projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 62dcd2aa | 1 | /* |
| 4333b89f | 2 | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
| 62dcd2aa DDO |
3 | * Copyright Nokia 2007-2019 |
| 4 | * Copyright Siemens AG 2015-2019 | |
| 5 | * | |
| 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
| 7 | * this file except in compliance with the License. You can obtain a copy | |
| 8 | * in the file LICENSE in the source distribution or at | |
| 9 | * https://www.openssl.org/source/license.html | |
| 10 | */ | |
| 11 | ||
| 12 | /* general CMP server functions */ | |
| 13 | ||
| 14 | #include <openssl/asn1t.h> | |
| 15 | ||
| 16 | #include "cmp_local.h" | |
| 17 | ||
| 18 | /* explicit #includes not strictly needed since implied by the above: */ | |
| 19 | #include <openssl/cmp.h> | |
| 20 | #include <openssl/err.h> | |
| 21 | ||
| 22 | /* the context for the generic CMP server */ | |
| 23 | struct ossl_cmp_srv_ctx_st | |
| 24 | { | |
| 25 | OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */ | |
| 26 | void *custom_ctx; /* pointer to specific server context */ | |
| 27 | ||
| 28 | OSSL_CMP_SRV_cert_request_cb_t process_cert_request; | |
| 29 | OSSL_CMP_SRV_rr_cb_t process_rr; | |
| 30 | OSSL_CMP_SRV_genm_cb_t process_genm; | |
| 31 | OSSL_CMP_SRV_error_cb_t process_error; | |
| 32 | OSSL_CMP_SRV_certConf_cb_t process_certConf; | |
| 33 | OSSL_CMP_SRV_pollReq_cb_t process_pollReq; | |
| 34 | ||
| 35 | int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */ | |
| 36 | int acceptUnprotected; /* Accept requests with no/invalid prot. */ | |
| 37 | int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */ | |
| 38 | int grantImplicitConfirm; /* Grant implicit confirmation if requested */ | |
| 39 | ||
| 40 | }; /* OSSL_CMP_SRV_CTX */ | |
| 41 | ||
| 42 | void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx) | |
| 43 | { | |
| 44 | if (srv_ctx == NULL) | |
| 45 | return; | |
| 46 | ||
| 47 | OSSL_CMP_CTX_free(srv_ctx->ctx); | |
| 48 | OPENSSL_free(srv_ctx); | |
| 49 | } | |
| 50 | ||
| b4250010 | 51 | OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) |
| 62dcd2aa DDO |
52 | { |
| 53 | OSSL_CMP_SRV_CTX *ctx = OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX)); | |
| 54 | ||
| 55 | if (ctx == NULL) | |
| 56 | goto err; | |
| 57 | ||
| 1a7cd250 | 58 | if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) |
| 62dcd2aa DDO |
59 | goto err; |
| 60 | ||
| 61 | /* all other elements are initialized to 0 or NULL, respectively */ | |
| 62 | return ctx; | |
| 63 | err: | |
| 64 | OSSL_CMP_SRV_CTX_free(ctx); | |
| 65 | return NULL; | |
| 66 | } | |
| 67 | ||
| 68 | int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx, | |
| 69 | OSSL_CMP_SRV_cert_request_cb_t process_cert_request, | |
| 70 | OSSL_CMP_SRV_rr_cb_t process_rr, | |
| 71 | OSSL_CMP_SRV_genm_cb_t process_genm, | |
| 72 | OSSL_CMP_SRV_error_cb_t process_error, | |
| 73 | OSSL_CMP_SRV_certConf_cb_t process_certConf, | |
| 74 | OSSL_CMP_SRV_pollReq_cb_t process_pollReq) | |
| 75 | { | |
| 76 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 77 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
78 | return 0; |
| 79 | } | |
| 80 | srv_ctx->custom_ctx = custom_ctx; | |
| 81 | srv_ctx->process_cert_request = process_cert_request; | |
| 82 | srv_ctx->process_rr = process_rr; | |
| 83 | srv_ctx->process_genm = process_genm; | |
| 84 | srv_ctx->process_error = process_error; | |
| 85 | srv_ctx->process_certConf = process_certConf; | |
| 86 | srv_ctx->process_pollReq = process_pollReq; | |
| 87 | return 1; | |
| 88 | } | |
| 89 | ||
| 90 | OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) | |
| 91 | { | |
| 92 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 93 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
94 | return NULL; |
| 95 | } | |
| 96 | return srv_ctx->ctx; | |
| 97 | } | |
| 98 | ||
| 99 | void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) | |
| 100 | { | |
| 101 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 102 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
103 | return NULL; |
| 104 | } | |
| 105 | return srv_ctx->custom_ctx; | |
| 106 | } | |
| 107 | ||
| 108 | int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 109 | int val) | |
| 110 | { | |
| 111 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 112 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
113 | return 0; |
| 114 | } | |
| 115 | srv_ctx->sendUnprotectedErrors = val != 0; | |
| 116 | return 1; | |
| 117 | } | |
| 118 | ||
| 119 | int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val) | |
| 120 | { | |
| 121 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 122 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
123 | return 0; |
| 124 | } | |
| 125 | srv_ctx->acceptUnprotected = val != 0; | |
| 126 | return 1; | |
| 127 | } | |
| 128 | ||
| 129 | int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val) | |
| 130 | { | |
| 131 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 132 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
133 | return 0; |
| 134 | } | |
| 135 | srv_ctx->acceptRAVerified = val != 0; | |
| 136 | return 1; | |
| 137 | } | |
| 138 | ||
| 139 | int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 140 | int val) | |
| 141 | { | |
| 142 | if (srv_ctx == NULL) { | |
| 9311d0c4 | 143 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
144 | return 0; |
| 145 | } | |
| 146 | srv_ctx->grantImplicitConfirm = val != 0; | |
| 147 | return 1; | |
| 148 | } | |
| 149 | ||
| 150 | /* | |
| 151 | * Processes an ir/cr/p10cr/kur and returns a certification response. | |
| 152 | * Only handles the first certification request contained in req | |
| 153 | * returns an ip/cp/kup on success and NULL on error | |
| 154 | */ | |
| 155 | static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 156 | const OSSL_CMP_MSG *req) | |
| 157 | { | |
| 158 | OSSL_CMP_MSG *msg = NULL; | |
| 159 | OSSL_CMP_PKISI *si = NULL; | |
| 160 | X509 *certOut = NULL; | |
| 161 | STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; | |
| 162 | const OSSL_CRMF_MSG *crm = NULL; | |
| 163 | const X509_REQ *p10cr = NULL; | |
| 164 | int bodytype; | |
| 165 | int certReqId; | |
| 166 | ||
| 167 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 168 | return NULL; | |
| 169 | ||
| 7df56ada | 170 | switch (OSSL_CMP_MSG_get_bodytype(req)) { |
| 62dcd2aa DDO |
171 | case OSSL_CMP_PKIBODY_P10CR: |
| 172 | case OSSL_CMP_PKIBODY_CR: | |
| 173 | bodytype = OSSL_CMP_PKIBODY_CP; | |
| 174 | break; | |
| 175 | case OSSL_CMP_PKIBODY_IR: | |
| 176 | bodytype = OSSL_CMP_PKIBODY_IP; | |
| 177 | break; | |
| 178 | case OSSL_CMP_PKIBODY_KUR: | |
| 179 | bodytype = OSSL_CMP_PKIBODY_KUP; | |
| 180 | break; | |
| 181 | default: | |
| 9311d0c4 | 182 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
183 | return NULL; |
| 184 | } | |
| 185 | ||
| 7df56ada | 186 | if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { |
| 62dcd2aa DDO |
187 | certReqId = OSSL_CMP_CERTREQID; |
| 188 | p10cr = req->body->value.p10cr; | |
| 189 | } else { | |
| 190 | OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ | |
| 191 | ||
| 75e1191f | 192 | if (sk_OSSL_CRMF_MSG_num(reqs) != 1) { |
| 9311d0c4 | 193 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
| 62dcd2aa DDO |
194 | return NULL; |
| 195 | } | |
| 196 | ||
| 197 | if ((crm = sk_OSSL_CRMF_MSG_value(reqs, OSSL_CMP_CERTREQID)) == NULL) { | |
| 9311d0c4 | 198 | ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND); |
| 62dcd2aa DDO |
199 | return NULL; |
| 200 | } | |
| 201 | certReqId = OSSL_CRMF_MSG_get_certReqId(crm); | |
| 202 | } | |
| 203 | ||
| 6d1f50b5 | 204 | if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { |
| 62dcd2aa DDO |
205 | /* Proof of possession could not be verified */ |
| 206 | si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, | |
| 207 | 1 << OSSL_CMP_PKIFAILUREINFO_badPOP, | |
| 208 | ERR_reason_error_string(ERR_peek_error())); | |
| 209 | if (si == NULL) | |
| 210 | return NULL; | |
| 211 | } else { | |
| 212 | OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req); | |
| 213 | ||
| 214 | si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr, | |
| 215 | &certOut, &chainOut, &caPubs); | |
| 216 | if (si == NULL) | |
| 217 | goto err; | |
| 7e765f46 | 218 | /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */ |
| 143be474 DDO |
219 | if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx, |
| 220 | OSSL_CMP_OPT_IMPLICIT_CONFIRM, | |
| 62dcd2aa DDO |
221 | ossl_cmp_hdr_has_implicitConfirm(hdr) |
| 222 | && srv_ctx->grantImplicitConfirm | |
| 223 | /* do not set if polling starts: */ | |
| 224 | && certOut != NULL)) | |
| 225 | goto err; | |
| 226 | } | |
| 227 | ||
| 299e0f1e | 228 | msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, |
| 7b3990e3 | 229 | certOut, NULL /* enc */, chainOut, caPubs, |
| 62dcd2aa | 230 | srv_ctx->sendUnprotectedErrors); |
| 62dcd2aa | 231 | if (msg == NULL) |
| 9311d0c4 | 232 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP); |
| 62dcd2aa DDO |
233 | |
| 234 | err: | |
| 235 | OSSL_CMP_PKISI_free(si); | |
| 236 | X509_free(certOut); | |
| 237 | sk_X509_pop_free(chainOut, X509_free); | |
| 238 | sk_X509_pop_free(caPubs, X509_free); | |
| 239 | return msg; | |
| 240 | } | |
| 241 | ||
| 242 | static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 243 | const OSSL_CMP_MSG *req) | |
| 244 | { | |
| 245 | OSSL_CMP_MSG *msg = NULL; | |
| 246 | OSSL_CMP_REVDETAILS *details; | |
| 3d46c81a | 247 | OSSL_CRMF_CERTID *certId = NULL; |
| 62dcd2aa | 248 | OSSL_CRMF_CERTTEMPLATE *tmpl; |
| 8cc86b81 | 249 | const X509_NAME *issuer; |
| 62dcd2aa DDO |
250 | ASN1_INTEGER *serial; |
| 251 | OSSL_CMP_PKISI *si; | |
| 252 | ||
| 253 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 254 | return NULL; | |
| 255 | ||
| 256 | if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) { | |
| 9311d0c4 | 257 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
| 62dcd2aa DDO |
258 | return NULL; |
| 259 | } | |
| 260 | ||
| 261 | if ((details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr, | |
| 262 | OSSL_CMP_REVREQSID)) == NULL) { | |
| 9311d0c4 | 263 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
| 62dcd2aa DDO |
264 | return NULL; |
| 265 | } | |
| 266 | ||
| 267 | tmpl = details->certDetails; | |
| 268 | issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); | |
| 269 | serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); | |
| 3d46c81a DDO |
270 | if (issuer != NULL && serial != NULL |
| 271 | && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL) | |
| 62dcd2aa DDO |
272 | return NULL; |
| 273 | if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL) | |
| 274 | goto err; | |
| 275 | ||
| 276 | if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId, | |
| 277 | srv_ctx->sendUnprotectedErrors)) == NULL) | |
| 9311d0c4 | 278 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR); |
| 62dcd2aa DDO |
279 | |
| 280 | err: | |
| 281 | OSSL_CRMF_CERTID_free(certId); | |
| 282 | OSSL_CMP_PKISI_free(si); | |
| 283 | return msg; | |
| 284 | } | |
| 285 | ||
| 286 | /* | |
| 287 | * Processes genm and creates a genp message mirroring the contents of the | |
| 288 | * incoming message | |
| 289 | */ | |
| 290 | static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 291 | const OSSL_CMP_MSG *req) | |
| 292 | { | |
| 293 | OSSL_CMP_GENMSGCONTENT *itavs; | |
| 294 | OSSL_CMP_MSG *msg; | |
| 295 | ||
| 296 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 297 | return NULL; | |
| 298 | ||
| 299 | if (!srv_ctx->process_genm(srv_ctx, req, req->body->value.genm, &itavs)) | |
| 300 | return NULL; | |
| 301 | ||
| 302 | msg = ossl_cmp_genp_new(srv_ctx->ctx, itavs); | |
| 303 | sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); | |
| 304 | return msg; | |
| 305 | } | |
| 306 | ||
| 307 | static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 308 | const OSSL_CMP_MSG *req) | |
| 309 | { | |
| 310 | OSSL_CMP_ERRORMSGCONTENT *errorContent; | |
| 311 | OSSL_CMP_MSG *msg; | |
| 312 | ||
| 313 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 314 | return NULL; | |
| 315 | errorContent = req->body->value.error; | |
| 316 | srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo, | |
| 317 | errorContent->errorCode, errorContent->errorDetails); | |
| 318 | ||
| 319 | if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL) | |
| 9311d0c4 | 320 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF); |
| 62dcd2aa DDO |
321 | return msg; |
| 322 | } | |
| 323 | ||
| 324 | static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 325 | const OSSL_CMP_MSG *req) | |
| 326 | { | |
| 327 | OSSL_CMP_CTX *ctx; | |
| 328 | OSSL_CMP_CERTCONFIRMCONTENT *ccc; | |
| 329 | int num; | |
| 330 | OSSL_CMP_MSG *msg = NULL; | |
| 331 | OSSL_CMP_CERTSTATUS *status = NULL; | |
| 332 | ||
| 333 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 334 | return NULL; | |
| 335 | ||
| 336 | ctx = srv_ctx->ctx; | |
| 337 | ccc = req->body->value.certConf; | |
| 338 | num = sk_OSSL_CMP_CERTSTATUS_num(ccc); | |
| 339 | ||
| 83c27441 DDO |
340 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1 |
| 341 | || ctx->status != -2 /* transaction not open */) { | |
| 9311d0c4 | 342 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF); |
| 62dcd2aa DDO |
343 | return NULL; |
| 344 | } | |
| 345 | ||
| 346 | if (num == 0) { | |
| 347 | ossl_cmp_err(ctx, "certificate rejected by client"); | |
| 348 | } else { | |
| 349 | if (num > 1) | |
| 350 | ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored"); | |
| 351 | status = sk_OSSL_CMP_CERTSTATUS_value(ccc, OSSL_CMP_CERTREQID); | |
| 352 | } | |
| 353 | ||
| 354 | if (status != NULL) { | |
| 355 | int certReqId = ossl_cmp_asn1_get_int(status->certReqId); | |
| 356 | ASN1_OCTET_STRING *certHash = status->certHash; | |
| 357 | OSSL_CMP_PKISI *si = status->statusInfo; | |
| 358 | ||
| 359 | if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) | |
| 360 | return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ | |
| 361 | ||
| 362 | if (si != NULL && ossl_cmp_pkisi_get_status(si) | |
| 363 | != OSSL_CMP_PKISTATUS_accepted) { | |
| 364 | int pki_status = ossl_cmp_pkisi_get_status(si); | |
| 365 | const char *str = ossl_cmp_PKIStatus_to_string(pki_status); | |
| 366 | ||
| 367 | ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s", | |
| 368 | str == NULL ? "without" : "with", | |
| 369 | str == NULL ? "PKIStatus" : str); | |
| 370 | } | |
| 371 | } | |
| 372 | ||
| 373 | if ((msg = ossl_cmp_pkiconf_new(ctx)) == NULL) | |
| 9311d0c4 | 374 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF); |
| 62dcd2aa DDO |
375 | return msg; |
| 376 | } | |
| 377 | ||
| 378 | static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 379 | const OSSL_CMP_MSG *req) | |
| 380 | { | |
| 381 | OSSL_CMP_POLLREQCONTENT *prc; | |
| 382 | OSSL_CMP_POLLREQ *pr; | |
| 383 | int certReqId; | |
| 384 | OSSL_CMP_MSG *certReq; | |
| 385 | int64_t check_after = 0; | |
| 386 | OSSL_CMP_MSG *msg = NULL; | |
| 387 | ||
| 388 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
| 389 | return NULL; | |
| 390 | ||
| 391 | prc = req->body->value.pollReq; | |
| 75e1191f | 392 | if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) { |
| 9311d0c4 | 393 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
| 62dcd2aa DDO |
394 | return NULL; |
| 395 | } | |
| 396 | ||
| 397 | pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); | |
| 398 | certReqId = ossl_cmp_asn1_get_int(pr->certReqId); | |
| 399 | if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, | |
| 400 | &certReq, &check_after)) | |
| 401 | return NULL; | |
| 402 | ||
| 403 | if (certReq != NULL) { | |
| 404 | msg = process_cert_request(srv_ctx, certReq); | |
| 405 | OSSL_CMP_MSG_free(certReq); | |
| 406 | } else { | |
| 407 | if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId, | |
| 408 | check_after)) == NULL) | |
| 9311d0c4 | 409 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP); |
| 62dcd2aa DDO |
410 | } |
| 411 | return msg; | |
| 412 | } | |
| 413 | ||
| 414 | /* | |
| 7e765f46 DDO |
415 | * Determine whether missing/invalid protection of request message is allowed. |
| 416 | * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error. | |
| 62dcd2aa DDO |
417 | */ |
| 418 | static int unprotected_exception(const OSSL_CMP_CTX *ctx, | |
| 419 | const OSSL_CMP_MSG *req, | |
| 420 | int invalid_protection, | |
| 421 | int accept_unprotected_requests) | |
| 422 | { | |
| 7e765f46 DDO |
423 | if (!ossl_assert(ctx != NULL && req != NULL)) |
| 424 | return -1; | |
| 425 | ||
| 62dcd2aa DDO |
426 | if (accept_unprotected_requests) { |
| 427 | ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message", | |
| 428 | invalid_protection ? "invalid" : "missing"); | |
| 429 | return 1; | |
| 430 | } | |
| 7df56ada | 431 | if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR |
| 62dcd2aa DDO |
432 | && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) { |
| 433 | ossl_cmp_warn(ctx, "ignoring missing protection of error message"); | |
| 434 | return 1; | |
| 435 | } | |
| 436 | return 0; | |
| 437 | } | |
| 438 | ||
| 439 | /* | |
| 440 | * returns created message and NULL on internal error | |
| 441 | */ | |
| 442 | OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, | |
| 443 | const OSSL_CMP_MSG *req) | |
| 444 | { | |
| 445 | OSSL_CMP_CTX *ctx; | |
| 12bbcee2 | 446 | ASN1_OCTET_STRING *backup_secret; |
| 62dcd2aa DDO |
447 | OSSL_CMP_PKIHEADER *hdr; |
| 448 | int req_type, rsp_type; | |
| 12bbcee2 | 449 | int res; |
| 62dcd2aa DDO |
450 | OSSL_CMP_MSG *rsp = NULL; |
| 451 | ||
| 452 | if (srv_ctx == NULL || srv_ctx->ctx == NULL | |
| 453 | || req == NULL || req->body == NULL | |
| 454 | || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) { | |
| 9311d0c4 | 455 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 62dcd2aa DDO |
456 | return 0; |
| 457 | } | |
| 458 | ctx = srv_ctx->ctx; | |
| 12bbcee2 | 459 | backup_secret = ctx->secretValue; |
| 62dcd2aa | 460 | |
| 12bbcee2 DDO |
461 | /* |
| 462 | * Some things need to be done already before validating the message in | |
| 463 | * order to be able to send an error message as far as needed and possible. | |
| 464 | */ | |
| 62dcd2aa | 465 | if (hdr->sender->type != GEN_DIRNAME) { |
| 9311d0c4 | 466 | ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); |
| 62dcd2aa DDO |
467 | goto err; |
| 468 | } | |
| 469 | if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName)) | |
| 470 | goto err; | |
| 471 | ||
| 7df56ada | 472 | req_type = OSSL_CMP_MSG_get_bodytype(req); |
| 62dcd2aa DDO |
473 | switch (req_type) { |
| 474 | case OSSL_CMP_PKIBODY_IR: | |
| 475 | case OSSL_CMP_PKIBODY_CR: | |
| 476 | case OSSL_CMP_PKIBODY_P10CR: | |
| 477 | case OSSL_CMP_PKIBODY_KUR: | |
| 478 | case OSSL_CMP_PKIBODY_RR: | |
| 479 | case OSSL_CMP_PKIBODY_GENM: | |
| 480 | case OSSL_CMP_PKIBODY_ERROR: | |
| 481 | if (ctx->transactionID != NULL) { | |
| 482 | char *tid; | |
| 483 | ||
| 484 | tid = OPENSSL_buf2hexstr(ctx->transactionID->data, | |
| 485 | ctx->transactionID->length); | |
| 5aed1786 DDO |
486 | if (tid != NULL) |
| 487 | ossl_cmp_log1(WARN, ctx, | |
| 488 | "Assuming that last transaction with ID=%s got aborted", | |
| 489 | tid); | |
| 62dcd2aa DDO |
490 | OPENSSL_free(tid); |
| 491 | } | |
| 045229cf DDO |
492 | /* start of a new transaction, reset transactionID and senderNonce */ |
| 493 | if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL) | |
| 494 | || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)) | |
| 62dcd2aa DDO |
495 | goto err; |
| 496 | break; | |
| 497 | default: | |
| 498 | /* transactionID should be already initialized */ | |
| 499 | if (ctx->transactionID == NULL) { | |
| e599d0ae | 500 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
| 9311d0c4 | 501 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa | 502 | goto err; |
| e599d0ae | 503 | #endif |
| 62dcd2aa DDO |
504 | } |
| 505 | } | |
| 5a0e0541 DDO |
506 | ossl_cmp_log1(DEBUG, ctx, |
| 507 | "received %s", ossl_cmp_bodytype_to_string(req_type)); | |
| 62dcd2aa | 508 | |
| 12bbcee2 DDO |
509 | res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, |
| 510 | srv_ctx->acceptUnprotected); | |
| 511 | if (ctx->secretValue != NULL && ctx->pkey != NULL | |
| 512 | && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) | |
| 513 | ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ | |
| 514 | if (!res) | |
| 62dcd2aa DDO |
515 | goto err; |
| 516 | ||
| 517 | switch (req_type) { | |
| 518 | case OSSL_CMP_PKIBODY_IR: | |
| 519 | case OSSL_CMP_PKIBODY_CR: | |
| 520 | case OSSL_CMP_PKIBODY_P10CR: | |
| 521 | case OSSL_CMP_PKIBODY_KUR: | |
| 522 | if (srv_ctx->process_cert_request == NULL) | |
| 9311d0c4 | 523 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
524 | else |
| 525 | rsp = process_cert_request(srv_ctx, req); | |
| 526 | break; | |
| 527 | case OSSL_CMP_PKIBODY_RR: | |
| 528 | if (srv_ctx->process_rr == NULL) | |
| 9311d0c4 | 529 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
530 | else |
| 531 | rsp = process_rr(srv_ctx, req); | |
| 532 | break; | |
| 533 | case OSSL_CMP_PKIBODY_GENM: | |
| 534 | if (srv_ctx->process_genm == NULL) | |
| 9311d0c4 | 535 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
536 | else |
| 537 | rsp = process_genm(srv_ctx, req); | |
| 538 | break; | |
| 539 | case OSSL_CMP_PKIBODY_ERROR: | |
| 540 | if (srv_ctx->process_error == NULL) | |
| 9311d0c4 | 541 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
542 | else |
| 543 | rsp = process_error(srv_ctx, req); | |
| 544 | break; | |
| 545 | case OSSL_CMP_PKIBODY_CERTCONF: | |
| 546 | if (srv_ctx->process_certConf == NULL) | |
| 9311d0c4 | 547 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
548 | else |
| 549 | rsp = process_certConf(srv_ctx, req); | |
| 550 | break; | |
| 551 | case OSSL_CMP_PKIBODY_POLLREQ: | |
| 552 | if (srv_ctx->process_pollReq == NULL) | |
| 9311d0c4 | 553 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| 62dcd2aa DDO |
554 | else |
| 555 | rsp = process_pollReq(srv_ctx, req); | |
| 556 | break; | |
| 557 | default: | |
| 9311d0c4 | 558 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
| e599d0ae | 559 | break; |
| 62dcd2aa DDO |
560 | } |
| 561 | ||
| 562 | err: | |
| 563 | if (rsp == NULL) { | |
| 564 | /* on error, try to respond with CMP error message to client */ | |
| 991519ae | 565 | const char *data = NULL, *reason = NULL; |
| 62dcd2aa DDO |
566 | int flags = 0; |
| 567 | unsigned long err = ERR_peek_error_data(&data, &flags); | |
| 568 | int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; | |
| 62dcd2aa DDO |
569 | OSSL_CMP_PKISI *si = NULL; |
| 570 | ||
| 5aed1786 DDO |
571 | if (ctx->transactionID == NULL) { |
| 572 | /* ignore any (extra) error in next two function calls: */ | |
| 573 | (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); | |
| 574 | (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); | |
| 575 | } | |
| 576 | ||
| 991519ae DDO |
577 | if ((flags & ERR_TXT_STRING) == 0 || *data == '\0') |
| 578 | data = NULL; | |
| 579 | reason = ERR_reason_error_string(err); | |
| 62dcd2aa | 580 | if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, |
| 991519ae DDO |
581 | fail_info, reason)) != NULL) { |
| 582 | rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err, | |
| 12bbcee2 DDO |
583 | data, srv_ctx->sendUnprotectedErrors); |
| 584 | OSSL_CMP_PKISI_free(si); | |
| 585 | } | |
| 62dcd2aa | 586 | } |
| 35d445be | 587 | OSSL_CMP_CTX_print_errors(ctx); |
| 12bbcee2 | 588 | ctx->secretValue = backup_secret; |
| 62dcd2aa | 589 | |
| 62dcd2aa | 590 | rsp_type = |
| 7df56ada | 591 | rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR; |
| 5a0e0541 DDO |
592 | if (rsp != NULL) |
| 593 | ossl_cmp_log1(DEBUG, ctx, | |
| 594 | "sending %s", ossl_cmp_bodytype_to_string(rsp_type)); | |
| 595 | else | |
| 596 | ossl_cmp_log(ERR, ctx, "cannot send proper CMP response"); | |
| 597 | ||
| 598 | /* possibly close the transaction */ | |
| 599 | ctx->status = -2; /* this indicates transaction is open */ | |
| 62dcd2aa DDO |
600 | switch (rsp_type) { |
| 601 | case OSSL_CMP_PKIBODY_IP: | |
| 602 | case OSSL_CMP_PKIBODY_CP: | |
| 603 | case OSSL_CMP_PKIBODY_KUP: | |
| 7e765f46 | 604 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 0) |
| 62dcd2aa DDO |
605 | break; |
| 606 | /* fall through */ | |
| 607 | ||
| 5a0e0541 | 608 | case OSSL_CMP_PKIBODY_RP: |
| 62dcd2aa DDO |
609 | case OSSL_CMP_PKIBODY_PKICONF: |
| 610 | case OSSL_CMP_PKIBODY_GENP: | |
| 611 | case OSSL_CMP_PKIBODY_ERROR: | |
| 045229cf DDO |
612 | (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL); |
| 613 | (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL); | |
| 5a0e0541 | 614 | ctx->status = -1; /* transaction closed */ |
| 62dcd2aa DDO |
615 | |
| 616 | default: /* not closing transaction in other cases */ | |
| 617 | break; | |
| 618 | } | |
| 619 | return rsp; | |
| 620 | } | |
| 621 | ||
| 622 | /* | |
| 623 | * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client. | |
| 624 | * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg. | |
| 625 | * returns received message on success, else NULL and pushes an element on the | |
| 626 | * error stack. | |
| 627 | */ | |
| 5a0e0541 DDO |
628 | OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, |
| 629 | const OSSL_CMP_MSG *req) | |
| 62dcd2aa DDO |
630 | { |
| 631 | OSSL_CMP_SRV_CTX *srv_ctx = NULL; | |
| 632 | ||
| 633 | if (client_ctx == NULL || req == NULL) { | |
| 9311d0c4 | 634 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
| 5a0e0541 | 635 | return NULL; |
| 62dcd2aa DDO |
636 | } |
| 637 | ||
| 638 | if ((srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx)) == NULL) { | |
| 9311d0c4 | 639 | ERR_raise(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR); |
| 5a0e0541 | 640 | return NULL; |
| 62dcd2aa DDO |
641 | } |
| 642 | ||
| 643 | return OSSL_CMP_SRV_process_request(srv_ctx, req); | |
| 644 | } |