Fetching composite algorithms and using them - adding the bits still missing
============================================================================

Quick background
----------------

We currently support - at least in the public libcrypto API - explicitly
fetching composite algorithms (such as AES-128-CBC or HMAC-SHA256), and
using them in most cases.  In some cases (symmetric ciphers), our providers
also provide them.

However, there is one class of algorithms where the support for *using*
explicitly fetched algorithms is lacking: asymmetric algorithms.

For a longer background and explanation, see
[Background / tl;dr](#background-tldr) at the end of this design.

Public API - Add variants of `EVP_PKEY_CTX` initializers
--------------------------------------------------------

As far as this design is concerned, these API sets are affected:

- SIGNATURE
- ASYM_CIPHER
- KEYEXCH

The proposal is to add these initializer functions:

``` C
int EVP_PKEY_sign_init_ex2(EVP_PKEY_CTX *pctx,
                           EVP_SIGNATURE *algo, const OSSL_PARAM params[]);
int EVP_PKEY_verify_init_ex2(EVP_PKEY_CTX *pctx,
                             EVP_SIGNATURE *algo, const OSSL_PARAM params[]);
int EVP_PKEY_verify_recover_init_ex2(EVP_PKEY_CTX *pctx,
                                     EVP_SIGNATURE *algo, const OSSL_PARAM params[]);

int EVP_PKEY_encrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph,
                              const OSSL_PARAM params[]);
int EVP_PKEY_decrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph,
                              const OSSL_PARAM params[]);

int EVP_PKEY_derive_init_ex2(EVP_PKEY_CTX *ctx, EVP_KEYEXCH *exchange,
                             const OSSL_PARAM params[]);
```

Detailed proposal for these APIs will be or are prepared in other design
documents:

- [Functions for explicitly fetched signature algorithms]
- [Functions for explicitly fetched asym-cipher algorithms] (not yet designed)
- [Functions for explicitly fetched keyexch algorithms] (not yet designed)

-----

-----

Background / tl;dr
------------------

### What is a composite algorithm?

A composite algorithm is an algorithm that's composed of more than one other
algorithm.  In OpenSSL parlance with a focus on signatures, they have been
known as "sigalgs", but this is really broader than just signature algorithms.
Examples are:

-   AES-128-CBC
-   hmacWithSHA256
-   sha256WithRSAEncryption

### The connection with AlgorithmIdentifiers

AlgorithmIdentifier is an ASN.1 structure that defines an algorithm as an
OID, along with parameters that should be passed to that algorithm.

It is expected that an application should be able to take that OID and
fetch it directly, after conversion to string form (either a name if the
application or libcrypto happens to know it, or the OID itself in canonical
numerical form).  To enable this, explicit fetching is necessary.

### What we have today

As a matter of fact, we already have built-in support for fetching
composite algorithms, although our providers do not fully participate in
that support, and *most of the time*, we also have public APIs to use the
fetched result, commonly known as support for explicit fetching.

The idea is that providers can declare the different compositions of a base
algorithm in the `OSSL_ALGORITHM` array, each pointing to different
`OSSL_DISPATCH` tables, which would in turn refer to pretty much the same
functions, apart from the constructor function.

For example, we already do this with symmetric ciphers.

Another example, which we could implement in our providers today, would be
compositions of HMAC:

``` C
static const OSSL_ALGORITHM deflt_macs[] = {
    /* ... */
    { "HMAC-SHA1:hmacWithSHA1:1.2.840.113549.2.7",
      "provider=default", ossl_hmac_sha1_functions },
    { "HMAC-SHA224:hmacWithSHA224:1.2.840.113549.2.8",
      "provider=default", ossl_hmac_sha224_functions },
    { "HMAC-SHA256:hmacWithSHA256:1.2.840.113549.2.9",
      "provider=default", ossl_hmac_sha256_functions },
    { "HMAC-SHA384:hmacWithSHA384:1.2.840.113549.2.10",
      "provider=default", ossl_hmac_sha384_functions },
    { "HMAC-SHA512:hmacWithSHA512:1.2.840.113549.2.11",
      "provider=default", ossl_hmac_sha512_functions },
    /* ... */
```

### What we don't have today

There are some classes of algorithms for which we have no support for using
the result of explicit fetching.  So for example, while it's possible for a
provider to declare composite algorithms through the `OSSL_ALGORITHM` array,
there's currently no way for an application to use them.

This all revolves around asymmetric algorithms, where we currently only
support implicit fetching.

This is hurtful in multiple ways:

-   It fails the provider authors in terms being able to consistently
    declare all algorithms through `OSSL_ALGORITHM` arrays.
-   It fails the applications in terms of being able to fetch algorithms and
    use the result.
-   It fails discoverability, for example through the `openssl list`
    command.

<!-- links -->
[Functions for explicitly fetched signature algorithms]:
    functions-for-explicitly-fetched-signature-algorithms.md