On 12/03/2013 03:19 PM, Nikos Mavrogiannopoulos wrote:
> On Tue, 2013-12-03 at 17:39 +0100, Ludovic Courtès wrote:
>> Pádraig Brady <p...@draigbrady.com> skribis:
>>
>>> The speed of md5 and sha* hashes has lagged a bit in gnulib.
>>> So to address that and to take advantage of the architecture
>>> specific assembly used in libcrypto, the attached gnulib patch
>>> allows projects to configure --with-openssl to use that if
>>> available or fall back to the existing internal routines.
>>
>> Any idea how libcrypto compares to what libgcrypt and Nettle provide?
>> Nettle has fine-tuned assembly implementations of various hash functions
>> (e.g., <http://git.lysator.liu.se/nettle/nettle/trees/master/x86_64>);
>> libgcrypt seems to have fewer of them currently (see
>> <http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=tree;f=cipher;hb=refs/heads/master>.)
>> It would be ideal if Coreutils could push these GNU packages.
>
> I agree. It would be quite ironic if gnulib uses openssl when there are
> 2 gnu crypto libraries. Nettle is very close in performance to openssl
> (and in several parts outperforms it). Libgcrypt used to lag behind
> openssl but there is much going on optimizing it lately, so it may be
> comparable or better.

Libvirt would prefer a solution that uses nettle, at least when used in
RHEL. This is because Red Hat is paying some certification fees for
analysis of libvirt use, where those fees depend in part on analyzing
all use of crypto in the build. Libvirt already links to gnutls, which
in turn links to nettle. If libvirt's use of gnulib modules starts to
also pull in libgcrypt, then libvirt now has 2 crypto libraries instead
of 1 that must be certified, which doubles the (expensive) cost of
certification.

Which is why I'd like a solution that mirrors what gnulib already does
for threads:

  --enable-threads={posix|solaris|pth|windows}
                          specify multithreading API

if we have

  --enable-crypto={basic|nettle|openssl|gcrypt}

then distro packagers can choose WHICH library they want to drag in,
rather than forcing a binary decision of using or avoiding a single library.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org