An alternative to address the SM2 ID issues

[InfoHunter]

This is an alternative to #6757 , to fix some SM2 ID relevant issues. Comments are very appreciated.

The idea in this PR is:

1. the ID in SM2 is a "Distinguishing Identifier" defined as "OCTET STRING" instead of ASCII style string. So this PR implements the ID as a pointer-length style instead of assuming it as a null-terminated one.
2. Rename some variables to match the only official English SM2 standard - "ISO/IEC-14888".
3. Don't bother with the default ID '1234567812345678' anymore, that should be the responsibility of the consumer of SM2, not the SM2 low level algorithm.
4. Make it more flexible for the null-length ID, since the base SM2 algorithm makes this thing very unclear. Although GM/T 0009-2012 defines the default ID, but for the algorithm itself, no specification says null-length ID in invalid.
5. Avoid the 'two-calls' to EVP_DigestSign/VerifyInit. Introduce a method to pass an EVP_PKEY_CTX to MD and make it configurable before calling EVP_DigestSign/VerifyInit, so the current sequence of calls is something as follows:

/* obtain an EVP_PKEY from whatever methods... */
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
mctx = EVP_MD_CTX_new();
pctx = EVP_PKEY_CTX_new(pkey, NULL);
EVP_PKEY_CTX_set_sm2_id(pctx, id, id_len);
EVP_MD_CTX_set_pkey_ctx(mctx, pctx);;
EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey);
EVP_DigestVerifyUpdate(mctx, msg, msg_len);
EVP_DigestVerifyFinal(mctx, sig, sig_len)

Document is not updated and test cases are not complete, if this concept is accepted then it should be very easy to complete them.

I borrowed some test code from #6757 to test the correctness of the ID involved signature verification process.

Actually there is another much simpler way of doing this, by using the EVP_ctrl stuffs to set the ID and compute the 'Z' digest after the calls to EVP_DigestSign/VerifyInit. But that will cut the whole algorithm into separated parts so I finally abandoned that idea.

Checklist

• documentation is added or updated
• tests are added or updated

[InfoHunter]

Resolving the travis failures

[mattcaswell]

Looks good. My initial review comments below. Also if I understood you correctly some of the test stuff was lifted from the other PR. Can that bit be in a separate commit with appropriate git author attribution?

[mattcaswell]

Probably this should be size_t

[mattcaswell]

...but this is problematic if it were to be size_t. I still think it should be though...I had too much pain sorting out the "it's a size_t, no it's a long, no it's an int" mess that we used to have in libssl (casts everywhere).

[InfoHunter]

Actually I used size_t initially and changed that to int in 7659f41. Because without the -1 value, it can distinguish if the ID is set or not, any ideas on this?

[mattcaswell]

Perhaps just add an additional flag into the ctx?

[InfoHunter]

Perhaps just add an additional flag into the ctx?

That is workable

[mattcaswell]

Probably you need to copy id_len unconditionally to pick up the -1 initialisation

[mattcaswell]

Probably this should be ...SET1_ID?

[InfoHunter]

I am a little confused with the number after get/set, so 1 here stands for the caller could free the passed-in parameter at his will?

[mattcaswell]

Yes. The number is supposed to give you a hint about the memory management:

get0 == returns a pointer to the internal data. The caller should therefore not free it
get1 == creates a copy of the data or ups a ref count. The caller should free.
set0 == the caller passes ownership of the pointer to the library, so the caller should not subsequently free it
set1 == the caller does not pass ownership of the pointer to the library. The library will take a copy or up a ref count. The caller should free the original pointer.

[InfoHunter]

Understood, thanks for the clear explanation.

[mattcaswell]

Perhaps reword as: "An ID value must be set. The specifications are not clear whether a NULL is allowed. We only allow it if set explicitly for maximum flexibility"

[mattcaswell]

...set1_sm2_id?

[mattcaswell]

Actually, I wonder whether we should lose the sm2 bit altogether. This seems like a fairly general concept that might be needed for other algs in the future. Similarly for the macros below.

[t-j-h]

There should be no sm2 in the name ...

[InfoHunter]

But how to deal with the EVP_PKEY_SM2 parameter in EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_SM2, ...?

[InfoHunter]

Perhaps set that to -1?

[mattcaswell]

Yes, that is what is done elsewhere.

[mattcaswell]

This feels misplaced in the public header - although I understand why you put it there.

[t-j-h]

It should also have a different name - it is do-not-free and neglect isn't the right name to use.
Perhaps EVP_MD_CTX_FLAG_KEEP_PKEY_CTX ... I'd also not abbreviate to PCTX ...

[mattcaswell]

Similarly this seems misplaced.

[InfoHunter]

Hmm, if this is placed in an internal header file, then the value of the flag should be chosen safe...

[mattcaswell]

I'd suggest a comment in the public header stating that the value 8 is reserved for internal use. In the internal header file where we put the definition we add a reference to the public header values.

[levitte]

Why is this flag even needed? If there's a non-NULL digest_custom in a EVP_PKEY_METHOD, then it has a digest custom function... isn't that enough?
(I know that we have sometimes used flags to tell if certain pointers are defined or not, but that's from the time when all structures were public, so flagging was done to allow for a certain level of ABI backward compatibility, to tell if added fields could be relied upon. Since EVP_PKEY_METHOD is opaque, this methodology is no longer needed)

[mattcaswell]

If the type were size_t the int cast would not be needed here.

[mattcaswell]

...and here

[InfoHunter]

Also if I understood you correctly some of the test stuff was lifted from the other PR. Can that bit be in a separate commit with appropriate git author attribution?

Makes sense, will do that.

[levitte]

Why is this flag even needed? If there's a non-NULL digest_custom in a EVP_PKEY_METHOD, then it has a digest custom function... isn't that enough?
(I know that we have sometimes used flags to tell if certain pointers are defined or not, but that's from the time when all structures were public, so flagging was done to allow for a certain level of ABI backward compatibility, to tell if added fields could be relied upon. Since EVP_PKEY_METHOD is opaque, this methodology is no longer needed)

[levitte]

This comment needs editing, since that flag doesn't exist.

[levitte]

EVP_PKEY_FLAG_DIGEST_CUSTOM is unnecessary, it should be enough to check that digest_custom is non-NULL

[InfoHunter]

Ahh, makes sense

[levitte]

Check that digest_custom is non-NULL instead

[levitte]

As I argued before, not necessary, just throw it away

[levitte]

Remove this line

[InfoHunter]

Document is updated to reflect the modification in this PR

[dot-asm]

So that void *foo(EVP_PKEY_METHOD *pmeth) { void *p; EVP_PKEY_meth_get_digest_custom(pmeth, &p); return p; } might return sensible or garbage value. But even if corrected, the check is arguably inappropriate. In sense that it's more appropriate to punish caller with crash if programmer didn't care to arrange proper location that would receive the value, than to let caller believe that everything is fine. "Is fine" means that there is no way of telling it's not fine.

The remark applies to multiple cases. [Which in turn effectively means review process failure.]

[levitte]

These checks exist in other (not all???) method function getters, but are implemented differently in some. I don't think it's a fix to do in this PR, but it would be good to clean this up.

In my opinion, the check should be this:

    if (pdigest_custom)

[InfoHunter]

I agree to the form that Richard suggested

[dot-asm]

I don't think it's a fix to do in this PR,

So suggestion is to perpetuate bugs?

but it would be good to clean this up.

??? "Good" to "clean up"? It's not something that would be "good to do". They are bugs that has to be fixed.

the check should be this:

It's equivalent to demanding NULL-check in memcpy(NULL, p, 1).

[InfoHunter]

I opened an issue (#7130) to keep track of this.

[levitte]

s/degest/digest/

[levitte]

Looking at this had me stumble on stuff I haven't looked at before, the custom signctx functions... and the similarity with what digest_custom is used for is striking! That has me wonder if digest_custom reimplements something that's already there, just in sliiiiightly different form. @InfoHunter, is this something you have explored?

[mattcaswell]

Can this function be called with a NULL pctx (e.g. say if you want to clear one that was previously set)?
What should happen if ctx->pctx is not NULL when this function is called?

[InfoHunter]

Good question. TBH I didn't consider the 'set to NULL' or the 'clear' scenario. But after a quick thinking, I think it would be useful to allow users to set ctx->pctx to NULL (for instance someone wants to reuse the MD_CTX). So the current implementation supports that already.

If ctx->pctx is not NULL when this function is called, then I think it should be the user's responsibility to free the old pctx attached in MD_CTX, makes sense?

[mattcaswell]

If ctx->pctx is not NULL when this function is called, then I think it should be the user's responsibility to free the old pctx attached in MD_CTX, makes sense?

Yes, if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set - but not otherwise.

[InfoHunter]

Ahh, nah, the flag should also be cleared if the ctx->pctx is set to NULL if someone wants to reuse the MD_CTX. So I think there should be a separated EVP_MD_CTX_clr_pkey_ctx` function to do this?

[InfoHunter]

Or we could mix the set/clr behavior into one function by doing something like:

if (pctx == NULL) {
    /* clear the flag... */
}

[mattcaswell]

Hmm..I'm not sure that is necessary. Surely all we need is something like this:

if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
    EVP_PKEY_CTX_free(ctx->pctx);
ctx->pctx = pctx;
if (pctx != NULL)
    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
else
    EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);

[InfoHunter]

Okay, I get the point - It's complicated to deal with such stuffs: one pointer holds two different memory management strategy objects...

[InfoHunter]

In my experience, another way is to have two pointers containing system-created and user-created objects respectively - if the user-created on is used, the the system one will always be NULL. Thus it would make it simpler. But this time let's just mix them together

[mattcaswell]

Add != NULL

[mattcaswell]

!= NULL

[dot-asm]

Facepalm.

[mattcaswell]

Should we free any pre-existing id?

[InfoHunter]

Ahh, you mean if malloc fails, then we should not touch the original previous set smctx->id?

[mattcaswell]

No I mean if there was a pre-existing id then we just introduced a mem leak because we didn't free the old one. So I think you need to add OPENSSL_free(smctx->id); before the malloc.

[InfoHunter]

It seems that is already there. But I improved the logical to defer OPNESSL_free to a more suitable position in the new version of this function.

[mattcaswell]

Duh...why did I not see that?

[InfoHunter]

;-)

[mattcaswell]

"No B<EVP_PKEY_CTX> will be created by EVP_DigsetSignInit() if the passed B<ctx> has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>."

[mattcaswell]

Oh...but wait...there is no SM2(7)!? There probably needs to be something (maybe not in this PR) - otherwise how will people know about the special hoops they need to jump through to be able to use SM2?

[InfoHunter]

In fact I forgot to include that SM2(7)... I used 'git add -u' so the new SM2.pod file is left on my disk...now added

[mattcaswell]

There is no description here of how EVP_PKEY_CTX_set1_id() and EVP_PKEY_get1_id() actually work and what the parameters mean. There should at least be a sentence about the memory management aspects I think.

[mattcaswell]

s/are added/were added/

[mattcaswell]

typo: customized

[mattcaswell]

s/could/will/ ?

[mattcaswell]

Probably there needs to be a call to SM2err here.

[InfoHunter]

That has me wonder if digest_custom reimplements something that's already there, just in sliiiiightly different form. @InfoHunter, is this something you have explored?

The real difference is the position of triggering for signctx (or other function pointers) and digest_custom. Actually we need a calling point right after the 'digest' is initialized and before the 'DigestSign/Verify' is initialized. There is no such thing yet, which makes it's very hard to be fit in some scenarios...

[InfoHunter]

I forgot to include a man(7) page of SM2, now updated...

[levitte]

The real difference is the position of triggering for signctx (or other function pointers) and digest_custom. Actually we need a calling point right after the 'digest' is initialized and before the 'DigestSign/Verify' is initialized. There is no such thing yet, which makes it's very hard to be fit in some scenarios...

Good, so you looked at least. I gotta admit, signctx is new to me, and seems to have multiple applications (depending on the flag EVP_PKEY_FLAG_SIGCTX_CUSTOM); I haven't quite wrapped my head around the differences.

It does worry me, though, that we seems to add more hooks for almost, but not quite the same the same things. I guess that's a future clean-up job 😉

[InfoHunter]

It does worry me, though, that we seems to add more hooks for almost, but not quite the same the same things. I guess that's a future clean-up job

Right. The concept behind this is the 'calling points' for these hooks should be considered and defined carefully and precisely. A very challenging job to design a decent framework as current EVP...

[t-j-h]

This looks like it is missing an SM2err(SM2_F_PKEY_SM2_COPY, ERR_R_MALLOC_FAILURE) call ... for consistency with the other error handling.

[t-j-h]

This looks like it is missing an SM2err(SM2_F_PKEY_SM2_CTRL, ERR_R_MALLOC_FAILURE) call ... for consistency with the other error handling.

[t-j-h]

Once you have added the SM2err calls for malloc failures and fixed the typo in the SM2.pod file this is good to go.

[t-j-h]

Currnet -> The current

[t-j-h]

LGTM

[InfoHunter]

Oops, a nit is fixed

[InfoHunter]

Travis failures are not related. Force a push to re-trigger it...

[InfoHunter]

There is adequate approvals for merging this PR. I would squash and cleanup the commits soon.

[InfoHunter]

I squashed the commits into proper styles - no actual code modified after the 'ready' label is assigned so I don't think this needs to re-approve for the approval by Tim

[mattcaswell]

Lots of comments but I think they're all minor nits in the documentation which should be easy to fix. This looks almost ready.

[mattcaswell]

Nit: manipulate the special identifier field
Nit: for specific signature algorithms

[mattcaswell]

Nit: s/null/NULL/

[mattcaswell]

insert the word "macro" before "returns"

[mattcaswell]

Typo: EVP_PKEY_CTX_set1_id()

[mattcaswell]

Insert the word "macro" before "returns"

[mattcaswell]

Typo: EVP_DigestSignInit()

[mattcaswell]

such a scenario

[mattcaswell]

calling sequence for using an B<EVP_PKEY>...

[mattcaswell]

with the SM2....and the SM3

[mattcaswell]

Perhaps add this sentence. "The example below omits error checking code for clarity. Application code should check the return codes of function calls for errors."

[mattcaswell]

The text above says this is an example for signing. But actually its an example for verifying a signature.

[mattcaswell]

using whatever method

[ronaldtse]

Sounds like things here moved much, much faster here compared to at #6757 . Our unfamiliarity with OpenSSL internals is apparent. Happy to see this merged with appropriate attribution. Thanks @InfoHunter !

[t-j-h]

Approval still stands after @mattcaswell suggested doc changes applied.

[InfoHunter]

Doc nits are all fixed

[InfoHunter]

@mattcaswell , it seems I could merge this now, right?

[mattcaswell]

Sorry a few more nits. Approved assuming you fix those.

[mattcaswell]

Insert the word "macros" before "are used"

[mattcaswell]

Typo: EVP_PKEY_CTX_set1_id()

[mattcaswell]

Change this to "The library takes a copy of the id so that the caller can safely free the original memory pointed to by B<id>"

[mattcaswell]

to the caller in B<id>. The caller should...

[mattcaswell]

typo: missing space "It should"

[mattcaswell]

Typo: EVP_DigestSignInit(()

[mattcaswell]

s/sign/verify/

[InfoHunter]

New nits are fixed, Merged to master from 5bd0abe to f922dac. Closing...