seg fault with ED25519 one shot sign/verify.

[parasssh]

Trying to perform a ED25519 sign/verify operation with one-shot EVP API. Since PureEdDSA does not have a digest, the type input parameter must be NULL in the EVP_DigestSignInit() API. But this results in Segmentation fault:11

Here is the specimen code:

#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>

int main() {
    // Generate ED25519 keypair
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
    EVP_PKEY_keygen_init(pctx);
    EVP_PKEY_keygen(pctx, &pkey);
    
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    
    // type parameter must be NULL for ED25519 since it is PureEdDSA.
    EVP_DigestSignInit(ctx, &pctx, NULL, NULL, pkey);
    
    unsigned char tbs[] = "Hello world";
    unsigned char sigret[256];
    size_t siglen = 256;

    EVP_DigestSign(ctx, sigret, &siglen, tbs, sizeof(tbs));

    printf("Siglen = %d\n", (int)siglen); // expect Siglen = 64 for ED25519 signautre

    // free keys and contexts
    EVP_PKEY_CTX_free(pctx);
    EVP_PKEY_free(pkey);  
    EVP_MD_CTX_free(ctx); // Seg Fault: 11 here. Changing type from NULL to non-NULL such as EVP_sha1() in EVP_DigestSignInit fixes it.

    return 0;
}

Output from command line:

$ gcc main.c -I/usr/local/Cellar/openssl\@1.1/1.1.1-pre8/include -L/usr/local/Cellar/openssl\@1.1/1.1.1-pre8/lib -lcrypto  
$ ./a.out
Siglen = 64
Segmentation fault: 11

[parasssh]

It is noteworthy that when the type parameter to EVP_DigestSignInit() is non-null (in spite of Ed25519 needing no digest) such as EVP_sha1(), there are no seg faults.

[parasssh]

Similar issue is observed while doing ED25519 Verify operations. Here too, using a non-null type parameter results in no seg fault.

[mattcaswell]

There is a problem in your code. I made the following change and it works for me:

--- ed25519segfault.c	2018-08-23 11:02:10.806616965 +0100
+++ ed25519segfault2.c	2018-08-23 11:02:35.789686562 +0100
@@ -9,7 +9,10 @@
     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
     EVP_PKEY_keygen_init(pctx);
     EVP_PKEY_keygen(pctx, &pkey);
-    
+
+    EVP_PKEY_CTX_free(pctx);
+    pctx = NULL;
+
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     
     // type parameter must be NULL for ED25519 since it is PureEdDSA.
@@ -24,7 +27,6 @@
     printf("Siglen = %d\n", (int)siglen); // expect Siglen = 64 for ED25519 signautre
 
     // free keys and contexts
-    EVP_PKEY_CTX_free(pctx);
     EVP_PKEY_free(pkey);  
     EVP_MD_CTX_free(ctx); // Seg Fault: 11 here. Changing type from NULL to non-NULL such as EVP_sha1() in EVP_DigestSignInit fixes it.

The pctx parameter of EVP_DigestSignInit is an output only. Any existing EVP_PKEY_CTX that is pointed to by that parameter is ignored, and it is overwritten with one that EVP_DigestSignInit creates. This is a pointer to the internal EVP_PKEY_CTX structure managed by the containing EVP_MD_CTX and must not be freed by applications. Since you were explicitly freeing it, this causes a double-free when you subsequently also call EVP_MD_CTX_free().

There is probably a documentation problem here, because reading the docs for EVP_DigestSignInit() it does not make this clear.

[parasssh]

Thank you. Indeed, a doc clarification is needed.

[mattcaswell]

This shouldn't be against the 1.1.1 milestone - it isn't 1.1.1 specific.