Diffstat (limited to 'crypto/cmp/cmp_server.c')
-rw-r--r--crypto/cmp/cmp_server.c128
1 files changed, 65 insertions, 63 deletions
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 96f977636ca2..98fc52781dc4 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -20,9 +20,8 @@
#include <openssl/err.h>
/* the context for the generic CMP server */
-struct ossl_cmp_srv_ctx_st
-{
- void *custom_ctx; /* pointer to application-specific server context */
+struct ossl_cmp_srv_ctx_st {
+ void *custom_ctx; /* pointer to application-specific server context */
OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */
int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */
@@ -34,9 +33,9 @@ struct ossl_cmp_srv_ctx_st
OSSL_CMP_SRV_pollReq_cb_t process_pollReq;
int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */
- int acceptUnprotected; /* Accept requests with no/invalid prot. */
- int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */
- int grantImplicitConfirm; /* Grant implicit confirmation if requested */
+ int acceptUnprotected; /* Accept requests with no/invalid prot. */
+ int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */
+ int grantImplicitConfirm; /* Grant implicit confirmation if requested */
}; /* OSSL_CMP_SRV_CTX */
@@ -62,18 +61,18 @@ OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
- err:
+err:
OSSL_CMP_SRV_CTX_free(ctx);
return NULL;
}
int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
- OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
- OSSL_CMP_SRV_rr_cb_t process_rr,
- OSSL_CMP_SRV_genm_cb_t process_genm,
- OSSL_CMP_SRV_error_cb_t process_error,
- OSSL_CMP_SRV_certConf_cb_t process_certConf,
- OSSL_CMP_SRV_pollReq_cb_t process_pollReq)
+ OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
+ OSSL_CMP_SRV_rr_cb_t process_rr,
+ OSSL_CMP_SRV_genm_cb_t process_genm,
+ OSSL_CMP_SRV_error_cb_t process_error,
+ OSSL_CMP_SRV_certConf_cb_t process_certConf,
+ OSSL_CMP_SRV_pollReq_cb_t process_pollReq)
{
if (srv_ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
@@ -108,7 +107,7 @@ void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
}
int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
- int val)
+ int val)
{
if (srv_ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
@@ -139,7 +138,7 @@ int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val)
}
int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
- int val)
+ int val)
{
if (srv_ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
@@ -155,7 +154,7 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
* returns an ip/cp/kup on success and NULL on error
*/
static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_PKISI *si = NULL;
@@ -211,34 +210,34 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) {
/* Proof of possession could not be verified */
si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
- 1 << OSSL_CMP_PKIFAILUREINFO_badPOP,
- ERR_reason_error_string(ERR_peek_error()));
+ 1 << OSSL_CMP_PKIFAILUREINFO_badPOP,
+ ERR_reason_error_string(ERR_peek_error()));
if (si == NULL)
return NULL;
} else {
OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req);
si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr,
- &certOut, &chainOut, &caPubs);
+ &certOut, &chainOut, &caPubs);
if (si == NULL)
goto err;
/* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */
if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx,
- OSSL_CMP_OPT_IMPLICIT_CONFIRM,
- ossl_cmp_hdr_has_implicitConfirm(hdr)
- && srv_ctx->grantImplicitConfirm
- /* do not set if polling starts: */
- && certOut != NULL))
+ OSSL_CMP_OPT_IMPLICIT_CONFIRM,
+ ossl_cmp_hdr_has_implicitConfirm(hdr)
+ && srv_ctx->grantImplicitConfirm
+ /* do not set if polling starts: */
+ && certOut != NULL))
goto err;
}
msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
- certOut, NULL /* enc */, chainOut, caPubs,
- srv_ctx->sendUnprotectedErrors);
+ certOut, NULL /* enc */, chainOut, caPubs,
+ srv_ctx->sendUnprotectedErrors);
if (msg == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
- err:
+err:
OSSL_CMP_PKISI_free(si);
X509_free(certOut);
sk_X509_pop_free(chainOut, X509_free);
@@ -247,7 +246,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *details;
@@ -266,7 +265,8 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
}
if ((details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr,
- OSSL_CMP_REVREQSID)) == NULL) {
+ OSSL_CMP_REVREQSID))
+ == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@@ -275,16 +275,17 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
if (issuer != NULL && serial != NULL
- && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
+ && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
return NULL;
if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
goto err;
if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId,
- srv_ctx->sendUnprotectedErrors)) == NULL)
+ srv_ctx->sendUnprotectedErrors))
+ == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
- err:
+err:
OSSL_CRMF_CERTID_free(certId);
OSSL_CMP_PKISI_free(si);
return msg;
@@ -295,7 +296,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
* incoming message
*/
static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_GENMSGCONTENT *itavs;
OSSL_CMP_MSG *msg;
@@ -312,7 +313,7 @@ static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_ERRORMSGCONTENT *errorContent;
OSSL_CMP_MSG *msg;
@@ -321,7 +322,7 @@ static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
errorContent = req->body->value.error;
srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo,
- errorContent->errorCode, errorContent->errorDetails);
+ errorContent->errorCode, errorContent->errorDetails);
if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
@@ -329,7 +330,7 @@ static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_CTX *ctx;
OSSL_CMP_CERTCONFIRMCONTENT *ccc;
@@ -345,7 +346,7 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
num = sk_OSSL_CMP_CERTSTATUS_num(ccc);
if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1
- || ctx->status != OSSL_CMP_PKISTATUS_trans) {
+ || ctx->status != OSSL_CMP_PKISTATUS_trans) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF);
return NULL;
}
@@ -376,8 +377,8 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
const char *str = ossl_cmp_PKIStatus_to_string(pki_status);
ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s",
- str == NULL ? "without" : "with",
- str == NULL ? "PKIStatus" : str);
+ str == NULL ? "without" : "with",
+ str == NULL ? "PKIStatus" : str);
}
}
@@ -387,7 +388,7 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
}
static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_POLLREQCONTENT *prc;
OSSL_CMP_POLLREQ *pr;
@@ -412,7 +413,7 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
- &certReq, &check_after))
+ &certReq, &check_after))
return NULL;
if (certReq != NULL) {
@@ -420,7 +421,8 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
OSSL_CMP_MSG_free(certReq);
} else {
if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId,
- check_after)) == NULL)
+ check_after))
+ == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
}
return msg;
@@ -431,16 +433,16 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
* Return 1 on acceptance, 0 on rejection, or -1 on (internal) error.
*/
static int unprotected_exception(const OSSL_CMP_CTX *ctx,
- const OSSL_CMP_MSG *req,
- int invalid_protection,
- int accept_unprotected_requests)
+ const OSSL_CMP_MSG *req,
+ int invalid_protection,
+ int accept_unprotected_requests)
{
if (!ossl_assert(ctx != NULL && req != NULL))
return -1;
if (accept_unprotected_requests) {
ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message",
- invalid_protection ? "invalid" : "missing");
+ invalid_protection ? "invalid" : "missing");
return 1;
}
if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR
@@ -455,7 +457,7 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx,
* returns created message and NULL on internal error
*/
OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_CTX *ctx;
ASN1_OCTET_STRING *backup_secret;
@@ -465,8 +467,8 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
OSSL_CMP_MSG *rsp = NULL;
if (srv_ctx == NULL || srv_ctx->ctx == NULL
- || req == NULL || req->body == NULL
- || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) {
+ || req == NULL || req->body == NULL
+ || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -474,7 +476,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
backup_secret = ctx->secretValue;
req_type = OSSL_CMP_MSG_get_bodytype(req);
ossl_cmp_log1(DEBUG, ctx,
- "received %s", ossl_cmp_bodytype_to_string(req_type));
+ "received %s", ossl_cmp_bodytype_to_string(req_type));
/*
* Some things need to be done already before validating the message in
@@ -499,16 +501,16 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
char *tid;
tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
- ctx->transactionID->length);
+ ctx->transactionID->length);
if (tid != NULL)
ossl_cmp_log1(WARN, ctx,
- "Assuming that last transaction with ID=%s got aborted",
- tid);
+ "Assuming that last transaction with ID=%s got aborted",
+ tid);
OPENSSL_free(tid);
}
/* start of a new transaction, reset transactionID and senderNonce */
if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
- || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
+ || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
goto err;
break;
default:
@@ -522,9 +524,9 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception,
- srv_ctx->acceptUnprotected);
+ srv_ctx->acceptUnprotected);
if (ctx->secretValue != NULL && ctx->pkey != NULL
- && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC)
+ && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC)
ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */
if (!req_verified)
goto err;
@@ -574,7 +576,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
break;
}
- err:
+err:
if (rsp == NULL) {
/* on error, try to respond with CMP error message to client */
const char *data = NULL, *reason = NULL;
@@ -599,20 +601,20 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
data = NULL;
reason = ERR_reason_error_string(err);
if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
- fail_info, reason)) != NULL) {
+ fail_info, reason))
+ != NULL) {
rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err,
- data, srv_ctx->sendUnprotectedErrors);
+ data, srv_ctx->sendUnprotectedErrors);
OSSL_CMP_PKISI_free(si);
}
}
OSSL_CMP_CTX_print_errors(ctx);
ctx->secretValue = backup_secret;
- rsp_type =
- rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
+ rsp_type = rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
if (rsp != NULL)
ossl_cmp_log1(DEBUG, ctx,
- "sending %s", ossl_cmp_bodytype_to_string(rsp_type));
+ "sending %s", ossl_cmp_bodytype_to_string(rsp_type));
else
ossl_cmp_log(ERR, ctx, "cannot send proper CMP response");
@@ -647,7 +649,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
* error stack.
*/
OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx,
- const OSSL_CMP_MSG *req)
+ const OSSL_CMP_MSG *req)
{
OSSL_CMP_SRV_CTX *srv_ctx = NULL;