Deprecate the EVP_PKEY controls for CMS and PKCS#7

Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.

Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.

Fixes #14276

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)

1 files changed, 0 insertions, 60 deletions

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index c7a50ff57e..964b1367b2 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -122,12 +122,6 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
     if (EVP_PKEY_encrypt_init(pctx) <= 0)
         goto err;
 
-    if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
-                          EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) {
-        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR);
-        goto err;
-    }
-
     if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0)
         goto err;
 
@@ -171,12 +165,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
     if (EVP_PKEY_decrypt_init(pctx) <= 0)
         goto err;
 
-    if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
-                          EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) {
-        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR);
-        goto err;
-    }
-
     if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
                          ri->enc_key->data, ri->enc_key->length) <= 0)
         goto err;
@@ -932,30 +920,6 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
                               NULL) <= 0)
         goto err;
 
-    /*
-     * TODO(3.0): This causes problems when providers are in use, so disabled
-     * for now. Can we get rid of this completely? AFAICT this ctrl has never
-     * been used since it was first put in. All internal implementations just
-     * return 1 and ignore this ctrl and have always done so by the looks of
-     * things. To fix this we could convert this ctrl into a param, which would
-     * require us to send all the signer info data as a set of params...but that
-     * is non-trivial and since this isn't used by anything it may be better
-     * just to remove it. The original commit that added it had this
-     * justification in CHANGES:
-     *
-     * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the
-     *  EVP_PKEY_METHOD before and after signing via the
-     *  EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure
-     *  before and/or after signing if necessary."
-     */
-#if 0
-    if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
-                          EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) {
-        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR);
-        goto err;
-    }
-#endif
-
     alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf,
                          ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
     if (!abuf)
@@ -972,30 +936,6 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
     if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
         goto err;
 
-    /*
-     * TODO(3.0): This causes problems when providers are in use, so disabled
-     * for now. Can we get rid of this completely? AFAICT this ctrl has never
-     * been used since it was first put in. All internal implementations just
-     * return 1 and ignore this ctrl and have always done so by the looks of
-     * things. To fix this we could convert this ctrl into a param, which would
-     * require us to send all the signer info data as a set of params...but that
-     * is non-trivial and since this isn't used by anything it may be better
-     * just to remove it. The original commit that added it had this
-     * justification in CHANGES:
-     *
-     * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the
-     *  EVP_PKEY_METHOD before and after signing via the
-     *  EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure
-     *  before and/or after signing if necessary."
-     */
-#if 0
-    if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
-                          EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) {
-        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR);
-        goto err;
-    }
-#endif
-
     EVP_MD_CTX_free(mctx);
 
     ASN1_STRING_set0(si->enc_digest, abuf, siglen);