From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 1 Dec 2016 21:53:58 +0000 (+0000)
Subject: Don't allow PKCS#7/CMS encrypt with PSS.
X-Git-Tag: OpenSSL_1_1_1-pre1~2771
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=53d2260c4078fed562cd7ce30e62817070fa39d6;p=oweals%2Fopenssl.git

Don't allow PKCS#7/CMS encrypt with PSS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2177)
---

diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index b091746b1c..c030c27560 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -413,6 +413,8 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
         break;
 
     case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
+        if (pkey_is_pss(pkey))
+            return -2;
         if (arg1 == 0)
             PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
         break;
@@ -425,6 +427,8 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
         break;
 
     case ASN1_PKEY_CTRL_CMS_ENVELOPE:
+        if (pkey_is_pss(pkey))
+            return -2;
         if (arg1 == 0)
             return rsa_cms_encrypt(arg2);
         else if (arg1 == 1)
@@ -432,6 +436,8 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
         break;
 
     case ASN1_PKEY_CTRL_CMS_RI_TYPE:
+        if (pkey_is_pss(pkey))
+            return -2;
         *(int *)arg2 = CMS_RECIPINFO_TRANS;
         return 1;
 #endif