diff options
Diffstat (limited to 'crypto/cmp')
| -rw-r--r-- | crypto/cmp/cmp_client.c | 23 | ||||
| -rw-r--r-- | crypto/cmp/cmp_ctx.c | 4 | ||||
| -rw-r--r-- | crypto/cmp/cmp_local.h | 4 | ||||
| -rw-r--r-- | crypto/cmp/cmp_vfy.c | 25 |
4 files changed, 35 insertions, 21 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index ec865b243789..d6a4230d243e 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -149,6 +149,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, int time_left; OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb; + ctx->status = OSSL_CMP_PKISTATUS_trans; #ifndef OPENSSL_NO_HTTP if (transfer_cb == NULL) transfer_cb = OSSL_CMP_MSG_http_perform; @@ -175,7 +176,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, /* should print error queue since transfer_cb may call ERR_clear_error() */ OSSL_CMP_CTX_print_errors(ctx); - if (ctx->server != NULL) + if (ctx->server != NULL || ctx->transfer_cb != NULL) ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); *rep = (*transfer_cb)(ctx, req); @@ -189,6 +190,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, return 0; } + ctx->status = OSSL_CMP_PKISTATUS_checking_response; bt = OSSL_CMP_MSG_get_bodytype(*rep); /* * The body type in the 'bt' variable is not yet verified. @@ -284,11 +286,15 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, "received 'waiting' PKIStatus, starting to poll for response"); *rep = NULL; for (;;) { + int bak = ctx->status; + + ctx->status = OSSL_CMP_PKISTATUS_request; if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL) goto err; if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP)) goto err; + ctx->status = bak; /* handle potential pollRep */ if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) { @@ -344,6 +350,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); if (time_left <= 0) { + ctx->status = OSSL_CMP_PKISTATUS_trans; ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); goto err; } @@ -455,7 +462,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, OSSL_CMP_MSG *certConf; OSSL_CMP_MSG *PKIconf = NULL; int res = 0; + int bak = ctx->status; + ctx->status = OSSL_CMP_PKISTATUS_request; /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); if (certConf == NULL) @@ -464,6 +473,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, res = send_receive_also_delayed(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); + if (res) + ctx->status = bak; + err: OSSL_CMP_MSG_free(certConf); OSSL_CMP_MSG_free(PKIconf); @@ -479,6 +491,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, OSSL_CMP_MSG *PKIconf = NULL; int res = 0; + ctx->status = OSSL_CMP_PKISTATUS_request; /* not overwriting ctx->status on error exchange */ if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) goto err; @@ -488,6 +501,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, res = send_receive_also_delayed(ctx, error, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); + ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; err: OSSL_CMP_MSG_free(error); @@ -790,7 +804,7 @@ retry: ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, "rejecting newly enrolled cert with subject: %s; %s", subj, txt); - ctx->status = OSSL_CMP_PKISTATUS_rejection; + ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; ret = 0; } OPENSSL_free(subj); @@ -812,7 +826,6 @@ static int initial_certreq(OSSL_CMP_CTX *ctx, if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) return 0; - ctx->status = OSSL_CMP_PKISTATUS_trans; res = send_receive_check(ctx, req, p_rep, rep_type); OSSL_CMP_MSG_free(req); return res; @@ -918,7 +931,6 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) if ((rr = ossl_cmp_rr_new(ctx)) == NULL) goto end; - ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) goto end; @@ -1038,7 +1050,6 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) if ((genm = ossl_cmp_genm_new(ctx)) == NULL) goto err; - ctx->status = OSSL_CMP_PKISTATUS_trans; if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) goto err; ctx->status = OSSL_CMP_PKISTATUS_accepted; diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 947374d4ec2e..7fdc478cf8f2 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -742,7 +742,7 @@ DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, oldCert, X509) */ DEFINE_OSSL_set0(ossl_cmp_ctx, newCert, X509) - /* Get successfully validated server cert, if any, of current transaction */ + /* Get successfully validated sender cert, if any, of current transaction */ DEFINE_OSSL_CMP_CTX_get0(validatedSrvCert, X509) /* diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 4b98b8cb78ff..3542256e0bca 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -66,7 +66,7 @@ struct ossl_cmp_ctx_st { int unprotectedErrors; int noCacheExtraCerts; X509 *srvCert; /* certificate used to identify the server */ - X509 *validatedSrvCert; /* caches any already validated server cert */ + X509 *validatedSrvCert; /* caches any already validated sender cert */ X509_NAME *expected_sender; /* expected sender in header of response */ X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */ diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 873bee8b6ad3..eaa700d139d1 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2020 * Copyright Siemens AG 2015-2020 * @@ -363,13 +363,12 @@ err: return valid; } +/* checks protection of msg but not cert revocation nor cert chain */ static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert, const OSSL_CMP_MSG *msg) { return cert_acceptable(ctx, "previously validated", "sender cert", - cert, NULL, NULL, msg) - && (check_cert_path(ctx, ctx->trusted, cert) - || check_cert_path_3gpp(ctx, msg, cert)); + cert, NULL, NULL, msg); } /*- @@ -479,22 +478,26 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) (void)ERR_set_mark(); ctx->log_cb = NULL; /* temporarily disable logging */ - /* - * try first cached scrt, used successfully earlier in same transaction, - * for validating this and any further msgs where extraCerts may be left out - */ if (scrt != NULL) { + /*- + * try first using cached message sender cert (in 'scrt' variable), + * which was used successfully earlier in the same transaction + * (assuming that the certificate itself was not revoked meanwhile and + * is a good guess for use in validating also the current message) + */ if (check_msg_given_cert(ctx, scrt, msg)) { ctx->log_cb = backup_log_cb; (void)ERR_pop_to_mark(); return 1; } /* cached sender cert has shown to be no more successfully usable */ - (void)ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL); /* re-do the above check (just) for adding diagnostic information */ ossl_cmp_info(ctx, "trying to verify msg signature with previously validated cert"); + ctx->log_cb = backup_log_cb; (void)check_msg_given_cert(ctx, scrt, msg); + ctx->log_cb = NULL; + (void)ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL); /* this invalidates scrt */ } res = check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */) @@ -628,7 +631,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) scrt = ctx->srvCert; if (scrt == NULL) { if (ctx->trusted == NULL && ctx->secretValue != NULL) { - ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection"); + ossl_cmp_info(ctx, "no trust store nor pinned sender cert available for verifying signature-based CMP message protection"); ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR); return 0; } @@ -642,7 +645,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) /* use ctx->srvCert for signature check even if not acceptable */ if (verify_signature(ctx, msg, scrt)) { ossl_cmp_debug(ctx, - "successfully validated signature-based CMP message protection using pinned server cert"); + "successfully validated signature-based CMP message protection using pinned sender cert"); return ossl_cmp_ctx_set1_validatedSrvCert(ctx, scrt); } ossl_cmp_warn(ctx, "CMP message signature verification failed"); |