xserver dependency on crypto library because of a hashmap

Marek Behun kabel at blackhole.sk
Mon Jun 9 15:57:39 PDT 2014


On Mon, 09 Jun 2014 15:37:25 -0700
Alan Coopersmith <alan.coopersmith at oracle.com> wrote:

> On 06/ 9/14 04:04 AM, Pali Rohár wrote:
> > I think that security flaws found in openssl/gnutls in the last
> > days/months are a very good reason to not use it - when it is not
> > needed.
> 
> I believe all of those have been in the SSL/TLS layers, and not down
> in the cryptographic hash primitives themselves.
> 
> One of the prime motivators we had for moving to an externally
> maintained SHA-1 implementation for Xorg was to let someone else deal
> with all the optimizations for specific CPUs and let us simply reap
> the benefits of their work.
> 
> If you don't want to use one of the existing libraries, you can take
> your own SHA-1 implementation, make it conform to one of the existing
> APIs and simply build with it, but that seems like a lot of work to
> move from a known good implementation to one that's probably not as
> good.
> 

I think the best thing would be to try to find some cheaper hash function
(with a proof on collision probability) and test it, probably try to
run a test of collisions on a large glyph database.
Worst case scenario: There can be a compile-time choice to use an internal
sha1 implementation with all the ifdefs in x_sha1_*.c

Marek Behun
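
The collision test proposed in the message above, as an added example (not code from the thread or from the X server): it hashes constructed, mostly blank glyph bitmaps with 64-bit FNV-1a, a candidate chosen here as an assumption, and compares collision counts at several truncated widths with the birthday estimate. The names `make_glyph`, `count_collisions` and `expected_pairs` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GLYPH_BYTES 32  /* constructed 16x16, 1 bit-per-pixel bitmap */

/* 64-bit FNV-1a: the cheap candidate picked for this example. */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;               /* offset basis */
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; } /* FNV prime */
    return h;
}

/* Constructed glyph i: blank bitmap with the index in the first four bytes,
 * so glyphs are distinct but nearly identical (hard case for a weak hash). */
static void make_glyph(uint32_t i, unsigned char out[GLYPH_BYTES]) {
    memset(out, 0, GLYPH_BYTES);
    memcpy(out, &i, sizeof i);
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Count glyphs whose hash (low `bits` bits) equals an earlier glyph's. */
long count_collisions(uint32_t n, int bits) {
    uint64_t mask = bits >= 64 ? ~0ULL : (1ULL << bits) - 1;
    uint64_t *h = malloc((size_t)n * sizeof *h);
    unsigned char g[GLYPH_BYTES]; long dup = 0;
    if (!h) return -1;
    for (uint32_t i = 0; i < n; i++) { make_glyph(i, g); h[i] = fnv1a64(g, sizeof g) & mask; }
    qsort(h, n, sizeof *h, cmp_u64);
    for (uint32_t i = 1; i < n; i++) dup += (h[i] == h[i - 1]);
    free(h);
    return dup;
}

/* Birthday estimate for an ideal hash: n(n-1)/2 / 2^bits colliding pairs. */
double expected_pairs(uint32_t n, int bits) {
    double e = (double)n * (n - 1) / 2.0;
    while (bits-- > 0) e /= 2.0;
    return e;
}

int main(void) {
    for (int bits = 16; bits <= 64; bits += 16)
        printf("%2d bits: %ld collisions, estimate %.3g pairs\n", bits,
               count_collisions(70000, bits), expected_pairs(70000, bits));
}
```

A collision in this setting means two different glyphs would be treated as the same cached glyph, so the width that matters is the one where the estimate stays far below one pair for the largest glyph set expected.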