On Thu, Jan 29, 2026 at 4:33 PM Daniel Sahlberg <[email protected]> wrote:
> Den tors 29 jan. 2026 kl 11:24 skrev Joe Orton <[email protected]>: > >> On Wed, Dec 31, 2025 at 11:44:26AM +0100, Daniel Sahlberg wrote: >> > Hi, >> > >> > Subversion is using the APR/APR-util checksum implementations (SHA1 and >> > MD5). One of our committers in Subversion made some tests switching out >> > these for the ones in OpenSSL instead. OpenSSL is (opt-out) using an ASM >> > optimized implementation on many platforms. >> > >> > Copy-pasting from the commit message[1] to include some raw numbers: >> >> Hi Daniel, >> >> The apr_crypto API already wraps the OpenSSL EVP API, so adding another >> wrapper using the deprecated digest APIs wouldn't really make sense IMO. >> It's also (again IMO) important to note that the OpenSSL digest >> implementations should be treated as having restricted availability; >> MD5_Init() etc will fail under FIPS mode (as do the EVP equivalents). > > > Hi, > > I'm not sure I understand the above... If it relates to the actual > implementation in Subversion, it wasn't my intention to say "hey, let's > copypaste this to APR". I believe it should be updated to a current API > (although I've seen Ivan's e-mails about performance - these need to be > considered). > > My question was rather: Would it make sense for APR to use OpenSSL's > digest algorithms, if available (and if built with OpenSSL support)? > > Hello, It might be not as straightforward to be done on APR's side because it publicly exposes its context which most certainly doesn't match OpenSSL's context. (considering apr_sha/apr_md APIs). But it's not as big of a deal because a new version can be introduced that works around it. I just realized that there is apr_crypto_digest* API in the APR crypto module that is probably being discussed right now. I believe it's worth it to support it in Subversion. But we need some additional testing to find out if it adds any significant performance issues. -- Timofei Zhakov
