mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-29 10:08:59 +00:00
2407b1edcc
Openssh uses digest contexts across forks, which is not supported by the /dev/crypto engine. The speed of digests is usually not worth enabling them anyway. This changes the default of the DIGESTS option to NONE, so the user still has the option to enable them. Added another patch related to the use of encryption contexts across forks, that ignores a failure to close a previous open session when reinitializing a context, instead of failing the reinitialization. Added a link to the Cryptographic Hardware Accelerators document to the engine pacakges description, to provide more detailed instructions to configure the engines. Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used by openssh. There is an open PR to update openssh; when merged, this symbol can be safely removed. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
From 5d3be6bc8ed7d73ab2c4d389fb0f0a03dacd04b1 Mon Sep 17 00:00:00 2001
|
|
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
|
Date: Mon, 11 Mar 2019 09:29:13 -0300
|
|
Subject: [PATCH] e_devcrypto: default to not use digests in engine
|
|
|
|
Digests are almost always slower when using /dev/crypto because of the
|
|
cost of the context switches. Only for large blocks it is worth it.
|
|
|
|
Also, when forking, the open context structures are duplicated, but the
|
|
internal kernel sessions are still shared between forks, which means an
|
|
update/close operation in one fork affects all processes using that
|
|
session.
|
|
|
|
This affects digests, especially for HMAC, where the session with the
|
|
key hash is used as a source for subsequent operations. At least one
|
|
popular application does this across a fork. Disabling digests by
|
|
default will mitigate the problem, while still allowing the user to
|
|
turn them on if it is safe and fast enough.
|
|
|
|
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
|
|
|
--- a/engines/e_devcrypto.c
|
|
+++ b/engines/e_devcrypto.c
|
|
@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
|
|
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
|
|
i++) {
|
|
|
|
- selected_digests[i] = 1;
|
|
+ selected_digests[i] = 0;
|
|
|
|
/*
|
|
* Check that the digest is usable
|
|
@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
|
|
#ifdef IMPLEMENT_DIGEST
|
|
{DEVCRYPTO_CMD_DIGESTS,
|
|
"DIGESTS",
|
|
- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
|
|
+ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
|
|
ENGINE_CMD_FLAG_STRING},
|
|
#endif
|
|
|