On Tue, Sep 2, 2025 at 2:27 AM Collin Funk <[email protected]> wrote:
> Hi,
>
> Here is a patch to add OpenSSL support for SHA-3 using the EVP API.
> There are two things I am not 100% happy with, but I do not see a way
> around.
>
> First, we must call EVP_MD_CTX_create to malloc an EVP_MD_CTX. This is
> because an EVP_MD_CTX field cannot be inside of a structure; it is a
> typedef to an incomplete type.
>
> Second, I used xalloc-die as a conditional dependency. This is because
> the EVP functions are documented as returning 0 on failure. In practice,
> I can only see this being the case for EVP_MD_CTX_create, but that
> should be rare (e.g. OOM). I would rather not change the prototypes to
> be different than the other digests in Gnulib, so there is no way to
> return errors back to the caller. This shouldn't matter for Coreutils,
> but calling abort in libraries is not great, in my opinion. Using
> xalloc_die is only slightly more friendly.
>
> Here are some basic benchmarks for reference, using no other arguments to
> ./configure besides --with-openssl={yes|no}:
>
> Gnulib:
> $ ./gltests/bench-sha3-512 1000000000 5
> real 30.514154
> user 30.374
> sys 0.001
>
> OpenSSL:
> $ ./gltests/bench-sha3-512 1000000000 5
> real 19.172793
> user 19.080
> sys 0.000
>
> Side note, SHA-3 seems really slow compared to SHA-2 from what I can
> tell from this little test:
>
> Gnulib:
> $ ./gltests/bench-sha512 1000000000 5
> real 10.915839
> user 10.858
> sys 0.000
>
> $ ./gltests/bench-sha512 1000000000 5
> real 5.702266
> user 5.670
> sys 0.001
>
> I guess that is because it isn't used enough to make Intel or AMD bother
> to create a special instruction set for it.
>
SHA3 uses the Keccak core. Keccak is hardware accelerated for AVX2 and AVX512;
not SSE2, SSE4.2 and friends. In contrast, SHA2 is accelerated using SSE2.
See <https://github.com/openssl/openssl/tree/master/crypto/sha/asm>.
Maybe the test machine lacks AVX2 or above?
Will leave unpushed for now to allow others to review.
Jeff
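
The reply asks whether the benchmark machine has AVX2 or above. The following is an added example, not part of the thread or of the Gnulib patch: a way to check that on x86 Linux by reading the `flags` line of `/proc/cpuinfo`. The function names and the sample CPU data are constructed for illustration, and `avx512f` is taken as the marker for AVX-512.

```shell
#!/bin/sh
# Assumption: x86 Linux, where /proc/cpuinfo has a "flags : ..." line per CPU.

# cpu_flags FILE: print the flag list of the first CPU listed in FILE.
cpu_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# has_flag FILE FLAG: succeed only if FLAG is present as a whole word,
# so that "avx" in the list is never mistaken for "avx2".
has_flag() {
    case " $(cpu_flags "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# simd_level FILE: print the widest of the extensions named in the reply
# (avx512, avx2, sse2), or "none" if the file lists none of them.
simd_level() {
    if has_flag "$1" avx512f; then echo avx512
    elif has_flag "$1" avx2; then echo avx2
    elif has_flag "$1" sse2; then echo sse2
    else echo none
    fi
}

# Constructed sample: a CPU with AVX but without AVX2.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu sse sse2 ssse3 sse4_2 avx\n' > "$sample"
echo "constructed sample: $(simd_level "$sample")"
rm -f "$sample"

# The machine the benchmark actually ran on, when the file is available.
if [ -r /proc/cpuinfo ]; then
    echo "this machine: $(simd_level /proc/cpuinfo)"
fi
```

A result of `sse2` on the benchmark host would match the explanation suggested in the reply. A result of `avx2` or `avx512` would mean the gap between SHA-3 and SHA-2 has another cause.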