mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-30 02:29:01 +00:00
d868d0a5d7
This version fixes 3 low-severity vulnerabilities: - CVE-2019-1547: ECDSA remote timing attack - CVE-2019-1549: Fork Protection - CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001
|
|
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
|
Date: Mon, 11 Mar 2019 09:29:13 -0300
|
|
Subject: e_devcrypto: default to not use digests in engine
|
|
|
|
Digests are almost always slower when using /dev/crypto because of the
|
|
cost of the context switches. Only for large blocks it is worth it.
|
|
|
|
Also, when forking, the open context structures are duplicated, but the
|
|
internal kernel sessions are still shared between forks, which means an
|
|
update/close operation in one fork affects all processes using that
|
|
session.
|
|
|
|
This affects digests, especially for HMAC, where the session with the
|
|
key hash is used as a source for subsequent operations. At least one
|
|
popular application does this across a fork. Disabling digests by
|
|
default will mitigate the problem, while still allowing the user to
|
|
turn them on if it is safe and fast enough.
|
|
|
|
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
|
|
|
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
|
|
index fb5c6e1636..7741138b82 100644
|
|
--- a/engines/e_devcrypto.c
|
|
+++ b/engines/e_devcrypto.c
|
|
@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
|
|
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
|
|
i++) {
|
|
|
|
- selected_digests[i] = 1;
|
|
+ selected_digests[i] = 0;
|
|
|
|
/*
|
|
* Check that the digest is usable
|
|
@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
|
|
#ifdef IMPLEMENT_DIGEST
|
|
{DEVCRYPTO_CMD_DIGESTS,
|
|
"DIGESTS",
|
|
- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
|
|
+ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
|
|
ENGINE_CMD_FLAG_STRING},
|
|
#endif
|
|
|