for ipcipher CA6 encryption/decryption #12411

Merged
merged 3 commits into from Jan 13, 2023


fredmorcos
Contributor

Short description

Support OpenSSL 3.0 for ipcipher CA6 encryption/decryption. Nothing special here, use OpenSSL 3.0's EVP_CIPHER_* instead of the deprecated AES_* API but continue to support the deprecated OpenSSL 1.1.1 API.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne
Member

That's absolutely not on you but it looks like the new code is three times slower than the existing one when doing one round of encryption/decryption. I guess that's likely because the new API requires at least two allocations per round while the deprecated one did no allocation at all..

@fredmorcos
Contributor Author

> That's absolutely not on you but it looks like the new code is three times slower than the existing one when doing one round of encryption/decryption. I guess that's likely because the new API requires at least two allocations per round while the deprecated one did no allocation at all..

Perhaps we can reuse context objects. But I would attempt to do that after all the openssl3 updates so that we at least have a basis of "correctness" to base that change on.

@rgacogne
Member

> Perhaps we can reuse context objects. But I would attempt to do that after all the openssl3 updates so that we at least have a basis of "correctness" to base that change on.

Agreed, and even then I would not worry too much about it until we measure an actual regression. I don't know how many people actually use that ipcipher code in production nowadays.

Member

@rgacogne rgacogne left a comment


Looks good, nice work!

@rgacogne rgacogne merged commit ee56a2d into PowerDNS:master Jan 13, 2023
@fredmorcos fredmorcos deleted the openssl3-ipcipher-ca6-crypto branch January 13, 2023 08:32