diff options
author | Tomas Mraz <tomas@openssl.org> | 2021-04-01 17:14:43 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-04-06 09:10:11 +0200 |
commit | 0cfbc828e03ad69c50ae51e0c88920d90906498a (patch) | |
tree | 1d931bc42093e7d9b119815785f7ada3330b8b6e /crypto/pkcs7 | |
parent | 5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 (diff) |
Deprecate the EVP_PKEY controls for CMS and PKCS#7
Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.
Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.
Fixes #14276
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)
Diffstat (limited to 'crypto/pkcs7')
-rw-r--r-- | crypto/pkcs7/pk7_doit.c | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index c7a50ff57e..964b1367b2 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -122,12 +122,6 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, if (EVP_PKEY_encrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { - ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR); - goto err; - } - if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) goto err; @@ -171,12 +165,6 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, if (EVP_PKEY_decrypt_init(pctx) <= 0) goto err; - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { - ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR); - goto err; - } - if (EVP_PKEY_decrypt(pctx, NULL, &eklen, ri->enc_key->data, ri->enc_key->length) <= 0) goto err; @@ -932,30 +920,6 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) NULL) <= 0) goto err; - /* - * TODO(3.0): This causes problems when providers are in use, so disabled - * for now. Can we get rid of this completely? AFAICT this ctrl has never - * been used since it was first put in. All internal implementations just - * return 1 and ignore this ctrl and have always done so by the looks of - * things. To fix this we could convert this ctrl into a param, which would - * require us to send all the signer info data as a set of params...but that - * is non-trivial and since this isn't used by anything it may be better - * just to remove it. The original commit that added it had this - * justification in CHANGES: - * - * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the - * EVP_PKEY_METHOD before and after signing via the - * EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure - * before and/or after signing if necessary." - */ -#if 0 - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { - ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR); - goto err; - } -#endif - alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); if (!abuf) @@ -972,30 +936,6 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) goto err; - /* - * TODO(3.0): This causes problems when providers are in use, so disabled - * for now. Can we get rid of this completely? AFAICT this ctrl has never - * been used since it was first put in. All internal implementations just - * return 1 and ignore this ctrl and have always done so by the looks of - * things. To fix this we could convert this ctrl into a param, which would - * require us to send all the signer info data as a set of params...but that - * is non-trivial and since this isn't used by anything it may be better - * just to remove it. The original commit that added it had this - * justification in CHANGES: - * - * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the - * EVP_PKEY_METHOD before and after signing via the - * EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure - * before and/or after signing if necessary." - */ -#if 0 - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { - ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CTRL_ERROR); - goto err; - } -#endif - EVP_MD_CTX_free(mctx); ASN1_STRING_set0(si->enc_digest, abuf, siglen); |