]>
Commit | Line | Data |
---|---|---|
7e765f46 | 1 | /* |
4333b89f | 2 | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
7e765f46 DDO |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | */ | |
11 | ||
12 | #include "cmp_local.h" | |
13 | #include "internal/cryptlib.h" | |
9be5f9a8 | 14 | #include "e_os.h" /* ossl_sleep() */ |
7e765f46 DDO |
15 | |
16 | /* explicit #includes not strictly needed since implied by the above: */ | |
17 | #include <openssl/bio.h> | |
18 | #include <openssl/cmp.h> | |
19 | #include <openssl/err.h> | |
20 | #include <openssl/evp.h> | |
21 | #include <openssl/x509v3.h> | |
6229815a | 22 | #include <openssl/cmp_util.h> |
7e765f46 DDO |
23 | |
24 | #define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \ | |
25 | || (t) == OSSL_CMP_PKIBODY_KUP) | |
26 | ||
27 | /*- | |
28 | * Evaluate whether there's an exception (violating the standard) configured for | |
29 | * handling negative responses without protection or with invalid protection. | |
30 | * Returns 1 on acceptance, 0 on rejection, or -1 on (internal) error. | |
31 | */ | |
32 | static int unprotected_exception(const OSSL_CMP_CTX *ctx, | |
33 | const OSSL_CMP_MSG *rep, | |
34 | int invalid_protection, | |
35 | int expected_type /* ignored here */) | |
36 | { | |
7df56ada | 37 | int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */); |
7e765f46 DDO |
38 | const char *msg_type = NULL; |
39 | ||
40 | if (!ossl_assert(ctx != NULL && rep != NULL)) | |
41 | return -1; | |
42 | ||
43 | if (!ctx->unprotectedErrors) | |
44 | return 0; | |
45 | ||
46 | switch (rcvd_type) { | |
47 | case OSSL_CMP_PKIBODY_ERROR: | |
48 | msg_type = "error response"; | |
49 | break; | |
50 | case OSSL_CMP_PKIBODY_RP: | |
51 | { | |
52 | OSSL_CMP_PKISI *si = | |
53 | ossl_cmp_revrepcontent_get_pkisi(rep->body->value.rp, | |
54 | OSSL_CMP_REVREQSID); | |
55 | ||
56 | if (si == NULL) | |
57 | return -1; | |
58 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_rejection) | |
59 | msg_type = "revocation response message with rejection status"; | |
60 | break; | |
61 | } | |
62 | case OSSL_CMP_PKIBODY_PKICONF: | |
63 | msg_type = "PKI Confirmation message"; | |
64 | break; | |
65 | default: | |
66 | if (IS_CREP(rcvd_type)) { | |
67 | OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip; | |
68 | OSSL_CMP_CERTRESPONSE *crep = | |
69 | ossl_cmp_certrepmessage_get0_certresponse(crepmsg, | |
70 | -1 /* any rid */); | |
71 | ||
72 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) | |
73 | return -1; | |
7e765f46 DDO |
74 | if (crep == NULL) |
75 | return -1; | |
76 | if (ossl_cmp_pkisi_get_status(crep->status) | |
77 | == OSSL_CMP_PKISTATUS_rejection) | |
78 | msg_type = "CertRepMessage with rejection status"; | |
79 | } | |
80 | } | |
81 | if (msg_type == NULL) | |
82 | return 0; | |
83 | ossl_cmp_log2(WARN, ctx, "ignoring %s protection of %s", | |
84 | invalid_protection ? "invalid" : "missing", msg_type); | |
85 | return 1; | |
86 | } | |
87 | ||
7e765f46 DDO |
88 | /* Save error info from PKIStatusInfo field of a certresponse into ctx */ |
89 | static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) | |
90 | { | |
91 | int i; | |
92 | OSSL_CMP_PKIFREETEXT *ss; | |
93 | ||
94 | if (!ossl_assert(ctx != NULL && si != NULL)) | |
95 | return 0; | |
96 | ||
97 | if ((ctx->status = ossl_cmp_pkisi_get_status(si)) < 0) | |
98 | return 0; | |
99 | ||
100 | ctx->failInfoCode = 0; | |
101 | if (si->failInfo != NULL) { | |
102 | for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) { | |
103 | if (ASN1_BIT_STRING_get_bit(si->failInfo, i)) | |
104 | ctx->failInfoCode |= (1 << i); | |
105 | } | |
106 | } | |
107 | ||
108 | if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) | |
109 | || (ctx->statusString == NULL)) | |
110 | return 0; | |
111 | ||
112 | ss = si->statusString; /* may be NULL */ | |
113 | for (i = 0; i < sk_ASN1_UTF8STRING_num(ss); i++) { | |
114 | ASN1_UTF8STRING *str = sk_ASN1_UTF8STRING_value(ss, i); | |
115 | ||
116 | if (!sk_ASN1_UTF8STRING_push(ctx->statusString, ASN1_STRING_dup(str))) | |
117 | return 0; | |
118 | } | |
119 | return 1; | |
120 | } | |
121 | ||
122 | /*- | |
123 | * Perform the generic aspects of sending a request and receiving a response. | |
124 | * Returns 1 on success and provides the received PKIMESSAGE in *rep. | |
125 | * Returns 0 on error. | |
126 | * Regardless of success, caller is responsible for freeing *rep (unless NULL). | |
127 | */ | |
128 | static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, | |
129 | OSSL_CMP_MSG **rep, int expected_type) | |
130 | { | |
5e128ed1 DDO |
131 | int is_enrollment = IS_CREP(expected_type) |
132 | || expected_type == OSSL_CMP_PKIBODY_POLLREP | |
133 | || expected_type == OSSL_CMP_PKIBODY_PKICONF; | |
7e765f46 | 134 | const char *req_type_str = |
7df56ada | 135 | ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req)); |
7e765f46 DDO |
136 | const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type); |
137 | int msg_timeout; | |
138 | int bt; | |
139 | time_t now = time(NULL); | |
140 | int time_left; | |
141 | OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb; | |
142 | ||
143 | if (transfer_cb == NULL) | |
afe554c2 | 144 | transfer_cb = OSSL_CMP_MSG_http_perform; |
7e765f46 DDO |
145 | |
146 | *rep = NULL; | |
147 | msg_timeout = ctx->msg_timeout; /* backup original value */ | |
5e128ed1 | 148 | if (is_enrollment && ctx->total_timeout > 0 /* timeout is not infinite */) { |
7e765f46 | 149 | if (now >= ctx->end_time) { |
9311d0c4 | 150 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); |
7e765f46 DDO |
151 | return 0; |
152 | } | |
153 | if (!ossl_assert(ctx->end_time - time(NULL) < INT_MAX)) { | |
5e128ed1 | 154 | /* actually cannot happen due to assignment in initial_certreq() */ |
9311d0c4 | 155 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
7e765f46 DDO |
156 | return 0; |
157 | } | |
158 | time_left = (int)(ctx->end_time - now); | |
159 | if (ctx->msg_timeout == 0 || time_left < ctx->msg_timeout) | |
160 | ctx->msg_timeout = time_left; | |
161 | } | |
162 | ||
163 | /* should print error queue since transfer_cb may call ERR_clear_error() */ | |
164 | OSSL_CMP_CTX_print_errors(ctx); | |
165 | ||
166 | ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); | |
167 | ||
168 | *rep = (*transfer_cb)(ctx, req); | |
169 | ctx->msg_timeout = msg_timeout; /* restore original value */ | |
170 | ||
171 | if (*rep == NULL) { | |
5e128ed1 DDO |
172 | ERR_raise_data(ERR_LIB_CMP, |
173 | ctx->total_timeout > 0 && time(NULL) >= ctx->end_time ? | |
174 | CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR, | |
a150f8e1 RL |
175 | "request sent: %s, expected response: %s", |
176 | req_type_str, expected_type_str); | |
7e765f46 DDO |
177 | return 0; |
178 | } | |
179 | ||
7df56ada | 180 | bt = OSSL_CMP_MSG_get_bodytype(*rep); |
7e765f46 DDO |
181 | /* |
182 | * The body type in the 'bt' variable is not yet verified. | |
183 | * Still we use this preliminary value already for a progress report because | |
184 | * the following msg verification may also produce log entries and may fail. | |
185 | */ | |
186 | ossl_cmp_log1(INFO, ctx, "received %s", ossl_cmp_bodytype_to_string(bt)); | |
187 | ||
bb30bce2 DDO |
188 | /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */ |
189 | if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF | |
190 | && !ossl_cmp_ctx_set1_extraCertsIn(ctx, (*rep)->extraCerts)) | |
191 | return 0; | |
192 | ||
430efff1 DDO |
193 | if (!ossl_cmp_msg_check_update(ctx, *rep, unprotected_exception, |
194 | expected_type)) | |
7e765f46 DDO |
195 | return 0; |
196 | ||
197 | if (bt == expected_type | |
198 | /* as an answer to polling, there could be IP/CP/KUP: */ | |
199 | || (IS_CREP(bt) && expected_type == OSSL_CMP_PKIBODY_POLLREP)) | |
200 | return 1; | |
201 | ||
202 | /* received message type is not one of the expected ones (e.g., error) */ | |
9311d0c4 | 203 | ERR_raise(ERR_LIB_CMP, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR : |
4c0d49ed | 204 | CMP_R_UNEXPECTED_PKIBODY); /* in next line for mkerr.pl */ |
7e765f46 DDO |
205 | |
206 | if (bt != OSSL_CMP_PKIBODY_ERROR) { | |
207 | ERR_add_error_data(3, "message type is '", | |
208 | ossl_cmp_bodytype_to_string(bt), "'"); | |
209 | } else { | |
210 | OSSL_CMP_ERRORMSGCONTENT *emc = (*rep)->body->value.error; | |
211 | OSSL_CMP_PKISI *si = emc->pKIStatusInfo; | |
212 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
213 | ||
214 | if (save_statusInfo(ctx, si) | |
143be474 DDO |
215 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, |
216 | sizeof(buf)) != NULL) | |
7e765f46 DDO |
217 | ERR_add_error_data(1, buf); |
218 | if (emc->errorCode != NULL | |
991519ae | 219 | && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX", |
7e765f46 DDO |
220 | ASN1_INTEGER_get(emc->errorCode)) > 0) |
221 | ERR_add_error_data(1, buf); | |
222 | if (emc->errorDetails != NULL) { | |
adf7e6d1 SL |
223 | char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ", |
224 | OSSL_CMP_PKISI_BUFLEN - 1); | |
7e765f46 | 225 | |
991519ae | 226 | if (text != NULL && *text != '\0') |
7e765f46 DDO |
227 | ERR_add_error_data(2, "; errorDetails: ", text); |
228 | OPENSSL_free(text); | |
229 | } | |
230 | if (ctx->status != OSSL_CMP_PKISTATUS_rejection) { | |
9311d0c4 | 231 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
7e765f46 DDO |
232 | if (ctx->status == OSSL_CMP_PKISTATUS_waiting) |
233 | ctx->status = OSSL_CMP_PKISTATUS_rejection; | |
234 | } | |
235 | } | |
236 | return 0; | |
237 | } | |
238 | ||
239 | /*- | |
240 | * When a 'waiting' PKIStatus has been received, this function is used to | |
241 | * poll, which should yield a pollRep or finally a CertRepMessage in ip/cp/kup. | |
242 | * On receiving a pollRep, which includes a checkAfter value, it return this | |
243 | * value if sleep == 0, else it sleeps as long as indicated and retries. | |
244 | * | |
245 | * A transaction timeout is enabled if ctx->total_timeout is > 0. | |
246 | * In this case polling will continue until the timeout is reached and then | |
247 | * polling is done a last time even if this is before the "checkAfter" time. | |
248 | * | |
249 | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. | |
250 | * Returns 1 on success and provides the received PKIMESSAGE in *rep. | |
251 | * In this case the caller is responsible for freeing *rep. | |
252 | * Returns 0 on error (which includes the case that timeout has been reached). | |
253 | */ | |
254 | static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, | |
255 | OSSL_CMP_MSG **rep, int *checkAfter) | |
256 | { | |
257 | OSSL_CMP_MSG *preq = NULL; | |
258 | OSSL_CMP_MSG *prep = NULL; | |
259 | ||
260 | ossl_cmp_info(ctx, | |
261 | "received 'waiting' PKIStatus, starting to poll for response"); | |
262 | *rep = NULL; | |
263 | for (;;) { | |
7e765f46 DDO |
264 | if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL) |
265 | goto err; | |
266 | ||
267 | if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP)) | |
268 | goto err; | |
269 | ||
270 | /* handle potential pollRep */ | |
7df56ada | 271 | if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) { |
7e765f46 DDO |
272 | OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep; |
273 | OSSL_CMP_POLLREP *pollRep = NULL; | |
274 | int64_t check_after; | |
275 | char str[OSSL_CMP_PKISI_BUFLEN]; | |
276 | int len; | |
277 | ||
7e765f46 | 278 | if (sk_OSSL_CMP_POLLREP_num(prc) > 1) { |
9311d0c4 | 279 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); |
7e765f46 DDO |
280 | goto err; |
281 | } | |
282 | pollRep = ossl_cmp_pollrepcontent_get0_pollrep(prc, rid); | |
283 | if (pollRep == NULL) | |
284 | goto err; | |
285 | ||
286 | if (!ASN1_INTEGER_get_int64(&check_after, pollRep->checkAfter)) { | |
9311d0c4 | 287 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_CHECKAFTER_IN_POLLREP); |
7e765f46 DDO |
288 | goto err; |
289 | } | |
290 | if (check_after < 0 || (uint64_t)check_after | |
291 | > (sleep ? ULONG_MAX / 1000 : INT_MAX)) { | |
9311d0c4 | 292 | ERR_raise(ERR_LIB_CMP, CMP_R_CHECKAFTER_OUT_OF_RANGE); |
b5f7aa5c | 293 | if (BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, "value = %jd", |
7e765f46 DDO |
294 | check_after) >= 0) |
295 | ERR_add_error_data(1, str); | |
296 | goto err; | |
297 | } | |
7e765f46 DDO |
298 | |
299 | if (pollRep->reason == NULL | |
300 | || (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, | |
301 | " with reason = '")) < 0) { | |
302 | *str = '\0'; | |
303 | } else { | |
adf7e6d1 SL |
304 | char *text = ossl_sk_ASN1_UTF8STRING2text(pollRep->reason, ", ", |
305 | sizeof(str) - len - 2); | |
7e765f46 DDO |
306 | |
307 | if (text == NULL | |
308 | || BIO_snprintf(str + len, sizeof(str) - len, | |
309 | "%s'", text) < 0) | |
310 | *str = '\0'; | |
311 | OPENSSL_free(text); | |
312 | } | |
313 | ossl_cmp_log2(INFO, ctx, | |
314 | "received polling response%s; checkAfter = %ld seconds", | |
315 | str, check_after); | |
316 | ||
3c28aa85 DDO |
317 | if (ctx->total_timeout > 0) { /* timeout is not infinite */ |
318 | const int exp = 5; /* expected max time per msg round trip */ | |
319 | int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); | |
320 | ||
321 | if (time_left <= 0) { | |
322 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); | |
323 | goto err; | |
324 | } | |
325 | if (time_left < check_after) | |
326 | check_after = time_left; | |
327 | /* poll one last time just when timeout was reached */ | |
328 | } | |
329 | ||
7e765f46 DDO |
330 | OSSL_CMP_MSG_free(preq); |
331 | preq = NULL; | |
332 | OSSL_CMP_MSG_free(prep); | |
333 | prep = NULL; | |
334 | if (sleep) { | |
335 | ossl_sleep((unsigned long)(1000 * check_after)); | |
336 | } else { | |
337 | if (checkAfter != NULL) | |
338 | *checkAfter = (int)check_after; | |
339 | return -1; /* exits the loop */ | |
340 | } | |
341 | } else { | |
342 | ossl_cmp_info(ctx, "received ip/cp/kup after polling"); | |
343 | /* any other body type has been rejected by send_receive_check() */ | |
344 | break; | |
345 | } | |
346 | } | |
347 | if (prep == NULL) | |
348 | goto err; | |
349 | ||
350 | OSSL_CMP_MSG_free(preq); | |
351 | *rep = prep; | |
352 | ||
353 | return 1; | |
354 | err: | |
355 | OSSL_CMP_MSG_free(preq); | |
356 | OSSL_CMP_MSG_free(prep); | |
357 | return 0; | |
358 | } | |
359 | ||
360 | /* Send certConf for IR, CR or KUR sequences and check response */ | |
361 | int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info, | |
362 | const char *txt) | |
363 | { | |
364 | OSSL_CMP_MSG *certConf; | |
365 | OSSL_CMP_MSG *PKIconf = NULL; | |
366 | int res = 0; | |
367 | ||
368 | /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ | |
369 | if ((certConf = ossl_cmp_certConf_new(ctx, fail_info, txt)) == NULL) | |
370 | goto err; | |
371 | ||
372 | res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); | |
373 | ||
374 | err: | |
375 | OSSL_CMP_MSG_free(certConf); | |
376 | OSSL_CMP_MSG_free(PKIconf); | |
377 | return res; | |
378 | } | |
379 | ||
380 | /* Send given error and check response */ | |
381 | int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, | |
382 | const char *txt, int errorCode, const char *details) | |
383 | { | |
384 | OSSL_CMP_MSG *error = NULL; | |
385 | OSSL_CMP_PKISI *si = NULL; | |
386 | OSSL_CMP_MSG *PKIconf = NULL; | |
387 | int res = 0; | |
388 | ||
389 | if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) | |
390 | goto err; | |
391 | /* ossl_cmp_error_new() also checks if all necessary options are set */ | |
392 | if ((error = ossl_cmp_error_new(ctx, si, errorCode, details, 0)) == NULL) | |
393 | goto err; | |
394 | ||
395 | res = send_receive_check(ctx, error, &PKIconf, OSSL_CMP_PKIBODY_PKICONF); | |
396 | ||
397 | err: | |
398 | OSSL_CMP_MSG_free(error); | |
399 | OSSL_CMP_PKISI_free(si); | |
400 | OSSL_CMP_MSG_free(PKIconf); | |
401 | return res; | |
402 | } | |
403 | ||
404 | /*- | |
405 | * Retrieve a copy of the certificate, if any, from the given CertResponse. | |
406 | * Take into account PKIStatusInfo of CertResponse in ctx, report it on error. | |
407 | * Returns NULL if not found or on error. | |
408 | */ | |
409 | static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, | |
410 | OSSL_CMP_CERTRESPONSE *crep) | |
411 | { | |
412 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
413 | X509 *crt = NULL; | |
414 | EVP_PKEY *privkey; | |
415 | ||
416 | if (!ossl_assert(ctx != NULL && crep != NULL)) | |
417 | return NULL; | |
418 | ||
419 | privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); | |
420 | switch (ossl_cmp_pkisi_get_status(crep->status)) { | |
421 | case OSSL_CMP_PKISTATUS_waiting: | |
422 | ossl_cmp_err(ctx, | |
423 | "received \"waiting\" status for cert when actually aiming to extract cert"); | |
9311d0c4 | 424 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_WAITING); |
7e765f46 DDO |
425 | goto err; |
426 | case OSSL_CMP_PKISTATUS_grantedWithMods: | |
427 | ossl_cmp_warn(ctx, "received \"grantedWithMods\" for certificate"); | |
7e765f46 DDO |
428 | break; |
429 | case OSSL_CMP_PKISTATUS_accepted: | |
7e765f46 DDO |
430 | break; |
431 | /* get all information in case of a rejection before going to error */ | |
432 | case OSSL_CMP_PKISTATUS_rejection: | |
433 | ossl_cmp_err(ctx, "received \"rejection\" status rather than cert"); | |
9311d0c4 | 434 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
7e765f46 DDO |
435 | goto err; |
436 | case OSSL_CMP_PKISTATUS_revocationWarning: | |
437 | ossl_cmp_warn(ctx, | |
438 | "received \"revocationWarning\" - a revocation of the cert is imminent"); | |
7e765f46 DDO |
439 | break; |
440 | case OSSL_CMP_PKISTATUS_revocationNotification: | |
441 | ossl_cmp_warn(ctx, | |
442 | "received \"revocationNotification\" - a revocation of the cert has occurred"); | |
7e765f46 DDO |
443 | break; |
444 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: | |
445 | if (bodytype != OSSL_CMP_PKIBODY_KUR) { | |
9311d0c4 | 446 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_KEYUPDATEWARNING); |
7e765f46 DDO |
447 | goto err; |
448 | } | |
7e765f46 DDO |
449 | break; |
450 | default: | |
451 | ossl_cmp_log1(ERROR, ctx, | |
452 | "received unsupported PKIStatus %d for certificate", | |
453 | ctx->status); | |
9311d0c4 | 454 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
7e765f46 DDO |
455 | goto err; |
456 | } | |
6d1f50b5 | 457 | crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey); |
7e765f46 | 458 | if (crt == NULL) /* according to PKIStatus, we can expect a cert */ |
9311d0c4 | 459 | ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); |
7e765f46 DDO |
460 | |
461 | return crt; | |
462 | ||
463 | err: | |
464 | if (OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) | |
465 | ERR_add_error_data(1, buf); | |
466 | return NULL; | |
467 | } | |
468 | ||
469 | /*- | |
470 | * Callback fn validating that the new certificate can be verified, using | |
471 | * ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and | |
bb30bce2 | 472 | * ctx->untrusted, which at this point already contains msg->extraCerts. |
7e765f46 DDO |
473 | * Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo. |
474 | * Quoting from RFC 4210 section 5.1. Overall PKI Message: | |
475 | * The extraCerts field can contain certificates that may be useful to | |
476 | * the recipient. For example, this can be used by a CA or RA to | |
477 | * present an end entity with certificates that it needs to verify its | |
478 | * own new certificate (if, for example, the CA that issued the end | |
479 | * entity's certificate is not a root CA for the end entity). Note that | |
480 | * this field does not necessarily contain a certification path; the | |
481 | * recipient may have to sort, select from, or otherwise process the | |
482 | * extra certificates in order to use them. | |
483 | * Note: While often handy, there is no hard requirement by CMP that | |
484 | * an EE must be able to validate the certificates it gets enrolled. | |
485 | */ | |
486 | int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, | |
487 | const char **text) | |
488 | { | |
489 | X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx); | |
a0745e2b | 490 | STACK_OF(X509) *chain = NULL; |
7e765f46 DDO |
491 | (void)text; /* make (artificial) use of var to prevent compiler warning */ |
492 | ||
493 | if (fail_info != 0) /* accept any error flagged by CMP core library */ | |
494 | return fail_info; | |
495 | ||
a0745e2b | 496 | ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); |
1c0eede9 DDO |
497 | chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */, |
498 | 0, ctx->libctx, ctx->propq); | |
a0745e2b DDO |
499 | if (sk_X509_num(chain) > 0) |
500 | X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ | |
501 | if (out_trusted != NULL) { | |
502 | if (chain == NULL) { | |
503 | ossl_cmp_err(ctx, "failed building chain for newly enrolled cert"); | |
504 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; | |
505 | } else { | |
506 | ossl_cmp_debug(ctx, | |
507 | "succeeded building proper chain for newly enrolled cert"); | |
508 | } | |
509 | } else if (chain == NULL) { | |
510 | ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); | |
511 | chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx); | |
512 | } else { | |
513 | ossl_cmp_debug(ctx, | |
514 | "success building approximate chain for newly enrolled cert"); | |
515 | } | |
516 | (void)ossl_cmp_ctx_set1_newChain(ctx, chain); | |
517 | sk_X509_pop_free(chain, X509_free); | |
7e765f46 DDO |
518 | |
519 | return fail_info; | |
520 | } | |
521 | ||
522 | /*- | |
523 | * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR. | |
524 | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. | |
525 | * Returns 1 on success and provides the received PKIMESSAGE in *resp. | |
526 | * Returns 0 on error (which includes the case that timeout has been reached). | |
527 | * Regardless of success, caller is responsible for freeing *resp (unless NULL). | |
528 | */ | |
529 | static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, | |
530 | OSSL_CMP_MSG **resp, int *checkAfter, | |
531 | int req_type, int expected_type) | |
532 | { | |
533 | EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx /* may be NULL */, 0); | |
534 | int fail_info = 0; /* no failure */ | |
535 | const char *txt = NULL; | |
536 | OSSL_CMP_CERTREPMESSAGE *crepmsg; | |
537 | OSSL_CMP_CERTRESPONSE *crep; | |
a0745e2b | 538 | OSSL_CMP_certConf_cb_t cb; |
7e765f46 DDO |
539 | X509 *cert; |
540 | char *subj = NULL; | |
541 | int ret = 1; | |
542 | ||
a0745e2b DDO |
543 | if (!ossl_assert(ctx != NULL)) |
544 | return 0; | |
545 | ||
7e765f46 DDO |
546 | retry: |
547 | crepmsg = (*resp)->body->value.ip; /* same for cp and kup */ | |
548 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) { | |
9311d0c4 | 549 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); |
7e765f46 DDO |
550 | return 0; |
551 | } | |
7e765f46 DDO |
552 | crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid); |
553 | if (crep == NULL) | |
554 | return 0; | |
555 | if (!save_statusInfo(ctx, crep->status)) | |
556 | return 0; | |
557 | if (rid == -1) { | |
558 | /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */ | |
559 | rid = ossl_cmp_asn1_get_int(crep->certReqId); | |
560 | if (rid == -1) { | |
9311d0c4 | 561 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); |
7e765f46 DDO |
562 | return 0; |
563 | } | |
564 | } | |
565 | ||
566 | if (ossl_cmp_pkisi_get_status(crep->status) == OSSL_CMP_PKISTATUS_waiting) { | |
567 | OSSL_CMP_MSG_free(*resp); | |
568 | *resp = NULL; | |
569 | if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) { | |
570 | if (ret == -1) /* at this point implies sleep == 0 */ | |
571 | return ret; /* waiting */ | |
572 | goto retry; /* got ip/cp/kup, which may still indicate 'waiting' */ | |
573 | } else { | |
9311d0c4 | 574 | ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED); |
7e765f46 DDO |
575 | return 0; |
576 | } | |
577 | } | |
578 | ||
579 | cert = get1_cert_status(ctx, (*resp)->body->type, crep); | |
580 | if (cert == NULL) { | |
581 | ERR_add_error_data(1, "; cannot extract certificate from response"); | |
582 | return 0; | |
583 | } | |
584 | if (!ossl_cmp_ctx_set0_newCert(ctx, cert)) | |
585 | return 0; | |
586 | ||
587 | /* | |
588 | * if the CMP server returned certificates in the caPubs field, copy them | |
589 | * to the context so that they can be retrieved if necessary | |
590 | */ | |
591 | if (crepmsg->caPubs != NULL | |
592 | && !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs)) | |
593 | return 0; | |
594 | ||
7e765f46 DDO |
595 | subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); |
596 | if (rkey != NULL | |
597 | /* X509_check_private_key() also works if rkey is just public key */ | |
598 | && !(X509_check_private_key(ctx->newCert, rkey))) { | |
599 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; | |
600 | txt = "public key in new certificate does not match our enrollment key"; | |
601 | /*- | |
bb30bce2 DDO |
602 | * not calling (void)ossl_cmp_exchange_error(ctx, |
603 | * OSSL_CMP_PKISTATUS_rejection, fail_info, txt) | |
7e765f46 DDO |
604 | * not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt |
605 | * not returning 0 | |
a0745e2b | 606 | * since we better leave this for the certConf_cb to decide |
7e765f46 DDO |
607 | */ |
608 | } | |
609 | ||
610 | /* | |
a0745e2b | 611 | * Execute the certification checking callback function, |
7e765f46 DDO |
612 | * which can determine whether to accept a newly enrolled certificate. |
613 | * It may overrule the pre-decision reflected in 'fail_info' and '*txt'. | |
614 | */ | |
a0745e2b DDO |
615 | cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb; |
616 | if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0 | |
617 | && txt == NULL) | |
618 | txt = "CMP client did not accept it"; | |
7e765f46 DDO |
619 | if (fail_info != 0) /* immediately log error before any certConf exchange */ |
620 | ossl_cmp_log1(ERROR, ctx, | |
621 | "rejecting newly enrolled cert with subject: %s", subj); | |
7e765f46 DDO |
622 | if (!ctx->disableConfirm |
623 | && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) { | |
624 | if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt)) | |
625 | ret = 0; | |
626 | } | |
627 | ||
628 | /* not throwing failure earlier as transfer_cb may call ERR_clear_error() */ | |
629 | if (fail_info != 0) { | |
a676c53c | 630 | ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, |
4c0d49ed AS |
631 | "rejecting newly enrolled cert with subject: %s; %s", |
632 | subj, txt); | |
7e765f46 DDO |
633 | ret = 0; |
634 | } | |
635 | OPENSSL_free(subj); | |
636 | return ret; | |
637 | } | |
638 | ||
5e128ed1 DDO |
639 | static int initial_certreq(OSSL_CMP_CTX *ctx, |
640 | int req_type, const OSSL_CRMF_MSG *crm, | |
641 | OSSL_CMP_MSG **p_rep, int rep_type) | |
642 | { | |
643 | OSSL_CMP_MSG *req; | |
644 | int res; | |
645 | ||
646 | ctx->status = -1; | |
647 | if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) | |
648 | return 0; | |
649 | ||
650 | if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ | |
651 | ctx->end_time = time(NULL) + ctx->total_timeout; | |
652 | ||
653 | /* also checks if all necessary options are set */ | |
654 | if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) | |
655 | return 0; | |
656 | ||
657 | res = send_receive_check(ctx, req, p_rep, rep_type); | |
658 | OSSL_CMP_MSG_free(req); | |
659 | return res; | |
660 | } | |
661 | ||
299e0f1e DDO |
662 | int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, |
663 | const OSSL_CRMF_MSG *crm, int *checkAfter) | |
7e765f46 | 664 | { |
7e765f46 DDO |
665 | OSSL_CMP_MSG *rep = NULL; |
666 | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; | |
667 | int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; | |
668 | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; | |
669 | int res = 0; | |
670 | ||
671 | if (ctx == NULL) { | |
9311d0c4 | 672 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
7e765f46 DDO |
673 | return 0; |
674 | } | |
675 | ||
676 | if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */ | |
5e128ed1 | 677 | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
7e765f46 DDO |
678 | goto err; |
679 | } else { | |
680 | if (req_type < 0) | |
681 | return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection, | |
6f6c8b0e P |
682 | 0, "polling aborted", |
683 | 0 /* errorCode */, "by application"); | |
7e765f46 DDO |
684 | res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter); |
685 | if (res <= 0) /* waiting or error */ | |
686 | return res; | |
687 | } | |
688 | res = cert_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter, | |
689 | req_type, rep_type); | |
690 | ||
691 | err: | |
7e765f46 DDO |
692 | OSSL_CMP_MSG_free(rep); |
693 | return res; | |
694 | } | |
695 | ||
696 | /*- | |
697 | * Do the full sequence CR/IR/KUR/P10CR, CP/IP/KUP/CP, | |
698 | * certConf, PKIconf, and polling if required. | |
699 | * Will sleep as long as indicated by the server (according to checkAfter). | |
700 | * All enrollment options need to be present in the context. | |
7e765f46 DDO |
701 | * Returns pointer to received certificate, or NULL if none was received. |
702 | */ | |
299e0f1e DDO |
703 | X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, |
704 | const OSSL_CRMF_MSG *crm) | |
7e765f46 | 705 | { |
299e0f1e | 706 | |
7e765f46 | 707 | OSSL_CMP_MSG *rep = NULL; |
299e0f1e DDO |
708 | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; |
709 | int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; | |
710 | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; | |
7e765f46 DDO |
711 | X509 *result = NULL; |
712 | ||
713 | if (ctx == NULL) { | |
9311d0c4 | 714 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
7e765f46 DDO |
715 | return NULL; |
716 | } | |
7e765f46 | 717 | |
5e128ed1 | 718 | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
7e765f46 DDO |
719 | goto err; |
720 | ||
721 | if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type) | |
722 | <= 0) | |
723 | goto err; | |
724 | ||
725 | result = ctx->newCert; | |
726 | err: | |
7e765f46 DDO |
727 | OSSL_CMP_MSG_free(rep); |
728 | return result; | |
729 | } | |
730 | ||
3d46c81a | 731 | int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) |
7e765f46 DDO |
732 | { |
733 | OSSL_CMP_MSG *rr = NULL; | |
734 | OSSL_CMP_MSG *rp = NULL; | |
735 | const int num_RevDetails = 1; | |
736 | const int rsid = OSSL_CMP_REVREQSID; | |
737 | OSSL_CMP_REVREPCONTENT *rrep = NULL; | |
738 | OSSL_CMP_PKISI *si = NULL; | |
739 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
3d46c81a | 740 | int ret = 0; |
7e765f46 DDO |
741 | |
742 | if (ctx == NULL) { | |
9311d0c4 | 743 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
7e765f46 DDO |
744 | return 0; |
745 | } | |
3d46c81a | 746 | if (ctx->oldCert == NULL && ctx->p10CSR == NULL) { |
9311d0c4 | 747 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); |
753283cd DDO |
748 | return 0; |
749 | } | |
7e765f46 DDO |
750 | ctx->status = -1; |
751 | ||
752 | /* OSSL_CMP_rr_new() also checks if all necessary options are set */ | |
753 | if ((rr = ossl_cmp_rr_new(ctx)) == NULL) | |
754 | goto end; | |
755 | ||
756 | if (!send_receive_check(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) | |
757 | goto end; | |
758 | ||
759 | rrep = rp->body->value.rp; | |
e599d0ae | 760 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
7e765f46 | 761 | if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) { |
9311d0c4 | 762 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
7e765f46 DDO |
763 | goto end; |
764 | } | |
e599d0ae DDO |
765 | #else |
766 | if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) { | |
9311d0c4 | 767 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
e599d0ae DDO |
768 | goto end; |
769 | } | |
770 | #endif | |
7e765f46 DDO |
771 | |
772 | /* evaluate PKIStatus field */ | |
773 | si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid); | |
774 | if (!save_statusInfo(ctx, si)) | |
775 | goto err; | |
776 | switch (ossl_cmp_pkisi_get_status(si)) { | |
777 | case OSSL_CMP_PKISTATUS_accepted: | |
778 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)"); | |
3d46c81a | 779 | ret = 1; |
7e765f46 DDO |
780 | break; |
781 | case OSSL_CMP_PKISTATUS_grantedWithMods: | |
782 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)"); | |
3d46c81a | 783 | ret = 1; |
7e765f46 DDO |
784 | break; |
785 | case OSSL_CMP_PKISTATUS_rejection: | |
9311d0c4 | 786 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
7e765f46 DDO |
787 | goto err; |
788 | case OSSL_CMP_PKISTATUS_revocationWarning: | |
789 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)"); | |
3d46c81a | 790 | ret = 1; |
7e765f46 DDO |
791 | break; |
792 | case OSSL_CMP_PKISTATUS_revocationNotification: | |
793 | /* interpretation as warning or error depends on CA */ | |
794 | ossl_cmp_warn(ctx, | |
795 | "revocation accepted (PKIStatus=revocationNotification)"); | |
3d46c81a | 796 | ret = 1; |
7e765f46 DDO |
797 | break; |
798 | case OSSL_CMP_PKISTATUS_waiting: | |
799 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: | |
9311d0c4 | 800 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
7e765f46 DDO |
801 | goto err; |
802 | default: | |
9311d0c4 | 803 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
7e765f46 DDO |
804 | goto err; |
805 | } | |
806 | ||
5e128ed1 | 807 | /* check any present CertId in optional revCerts field */ |
3d46c81a | 808 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) { |
7e765f46 DDO |
809 | OSSL_CRMF_CERTID *cid; |
810 | OSSL_CRMF_CERTTEMPLATE *tmpl = | |
811 | sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails; | |
812 | const X509_NAME *issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); | |
813 | ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); | |
814 | ||
815 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) { | |
9311d0c4 | 816 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
3d46c81a | 817 | ret = 0; |
7e765f46 DDO |
818 | goto err; |
819 | } | |
820 | if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) { | |
7df56ada | 821 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID); |
3d46c81a | 822 | ret = 0; |
7e765f46 DDO |
823 | goto err; |
824 | } | |
825 | if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) { | |
e599d0ae | 826 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
9311d0c4 | 827 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP); |
3d46c81a | 828 | ret = 0; |
7e765f46 | 829 | goto err; |
e599d0ae | 830 | #endif |
7e765f46 DDO |
831 | } |
832 | if (ASN1_INTEGER_cmp(serial, | |
833 | OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) { | |
e599d0ae | 834 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
9311d0c4 | 835 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP); |
3d46c81a | 836 | ret = 0; |
7e765f46 | 837 | goto err; |
e599d0ae | 838 | #endif |
7e765f46 DDO |
839 | } |
840 | } | |
841 | ||
842 | /* check number of any optionally present crls */ | |
843 | if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) { | |
9311d0c4 | 844 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
3d46c81a | 845 | ret = 0; |
7e765f46 DDO |
846 | goto err; |
847 | } | |
848 | ||
849 | err: | |
3d46c81a | 850 | if (ret == 0 |
7e765f46 DDO |
851 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) |
852 | ERR_add_error_data(1, buf); | |
853 | ||
854 | end: | |
855 | OSSL_CMP_MSG_free(rr); | |
856 | OSSL_CMP_MSG_free(rp); | |
3d46c81a | 857 | return ret; |
7e765f46 DDO |
858 | } |
859 | ||
860 | STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) | |
861 | { | |
862 | OSSL_CMP_MSG *genm; | |
863 | OSSL_CMP_MSG *genp = NULL; | |
864 | STACK_OF(OSSL_CMP_ITAV) *rcvd_itavs = NULL; | |
865 | ||
866 | if (ctx == NULL) { | |
9311d0c4 | 867 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
7e765f46 DDO |
868 | return 0; |
869 | } | |
8c5c2fa5 | 870 | ctx->status = -1; |
7e765f46 DDO |
871 | |
872 | if ((genm = ossl_cmp_genm_new(ctx)) == NULL) | |
873 | goto err; | |
874 | ||
875 | if (!send_receive_check(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) | |
876 | goto err; | |
877 | ||
878 | /* received stack of itavs not to be freed with the genp */ | |
879 | rcvd_itavs = genp->body->value.genp; | |
880 | genp->body->value.genp = NULL; | |
881 | ||
882 | err: | |
883 | OSSL_CMP_MSG_free(genm); | |
884 | OSSL_CMP_MSG_free(genp); | |
885 | ||
886 | return rcvd_itavs; /* recv_itavs == NULL indicates an error */ | |
887 | } |