--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches. Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations. At least one
+popular application does this across a fork. Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+ i++) {
+
+- selected_digests[i] = 1;
++ selected_digests[i] = 0;
+
+ /*
+ * Check that the digest is usable
+@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+ {DEVCRYPTO_CMD_DIGESTS,
+ "DIGESTS",
+- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+ ENGINE_CMD_FLAG_STRING},
+ #endif
+
projects / openwrt / staging / dedeckeh.git / blobdiff