b.liu | e958203 | 2025-04-17 19:18:16 +0800 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Eneas U de Queiroz <cote2004-github@yahoo.com> |
| 3 | Date: Mon, 11 Mar 2019 09:29:13 -0300 |
| 4 | Subject: e_devcrypto: default to not use digests in engine |
| 5 | |
| 6 | Digests are almost always slower when using /dev/crypto because of the |
| 7 | cost of the context switches. Only for large blocks it is worth it. |
| 8 | |
| 9 | Also, when forking, the open context structures are duplicated, but the |
| 10 | internal kernel sessions are still shared between forks, which means an |
| 11 | update/close operation in one fork affects all processes using that |
| 12 | session. |
| 13 | |
| 14 | This affects digests, especially for HMAC, where the session with the |
| 15 | key hash is used as a source for subsequent operations. At least one |
| 16 | popular application does this across a fork. Disabling digests by |
| 17 | default will mitigate the problem, while still allowing the user to |
| 18 | turn them on if it is safe and fast enough. |
| 19 | |
| 20 | Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> |
| 21 | |
| 22 | --- a/engines/e_devcrypto.c |
| 23 | +++ b/engines/e_devcrypto.c |
| 24 | @@ -905,7 +905,7 @@ static void prepare_digest_methods(void) |
| 25 | for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); |
| 26 | i++) { |
| 27 | |
| 28 | - selected_digests[i] = 1; |
| 29 | + selected_digests[i] = 0; |
| 30 | |
| 31 | /* |
| 32 | * Check that the digest is usable |
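Review bot: the assignment `selected_digests[i] = 0;` carries no comment saying why digests are off by default, so the rationale (context-switch cost, and kernel sessions that stay shared across fork and break HMAC use) exists only in the commit message. Add a short comment above the assignment that names both reasons and points to the DIGESTS engine command as the opt-in, so a later cleanup does not quietly flip it back to 1.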
| 33 | @@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c |
| 34 | #ifdef IMPLEMENT_DIGEST |
| 35 | {DEVCRYPTO_CMD_DIGESTS, |
| 36 | "DIGESTS", |
| 37 | - "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", |
| 38 | + "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]", |
| 39 | ENGINE_CMD_FLAG_STRING}, |
| 40 | #endif |
| 41 | |
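Review bot: the DIGESTS help string now reads `[default=NONE]` but gives a user who opts in no hint of the fork hazard described in the commit message, which this change mitigates by default rather than fixes. Consider documenting next to this command, here or in the engine documentation, that enabling digests is unsafe for applications that carry a digest or HMAC context across fork(), because an update/close in one process affects every process sharing that kernel session.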