author Simo Sorce <simo@redhat.com> 2023-02-23 19:51:27 -0500
committer Pauli <pauli@openssl.org> 2023-03-15 08:42:52 +1100
commit 0fc00fc0e3867fc5f95fab1046ad7d2a85db06f8
tree 91ef7e2a84349602a3763855227e75754a1e8ac3 /doc
parent dba97d4c7142621fb279ef2074cd5c0a04eca7d3
Do not fail if ctx dup does not succeed
If the ctx was *really* needed we'll probably fail later with an error anyway, so no point in failing immediately. Document that this behavior is dependent on the provider used to implement the signature/verification.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/EVP_DigestSignInit.pod | 7
-rw-r--r-- doc/man3/EVP_DigestVerifyInit.pod | 9
-rw-r--r-- doc/man3/EVP_SignInit.pod | 9
-rw-r--r-- doc/man3/EVP_VerifyInit.pod | 9
4 files changed, 31 insertions, 3 deletions
diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod
index fe4a686184..f38eefcbbf 100644
--- a/doc/man3/EVP_DigestSignInit.pod
+++ b/doc/man3/EVP_DigestSignInit.pod
@@ -166,6 +166,13 @@ external circumstances (see L<RAND(7)>), the operation will fail.
The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
context. This means that calls to EVP_DigestSignUpdate() and
EVP_DigestSignFinal() can be called later to digest and sign additional data.
+Applications may disable this behavior by setting the EVP_MD_CTX_FLAG_FINALISE
+context flag via L<EVP_MD_CTX_set_flags(3)>.
+
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts EVP_DigestSignFinal() will
+finalize the digest context and attempting to process additional data via
+EVP_DigestSignUpdate() will result in an error.
EVP_DigestSignInit() and EVP_DigestSignInit_ex() functions can be called
multiple times on a context and the parameters set by previous calls should be
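Review bot: The added paragraph starting "Note that not all providers support continuation, in case the selected provider does not allow to duplicate contexts" is a comma splice, and "does not allow to duplicate" is ungrammatical, so the condition under which EVP_DigestSignFinal() becomes terminal is hard to parse. Suggest splitting it: "Note that not all providers support continuation. If the selected provider cannot duplicate contexts, EVP_DigestSignFinal() will finalize the digest context itself, and any later call to EVP_DigestSignUpdate() will result in an error." The same wording is repeated in the other three files, so the fix applies there as well. The new EVP_MD_CTX_FLAG_FINALISE sentence also says only that applications "may disable this behavior"; it would help to state what a caller should expect from a later EVP_DigestSignUpdate() once the flag is set.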
diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod
index d4bb8163d1..0dc8151a90 100644
--- a/doc/man3/EVP_DigestVerifyInit.pod
+++ b/doc/man3/EVP_DigestVerifyInit.pod
@@ -154,7 +154,14 @@ external circumstances (see L<RAND(7)>), the operation will fail.
The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
-be called later to digest and verify additional data.
+be called later to digest and verify additional data. Applications may disable
+this behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+L<EVP_MD_CTX_set_flags(3)>.
+
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts EVP_DigestVerifyFinal() will
+finalize the digest context and attempting to process additional data via
+EVP_DigestVerifyUpdate() will result in an error.
EVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex() functions can be called
multiple times on a context and the parameters set by previous calls should be
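Review bot: Function names are inconsistent within this hunk of EVP_DigestVerifyInit.pod: the unchanged context line says "EVP_VerifyUpdate() and EVP_VerifyFinal() can be called later", while the new paragraph refers to EVP_DigestVerifyFinal() and EVP_DigestVerifyUpdate(). Since the hunk already rewrites the end of that sentence, the preceding line should be changed to name EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() too, so a reader of this page is not pointed at the legacy EVP_Verify* calls for the continuation behaviour.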
diff --git a/doc/man3/EVP_SignInit.pod b/doc/man3/EVP_SignInit.pod
index 11832ff761..c274ad9917 100644
--- a/doc/man3/EVP_SignInit.pod
+++ b/doc/man3/EVP_SignInit.pod
@@ -66,12 +66,19 @@ due to external circumstances (see L<RAND(7)>), the operation will fail.
The call to EVP_SignFinal() internally finalizes a copy of the digest context.
This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called
-later to digest and sign additional data.
+later to digest and sign additional data.cApplications may disable this
+behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+L<EVP_MD_CTX_set_flags(3)>.
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak
will occur.
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts EVP_SignFinal() will
+finalize the digest context and attempting to process additional data via
+EVP_SignUpdate() will result in an error.
+
=head1 BUGS
Older versions of this documentation wrongly stated that calls to
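Review bot: There is a stray character in the added line "later to digest and sign additional data.cApplications may disable this": the "c" after the full stop should be a space, as in the matching line of EVP_VerifyInit.pod. Separately, in this file the new "Note that not all providers support continuation" paragraph is placed after the EVP_MD_CTX_free() paragraph, whereas in the EVP_DigestSignInit.pod and EVP_DigestVerifyInit.pod hunks it directly follows the continuation text; keeping it adjacent to the sentence it qualifies would read better.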
diff --git a/doc/man3/EVP_VerifyInit.pod b/doc/man3/EVP_VerifyInit.pod
index a6d5772c3b..f05b9135bf 100644
--- a/doc/man3/EVP_VerifyInit.pod
+++ b/doc/man3/EVP_VerifyInit.pod
@@ -62,12 +62,19 @@ transparent to the algorithm used and much more flexible.
The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can be called
-later to digest and verify additional data.
+later to digest and verify additional data. Applications may disable this
+behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+L<EVP_MD_CTX_set_flags(3)>.
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak
will occur.
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts EVP_VerifyFinal() will
+finalize the digest context and attempting to process additional data via
+EVP_VerifyUpdate() will result in an error.
+
=head1 BUGS
Older versions of this documentation wrongly stated that calls to
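Review bot: The unchanged sentence "Since only a copy of the digest context is ever finalized the context must be cleaned up after use" now contradicts the text added around it, which says that with EVP_MD_CTX_FLAG_FINALISE set, or with a provider that cannot duplicate contexts, EVP_VerifyFinal() finalizes the digest context itself. Suggest dropping "ever" and rewording so that the requirement to call EVP_MD_CTX_free() is stated unconditionally, for example "The context must always be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak will occur." The same applies to the identical sentence in the EVP_SignInit.pod hunk.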