From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine

Digests are almost always slower when using /dev/crypto because of the
cost of the context switches.  Only for large blocks it is worth it.

Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that
session.

This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations.  At least one
popular application does this across a fork.  Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
index fb5c6e1636..7741138b82 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
          i++) {
 
-        selected_digests[i] = 1;
+        selected_digests[i] = 0;
 
         /*
          * Check that the digest is usable
@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
 #ifdef IMPLEMENT_DIGEST
    {DEVCRYPTO_CMD_DIGESTS,
     "DIGESTS",
-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
     ENGINE_CMD_FLAG_STRING},
 #endif