Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
  *) Fixed a regression introduced in 1.1.1r version not refreshing the
     certificate data to be signed before signing the certificate.
     [Gibeom Gwon]
 Changes between 1.1.1q and 1.1.1r [11 Oct 2022]
  *) Fixed the linux-mips64 Configure target which was missing the
     SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
     platform.
     [Adam Joseph]
  *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
     causing incorrect results in some cases as a result.
     [Paul Dale]
  *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
     report correct results in some cases
     [Matt Caswell]
  *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
     different key sizes
     [Todd Short]
  *) Added the loongarch64 target
     [Shi Pujin]
  *) Fixed a DRBG seed propagation thread safety issue
     [Bernd Edlinger]
  *) Fixed a memory leak in tls13_generate_secret
     [Bernd Edlinger]
  *) Fixed reported performance degradation on aarch64. Restored the
     implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
     32-bit lane assignment in CTR mode") for 64bit targets only, since it is
     reportedly 2-17% slower and the silicon errata only affects 32bit targets.
     The new algorithm is still used for 32 bit targets.
     [Bernd Edlinger]
  *) Added a missing header for memcmp that caused compilation failure on some
     platforms
     [Gregor Jasny]
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine

Digests are almost always slower when using /dev/crypto because of the
cost of the context switches.  Only for large blocks it is worth it.

Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that
session.

This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations.  At least one
popular application does this across a fork.  Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
          i++) {
 
-        selected_digests[i] = 1;
+        selected_digests[i] = 0;
 
         /*
          * Check that the digest is usable
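Review bot: The new default at "selected_digests[i] = 0;" in prepare_digest_methods() carries no comment, so the reason digests start deselected (context-switch cost, and kernel sessions shared across fork that affect HMAC) exists only in the commit message. Suggest a short comment above the assignment so the value is not flipped back to 1 later. It is also worth confirming that a DIGESTS selection supplied by the user is applied after this loop has run, since the loop sets every entry unconditionally.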
@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
 #ifdef IMPLEMENT_DIGEST
    {DEVCRYPTO_CMD_DIGESTS,
     "DIGESTS",
-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
     ENGINE_CMD_FLAG_STRING},
 #endif
 
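Review bot: The "[default=NONE]" text in the DIGESTS command description is a second, independent statement of the default that "selected_digests[i] = 0;" sets in prepare_digest_methods(), and nothing keeps the two in step. Suggest deriving both from one macro, or at least cross-referencing them in a comment at each site. Because this changes behaviour for anyone who relied on the previous ALL default, the change should also be noted wherever the engine's DIGESTS setting is documented for users.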