From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine

Digests are almost always slower when using /dev/crypto because of the
cost of the context switches. Only for large blocks it is worth it.

Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that

This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations. At least one
popular application does this across a fork. Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
22 --- a/engines/e_devcrypto.c
23 +++ b/engines/e_devcrypto.c
24 @@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
25 for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
28 - selected_digests[i] = 1;
29 + selected_digests[i] = 0;
32 * Check that the digest is usable
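Review bot: The bare `selected_digests[i] = 0;` in the prepare_digest_methods() loop carries no comment explaining why every digest starts disabled, so the rationale (kernel sessions shared across fork(), which the commit message says breaks HMAC in particular) lives only in the commit log. A short comment above the assignment, stating that digests are off by default because /dev/crypto sessions are not fork-safe and are usually slower, would keep a later cleanup from flipping it back to 1. The default is also encoded a second time in the DEVCRYPTO_CMD_DIGESTS help string further down, so the comment should point out that the two must change together.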
33 @@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
34 #ifdef IMPLEMENT_DIGEST
35 {DEVCRYPTO_CMD_DIGESTS,
37 - "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
38 + "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
39 ENGINE_CMD_FLAG_STRING},
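Review bot: The help string for DEVCRYPTO_CMD_DIGESTS now reads `[default=NONE]` but gives the user no hint about when turning digests on is safe, which is the condition the commit message attaches to re-enabling them. Consider extending the description, or the engine documentation, to say that enabled digests must not be used across a fork with an open digest or HMAC context, and that they only pay off for large blocks. Because existing configurations that relied on the old ALL default will move to software digests without any message, the change of default also deserves an entry in the release notes.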