Deprecate the EVP_PKEY controls for CMS and PKCS#7

Improve the ossl_rsa_check_key() to prevent non-signature operations with PSS keys. Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore as they are not needed anymore and deprecate them. Fixes #14276 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/14760)
author: Tomas Mraz <tomas@openssl.org> 2021-04-01 17:14:43 +0200
committer: Tomas Mraz <tomas@openssl.org> 2021-04-06 09:10:11 +0200
commit: 0cfbc828e03ad69c50ae51e0c88920d90906498a (patch)
tree: 1d931bc42093e7d9b119815785f7ada3330b8b6e /CHANGES.md
parent: 5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 54fc6855f0..581fda0c96 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -31,6 +31,15 @@ OpenSSL 3.0
 
    *Shane Lontis*
 
+ * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
+   EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
+   EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
+   are deprecated. They are not invoked by the OpenSSL library anymore and
+   are replaced by direct checks of the key operation against the key type
+   when the operation is initialized.
+
+   *Tomáš Mráz*
+
  * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
    more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
    Previously (in 1.1.1) they would return -2. For key types that do not have
author	Tomas Mraz <tomas@openssl.org>	2021-04-01 17:14:43 +0200
committer	Tomas Mraz <tomas@openssl.org>	2021-04-06 09:10:11 +0200
commit	0cfbc828e03ad69c50ae51e0c88920d90906498a (patch)
tree	1d931bc42093e7d9b119815785f7ada3330b8b6e /CHANGES.md
parent	5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 (diff)