I still am of the opinion that there should be used some simpler hash function. If it was the case that the sha1 hash was the best option, here I present my opinion on why an external implementation is irrelevant and does not make a difference on effectivity.
> I believe all of those have been in the SSL/TLS layers, and not down > in the cryptographic hash primitives themselves. Yes, that is true, xserver isn't making itself vulnerable by using the library. I am aware that many applications depend on openssl because of similar stuff, but all these applications together are making it difficult for the whole system not to depend on openssl. Perhaps the distribution does not need security library because of security at all, and these applications pull in the whole library (or some other), because they need some simple stuff like sha1. It would be something different if xserver wanted to make it a runtime configuration parameter - which hash to use for a hashmap. Then depending on a hash/crypto library is understandable: I'm not going to rewrite every hash function into my source code. But if I need only one hash function, there should at least be an option to use internal implementation. > One of the prime motivators we had for moving to an externally > maintained SHA-1 implementation for Xorg was to let someone else deal > with all the optimizations for specific CPUs and let us simply reap > the benefits of their work. As I understand it, such optimizations make a difference for large inputs or when the hash function is called significantly many times. Thus I made an experiment: on my computer the openssl implementation is cca 100% faster than the naive implementation in C. That is: for 10*1024*1024 random strings of random length between 300-1000 the openssl implementation took 10 seconds of CPU time, the naive implementation took 19.5 seconds. I chose the length from 300 to 1000 because such lengths were used by the HashGlyph function. How frequently is HashGlyph called? On my computer by normal usage it was called 10 000 times per hour. Even on a 50× slower computer than mine that would take cca 1 sec per hour of CPU time for hashing glyphs. The openssl implementation would take 0.5 sec per hour. In my opinion the effectivity of optimized sha1 is irrelevant for HashGlyph. Please, can someone make me wrong? Marek
signature.asc
Description: PGP signature
_______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
