2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
12 /* general CMP server functions */
14 #include <openssl/asn1t.h>
16 #include "cmp_local.h"
18 /* explicit #includes not strictly needed since implied by the above: */
19 #include <openssl/cmp.h>
20 #include <openssl/err.h>
22 /* the context for the generic CMP server */
23 struct ossl_cmp_srv_ctx_st
25 OSSL_CMP_CTX
*ctx
; /* Client CMP context, partly reused for srv */
26 void *custom_ctx
; /* pointer to specific server context */
28 OSSL_CMP_SRV_cert_request_cb_t process_cert_request
;
29 OSSL_CMP_SRV_rr_cb_t process_rr
;
30 OSSL_CMP_SRV_genm_cb_t process_genm
;
31 OSSL_CMP_SRV_error_cb_t process_error
;
32 OSSL_CMP_SRV_certConf_cb_t process_certConf
;
33 OSSL_CMP_SRV_pollReq_cb_t process_pollReq
;
35 int sendUnprotectedErrors
; /* Send error and rejection msgs unprotected */
36 int acceptUnprotected
; /* Accept requests with no/invalid prot. */
37 int acceptRAVerified
; /* Accept ir/cr/kur with POPO RAVerified */
38 int grantImplicitConfirm
; /* Grant implicit confirmation if requested */
40 }; /* OSSL_CMP_SRV_CTX */
42 void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX
*srv_ctx
)
47 OSSL_CMP_CTX_free(srv_ctx
->ctx
);
48 OPENSSL_free(srv_ctx
);
51 OSSL_CMP_SRV_CTX
*OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX
*libctx
, const char *propq
)
53 OSSL_CMP_SRV_CTX
*ctx
= OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX
));
58 if ((ctx
->ctx
= OSSL_CMP_CTX_new(libctx
, propq
)) == NULL
)
61 /* all other elements are initialized to 0 or NULL, respectively */
64 OSSL_CMP_SRV_CTX_free(ctx
);
68 int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX
*srv_ctx
, void *custom_ctx
,
69 OSSL_CMP_SRV_cert_request_cb_t process_cert_request
,
70 OSSL_CMP_SRV_rr_cb_t process_rr
,
71 OSSL_CMP_SRV_genm_cb_t process_genm
,
72 OSSL_CMP_SRV_error_cb_t process_error
,
73 OSSL_CMP_SRV_certConf_cb_t process_certConf
,
74 OSSL_CMP_SRV_pollReq_cb_t process_pollReq
)
76 if (srv_ctx
== NULL
) {
77 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
80 srv_ctx
->custom_ctx
= custom_ctx
;
81 srv_ctx
->process_cert_request
= process_cert_request
;
82 srv_ctx
->process_rr
= process_rr
;
83 srv_ctx
->process_genm
= process_genm
;
84 srv_ctx
->process_error
= process_error
;
85 srv_ctx
->process_certConf
= process_certConf
;
86 srv_ctx
->process_pollReq
= process_pollReq
;
90 OSSL_CMP_CTX
*OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX
*srv_ctx
)
92 if (srv_ctx
== NULL
) {
93 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
99 void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX
*srv_ctx
)
101 if (srv_ctx
== NULL
) {
102 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
105 return srv_ctx
->custom_ctx
;
108 int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX
*srv_ctx
,
111 if (srv_ctx
== NULL
) {
112 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
115 srv_ctx
->sendUnprotectedErrors
= val
!= 0;
119 int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX
*srv_ctx
, int val
)
121 if (srv_ctx
== NULL
) {
122 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
125 srv_ctx
->acceptUnprotected
= val
!= 0;
129 int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX
*srv_ctx
, int val
)
131 if (srv_ctx
== NULL
) {
132 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
135 srv_ctx
->acceptRAVerified
= val
!= 0;
139 int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX
*srv_ctx
,
142 if (srv_ctx
== NULL
) {
143 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
146 srv_ctx
->grantImplicitConfirm
= val
!= 0;
151 * Processes an ir/cr/p10cr/kur and returns a certification response.
152 * Only handles the first certification request contained in req
153 * returns an ip/cp/kup on success and NULL on error
155 static OSSL_CMP_MSG
*process_cert_request(OSSL_CMP_SRV_CTX
*srv_ctx
,
156 const OSSL_CMP_MSG
*req
)
158 OSSL_CMP_MSG
*msg
= NULL
;
159 OSSL_CMP_PKISI
*si
= NULL
;
160 X509
*certOut
= NULL
;
161 STACK_OF(X509
) *chainOut
= NULL
, *caPubs
= NULL
;
162 const OSSL_CRMF_MSG
*crm
= NULL
;
163 const X509_REQ
*p10cr
= NULL
;
167 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
170 switch (ossl_cmp_msg_get_bodytype(req
)) {
171 case OSSL_CMP_PKIBODY_P10CR
:
172 case OSSL_CMP_PKIBODY_CR
:
173 bodytype
= OSSL_CMP_PKIBODY_CP
;
175 case OSSL_CMP_PKIBODY_IR
:
176 bodytype
= OSSL_CMP_PKIBODY_IP
;
178 case OSSL_CMP_PKIBODY_KUR
:
179 bodytype
= OSSL_CMP_PKIBODY_KUP
;
182 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
186 if (ossl_cmp_msg_get_bodytype(req
) == OSSL_CMP_PKIBODY_P10CR
) {
187 certReqId
= OSSL_CMP_CERTREQID
;
188 p10cr
= req
->body
->value
.p10cr
;
190 OSSL_CRMF_MSGS
*reqs
= req
->body
->value
.ir
; /* same for cr and kur */
192 if (sk_OSSL_CRMF_MSG_num(reqs
) != 1) {
193 ERR_raise(ERR_LIB_CMP
, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED
);
197 if ((crm
= sk_OSSL_CRMF_MSG_value(reqs
, OSSL_CMP_CERTREQID
)) == NULL
) {
198 ERR_raise(ERR_LIB_CMP
, CMP_R_CERTREQMSG_NOT_FOUND
);
201 certReqId
= OSSL_CRMF_MSG_get_certReqId(crm
);
204 if (!ossl_cmp_verify_popo(srv_ctx
->ctx
, req
, srv_ctx
->acceptRAVerified
)) {
205 /* Proof of possession could not be verified */
206 si
= OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection
,
207 1 << OSSL_CMP_PKIFAILUREINFO_badPOP
,
208 ERR_reason_error_string(ERR_peek_error()));
212 OSSL_CMP_PKIHEADER
*hdr
= OSSL_CMP_MSG_get0_header(req
);
214 si
= srv_ctx
->process_cert_request(srv_ctx
, req
, certReqId
, crm
, p10cr
,
215 &certOut
, &chainOut
, &caPubs
);
218 /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */
219 if (!OSSL_CMP_CTX_set_option(srv_ctx
->ctx
,
220 OSSL_CMP_OPT_IMPLICIT_CONFIRM
,
221 ossl_cmp_hdr_has_implicitConfirm(hdr
)
222 && srv_ctx
->grantImplicitConfirm
223 /* do not set if polling starts: */
228 msg
= ossl_cmp_certrep_new(srv_ctx
->ctx
, bodytype
, certReqId
, si
,
229 certOut
, NULL
/* enc */, chainOut
, caPubs
,
230 srv_ctx
->sendUnprotectedErrors
);
232 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_CREATING_CERTREP
);
235 OSSL_CMP_PKISI_free(si
);
237 sk_X509_pop_free(chainOut
, X509_free
);
238 sk_X509_pop_free(caPubs
, X509_free
);
242 static OSSL_CMP_MSG
*process_rr(OSSL_CMP_SRV_CTX
*srv_ctx
,
243 const OSSL_CMP_MSG
*req
)
245 OSSL_CMP_MSG
*msg
= NULL
;
246 OSSL_CMP_REVDETAILS
*details
;
247 OSSL_CRMF_CERTID
*certId
= NULL
;
248 OSSL_CRMF_CERTTEMPLATE
*tmpl
;
249 const X509_NAME
*issuer
;
250 ASN1_INTEGER
*serial
;
253 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
256 if (sk_OSSL_CMP_REVDETAILS_num(req
->body
->value
.rr
) != 1) {
257 ERR_raise(ERR_LIB_CMP
, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED
);
261 if ((details
= sk_OSSL_CMP_REVDETAILS_value(req
->body
->value
.rr
,
262 OSSL_CMP_REVREQSID
)) == NULL
) {
263 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_PROCESSING_MESSAGE
);
267 tmpl
= details
->certDetails
;
268 issuer
= OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl
);
269 serial
= OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl
);
270 if (issuer
!= NULL
&& serial
!= NULL
271 && (certId
= OSSL_CRMF_CERTID_gen(issuer
, serial
)) == NULL
)
273 if ((si
= srv_ctx
->process_rr(srv_ctx
, req
, issuer
, serial
)) == NULL
)
276 if ((msg
= ossl_cmp_rp_new(srv_ctx
->ctx
, si
, certId
,
277 srv_ctx
->sendUnprotectedErrors
)) == NULL
)
278 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_CREATING_RR
);
281 OSSL_CRMF_CERTID_free(certId
);
282 OSSL_CMP_PKISI_free(si
);
287 * Processes genm and creates a genp message mirroring the contents of the
290 static OSSL_CMP_MSG
*process_genm(OSSL_CMP_SRV_CTX
*srv_ctx
,
291 const OSSL_CMP_MSG
*req
)
293 OSSL_CMP_GENMSGCONTENT
*itavs
;
296 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
299 if (!srv_ctx
->process_genm(srv_ctx
, req
, req
->body
->value
.genm
, &itavs
))
302 msg
= ossl_cmp_genp_new(srv_ctx
->ctx
, itavs
);
303 sk_OSSL_CMP_ITAV_pop_free(itavs
, OSSL_CMP_ITAV_free
);
307 static OSSL_CMP_MSG
*process_error(OSSL_CMP_SRV_CTX
*srv_ctx
,
308 const OSSL_CMP_MSG
*req
)
310 OSSL_CMP_ERRORMSGCONTENT
*errorContent
;
313 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
315 errorContent
= req
->body
->value
.error
;
316 srv_ctx
->process_error(srv_ctx
, req
, errorContent
->pKIStatusInfo
,
317 errorContent
->errorCode
, errorContent
->errorDetails
);
319 if ((msg
= ossl_cmp_pkiconf_new(srv_ctx
->ctx
)) == NULL
)
320 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_CREATING_PKICONF
);
324 static OSSL_CMP_MSG
*process_certConf(OSSL_CMP_SRV_CTX
*srv_ctx
,
325 const OSSL_CMP_MSG
*req
)
328 OSSL_CMP_CERTCONFIRMCONTENT
*ccc
;
330 OSSL_CMP_MSG
*msg
= NULL
;
331 OSSL_CMP_CERTSTATUS
*status
= NULL
;
333 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
337 ccc
= req
->body
->value
.certConf
;
338 num
= sk_OSSL_CMP_CERTSTATUS_num(ccc
);
340 if (OSSL_CMP_CTX_get_option(ctx
, OSSL_CMP_OPT_IMPLICIT_CONFIRM
) == 1
341 || ctx
->status
!= -2 /* transaction not open */) {
342 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_UNEXPECTED_CERTCONF
);
347 ossl_cmp_err(ctx
, "certificate rejected by client");
350 ossl_cmp_warn(ctx
, "All CertStatus but the first will be ignored");
351 status
= sk_OSSL_CMP_CERTSTATUS_value(ccc
, OSSL_CMP_CERTREQID
);
354 if (status
!= NULL
) {
355 int certReqId
= ossl_cmp_asn1_get_int(status
->certReqId
);
356 ASN1_OCTET_STRING
*certHash
= status
->certHash
;
357 OSSL_CMP_PKISI
*si
= status
->statusInfo
;
359 if (!srv_ctx
->process_certConf(srv_ctx
, req
, certReqId
, certHash
, si
))
360 return NULL
; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */
362 if (si
!= NULL
&& ossl_cmp_pkisi_get_status(si
)
363 != OSSL_CMP_PKISTATUS_accepted
) {
364 int pki_status
= ossl_cmp_pkisi_get_status(si
);
365 const char *str
= ossl_cmp_PKIStatus_to_string(pki_status
);
367 ossl_cmp_log2(INFO
, ctx
, "certificate rejected by client %s %s",
368 str
== NULL
? "without" : "with",
369 str
== NULL
? "PKIStatus" : str
);
373 if ((msg
= ossl_cmp_pkiconf_new(ctx
)) == NULL
)
374 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_CREATING_PKICONF
);
378 static OSSL_CMP_MSG
*process_pollReq(OSSL_CMP_SRV_CTX
*srv_ctx
,
379 const OSSL_CMP_MSG
*req
)
381 OSSL_CMP_POLLREQCONTENT
*prc
;
382 OSSL_CMP_POLLREQ
*pr
;
384 OSSL_CMP_MSG
*certReq
;
385 int64_t check_after
= 0;
386 OSSL_CMP_MSG
*msg
= NULL
;
388 if (!ossl_assert(srv_ctx
!= NULL
&& srv_ctx
->ctx
!= NULL
&& req
!= NULL
))
391 prc
= req
->body
->value
.pollReq
;
392 if (sk_OSSL_CMP_POLLREQ_num(prc
) != 1) {
393 ERR_raise(ERR_LIB_CMP
, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED
);
397 pr
= sk_OSSL_CMP_POLLREQ_value(prc
, 0);
398 certReqId
= ossl_cmp_asn1_get_int(pr
->certReqId
);
399 if (!srv_ctx
->process_pollReq(srv_ctx
, req
, certReqId
,
400 &certReq
, &check_after
))
403 if (certReq
!= NULL
) {
404 msg
= process_cert_request(srv_ctx
, certReq
);
405 OSSL_CMP_MSG_free(certReq
);
407 if ((msg
= ossl_cmp_pollRep_new(srv_ctx
->ctx
, certReqId
,
408 check_after
)) == NULL
)
409 ERR_raise(ERR_LIB_CMP
, CMP_R_ERROR_CREATING_POLLREP
);
415 * Determine whether missing/invalid protection of request message is allowed.
416 * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error.
418 static int unprotected_exception(const OSSL_CMP_CTX
*ctx
,
419 const OSSL_CMP_MSG
*req
,
420 int invalid_protection
,
421 int accept_unprotected_requests
)
423 if (!ossl_assert(ctx
!= NULL
&& req
!= NULL
))
426 if (accept_unprotected_requests
) {
427 ossl_cmp_log1(WARN
, ctx
, "ignoring %s protection of request message",
428 invalid_protection
? "invalid" : "missing");
431 if (ossl_cmp_msg_get_bodytype(req
) == OSSL_CMP_PKIBODY_ERROR
432 && OSSL_CMP_CTX_get_option(ctx
, OSSL_CMP_OPT_UNPROTECTED_ERRORS
) == 1) {
433 ossl_cmp_warn(ctx
, "ignoring missing protection of error message");
440 * returns created message and NULL on internal error
442 OSSL_CMP_MSG
*OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX
*srv_ctx
,
443 const OSSL_CMP_MSG
*req
)
446 ASN1_OCTET_STRING
*backup_secret
;
447 OSSL_CMP_PKIHEADER
*hdr
;
448 int req_type
, rsp_type
;
450 OSSL_CMP_MSG
*rsp
= NULL
;
452 if (srv_ctx
== NULL
|| srv_ctx
->ctx
== NULL
453 || req
== NULL
|| req
->body
== NULL
454 || (hdr
= OSSL_CMP_MSG_get0_header(req
)) == NULL
) {
455 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
459 backup_secret
= ctx
->secretValue
;
462 * Some things need to be done already before validating the message in
463 * order to be able to send an error message as far as needed and possible.
465 if (hdr
->sender
->type
!= GEN_DIRNAME
) {
466 ERR_raise(ERR_LIB_CMP
, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED
);
469 if (!OSSL_CMP_CTX_set1_recipient(ctx
, hdr
->sender
->d
.directoryName
))
472 req_type
= ossl_cmp_msg_get_bodytype(req
);
474 case OSSL_CMP_PKIBODY_IR
:
475 case OSSL_CMP_PKIBODY_CR
:
476 case OSSL_CMP_PKIBODY_P10CR
:
477 case OSSL_CMP_PKIBODY_KUR
:
478 case OSSL_CMP_PKIBODY_RR
:
479 case OSSL_CMP_PKIBODY_GENM
:
480 case OSSL_CMP_PKIBODY_ERROR
:
481 if (ctx
->transactionID
!= NULL
) {
484 tid
= OPENSSL_buf2hexstr(ctx
->transactionID
->data
,
485 ctx
->transactionID
->length
);
487 ossl_cmp_log1(WARN
, ctx
,
488 "Assuming that last transaction with ID=%s got aborted",
492 /* start of a new transaction, reset transactionID and senderNonce */
493 if (!OSSL_CMP_CTX_set1_transactionID(ctx
, NULL
)
494 || !OSSL_CMP_CTX_set1_senderNonce(ctx
, NULL
))
498 /* transactionID should be already initialized */
499 if (ctx
->transactionID
== NULL
) {
500 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
501 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
506 ossl_cmp_log1(DEBUG
, ctx
,
507 "received %s", ossl_cmp_bodytype_to_string(req_type
));
509 res
= ossl_cmp_msg_check_update(ctx
, req
, unprotected_exception
,
510 srv_ctx
->acceptUnprotected
);
511 if (ctx
->secretValue
!= NULL
&& ctx
->pkey
!= NULL
512 && ossl_cmp_hdr_get_protection_nid(hdr
) != NID_id_PasswordBasedMAC
)
513 ctx
->secretValue
= NULL
; /* use MSG_SIG_ALG when protecting rsp */
518 case OSSL_CMP_PKIBODY_IR
:
519 case OSSL_CMP_PKIBODY_CR
:
520 case OSSL_CMP_PKIBODY_P10CR
:
521 case OSSL_CMP_PKIBODY_KUR
:
522 if (srv_ctx
->process_cert_request
== NULL
)
523 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
525 rsp
= process_cert_request(srv_ctx
, req
);
527 case OSSL_CMP_PKIBODY_RR
:
528 if (srv_ctx
->process_rr
== NULL
)
529 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
531 rsp
= process_rr(srv_ctx
, req
);
533 case OSSL_CMP_PKIBODY_GENM
:
534 if (srv_ctx
->process_genm
== NULL
)
535 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
537 rsp
= process_genm(srv_ctx
, req
);
539 case OSSL_CMP_PKIBODY_ERROR
:
540 if (srv_ctx
->process_error
== NULL
)
541 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
543 rsp
= process_error(srv_ctx
, req
);
545 case OSSL_CMP_PKIBODY_CERTCONF
:
546 if (srv_ctx
->process_certConf
== NULL
)
547 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
549 rsp
= process_certConf(srv_ctx
, req
);
551 case OSSL_CMP_PKIBODY_POLLREQ
:
552 if (srv_ctx
->process_pollReq
== NULL
)
553 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
555 rsp
= process_pollReq(srv_ctx
, req
);
558 ERR_raise(ERR_LIB_CMP
, CMP_R_UNEXPECTED_PKIBODY
);
564 /* on error, try to respond with CMP error message to client */
565 const char *data
= NULL
, *reason
= NULL
;
567 unsigned long err
= ERR_peek_error_data(&data
, &flags
);
568 int fail_info
= 1 << OSSL_CMP_PKIFAILUREINFO_badRequest
;
569 OSSL_CMP_PKISI
*si
= NULL
;
571 if (ctx
->transactionID
== NULL
) {
572 /* ignore any (extra) error in next two function calls: */
573 (void)OSSL_CMP_CTX_set1_transactionID(ctx
, hdr
->transactionID
);
574 (void)ossl_cmp_ctx_set1_recipNonce(ctx
, hdr
->senderNonce
);
577 if ((flags
& ERR_TXT_STRING
) == 0 || *data
== '\0')
579 reason
= ERR_reason_error_string(err
);
580 if ((si
= OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection
,
581 fail_info
, reason
)) != NULL
) {
582 rsp
= ossl_cmp_error_new(srv_ctx
->ctx
, si
, err
,
583 data
, srv_ctx
->sendUnprotectedErrors
);
584 OSSL_CMP_PKISI_free(si
);
587 OSSL_CMP_CTX_print_errors(ctx
);
588 ctx
->secretValue
= backup_secret
;
591 rsp
!= NULL
? ossl_cmp_msg_get_bodytype(rsp
) : OSSL_CMP_PKIBODY_ERROR
;
593 ossl_cmp_log1(DEBUG
, ctx
,
594 "sending %s", ossl_cmp_bodytype_to_string(rsp_type
));
596 ossl_cmp_log(ERR
, ctx
, "cannot send proper CMP response");
598 /* possibly close the transaction */
599 ctx
->status
= -2; /* this indicates transaction is open */
601 case OSSL_CMP_PKIBODY_IP
:
602 case OSSL_CMP_PKIBODY_CP
:
603 case OSSL_CMP_PKIBODY_KUP
:
604 if (OSSL_CMP_CTX_get_option(ctx
, OSSL_CMP_OPT_IMPLICIT_CONFIRM
) == 0)
608 case OSSL_CMP_PKIBODY_RP
:
609 case OSSL_CMP_PKIBODY_PKICONF
:
610 case OSSL_CMP_PKIBODY_GENP
:
611 case OSSL_CMP_PKIBODY_ERROR
:
612 (void)OSSL_CMP_CTX_set1_transactionID(ctx
, NULL
);
613 (void)OSSL_CMP_CTX_set1_senderNonce(ctx
, NULL
);
614 ctx
->status
= -1; /* transaction closed */
616 default: /* not closing transaction in other cases */
623 * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client.
624 * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg.
625 * returns received message on success, else NULL and pushes an element on the
628 OSSL_CMP_MSG
*OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX
*client_ctx
,
629 const OSSL_CMP_MSG
*req
)
631 OSSL_CMP_SRV_CTX
*srv_ctx
= NULL
;
633 if (client_ctx
== NULL
|| req
== NULL
) {
634 ERR_raise(ERR_LIB_CMP
, CMP_R_NULL_ARGUMENT
);
638 if ((srv_ctx
= OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx
)) == NULL
) {
639 ERR_raise(ERR_LIB_CMP
, CMP_R_TRANSFER_ERROR
);
643 return OSSL_CMP_SRV_process_request(srv_ctx
, req
);