openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

devcrypto engine cipher_data_st structure missing CFB and OFB ciphers #21297

Open Ashok-d-attikatti opened 1 year ago

Ashok-d-attikatti commented 1 year ago

Hello,

I was just walking through the OpenSSL 1.1.1f source code. Below is the flow of the code; kindly correct me if I am wrong.

```text
~/openssl-1.1.1f
|---> main()                                   apps/openssl.c
      |---> apps_startup()
            |---> OPENSSL_init_ssl()           ssl/ssl_init.c
                  |---> OPENSSL_init_crypto()  crypto/init.c
                        |---> &engine_devcrypto
                              |---> engine_load_devcrypto_int()
                                    |---> prepare_cipher_methods()
                                          |---> cipher_data[]
```

In the cipher_data[] list I found only the AES-ECB, AES-CBC and AES-CTR ciphers listed; the AES-OFB and AES-CFB ciphers are missing.

Can anyone give me clarification about the OpenSSL flow and cipher_data[]? Why are OFB and CFB missing from the list?

Thanks, Ashoka A D

t8m commented 1 year ago

AES-OFB and AES-CFB cipher modes aren't supported by the devcrypto engine.

Ashok-d-attikatti commented 1 year ago

Understood your point and I have a scenario below.

[Screenshot from 2023-06-28 09-37-38]

Here, can you confirm whether user-space OpenSSL will access and set the hardware registers for AES-OFB/CFB? If not, which mode will set the register by default?

Thanks, Ashoka A D

Ashok-d-attikatti commented 1 year ago

I found the sources below, and they mention that CFB and OFB mode support is available. https://github.com/cryptodev-linux/cryptodev-linux/blob/master/crypto/cryptodev.h

paulidale commented 1 year ago

The answer is still no. The OpenSSL devcrypto engine doesn't support these modes. That's regardless of the underlying kernel implementation and hardware having them or not.

Given that engines are deprecated and on the way out, I don't see this becoming a sufficiently high priority for the project to look at addressing. That doesn't mean we wouldn't accept a pull request from a third party adding it. It would be far better done as a provider.

Ashok-d-attikatti commented 11 months ago

Hi Team,

We raised this issue quite some time back. We are looking for details on having AES-OFB and AES-CFB in OpenSSL, which will be used to access the hardware via the devcrypto engine. This is a very critical part of verifying that the state of our hardware supports OFB and CFB.

As we were exploring implementing this, we tried to add the support in cipher_data[], but we are unable to achieve this, as we are observing the error below; the log is attached for your reference...

```text
Error setting cipher AES-256-CFB
20C481C63F000000:error:13000092:engine routines:ENGINE_get_cipher:unimplemented cipher:crypto/engine/tb_cipher.c:80:
20C481C63F000000:error:03000086:digital envelope routines:evp_cipher_init_internal:initialization error:crypto/evp/evp_enc.c:296:
```

Can you please help us implement AES support for OFB and CFB, so that we can further understand the challenges and feasibility, and know whether this is possible?

Thanks, Ashoka A D

t8m commented 11 months ago

I am sorry, but implementing additional cipher support in an existing engine is unlikely to be a team priority, as the engines API is deprecated and will be removed in the future.

It would be interesting to have OpenSSL providers that utilize the devcrypto or afalg interfaces to kernel crypto implementations; however, this is not a small effort, and it is not on the current list of priorities for the team either.

Ashok-d-attikatti commented 11 months ago

Hi @t8m,

Thanks for your reply. Can you please let us know whether the AES-OFB and AES-CFB modes are deprecated in current OpenSSL, and whether there are any older versions of OpenSSL that have cipher support for the same?

Thanks, Ashoka A D

t8m commented 11 months ago

No, neither AES-OFB nor AES-CFB are deprecated.

You have to understand that these ciphers are just unsupported by the devcrypto engine (which is deprecated). They are otherwise supported and not deprecated.
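An added example, not from this thread or the OpenSSL project, showing the check a deployer wants after the answer above: parse the capability list the engine actually advertises (the format printed by `openssl engine -c devcrypto`; the listing here is constructed for a 1.1.1-era build) and fall back to the default software implementation for modes the engine does not register, instead of failing with "unimplemented cipher".

```shell
#!/bin/sh
# Constructed sample of `openssl engine -c devcrypto` output for a 1.1.1-era build.
# The devcrypto engine registers only the AES modes in its cipher_data[] table
# (ECB, CBC, CTR), so OFB and CFB never appear here regardless of kernel support.
SAMPLE_LISTING='(devcrypto) /dev/crypto engine
 [AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR]'

# engine_has_cipher LISTING CIPHER
# Succeeds if CIPHER (e.g. AES-256-CBC) appears in the engine's capability list.
engine_has_cipher() {
    listing=$1
    cipher=$2
    printf '%s\n' "$listing" \
        | sed 's/[][,]/ /g' \
        | tr -s ' ' '\n' \
        | grep -qix "$cipher"
}

# choose_enc_args CIPHER LISTING
# Prints the `openssl enc` arguments to use: engine-backed when the engine
# advertises the cipher, otherwise the default software implementation
# (same cipher, no -engine). Warns on stderr when falling back.
choose_enc_args() {
    cipher=$1
    listing=$2
    lc=$(printf '%s' "$cipher" | tr 'A-Z' 'a-z')
    if engine_has_cipher "$listing" "$cipher"; then
        printf '%s' "-engine devcrypto -$lc"
    else
        printf 'warning: devcrypto does not advertise %s; using software %s\n' \
            "$cipher" "$cipher" >&2
        printf '%s' "-$lc"
    fi
}

# Stand-alone demo. On a real system replace SAMPLE_LISTING with
#   listing=$(openssl engine -c devcrypto 2>/dev/null)
for c in AES-256-CBC AES-256-CTR AES-256-CFB AES-256-OFB; do
    printf '%-12s -> %s\n' "$c" "$(choose_enc_args "$c" "$SAMPLE_LISTING")"
done
```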