[openssl-dev] Adding async support

[Matt Caswell]

Hi all

A number of people have expressed interest in the async work that I have
been doing in collaboration with Intel. This has now progressed to the
point where it is going through team review. I thought some of you might
like to get early sight of this so I have pushed it to my personal
github repo (see the "main-async" branch):

https://github.com/mattcaswell/openssl

Obviously there may be some tweaks that occur during the review process
but hopefully it is stable enough to give you an idea of how it will work.

I have also opened a github pull request so you can post comments on the
code there if you wish:

https://github.com/openssl/openssl/pull/433

The idea is that async aware application code will be able to use
OpenSSL to initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine. For example
you could imagine an engine that could initiate work on some external
hardware and enable application code to come back at some later time for
the results.

This has been implemented through the concept of an ASYNC_JOB. At the
libcrypto level an application developer would write a function that
they wish to execute asynchronously which might call a number of
different crypto operations. They can then initiate that job using a new
API call "ASYNC_start_job()". The function will then execute until the
engine (or indeed anything - it doesn't have to be in an engine; it
could be user code) calls "ASYNC_pause_job()". At this point control
returns back to the application code. The job can be resumed later
through a second call to "ASYNC_start_job()" - it will pick up where it
left off. The main restriction here is that this must be done from the
same thread as the original ASYNC_start_job() call. A flagging mechanism
has been implemented to enable application code to know whether the
async job is "ready" to be resumed.

libssl has been made async aware through the introduction of a new mode
"SSL_MODE_ASYNC". The mode is set using a call to one of the existing
functions SSL_CTX_set_mode() or SSL_set_mode(). Having set that mode
calls to functions such as SSL_read/SSL_write etc, may now start
returning an SSL_ERROR_WANT_ASYNC response (if an async capable engine
is present). To resume you simply recall SSL_read/SSL_write in the same
way as you would if you got an SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE. Similarly to above you must do this from the same
thread as the original call.

In order to enable people to test this out I have provided a "Dummy
Async" engine (dasync). This can't really do async work, but it pretends
it can :-). For certain crypto operations (currently only SHA1 and RSA)
it will call ASYNC_pause_job() at various points. Once you resume the
job it will just continue synchronously.

I have also added async support to s_server and s_client through the new
"-async" flag. The will set the SSL_MODE_ASYNC mode. In order to have an
effect you will obviously also need an async engine (such as dasync)
loaded through the "-engine" flag. Note that dasync will only be loaded
dynamically and thus OpenSSL must be built "shared" for this to work.

Documentation including some example code is available on all of this here:
https://github.com/mattcaswell/openssl/blob/main-async/doc/crypto/ASYNC_start_job.pod
https://github.com/mattcaswell/openssl/blob/main-async/doc/ssl/SSL_get_error.pod
https://github.com/mattcaswell/openssl/blob/main-async/doc/ssl/SSL_get_async_wait_fd.pod
https://github.com/mattcaswell/openssl/blob/main-async/doc/ssl/SSL_CTX_set_mode.pod

I'd be interested to hear your thoughts.

Matt