Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()

Fixes #12395

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431)

diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index f38d8651f47db61afc20f8e02422c3f07a0638e3..37473c7a6c4c97c7caa98ae40b9572a3fab3619d 100644 (file)
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -630,7 +630,8 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
     return ret;
 }
 
-int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
+int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                         const OSSL_CRMF_MSG *crm, int *checkAfter)
 {
     OSSL_CMP_MSG *req = NULL;
     OSSL_CMP_MSG *rep = NULL;
@@ -652,7 +653,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
         if (ctx->total_timeout > 0) /* else ctx->end_time is not used */
             ctx->end_time = time(NULL) + ctx->total_timeout;
 
-        req = ossl_cmp_certReq_new(ctx, req_type, 0 /* req_err */);
+        req = ossl_cmp_certreq_new(ctx, req_type, crm);
         if (req == NULL) /* also checks if all necessary options are set */
             return 0;
 
@@ -685,18 +686,26 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
  * TODO: another function to request two certificates at once should be created.
  * Returns pointer to received certificate, or NULL if none was received.
  */
-static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
-                            int rep_type)
+X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                            const OSSL_CRMF_MSG *crm)
 {
+
     OSSL_CMP_MSG *req = NULL;
     OSSL_CMP_MSG *rep = NULL;
-    int rid = (req_type == OSSL_CMP_PKIBODY_P10CR) ? -1 : OSSL_CMP_CERTREQID;
+    int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
+    int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
+    int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
     X509 *result = NULL;
 
     if (ctx == NULL) {
         CMPerr(0, CMP_R_NULL_ARGUMENT);
         return NULL;
     }
+    if (is_p10 && crm != NULL) {
+        CMPerr(0, CMP_R_INVALID_ARGS);
+        return NULL;
+    }
+
     ctx->status = -1;
     if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
         return NULL;
@@ -705,7 +714,7 @@ static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
         ctx->end_time = time(NULL) + ctx->total_timeout;
 
     /* OSSL_CMP_certreq_new() also checks if all necessary options are set */
-    if ((req = ossl_cmp_certReq_new(ctx, req_type, req_err)) == NULL)
+    if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
         goto err;
 
     if (!send_receive_check(ctx, req, &rep, rep_type))
@@ -722,30 +731,6 @@ static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
     return result;
 }
 
-X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx)
-{
-    return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_IR,
-                          CMP_R_ERROR_CREATING_IR, OSSL_CMP_PKIBODY_IP);
-}
-
-X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx)
-{
-    return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_CR,
-                          CMP_R_ERROR_CREATING_CR, OSSL_CMP_PKIBODY_CP);
-}
-
-X509 *OSSL_CMP_exec_KUR_ses(OSSL_CMP_CTX *ctx)
-{
-    return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_KUR,
-                          CMP_R_ERROR_CREATING_KUR, OSSL_CMP_PKIBODY_KUP);
-}
-
-X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx)
-{
-    return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_P10CR,
-                          CMP_R_ERROR_CREATING_P10CR, OSSL_CMP_PKIBODY_CP);
-}
-
 X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
 {
     OSSL_CMP_MSG *rr = NULL;

diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index 1ee10022331c20a2d8773c37979767cd9c72116f..87d0f0f1b0908093cab151fd3ecfc287f9f20912 100644 (file)
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -45,17 +45,14 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "error creating certconf"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CERTREP),
     "error creating certrep"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CR), "error creating cr"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CERTREQ),
+    "error creating certreq"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_ERROR),
     "error creating error"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_GENM),
     "error creating genm"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_GENP),
     "error creating genp"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_IR), "error creating ir"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_KUR), "error creating kur"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_P10CR),
-    "error creating p10cr"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_PKICONF),
     "error creating pkiconf"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_POLLREP),
@@ -90,6 +87,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "missing key input for creating protection"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE),
     "missing key usage digitalsignature"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_P10CSR), "missing p10csr"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY),
     "missing private key"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"},

diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 0d874ae78507a38ba2b1ba4e945b2c1bd8aa908d..92f192bb5f9191aa4cd971974f2f5a735b59d135 100644 (file)
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -855,9 +855,9 @@ const char *ossl_cmp_bodytype_to_string(int type);
 int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
 int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
-OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int bodytype,
-                                   int err_code);
-OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
+OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
+                                   const OSSL_CRMF_MSG *crm);
+OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, OSSL_CMP_PKISI *si,
                                    X509 *cert, STACK_OF(X509) *chain,
                                    STACK_OF(X509) *caPubs, int encrypted,

diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index c5a9dbccf856f7fdbc132f364a0acf0c880e86e8..290a4ee10fac5b5d0521ab5b38e161c3a9e5bcf5 100644 (file)
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -128,7 +128,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
 
     case OSSL_CMP_PKIBODY_P10CR:
         if (ctx->p10CSR == NULL) {
-            CMPerr(0, CMP_R_ERROR_CREATING_P10CR);
+            CMPerr(0, CMP_R_MISSING_P10CSR);
             goto err;
         }
         if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
@@ -321,10 +321,11 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
     return crm;
 }
 
-OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
+OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
+                                   const OSSL_CRMF_MSG *crm)
 {
     OSSL_CMP_MSG *msg;
-    OSSL_CRMF_MSG *crm = NULL;
+    OSSL_CRMF_MSG *local_crm = NULL;
 
     if (!ossl_assert(ctx != NULL))
         return NULL;
@@ -353,13 +354,20 @@ OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
             CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
             goto err;
         }
-        if ((crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
-            || !OSSL_CRMF_MSG_create_popo(crm, privkey, ctx->digest,
-                                          ctx->popoMethod)
-            /* value.ir is same for cr and kur */
-            || !sk_OSSL_CRMF_MSG_push(msg->body->value.ir, crm))
+        if (crm == NULL) {
+            if ((local_crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
+                || !OSSL_CRMF_MSG_create_popo(local_crm, privkey, ctx->digest,
+                                              ctx->popoMethod))
+                goto err;
+        } else {
+            if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
+                goto err;
+        }
+
+        /* value.ir is same for cr and kur */
+        if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
             goto err;
-        crm = NULL;
+        local_crm = NULL;
         /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
     }
 
@@ -369,14 +377,13 @@ OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
     return msg;
 
  err:
-    if (err_code != 0)
-        CMPerr(0, err_code);
-    OSSL_CRMF_MSG_free(crm);
+    CMPerr(0, CMP_R_ERROR_CREATING_CERTREQ);
+    OSSL_CRMF_MSG_free(local_crm);
     OSSL_CMP_MSG_free(msg);
     return NULL;
 }
 
-OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
+OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, OSSL_CMP_PKISI *si,
                                    X509 *cert, STACK_OF(X509) *chain,
                                    STACK_OF(X509) *caPubs, int encrypted,

diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 8570885eedf141dd2c733a01b2bb5ebc30ec68ac..a9a86cb5dec045ad55c8535a5faf75a11a307023 100644 (file)
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -230,7 +230,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
             goto err;
     }
 
-    msg = ossl_cmp_certRep_new(srv_ctx->ctx, bodytype, certReqId, si,
+    msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
                                certOut, chainOut, caPubs, 0 /* encrypted */,
                                srv_ctx->sendUnprotectedErrors);
     /*

diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
index 567cfaaeec441487807d1bc1e90cd09320a1fca2..0f6de3ce8d2654c46f776c923d25cbc2bc9ef052 100644 (file)
--- a/crypto/crmf/crmf_asn.c
+++ b/crypto/crmf/crmf_asn.c
@@ -230,7 +230,7 @@ ASN1_SEQUENCE(OSSL_CRMF_MSG) = {
                          OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
 } ASN1_SEQUENCE_END(OSSL_CRMF_MSG)
 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
-
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)
 
 ASN1_ITEM_TEMPLATE(OSSL_CRMF_MSGS) =
     ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a99648a1fde090ee922f8c624d101ec9a9d7be94..0124d1d3ae585c4cb3e45c6822a56bf3186800af 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2098,13 +2098,10 @@ CMP_R_ENCOUNTERED_WAITING:162:encountered waiting
 CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection
 CMP_R_ERROR_CREATING_CERTCONF:116:error creating certconf
 CMP_R_ERROR_CREATING_CERTREP:117:error creating certrep
-CMP_R_ERROR_CREATING_CR:163:error creating cr
+CMP_R_ERROR_CREATING_CERTREQ:163:error creating certreq
 CMP_R_ERROR_CREATING_ERROR:118:error creating error
 CMP_R_ERROR_CREATING_GENM:119:error creating genm
 CMP_R_ERROR_CREATING_GENP:120:error creating genp
-CMP_R_ERROR_CREATING_IR:164:error creating ir
-CMP_R_ERROR_CREATING_KUR:165:error creating kur
-CMP_R_ERROR_CREATING_P10CR:121:error creating p10cr
 CMP_R_ERROR_CREATING_PKICONF:122:error creating pkiconf
 CMP_R_ERROR_CREATING_POLLREP:123:error creating pollrep
 CMP_R_ERROR_CREATING_POLLREQ:124:error creating pollreq
@@ -2125,6 +2122,7 @@ CMP_R_INVALID_OPTION:174:invalid option
 CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\
        missing key input for creating protection
 CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
+CMP_R_MISSING_P10CSR:121:missing p10csr
 CMP_R_MISSING_PRIVATE_KEY:131:missing private key
 CMP_R_MISSING_PROTECTION:143:missing protection
 CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert

diff --git a/doc/internal/man3/ossl_cmp_certReq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod
similarity index 93%
rename from doc/internal/man3/ossl_cmp_certReq_new.pod
rename to doc/internal/man3/ossl_cmp_certreq_new.pod
index 1bf0311e77b7755cf2495bb48299e1b270a0ceac..3c9654c18fedb1d809cc5e0a500ff5d28700459a 100644 (file)
--- a/doc/internal/man3/ossl_cmp_certReq_new.pod
+++ b/doc/internal/man3/ossl_cmp_certreq_new.pod
@@ -2,8 +2,8 @@
 
 =head1 NAME
 
-ossl_cmp_certReq_new,
-ossl_cmp_certRep_new,
+ossl_cmp_certreq_new,
+ossl_cmp_certrep_new,
 ossl_cmp_rr_new,
 ossl_cmp_rp_new,
 ossl_cmp_certConf_new,
@@ -47,9 +47,9 @@ ossl_cmp_error_new
 # define OSSL_CMP_PKIBODY_POLLREQ  25
 # define OSSL_CMP_PKIBODY_POLLREP  26
 
- OSSL_ossl_cmp_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int bodytype,
-                                         int err_code);
- OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
+ OSSL_ossl_cmp_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
+                                         const OSSL_CRMF_MSG *crm);
+ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                     int certReqId, OSSL_CMP_PKISI *si,
                                     X509 *cert, STACK_OF(X509) *chain,
                                     STACK_OF(X509) *caPubs,
@@ -75,10 +75,10 @@ This is the API for creating various CMP PKIMESSAGES. The
 functions allocate a new message, fill it with the relevant data derived from
 the given OSSL_CMP_CTX, and create the applicable protection.
 
-ossl_cmp_certReq_new() creates a PKIMessage for requesting a certificate,
+ossl_cmp_certreq_new() creates a PKIMessage for requesting a certificate,
 which can be either of IR/CR/KUR/P10CR, depending on the given B<bodytype>.
-The OpenSSL error reason code defined in err.h to use on error is given as
-B<err_code>.
+The CRMF message to use may be given via the B<crm> argument;
+else (if B<crm> is NULL) it is created from the information in the B<ctx>.
 
 Available CMP certificate request PKIMessage B<bodytype>s are:
 

diff --git a/doc/internal/man3/ossl_cmp_msg_create.pod b/doc/internal/man3/ossl_cmp_msg_create.pod
index ebc08f7ef1a669cdc88a741ebc3cd5c90d02f986..3c236a3b4948a9aa6a7dd913f6212051a98cfd92 100644 (file)
--- a/doc/internal/man3/ossl_cmp_msg_create.pod
+++ b/doc/internal/man3/ossl_cmp_msg_create.pod
@@ -62,7 +62,7 @@ See the individual functions above.
 
 =head1 SEE ALSO
 
-L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
 
 =head1 HISTORY
 

diff --git a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
index fe91834139bcdb3242462e354d6d5b2d441cd6b6..cd32c9015d4fd89150241b55dd1e0dd3ceaa24b2 100644 (file)
--- a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
+++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
@@ -74,7 +74,7 @@ See the individual functions above.
 
 =head1 SEE ALSO
 
-L<OSSL_CMP_CTX_new(3)>, L<ossl_cmp_certReq_new(3)>
+L<OSSL_CMP_CTX_new(3)>, L<ossl_cmp_certreq_new(3)>
 
 =head1 HISTORY
 

diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index cb2d68a44b0495e7d56bde75f2cfc0b978f2687a..368d73f820e84f77fefcf46e294ddd1b24ee525d 100644 (file)
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -682,8 +682,9 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents:
 
 =head1 SEE ALSO
 
-L<OSSL_CMP_exec_IR_ses(3)>, L<OSSL_CMP_exec_KUR_ses(3)>,
-L<OSSL_CMP_exec_GENM_ses(3)>
+L<OSSL_CMP_exec_IR_ses(3)>, L<OSSL_CMP_exec_CR_ses(3)>,
+L<OSSL_CMP_exec_KUR_ses(3)>, L<OSSL_CMP_exec_GENM_ses(3)>,
+L<OSSL_CMP_exec_certreq(3)>
 
 =head1 HISTORY
 

diff --git a/doc/man3/OSSL_CMP_exec_IR_ses.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
similarity index 78%
rename from doc/man3/OSSL_CMP_exec_IR_ses.pod
rename to doc/man3/OSSL_CMP_exec_certreq.pod
index 22d8e87cad31b510d074148c1a6262633c196fac..098b60ae61b210b5b0c442bb38960314ad47a6eb 100644 (file)
--- a/doc/man3/OSSL_CMP_exec_IR_ses.pod
+++ b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -2,6 +2,7 @@
 
 =head1 NAME
 
+OSSL_CMP_exec_certreq,
 OSSL_CMP_exec_IR_ses,
 OSSL_CMP_exec_CR_ses,
 OSSL_CMP_exec_P10CR_ses,
@@ -20,6 +21,8 @@ OSSL_CMP_certConf_cb
 
  #include <openssl/cmp.h>
 
+ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                             const OSSL_CRMF_MSG *crm);
  X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx);
  X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx);
  X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx);
@@ -28,7 +31,8 @@ OSSL_CMP_certConf_cb
  #define OSSL_CMP_CR
  #define OSSL_CMP_P10CR
  #define OSSL_CMP_KUR
- int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter);
+ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                          const OSSL_CRMF_MSG *crm, int *checkAfter);
  int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
                           const char **text);
  X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
@@ -43,8 +47,6 @@ All functions take a populated OSSL_CMP_CTX structure as their first argument.
 Usually the server name, port, and path ("CMP alias") need to be set, as well as
 credentials the client can use for authenticating itself to the client.
 In order to authenticate the server the client typically needs a trust store.
-For performing certificate enrollment requests the certificate template needs
-to be sufficiently filled in, giving at least the subject name and key.
 The functions return their respective main results directly, while there are
 also accessor functions for retrieving various results and status information
 from the B<ctx>. See L<OSSL_CMP_CTX_new(3)> etc. for details.
@@ -61,21 +63,30 @@ OSSL_CMP_exec_P10CR_ses() conveys a legacy PKCS#10 CSR requesting a certificate.
 
 OSSL_CMP_exec_KUR_ses() obtains an updated certificate.
 
-All these four types of certificate enrollment may be blocked by sleeping until the
-CAs or an intermedate PKI component can fully process and answer the request.
-
-OSSL_CMP_try_certreq() is an alternative to these four functions that is
-more uniform regarding the type of the certificate request to use and
+These four types of certificate enrollment are implemented as macros
+calling OSSL_CMP_exec_certreq().
+
+OSSL_CMP_exec_certreq() performs a certificate request of the type specified
+by the B<req_type> parameter, which may be IR, CR, P10CR, or KUR.
+For IR, CR, and KUR, the certificate template to be used in the request
+may be supplied via the B<crm> parameter pointing to a CRMF structure.
+Typically B<crm> is NULL, then the template ingredients are taken from B<ctx>
+and need to be filled in using L<OSSL_CMP_CTX_set1_subjectName(3)>,
+L<OSSL_CMP_CTX_set0_newPkey(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>, etc.
+For P10CR, L<OSSL_CMP_CTX_set1_p10CSR(3)> needs to be used instead.
+The enrollment session may be blocked by sleeping until the addressed
+CA (or an intermedate PKI component) can fully process and answer the request.
+
+OSSL_CMP_try_certreq() is an alternative to the above functions that is
 more flexible regarding what to do after receiving a checkAfter value.
 When called for the first time (with no certificate request in progress for
 the given B<ctx>) it starts a new transaction by sending a certificate request
-of the given type,
-which may be IR, CR, P10CR, or KUR as specified by the B<req_type> parameter.
+constructed as stated above using the B<req_type> and optional B<crm> parameter.
 Otherwise (when according to B<ctx> a 'waiting' status has been received before)
 it continues polling for the pending request
 unless the B<req_type> argument is < 0, which aborts the request.
 If the requested certificate is available the function returns 1 and the
-caller can use B<OSSL_CMP_CTX_get0_newCert()> to retrieve the new certificate.
+caller can use L<OSSL_CMP_CTX_get0_newCert(3)> to retrieve the new certificate.
 If no error occurred but no certificate is available yet then
 OSSL_CMP_try_certreq() remembers in the CMP context that it should be retried
 and returns -1 after assigning the received checkAfter value
@@ -121,17 +132,17 @@ So far the CMP client implementation is limited to one request per CMP message
 
 =head1 RETURN VALUES
 
-OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
+OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
 OSSL_CMP_exec_P10CR_ses(), and OSSL_CMP_exec_KUR_ses() return a
 pointer to the newly obtained X509 certificate on success, B<NULL> on error.
 This pointer will be freed implicitly by OSSL_CMP_CTX_free() or
 CSSL_CMP_CTX_reinit().
 
 OSSL_CMP_try_certreq() returns 1 if the requested certificate is available
-via B<OSSL_CMP_CTX_get0_newCert()>
+via L<OSSL_CMP_CTX_get0_newCert(3)>
 or on successfully aborting a pending certificate request, 0 on error, and -1
 in case a 'waiting' status has been received and checkAfter value is available.
-In the latter case B<OSSL_CMP_CTX_get0_newCert()> yields NULL
+In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
 and the output parameter B<checkAfter> has been used to
 assign the received value unless B<checkAfter> is NULL.
 
@@ -154,7 +165,11 @@ functions.
 
 =head1 SEE ALSO
 
-L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_MSG_http_perform(3)>
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>,
+L<OSSL_CMP_CTX_set1_subjectName(3)>, L<OSSL_CMP_CTX_set0_newPkey(3)>,
+L<OSSL_CMP_CTX_set1_p10CSR(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>,
+L<OSSL_CMP_CTX_get0_newCert(3)>, L<OSSL_CMP_CTX_push0_genm_ITAV(3)>,
+L<OSSL_CMP_MSG_http_perform(3)>
 
 =head1 HISTORY
 

diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod
index 3bf5c0681112565c174958c132290a9443f52fdc..637032502803a8d0386c6bd92ef6c318ffea8d82 100644 (file)
--- a/doc/man3/OSSL_CMP_validate_msg.pod
+++ b/doc/man3/OSSL_CMP_validate_msg.pod
@@ -61,7 +61,7 @@ return 1 on success, 0 on error or validation failed.
 
 =head1 SEE ALSO
 
-L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
 
 =head1 HISTORY
 

diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index d348acdfd26d67eababbee5101619c738ab27d0a..18ba40cee6870968cbb84a8f37a66a2579922930 100644 (file)
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -152,6 +152,7 @@ OSSL_CRMF_ENCRYPTEDVALUE_new,
 OSSL_CRMF_MSGS_free,
 OSSL_CRMF_MSGS_it,
 OSSL_CRMF_MSGS_new,
+OSSL_CRMF_MSG_dup,
 OSSL_CRMF_MSG_free,
 OSSL_CRMF_MSG_it,
 OSSL_CRMF_MSG_new,

diff --git a/fuzz/cmp.c b/fuzz/cmp.c
index 100350ebfe5e214f972e9363755d8b001b215097..a63ef9c2386ed5f03246d6ba683273abae1801e0 100644 (file)
--- a/fuzz/cmp.c
+++ b/fuzz/cmp.c
@@ -84,7 +84,7 @@ static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
         break;
     case OSSL_CMP_PKIBODY_POLLREP:
         ctx->status = OSSL_CMP_PKISTATUS_waiting;
-        (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL);
+        (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
         break;
     case OSSL_CMP_PKIBODY_RP:
         (void)OSSL_CMP_exec_RR_ses(ctx);

diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
index 9bd576cf1e38e0e63eda44b2cb951ad95a543e9b..eaefd68e8b26a9aa6451b82f58e49bf2aa3df475 100644 (file)
--- a/include/openssl/cmp.h
+++ b/include/openssl/cmp.h
@@ -417,15 +417,22 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
                                                 int val);
 
 /* from cmp_client.c */
-X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx);
-X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx);
-X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx);
-X509 *OSSL_CMP_exec_KUR_ses(OSSL_CMP_CTX *ctx);
-#  define OSSL_CMP_IR    OSSL_CMP_PKIBODY_IR
-#  define OSSL_CMP_CR    OSSL_CMP_PKIBODY_CR
-#  define OSSL_CMP_P10CR OSSL_CMP_PKIBODY_P10CR
-#  define OSSL_CMP_KUR   OSSL_CMP_PKIBODY_KUR
-int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter);
+X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                            const OSSL_CRMF_MSG *crm);
+#  define OSSL_CMP_IR    0
+#  define OSSL_CMP_CR    2
+#  define OSSL_CMP_P10CR 4
+#  define OSSL_CMP_KUR   7
+#  define OSSL_CMP_exec_IR_ses(ctx) \
+    OSSL_CMP_exec_certreq(ctx, OSSL_CMP_IR, NULL)
+#  define OSSL_CMP_exec_CR_ses(ctx) \
+    OSSL_CMP_exec_certreq(ctx, OSSL_CMP_CR, NULL)
+#  define OSSL_CMP_exec_P10CR_ses(ctx) \
+    OSSL_CMP_exec_certreq(ctx, OSSL_CMP_P10CR, NULL)
+#  define OSSL_CMP_exec_KUR_ses(ctx) \
+    OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
+int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
+                         const OSSL_CRMF_MSG *crm, int *checkAfter);
 int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
                          const char **text);
 X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);

diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index d220e55c5eb6703e1eb174c23e9c86ba7f4f2364..f18ba386bc4a652d0a3185cc25a45acb7ff05cf0 100644 (file)
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -51,13 +51,10 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_ERROR_CALCULATING_PROTECTION               115
 #  define CMP_R_ERROR_CREATING_CERTCONF                    116
 #  define CMP_R_ERROR_CREATING_CERTREP                     117
-#  define CMP_R_ERROR_CREATING_CR                          163
+#  define CMP_R_ERROR_CREATING_CERTREQ                     163
 #  define CMP_R_ERROR_CREATING_ERROR                       118
 #  define CMP_R_ERROR_CREATING_GENM                        119
 #  define CMP_R_ERROR_CREATING_GENP                        120
-#  define CMP_R_ERROR_CREATING_IR                          164
-#  define CMP_R_ERROR_CREATING_KUR                         165
-#  define CMP_R_ERROR_CREATING_P10CR                       121
 #  define CMP_R_ERROR_CREATING_PKICONF                     122
 #  define CMP_R_ERROR_CREATING_POLLREP                     123
 #  define CMP_R_ERROR_CREATING_POLLREQ                     124
@@ -77,6 +74,7 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_INVALID_OPTION                             174
 #  define CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION  130
 #  define CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE         142
+#  define CMP_R_MISSING_P10CSR                             121
 #  define CMP_R_MISSING_PRIVATE_KEY                        131
 #  define CMP_R_MISSING_PROTECTION                         143
 #  define CMP_R_MISSING_REFERENCE_CERT                     168

diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h
index bf9c1c6159fb593b736513312d9400b56a489e64..bf0e32d499d315eab08aaede656eb3a3d3bbf820 100644 (file)
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@@ -43,6 +43,7 @@ typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
 typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)
 DEFINE_OR_DECLARE_STACK_OF(OSSL_CRMF_MSG)
 typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
 typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;

diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index 2f7fbf7b1e5ad31cd7251d8016960ea705648509..d305eb561007b7fd6f1122dcfc45bf659d7d6fe6 100644 (file)
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -28,8 +28,8 @@ typedef struct test_fixture {
     const char *test_case_name;
     OSSL_CMP_CTX *cmp_ctx;
     OSSL_CMP_SRV_CTX *srv_ctx;
+    int req_type;
     int expected;
-    X509 *(*exec_cert_ses_cb) (OSSL_CMP_CTX *);
     STACK_OF(X509) *caPubs;
 } CMP_SES_TEST_FIXTURE;
 
@@ -81,7 +81,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
             || !OSSL_CMP_CTX_set1_srvCert(ctx, server_cert)
             || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref)))
         goto err;
-    fixture->exec_cert_ses_cb = NULL;
+    fixture->req_type = -1;
     return fixture;
 
  err:
@@ -107,13 +107,13 @@ static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 
 static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 {
-    X509 *res;
+    X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx,
+                                      fixture->req_type, NULL);
 
     if (fixture->expected == 0)
-        return TEST_ptr_null(fixture->exec_cert_ses_cb(fixture->cmp_ctx));
+        return TEST_ptr_null(res);
 
-    if (!TEST_ptr(res = fixture->exec_cert_ses_cb(fixture->cmp_ctx))
-            || !TEST_int_eq(X509_cmp(res, client_cert), 0))
+    if (!TEST_ptr(res) || !TEST_int_eq(X509_cmp(res, client_cert), 0))
         return 0;
     /* TODO: check that cerfConf has been exchanged unless implicitConfirm */
     if (fixture->caPubs != NULL) {
@@ -150,7 +150,7 @@ static int test_exec_RR_ses_receive_error(void)
 static int test_exec_IR_ses(void)
 {
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
+    fixture->req_type = OSSL_CMP_IR;
     fixture->expected = 1;
     fixture->caPubs = sk_X509_new_null();
     sk_X509_push(fixture->caPubs, server_cert);
@@ -164,7 +164,7 @@ static const int checkAfter = 1;
 static int test_exec_IR_ses_poll(void)
 {
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
+    fixture->req_type = OSSL_CMP_IR;
     fixture->expected = 1;
     ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 2);
     ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter);
@@ -179,7 +179,7 @@ static int test_exec_IR_ses_poll_timeout(void)
     const int tout = pollCount * checkAfter;
 
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
+    fixture->req_type = OSSL_CMP_IR;
     fixture->expected = 0;
     ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, pollCount + 1);
     ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter);
@@ -192,7 +192,7 @@ static int test_exec_IR_ses_poll_timeout(void)
 static int test_exec_CR_ses(void)
 {
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_CR_ses;
+    fixture->req_type = OSSL_CMP_CR;
     fixture->expected = 1;
     EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
     return result;
@@ -201,7 +201,7 @@ static int test_exec_CR_ses(void)
 static int test_exec_CR_ses_implicit_confirm(void)
 {
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_CR_ses;
+    fixture->req_type = OSSL_CMP_CR;
     fixture->expected = 1;
     OSSL_CMP_CTX_set_option(fixture->cmp_ctx,
                             OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1);
@@ -213,7 +213,7 @@ static int test_exec_CR_ses_implicit_confirm(void)
 static int test_exec_KUR_ses(void)
 {
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_KUR_ses;
+    fixture->req_type = OSSL_CMP_KUR;
     fixture->expected = 1;
     EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
     return result;
@@ -224,7 +224,7 @@ static int test_exec_P10CR_ses(void)
     X509_REQ *req = NULL;
 
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
-    fixture->exec_cert_ses_cb = OSSL_CMP_exec_P10CR_ses;
+    fixture->req_type = OSSL_CMP_P10CR;
     fixture->expected = 1;
     if (!TEST_ptr(req = load_csr(pkcs10_f))
             || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) {
@@ -245,13 +245,14 @@ static int execute_try_certreq_poll_test(CMP_SES_TEST_FIXTURE *fixture)
 
     ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
     ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
-    return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
+    return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
         && check_after == CHECK_AFTER
         && TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
-        && TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
+        && TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
         && check_after == CHECK_AFTER
         && TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
-        && TEST_int_eq(fixture->expected, OSSL_CMP_try_certreq(ctx, TYPE, NULL))
+        && TEST_int_eq(fixture->expected,
+                       OSSL_CMP_try_certreq(ctx, TYPE, NULL, NULL))
         && TEST_int_eq(0,
                        X509_cmp(OSSL_CMP_CTX_get0_newCert(ctx), client_cert));
 }
@@ -273,10 +274,11 @@ static int execute_try_certreq_poll_abort_test(CMP_SES_TEST_FIXTURE *fixture)
 
     ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
     ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
-    return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
+    return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
         && check_after == CHECK_AFTER
         && TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
-        && TEST_int_eq(fixture->expected, OSSL_CMP_try_certreq(ctx, -1, NULL))
+        && TEST_int_eq(fixture->expected,
+                       OSSL_CMP_try_certreq(ctx, -1, NULL, NULL))
         && TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(fixture->cmp_ctx), NULL);
 }
 

diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c
index ca03dc23e3a58d0429dfbaf630f4dbebf47cdb60..92989f95e19ad19214767b1ba92d8be36ee55b4c 100644 (file)
--- a/test/cmp_msg_test.c
+++ b/test/cmp_msg_test.c
@@ -84,9 +84,9 @@ static X509 *cert = NULL;
  */
 static int execute_certreq_create_test(CMP_MSG_TEST_FIXTURE *fixture)
 {
-    EXECUTE_MSG_CREATION_TEST(ossl_cmp_certReq_new(fixture->cmp_ctx,
+    EXECUTE_MSG_CREATION_TEST(ossl_cmp_certreq_new(fixture->cmp_ctx,
                                                    fixture->bodytype,
-                                                   fixture->err_code));
+                                                   NULL));
 }
 
 static int execute_errormsg_create_test(CMP_MSG_TEST_FIXTURE *fixture)
@@ -218,7 +218,7 @@ static int test_cmp_create_p10cr(void)
     X509_REQ *p10cr = NULL;
 
     fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
-    fixture->err_code = CMP_R_ERROR_CREATING_P10CR;
+    fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
     fixture->expected = 1;
     if (!TEST_ptr(p10cr = load_csr(pkcs10_f))
             || !TEST_true(set1_newPkey(ctx, newkey))
@@ -235,7 +235,7 @@ static int test_cmp_create_p10cr_null(void)
 {
     SETUP_TEST_FIXTURE(CMP_MSG_TEST_FIXTURE, set_up);
     fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
-    fixture->err_code = CMP_R_ERROR_CREATING_P10CR;
+    fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
     fixture->expected = 0;
     if (!TEST_true(set1_newPkey(fixture->cmp_ctx, newkey))) {
         tear_down(fixture);

diff --git a/util/libcrypto.num b/util/libcrypto.num
index a4642f1973561a301d6bfd1121eaadf1f3d86836..4afac9fd6f0823110cd1a2b1a692827d6f61bef6 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4498,6 +4498,7 @@ OSSL_CRMF_ENCRYPTEDVALUE_new            ? 3_0_0   EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_it             ?      3_0_0   EXIST::FUNCTION:CRMF
 d2i_OSSL_CRMF_MSG                       ?      3_0_0   EXIST::FUNCTION:CRMF
 i2d_OSSL_CRMF_MSG                       ?      3_0_0   EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_dup                       ?      3_0_0   EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_free                      ?      3_0_0   EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_new                       ?      3_0_0   EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_it                        ?      3_0_0   EXIST::FUNCTION:CRMF
@@ -4985,10 +4986,7 @@ OSSL_CMP_SRV_CTX_set_send_unprotected_errors ?   3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_accept_unprotected ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_accept_raverified  ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_grant_implicit_confirm ?  3_0_0   EXIST::FUNCTION:CMP
-OSSL_CMP_exec_IR_ses                    ?      3_0_0   EXIST::FUNCTION:CMP
-OSSL_CMP_exec_CR_ses                    ?      3_0_0   EXIST::FUNCTION:CMP
-OSSL_CMP_exec_P10CR_ses                 ?      3_0_0   EXIST::FUNCTION:CMP
-OSSL_CMP_exec_KUR_ses                   ?      3_0_0   EXIST::FUNCTION:CMP
+OSSL_CMP_exec_certreq                   ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_try_certreq                    ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_certConf_cb                    ?      3_0_0   EXIST::FUNCTION:CMP
 OSSL_CMP_exec_RR_ses                    ?      3_0_0   EXIST::FUNCTION:CMP

diff --git a/util/other.syms b/util/other.syms
index a623ff5e775f41a735a1385fcd16d0b47571eb81..38ad3d3a33bad0f32edf6c7844811bfa2653bcc2 100644 (file)
--- a/util/other.syms
+++ b/util/other.syms
@@ -368,6 +368,10 @@ OpenSSL_add_all_algorithms              define deprecated 1.1.0
 OpenSSL_add_all_ciphers                 define deprecated 1.1.0
 OpenSSL_add_all_digests                 define deprecated 1.1.0
 OpenSSL_add_ssl_algorithms              define
+OSSL_CMP_exec_IR_ses                    define
+OSSL_CMP_exec_CR_ses                    define
+OSSL_CMP_exec_P10CR_ses                 define
+OSSL_CMP_exec_KUR_ses                   define
 OSSL_CMP_CTX_set_log_verbosity          define
 OSSL_CMP_CR                             define
 OSSL_CMP_IR                             define