Make Parent Selection Hash configurable and add SipHash-1-3 and Wyhash v4.1.

Author: PSUdaemon

configs/records.yaml.default.in

@@ -130,6 +130,7 @@ records:
 ##############################################################################
     parent_proxy:
       retry_time: 300
+      consistent_hash_algorithm: siphash24
 
 ##############################################################################
 # Security. Docs:

doc/admin-guide/files/parent.config.en.rst

@@ -278,6 +278,13 @@ The following list shows the possible actions and their allowed values.
        The other traffic is unaffected. Once the downed parent becomes
        available, the traffic distribution returns to the pre-down
        state.
+
+       The hash algorithm used for consistent hashing can be configured via
+       :ts:cv:`proxy.config.http.parent_proxy.consistent_hash_algorithm`. Available
+       algorithms are ``siphash24`` (default), ``siphash13`` (faster), and ``wyhash``
+       (fastest). See the records.yaml documentation for performance characteristics
+       and migration considerations.
+
     - ``latched`` - The first parent in the list is marked as primary and is
       always chosen until connection errors cause it to be marked down.  When
       this occurs the next parent in the list then becomes primary.  The primary

doc/admin-guide/files/records.yaml.en.rst

@@ -1471,6 +1471,28 @@ Parent Proxy Configuration
    ``2`` Mark the host down. This is the default.
    ===== ======================================================================
 
+.. ts:cv:: CONFIG proxy.config.http.parent_proxy.consistent_hash_algorithm STRING siphash24
+
+   Selects the hash algorithm used for consistent hash parent selection. This setting
+   only affects parent selection when ``round_robin=consistent_hash`` is configured in
+   :file:`parent.config`. The hash algorithm determines how requests are distributed
+   across parent proxies.
+
+   ============== ================================================================================
+   Value          Description
+   ============== ================================================================================
+   ``siphash24``  SipHash-2-4 (default). Cryptographically strong, DoS-resistant hash function.
+   ``siphash13``  SipHash-1-3. ~50% faster than SipHash-2-4, still DoS-resistant.
+   ``wyhash``     Wyhash v4.1. ~3-5x faster than SipHash-2-4, DoS-resistant.
+   ============== ================================================================================
+
+   .. warning::
+
+      Changing this setting will cause requests to be redistributed differently across
+      parent proxies. This can lead to cache churn and increased origin load during the
+      transition period. Plan the migration carefully and consider doing it during
+      low-traffic periods.
+
 .. ts:cv:: CONFIG proxy.config.http.parent_proxy.enable_parent_timeout_markdowns INT 0
    :reloadable:
    :overridable:

include/proxy/ParentConsistentHash.h

@@ -38,14 +38,15 @@
 //
 class ParentConsistentHash : public ParentSelectionStrategy
 {
-  // there are two hashes PRIMARY parents
-  // and SECONDARY parents.
-  ATSHash64Sip24                     hash[2];
+  std::unique_ptr<ATSHash64>         hash[2];
   std::unique_ptr<ATSConsistentHash> chash[2];
   pRecord                           *parents[2];
   bool                               foundParents[2][MAX_PARENTS];
   bool                               ignore_query;
   int                                secondary_mode;
+  ParentHashAlgorithm                selected_algorithm;
+
+  std::unique_ptr<ATSHash64> createHashInstance(ParentHashAlgorithm algo);
 
 public:
   static const int PRIMARY   = 0;

include/proxy/ParentSelection.h

@@ -73,6 +73,8 @@ enum class ParentRetry_t {
   BOTH = 3
 };
 
+enum class ParentHashAlgorithm { SIPHASH24 = 0, SIPHASH13, WYHASH };
+
 struct UnavailableServerResponseCodes {
   UnavailableServerResponseCodes(char *val);
   ~UnavailableServerResponseCodes(){};
@@ -163,6 +165,7 @@ class ParentRecord : public ControlBase
   int                             max_unavailable_server_retries     = 1;
   int                             secondary_mode                     = 1;
   bool                            ignore_self_detect                 = false;
+  ParentHashAlgorithm             consistent_hash_algorithm          = ParentHashAlgorithm::SIPHASH24;
 };
 
 // If the parent was set by the external customer api,

include/tscore/HashSip.h

@@ -23,22 +23,145 @@
 
 #include "tscore/Hash.h"
 #include <cstdint>
+#include <cstring>
 
 /*
-  Siphash is a Hash Message Authentication Code and can take a key.
+  SipHash is a Hash Message Authentication Code and can take a key.
 
   If you don't care about MAC use the void constructor and it will use
   a zero key for you.
- */
 
-struct ATSHash64Sip24 : ATSHash64 {
-  ATSHash64Sip24();
-  ATSHash64Sip24(const unsigned char key[16]);
-  ATSHash64Sip24(std::uint64_t key0, std::uint64_t key1);
-  void          update(const void *data, std::size_t len) override;
-  void          final() override;
-  std::uint64_t get() const override;
-  void          clear() override;
+  Template parameters:
+  - c_rounds: number of compression rounds per message block
+  - d_rounds: number of finalization rounds
+*/
+
+#define SIP_BLOCK_SIZE 8
+
+#define ROTL64(a, b) (((a) << (b)) | ((a) >> (64 - b)))
+
+static inline std::uint64_t
+U8TO64_LE(const std::uint8_t *p)
+{
+  std::uint64_t result;
+  std::memcpy(&result, p, sizeof(result));
+  return result;
+}
+
+#define SIPCOMPRESS(x0, x1, x2, x3) \
+  x0 += x1;                         \
+  x2 += x3;                         \
+  x1  = ROTL64(x1, 13);             \
+  x3  = ROTL64(x3, 16);             \
+  x1 ^= x0;                         \
+  x3 ^= x2;                         \
+  x0  = ROTL64(x0, 32);             \
+  x2 += x1;                         \
+  x0 += x3;                         \
+  x1  = ROTL64(x1, 17);             \
+  x3  = ROTL64(x3, 21);             \
+  x1 ^= x2;                         \
+  x3 ^= x0;                         \
+  x2  = ROTL64(x2, 32);
+
+template <int c_rounds, int d_rounds> struct ATSHashSip : ATSHash64 {
+  ATSHashSip() { this->clear(); }
+
+  ATSHashSip(const unsigned char key[16]) : k0(U8TO64_LE(key)), k1(U8TO64_LE(key + sizeof(k0))) { this->clear(); }
+
+  ATSHashSip(std::uint64_t key0, std::uint64_t key1) : k0(key0), k1(key1) { this->clear(); }
+
+  void
+  update(const void *data, std::size_t len) override
+  {
+    std::size_t    i, blocks;
+    unsigned char *m;
+    std::uint64_t  mi;
+    std::uint8_t   block_off = 0;
+
+    if (!finalized) {
+      m          = (unsigned char *)data;
+      total_len += len;
+
+      if (len + block_buffer_len < SIP_BLOCK_SIZE) {
+        std::memcpy(block_buffer + block_buffer_len, m, len);
+        block_buffer_len += len;
+      } else {
+        if (block_buffer_len > 0) {
+          block_off = SIP_BLOCK_SIZE - block_buffer_len;
+          std::memcpy(block_buffer + block_buffer_len, m, block_off);
+
+          mi  = U8TO64_LE(block_buffer);
+          v3 ^= mi;
+          for (int r = 0; r < c_rounds; r++) {
+            SIPCOMPRESS(v0, v1, v2, v3);
+          }
+          v0 ^= mi;
+        }
+
+        for (i = block_off, blocks = ((len - block_off) & ~(SIP_BLOCK_SIZE - 1)); i < blocks; i += SIP_BLOCK_SIZE) {
+          mi  = U8TO64_LE(m + i);
+          v3 ^= mi;
+          for (int r = 0; r < c_rounds; r++) {
+            SIPCOMPRESS(v0, v1, v2, v3);
+          }
+          v0 ^= mi;
+        }
+
+        block_buffer_len = (len - block_off) & (SIP_BLOCK_SIZE - 1);
+        std::memcpy(block_buffer, m + block_off + blocks, block_buffer_len);
+      }
+    }
+  }
+
+  void
+  final() override
+  {
+    std::uint64_t last7;
+    int           i;
+
+    if (!finalized) {
+      last7 = static_cast<std::uint64_t>(total_len & 0xff) << 56;
+
+      for (i = block_buffer_len - 1; i >= 0; i--) {
+        last7 |= static_cast<std::uint64_t>(block_buffer[i]) << (i * 8);
+      }
+
+      v3 ^= last7;
+      for (int r = 0; r < c_rounds; r++) {
+        SIPCOMPRESS(v0, v1, v2, v3);
+      }
+      v0 ^= last7;
+      v2 ^= 0xff;
+      for (int r = 0; r < d_rounds; r++) {
+        SIPCOMPRESS(v0, v1, v2, v3);
+      }
+      hfinal    = v0 ^ v1 ^ v2 ^ v3;
+      finalized = true;
+    }
+  }
+
+  std::uint64_t
+  get() const override
+  {
+    if (finalized) {
+      return hfinal;
+    } else {
+      return 0;
+    }
+  }
+
+  void
+  clear() override
+  {
+    v0               = k0 ^ 0x736f6d6570736575ull;
+    v1               = k1 ^ 0x646f72616e646f6dull;
+    v2               = k0 ^ 0x6c7967656e657261ull;
+    v3               = k1 ^ 0x7465646279746573ull;
+    finalized        = false;
+    total_len        = 0;
+    block_buffer_len = 0;
+  }
 
 private:
   unsigned char block_buffer[8]  = {0};
@@ -53,3 +176,7 @@ struct ATSHash64Sip24 : ATSHash64 {
   std::size_t   total_len        = 0;
   bool          finalized        = false;
 };
+
+// Standard SipHash variants
+using ATSHash64Sip24 = ATSHashSip<2, 4>;
+using ATSHash64Sip13 = ATSHashSip<1, 3>;

include/tscore/HashWyhash.h

@@ -0,0 +1,44 @@
+/** @file
+
+  @section license License
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+ */
+
+#pragma once
+
+#include "tscore/Hash.h"
+#include <cstdint>
+
+struct ATSHash64Wyhash : ATSHash64 {
+  ATSHash64Wyhash();
+  ATSHash64Wyhash(std::uint64_t seed);
+  void          update(const void *data, std::size_t len) override;
+  void          final() override;
+  std::uint64_t get() const override;
+  void          clear() override;
+
+private:
+  std::uint64_t seed      = 0;
+  std::uint64_t state     = 0;
+  std::uint64_t total_len = 0;
+  std::uint64_t hfinal    = 0;
+  bool          finalized = false;
+
+  unsigned char buffer[32] = {0};
+  std::uint8_t  buffer_len = 0;
+};

src/proxy/CMakeLists.txt

@@ -55,4 +55,8 @@ if(TS_USE_QUIC)
   add_subdirectory(http3)
 endif()
 
+if(BUILD_TESTING)
+  add_subdirectory(unit_tests)
+endif()
+
 clang_tidy_check(proxy)