New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Deprecate DSA_sign_setup() in the documentation #6460
Conversation
I could be wrong about this but I don't see the issue here. On general software design principles (not being a cryptograpgpher) I would ask the question: What does Is that a useful, neutral third-party viewpoint. I'd like to think so. Just get rid of it, I say. |
@HPaulS I can show an example of why different ENGINE implementations matter in updating the documentation for this function. Reading this or this (which I think refer to 1.0.2 or before), the idea behind that "precomputation in time-critical scenarios" sentence is that DSA signing is made of two computationally expensive parts:
How much the computational complexity of the first step outweighs the second depends on the host architecture and the DSA modulus size. Both scenarios can be implemented using OpenSSL ENGINEs (as the ( This is why I am asking feedback from the OpenSSL dev team, as I don't have a full picture of what existing alternative implementations do and expect. @richsalz, @mattcaswell what are your thoughts on the matter? |
@romen OK, I see where you're coming from. In fact I can see benefits in being able to run
Then just update the docs with the new API (and how it behaves) and deprecate |
While yes that is technically true, I think its a corner case that most users don't need to worry about. I don't think we need to elaborate it in the docs. |
@mattcaswell @romen My$0.02, for what it's worth, regarding the API, rather then the docs themselves. My benchmark (performed on Windows with 1.0.2, since that's the latest version I could test this with directly) showed that at least 99% of the time required to sign a message is spent in So, if the decision is to get rid of If I need to open a new issue to request this, please let me know and I will do so. And I'm sorry if I have caused any confusion or extra work for you all by jumping in with both feet as I did. |
It should go from 1.2.0 (whenever that is), but cannot go from current releases due to ABI compatibility rules. An issue reminding us to do that when we get to 1.2.0 (which we can flag with the 1.2.0 label) might be helpful. |
@HPaulS I agree that also the current API is misleading, but no change whatsoever can happen in the API now, we need to wait until the next major release, as changing the public API affects binary compatibility, and that cannot happen in a minor release. @mattcaswell approved the documentation change as it is now, simply deprecating the usage of |
@mattcaswell you ninjaed me!! :) I will open the separate issue to request a change in the API for the next major version. |
Thank you guys, over and out. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for master (and 1.1.0 if you want).
@richsalz do I need to open a separate pr for 1.1.0 or can this be cherry picked? |
I hope Matt can/will cherry-pick.
|
Pushed. @romen - over to you to raise a new issue for 1.2.0. Thanks! |
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #6460)
I opened #6464 to track the API revision for the next major release |
See #6465 for a 1.0.2 counterpart of this PR. |
Please note that there is a macro |
The deprecation mark should only be done in the master / 1.1.1 branch, though... |
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#6460) (cherry picked from commit 8fe4c0b)
Fixes #6447 by updating the documentation about
DSA_sign_setup()
as the current version is misleading and can be easily interpreted by users as suggesting to reuse the DSA nonce, which should never happen.This should apply to master (1.1.1) and 1.1.0.
I'm not familiar with the original rationale for suggesting to precompute
kinv
andr
, but I believe that even in 1.0.2 the paragraph aboutDSA_sign_setup()
should be rephrased to explicitly warn users that they should not use it to precompute a single nonce and then cal severalDSA_sign()
.To cryptographers this might seem obvious, but we should not expect the users of the library to be cryptography experts.
I marked the PR as WIP because I need feedback about ENGINE implementations of
DSA_meth
: what I wrote is true for the default OpenSSL implementation, as a user has no way to feed the precomputedkinv
andr
back toDSA_sign
, but I can imagine HW ENGINEs using this function to alter the internal state and separate the setup phase from the message/digest consuming phase.If the above is a concern, I would rewrite the documentation to distinguish between the default OpenSSL DSA implementation (for which what I wrote is true) and alternative ENGINE implementations: to write something meaningful in this case I would definitely welcome details or suggestions on how to properly phrase what to expect from non-default implementations.
Also, depending on the answer to the above concern, I would also open an issue for the next major release about completely removing
DSA_sign_setup
as a public function.Checklist