Support OpenSSL 3

[kislyuk]

Starting with OpenSSL 3, the message digest algorithm state is no longer stored in the EVP_MD structure but instead in an opaque algorithm context structure accessible via the "provider interface" (https://www.openssl.org/docs/manmaster/man7/provider-digest.html). It's unclear how to use the provider interface to serialize digest algorithm state.

[ohado-di]

hey,
any plans to implement this support?

[kislyuk]

I would love to support OpenSSL 3 but so far I have not seen a way to access hasher state using the new data structure. If someone can show me how to do it, I'd gladly update the library.

[luke-moore]

To get around the OpenSSL 3 problems, I created a different project here: https://github.com/luke-moore/resumablesha256

[kislyuk]

@luke-moore nice! Thanks for the link. It looks like it only supports sha256 and uses its own standalone implementation, which is great but I would love to find a way to support any hasher that uses the digest provider interface.

[kislyuk]

Unfortunately, OpenSSL 3 is quite serious about keeping the digest context opaque. The logic for EVP_MD_CTX_copy_ex is here:

https://github.com/openssl/openssl/blob/e599893a9fec932701ca824d73a794a0c9ce02e9/crypto/evp/digest.c#L592-L724

The provider side context is copied via the dupctx() function: out->algctx = in->digest->dupctx(in->algctx);

We should be able to call dupctx() via ctypes, however I don't see a way to find out how long the resulting structure is. It's deliberately kept opaque. Without knowing the size of the structure, there is no safe way to serialize it. The only way that I see to do this is to look at each provider, hardcode the expected provider side context size for that provider's algorithm name, and hope that none of the providers dynamically change the context size (or change it in a future API version, which is what the opaqueness was introduced to enable).