diff options
| author | Tomas Mraz <tomas@openssl.org> | 2021-04-01 17:14:43 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-04-06 09:10:11 +0200 |
| commit | 0cfbc828e03ad69c50ae51e0c88920d90906498a (patch) | |
| tree | 1d931bc42093e7d9b119815785f7ada3330b8b6e /crypto/cms | |
| parent | 5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 (diff) | |
Deprecate the EVP_PKEY controls for CMS and PKCS#7
Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.
Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.
Fixes #14276
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)
Diffstat (limited to 'crypto/cms')
| -rw-r--r-- | crypto/cms/cms_env.c | 12 | ||||
| -rw-r--r-- | crypto/cms/cms_sd.c | 36 |
2 files changed, 0 insertions, 48 deletions
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 494c2cc8fc..aa020cedfd 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -485,12 +485,6 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, goto err; } - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) { - ERR_raise(ERR_LIB_CMS, CMS_R_CTRL_ERROR); - goto err; - } - if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) goto err; @@ -574,12 +568,6 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; - if (EVP_PKEY_CTX_ctrl(ktri->pctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) { - ERR_raise(ERR_LIB_CMS, CMS_R_CTRL_ERROR); - goto err; - } - if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, ktri->encryptedKey->data, ktri->encryptedKey->length) <= 0) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index c98d118f4b..287021fc21 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -749,24 +749,6 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) si->pctx = pctx; } - /* - * TODO(3.0): This causes problems when providers are in use, so disabled - * for now. Can we get rid of this completely? AFAICT this ctrl has been - * present since CMS was first put in - but has never been used to do - * anything. All internal implementations just return 1 and ignore this ctrl - * and have always done so by the looks of things. To fix this we could - * convert this ctrl into a param, which would require us to send all the - * signer info data as a set of params...but that is non-trivial and since - * this isn't used by anything it may be better just to remove it. - */ -#if 0 - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) { - ERR_raise(ERR_LIB_CMS, CMS_R_CTRL_ERROR); - goto err; - } -#endif - alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, ASN1_ITEM_rptr(CMS_Attributes_Sign)); if (!abuf) @@ -782,24 +764,6 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) goto err; - /* - * TODO(3.0): This causes problems when providers are in use, so disabled - * for now. Can we get rid of this completely? AFAICT this ctrl has been - * present since CMS was first put in - but has never been used to do - * anything. All internal implementations just return 1 and ignore this ctrl - * and have always done so by the looks of things. To fix this we could - * convert this ctrl into a param, which would require us to send all the - * signer info data as a set of params...but that is non-trivial and since - * this isn't used by anything it may be better just to remove it. - */ -#if 0 - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) { - ERR_raise(ERR_LIB_CMS, CMS_R_CTRL_ERROR); - goto err; - } -#endif - EVP_MD_CTX_reset(mctx); ASN1_STRING_set0(si->signature, abuf, siglen); |