Update Documentation for EVP_DigestSign, EVP_DigestVerify.

Fixes #23075

In OpenSSL 3.2 EVP_DigestSign and EVP_DigestVerify
were changed so that a flag is set once these functions
do a one-shot sign or verify operation. This PR updates the
documentation to match the behaviour.

Investigations showed that prior to 3.2 different key
type behaved differently if multiple calls were done.

By accident X25519 and X448 would produce the same signature,
but ECDSA and RSA remembered the digest state between calls,
so the signature was different when multiple calls were done.

Because of this undefined behaviour something needed to be done,
so keeping the 'only allow it to be called once' behaviour
seems a reasonable approach.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23834)

(cherry picked from commit 5e908e6068708c89da7b5591cc65ff4b3d3135d2)

1 files changed, 3 insertions, 0 deletions

diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod
index c927b7e4e8..84401a8c80 100644
--- a/doc/man3/EVP_DigestVerifyInit.pod
+++ b/doc/man3/EVP_DigestVerifyInit.pod
@@ -168,6 +168,9 @@ multiple times on a context and the parameters set by previous calls should be
 preserved if the I<pkey> parameter is NULL. The call then just resets the state
 of the I<ctx>.
 
+EVP_DigestVerify() can only be called once, and cannot be used again without
+reinitialising the B<EVP_MD_CTX> by calling EVP_DigestVerifyInit_ex().
+
 Ignoring failure returns of EVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex()
 functions can lead to subsequent undefined behavior when calling
 EVP_DigestVerifyUpdate(), EVP_DigestVerifyFinal(), or EVP_DigestVerify().