aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
blob: df5c16d8d2ca9a34abb51f731332e94dde293a34 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine

Digests are almost always slower when using /dev/crypto because of the
cost of the context switches.  Only for large blocks it is worth it.

Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that
session.

This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations.  At least one
popular application does this across a fork.  Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
          i++) {
 
-        selected_digests[i] = 1;
+        selected_digests[i] = 0;
 
         /*
          * Check that the digest is usable
@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
 #ifdef IMPLEMENT_DIGEST
    {DEVCRYPTO_CMD_DIGESTS,
     "DIGESTS",
-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
     ENGINE_CMD_FLAG_STRING},
 #endif