From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine

Digests are almost always slower when using /dev/crypto because of the
cost of the context switches. Only for large blocks it is worth it.

Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that

This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations. At least one
popular application does this across a fork. Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
22 diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
23 index 3fcd81de7a..d25230d366 100644
24 --- a/engines/e_devcrypto.c
25 +++ b/engines/e_devcrypto.c
26 @@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
27 for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
30 - selected_digests[i] = 1;
31 + selected_digests[i] = 0;
34 * Check that the digest is usable
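Review bot: The new default in prepare_digest_methods(), `selected_digests[i] = 0;`, carries no comment saying why digests start disabled, so the reason lives only in the commit message. A short comment above the assignment would help, stating that digests are opt-in because kernel sessions stay shared across fork() and an update/close in one process affects the others, and that the context-switch cost makes them slower except for large blocks. That keeps a later cleanup from flipping the value back to 1. The change also silently turns off digest offload for existing users who relied on the old default, which deserves a line in the release notes.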
35 @@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
36 #ifdef IMPLEMENT_DIGEST
37 {DEVCRYPTO_CMD_DIGESTS,
39 - "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
40 + "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
41 ENGINE_CMD_FLAG_STRING},
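Review bot: The help string for DEVCRYPTO_CMD_DIGESTS now reads `[default=NONE]` but gives the user no hint about when turning digests on is unsafe. The commit message says enabling them is only acceptable "if it is safe and fast enough", so the text shown to the user (or the engine documentation) should mention that digest and HMAC contexts must not be used across a fork while this option is enabled. Separately, the default stated here and the initial value of `selected_digests[i]` in prepare_digest_methods() are kept in agreement by hand, so a note in one place pointing at the other would stop them drifting apart.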