Cache Digest constants

[mattcaswell]

EVP_CIPHER already caches certain constants so that we don't have to query the provider every time. We do the same thing with EVP_MD constants. Without this we can get performance issues, e.g. running "speed" with small blocks of data to digest can spend a long time in EVP_MD_size(), which should be quick.

Partialy fixes #13578

I've also refactored the EVP_CIPHER constant caching to move it into evp_cipher_from_dispatch, i.e. to where the EVP_CIPHER actually gets constructed rather than where it is fetched in EVP_CIPHER_fetch. The problem with the latter is that we construct a cipher once, but we may fetch it many times. We shouldn't have to cache the constants every time we fetch.

[mattcaswell]

I've run some tests to see the effect on performance of this change. I ran both the "before" and "after" tests with #13721 applied. I'm seeing quite a lot of variability in the results from one run to the next, so my confidence the precise numbers is quite low. To try and reduce variability as much as possible I "warmed up" my machine before both the "before" and "after" tests by repeating the same speed command 5 times and discarding the results. I then ran the command again 5 times and recorded the results.

I compiled with just config --strict-warnings, and ran this speed command:

openssl speed -evp sha256 -bytes 16

The "before" output was:

sha256           38566.15k
sha256           36042.71k
sha256           42937.12k
sha256           42312.67k
sha256           44117.60k

Which gives an average of 40795.25k

The "after" output was:

sha256           46979.81k
sha256           49308.40k
sha256           48095.66k
sha256           46935.39k
sha256           46201.71k

Which gives an average of 47504.19k.

This represents a speed-up of approximately 16% (if you believe the numbers).

[beldmit]

Why do we don't check for md here but check in EVP_MD_size?

[beldmit]

The same question is about EVP_MD_flags

[mattcaswell]

I'm just reverting the implementation back to the way it used to be in 1.1.1. There, EVP_MD_size() has the check:

openssl/crypto/evp/evp_lib.c

Lines 320 to 327 in 64a1b94

	int EVP_MD_size(const EVP_MD *md)
	{
	if (!md) {
	EVPerr(EVP_F_EVP_MD_SIZE, EVP_R_MESSAGE_DIGEST_IS_NULL);
	return -1;
	}
	return md->md_size;
	}

But EVP_MD_block_size and EVP_MD_flags do not:

openssl/crypto/evp/evp_lib.c

Lines 305 to 308 in 64a1b94

	int EVP_MD_block_size(const EVP_MD *md)
	{
	return md->block_size;
	}

openssl/crypto/evp/evp_lib.c

Lines 329 to 332 in 64a1b94

	unsigned long EVP_MD_flags(const EVP_MD *md)
	{
	return md->flags;
	}

[beldmit]

LGTM

[kroeckx]

Deprecated functions like EVP_MD_meth_set_result_size() set md->md_size, which is now the cached value. Either they should actually change something in the provider, return an error, or be removed. This PR doesn't actually introduce the problem, but now seems to use existing variables that were not initialized before, but that we did read and then don't do anything with.

The functions are currently documented to just return 1.

[beldmit]

I think it's a separate issue and these functions should not be applicable to provided digests.

[mattcaswell]

I think it's a separate issue and these functions should not be applicable to provided digests.

Exactly. Those functions are deprecated for a reason. They are intended for use when you are setting up your own custom EVP_MD which you have created yourself.

Either they should actually change something in the provider, return an error, or be removed.

I disagree. They are deprecated and therefore their usage is strongly discouraged. Existing uses will not be broken. I don't see a problem here.

[openssl-machine]

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

[beldmit]

Merged. Thanks!