Assaf Gordon wrote:
I think that for the same reason that --with-openssl defaults to 'no'
and not to 'auto' applies here.
This is a good point; it's easier to understand and explain if the two options
have similar defaults.
I'm not sure there is significant improvement of using af_alg
compared to using OpenSSL, unless one has additional crypto hardware
(which is perhaps more common in embedded systems? but them their
users compile dedicated packages anyhow).
Is there some easy way to detect whether the hardware supports crypto directly?
If so, we could use the new interface only on platforms where that is true. This
should alleviate many of the qualms you express.
It won't matter to a single user on a desktop, but imagine
a shared server at a university, when all of a sudden a sysadmin
might see a very very high %SYS load - with almost no way to disagnose
what's going on.
Why won't sysadmins be able to diagnose this? Isn't %SYS time accounted for?
If I'm not mistaken, running
"./configure --with-openssl=yes"
Still detects and uses crypto API (but also links with libcrypto).
Only "--with-openssl=yes --without-linux-crypto" disables it.
I think this is quite unexpected, perhaps even a regression:
if someone explicitly asked to use OpenSSL, they certainly don't
want to not use it...
Good catch, thanks.
Perhaps we should have one --with option rather than two? This might help reduce
the confusion mentioned above.
I installed the attached patch to try to fix the minor glitches you mentioned.
The code glitches were my fault (blush).
From 75e235abccb275a83b15fe4e60fb73bc14035b67 Mon Sep 17 00:00:00 2001
From: Paul Eggert <egg...@cs.ucla.edu>
Date: Mon, 7 May 2018 00:25:57 -0700
Subject: [PATCH] af_alg: Pacify --enable-gcc-warnings
Problem reported by Assaf Gordon in:
https://lists.gnu.org/r/bug-gnulib/2018-05/msg00041.html
* lib/af_alg.c (afalg_buffer): Move local decls to pacify
gcc -Wjump-misses-init.
* lib/sha512.c (shaxxx_stream): Now static.
---
ChangeLog | 9 +++++++++
lib/af_alg.c | 12 +++++++-----
lib/sha512.c | 2 +-
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ab3143c..428897f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-07 Paul Eggert <egg...@cs.ucla.edu>
+
+ af_alg: Pacify --enable-gcc-warnings
+ Problem reported by Assaf Gordon in:
+ https://lists.gnu.org/r/bug-gnulib/2018-05/msg00041.html
+ * lib/af_alg.c (afalg_buffer): Move local decls to pacify
+ gcc -Wjump-misses-init.
+ * lib/sha512.c (shaxxx_stream): Now static.
+
2018-05-06 Bruno Haible <br...@clisp.org>
af_alg: Add ability to use Linux kernel crypto API on data in memory.
diff --git a/lib/af_alg.c b/lib/af_alg.c
index 08d6659..c9809c7 100644
--- a/lib/af_alg.c
+++ b/lib/af_alg.c
@@ -41,7 +41,7 @@ afalg_buffer (const char *buffer, size_t len, const char *alg,
void *resblock, ssize_t hashlen)
{
/* On Linux < 4.9, the value for an empty stream is wrong (all zeroes).
- See <https://patchwork.kernel.org/patch/9434741/>. */
+ See <https://patchwork.kernel.org/patch/9308641/>. */
if (len == 0)
return -EAFNOSUPPORT;
@@ -109,6 +109,9 @@ afalg_stream (FILE *stream, const char *alg,
if (cfd < 0)
return -EAFNOSUPPORT;
+ int fd;
+ struct stat st;
+
int result;
struct sockaddr_alg salg = {
.salg_family = AF_ALG,
@@ -137,8 +140,7 @@ afalg_stream (FILE *stream, const char *alg,
}
/* if file is a regular file, attempt sendfile to pipe the data. */
- int fd = fileno (stream);
- struct stat st;
+ fd = fileno (stream);
if (fstat (fd, &st) == 0
&& (S_ISREG (st.st_mode) || S_TYPEISSHM (&st) || S_TYPEISTMO (&st))
&& 0 < st.st_size && st.st_size <= SYS_BUFSIZE_MAX)
@@ -159,7 +161,7 @@ afalg_stream (FILE *stream, const char *alg,
off_t nbytes = st.st_size - lseek (fd, 0, SEEK_CUR);
/* On Linux < 4.9, the value for an empty stream is wrong (all zeroes).
- See <https://patchwork.kernel.org/patch/9434741/>. */
+ See <https://patchwork.kernel.org/patch/9308641/>. */
if (nbytes <= 0)
{
result = -EAFNOSUPPORT;
@@ -192,7 +194,7 @@ afalg_stream (FILE *stream, const char *alg,
goto out_ofd;
}
/* On Linux < 4.9, the value for an empty stream is wrong (all zeroes).
- See <https://patchwork.kernel.org/patch/9434741/>. */
+ See <https://patchwork.kernel.org/patch/9308641/>. */
if (!non_empty)
{
result = -EAFNOSUPPORT;
diff --git a/lib/sha512.c b/lib/sha512.c
index af0776c..852c434 100644
--- a/lib/sha512.c
+++ b/lib/sha512.c
@@ -183,7 +183,7 @@ sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
Write the message digest into RESBLOCK, which contains HASHLEN bytes.
The initial and finishing operations are INIT_CTX and FINISH_CTX.
Return zero if and only if successful. */
-int
+static int
shaxxx_stream (FILE *stream, char const *alg, void *resblock,
ssize_t hashlen, void (*init_ctx) (struct sha512_ctx *),
void *(*finish_ctx) (struct sha512_ctx *, void *))
--
2.7.4
