EVP_SignFinal() behaviour change (provider dependent)

Steffen Nurpmeso steffen at sdaoden.eu
Wed Jan 31 14:38:12 UTC 2024


Hello.

I just stumbled over a possible backward-incompatible code
breakage in EVP_Sign.. code flow, documented as

   Note that not all providers support continuation, in case the selected
   provider does not allow to duplicate contexts EVP_SignFinal() will
   finalize the digest context and attempting to process additional data
   via EVP_SignUpdate() will result in an error.

since commit [0fc00fc0e3867fc5f95fab1046ad7d2a85db06f8] aka
openssl-3.0.0-beta2-2597-g0fc00fc0e3.
In there OpenSSL changed (trimmed a bit)

  -    dctx = EVP_PKEY_CTX_dup(pctx);
  -    if (dctx == NULL)
  -        return 0;
  -    r = dctx->op.sig.signature->digest_sign_final(dctx->op.sig.algctx,

to

  +    if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
  +        /* try dup */
  +        dctx = EVP_PKEY_CTX_dup(pctx);
  +        if (dctx != NULL)
  +            pctx = dctx;
  +    }
  +    r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
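Review bot: in the added block, when EVP_PKEY_CTX_dup() returns NULL the `pctx = dctx` assignment is skipped and digest_sign_final() runs on the caller's own context, so that context is finalised with no error and no indication to the caller, whereas the removed code returned 0 in that case. Either return an error when the duplicate fails and EVP_MD_CTX_FLAG_FINALISE is not set, or document the one-shot fallback in the function's manual page and in migration_guide(7) so callers can test for it instead of discovering it on the next update or final call.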

Unless i am mistaken this is not announced in the
migration_guide(7).

I want to point out that this breaks code flow unexpectedly.
Yet i do not really care on whether a future Update() fails.

But i do have code paths which create a digest (on potential large
data) and then repeatedly sign the result with different keys.

As i am not a cryptographer, i would like to have some advice
regarding whether calling Final() repeatedly with different keys
is still supported by OpenSSL.  It would be very nice if that
could be explicitly documented if that is still the case.

I am of the opinion that OpenSSL *should* make this explicitly
supported, as otherwise existing code flows have to be changed in
that multiple message digest contexts have to be updated concurrently
in order to create signatures of different type.

As a very personal opinion i find it strange that such
a *tremendous* behaviour change -- as can be seen above the
*original* object is simply used if the duplicate fails.
This changes behaviour which was documented and used for over a
quarter of a century!  I would have expected that instead the
provider implementations will be changed, or the necessity for
them to provide that functionality would be documented.

    Signed-off-by: Simo Sorce <simo at redhat.com>

    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/20375)

Ok .. but i do not know, really.

So please, could someone attest that calling *only*
EVP_SignFinal() multiple adjacent times, that is, without
intervening EVP_SignUpdate() calls, but with different keys,
continues to be supported by OpenSSL?

Thank you very much.

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)