| 1234567891011121314151617181920212223242526272829303132333435363738394041 |
- From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
- From: Eneas U de Queiroz <[email protected]>
- Date: Mon, 11 Mar 2019 09:29:13 -0300
- Subject: e_devcrypto: default to not use digests in engine
- Digests are almost always slower when using /dev/crypto because of the
- cost of the context switches. Only for large blocks it is worth it.
- Also, when forking, the open context structures are duplicated, but the
- internal kernel sessions are still shared between forks, which means an
- update/close operation in one fork affects all processes using that
- session.
- This affects digests, especially for HMAC, where the session with the
- key hash is used as a source for subsequent operations. At least one
- popular application does this across a fork. Disabling digests by
- default will mitigate the problem, while still allowing the user to
- turn them on if it is safe and fast enough.
- Signed-off-by: Eneas U de Queiroz <[email protected]>
- --- a/engines/e_devcrypto.c
- +++ b/engines/e_devcrypto.c
- @@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
- i++) {
-
- - selected_digests[i] = 1;
- + selected_digests[i] = 0;
-
- /*
- * Check that the digest is usable
- @@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
- #ifdef IMPLEMENT_DIGEST
- {DEVCRYPTO_CMD_DIGESTS,
- "DIGESTS",
- - "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
- + "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
- ENGINE_CMD_FLAG_STRING},
- #endif
-
|
