Add API support for pipelining in provided ciphers #18298

Open
ShuaiYuan21 opened this issue May 12, 2022 · 7 comments
Labels
inactive triaged: feature The issue/pr requests/adds a feature


@ShuaiYuan21
Contributor

Hi,

We are developing our own provider under the OpenSSL 3.0 framework.

However, when it comes to the aes_cbc_hmac_sha algorithm, we cannot find a way to set up the EVP_CIPHER structure.

Previously, taking the engine in OpenSSL 1.1.1 as an example, after we created the EVP_CIPHER_CTX generated by EVP_CIPHER_CTX_new(), it could be initialized by EVP_CipherInit_ex(), which will call some of the preset functions in the engine. EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags) is one of them, and we can use this function to set the flags variable of the cipher in the EVP_CIPHER_CTX structure.

Like this:

ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL)
    return NULL;
if (EVP_CipherInit_ex(ctx, EVP_aes_128_cbc_hmac_sha1(),
                      engine, key, _ivec, enc) != 1)
    goto err;

However, in OpenSSL 3.0, the entire framework has changed. EVP_CIPHER has been finalized as early as after the EVP_CIPHER_fetch() function is executed, and we have no way to make any changes to the member variable flags of EVP_CIPHER.

static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
                                    const EVP_CIPHER *cipher,
                                    ENGINE *impl, const unsigned char *key,
                                    const unsigned char *iv, int enc,
                                    const OSSL_PARAM params[])
{
    ......

    if (cipher->prov == NULL) {
    ......
        EVP_CIPHER *provciph =
            EVP_CIPHER_fetch(NULL,
                             cipher->nid == NID_undef ? "NULL"
                                                      : OBJ_nid2sn(cipher->nid),
                             "");

        if (provciph == NULL)
            return 0;
        cipher = provciph;
        EVP_CIPHER_free(ctx->fetched_cipher);
        ctx->fetched_cipher = provciph;
#endif
    }

    ......

    ctx->cipher = cipher;
    if (ctx->algctx == NULL) {
        ctx->algctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov));
        if (ctx->algctx == NULL) {
            ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
            return 0;
        }
    }

    ......
}

What we want to do is to be able to configure EVP_CIPHER to support the pipeline feature by adding EVP_CIPH_FLAG_PIPELINE to its flags variable.

We can still find the definition of pipeline in the code of OpenSSL 3.0, but the flags variable in the cipher is marked as legacy, so does OpenSSL 3.0 still support the pipeline feature? And if so, how do we configure it?

  • The definition of EVP_CIPH_FLAG_PIPELINE:
/* Cipher can handle pipeline operations */
# define         EVP_CIPH_FLAG_PIPELINE          0X800000
  • EVP_CIPHER structure:
struct evp_cipher_st {
    ......
    /* Legacy structure members */
    /* Various flags */
    unsigned long flags;
    ......
} /* EVP_CIPHER */ ;

Thanks!

@ShuaiYuan21 ShuaiYuan21 added the issue: question The issue was opened to ask a question label May 12, 2022
@t8m t8m added triaged: question The issue contains a question and removed issue: question The issue was opened to ask a question labels May 12, 2022
@daweiq

daweiq commented May 16, 2022

We have enabled the pipeline in our engine, which needs to set EVP_CIPHER->flags to EVP_CIPH_FLAG_PIPELINE in the engine.
Does OpenSSL-3.0 provider support pipeline?
If yes, how do we update EVP_CIPHER->flags inside the provider?

@paulidale
Contributor

The 3.0 method would be to implement the entire algorithm in the provider.

@daweiq

daweiq commented May 16, 2022

@paulidale Do you mean using the void *ossl_method_construct(OSSL_LIB_CTX *ctx, int operation_id,
to construct a method for storing the cipher->flags?

@mattcaswell
Member

Does OpenSSL-3.0 provider support pipeline?

No. There is no support for pipelining in OpenSSL 3.0 provided ciphers at the moment. We might like to add it in the future.

@daweiq

daweiq commented May 19, 2022

Is there any timeline for enabling pipeline support in provider?
We are relying on this feature to accelerate bulk crypto through HW.

@mattcaswell
Member

Is there any timeline for enabling pipeline support in provider?

Unfortunately not. It's not currently planned.

@t8m t8m added triaged: feature The issue/pr requests/adds a feature and removed triaged: question The issue contains a question labels Oct 24, 2022
@t8m t8m changed the title Does OpenSSL 3.0 cipher support pipeline feature? Add API support for pipelining in provided ciphers Oct 24, 2022
@nhorman
Contributor

nhorman commented Jun 9, 2024

Marking as inactive, to be closed when 3.4 dev cycle ends, barring further input
