]>
Commit | Line | Data |
---|---|---|
62dcd2aa | 1 | /* |
33388b44 | 2 | * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. |
62dcd2aa DDO |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | */ | |
11 | ||
12 | /* general CMP server functions */ | |
13 | ||
14 | #include <openssl/asn1t.h> | |
15 | ||
16 | #include "cmp_local.h" | |
17 | ||
18 | /* explicit #includes not strictly needed since implied by the above: */ | |
19 | #include <openssl/cmp.h> | |
20 | #include <openssl/err.h> | |
21 | ||
852c2ed2 RS |
22 | DEFINE_STACK_OF(OSSL_CRMF_MSG) |
23 | DEFINE_STACK_OF(X509) | |
24 | DEFINE_STACK_OF(OSSL_CMP_ITAV) | |
25 | DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS) | |
26 | ||
62dcd2aa DDO |
27 | /* the context for the generic CMP server */ |
28 | struct ossl_cmp_srv_ctx_st | |
29 | { | |
30 | OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */ | |
31 | void *custom_ctx; /* pointer to specific server context */ | |
32 | ||
33 | OSSL_CMP_SRV_cert_request_cb_t process_cert_request; | |
34 | OSSL_CMP_SRV_rr_cb_t process_rr; | |
35 | OSSL_CMP_SRV_genm_cb_t process_genm; | |
36 | OSSL_CMP_SRV_error_cb_t process_error; | |
37 | OSSL_CMP_SRV_certConf_cb_t process_certConf; | |
38 | OSSL_CMP_SRV_pollReq_cb_t process_pollReq; | |
39 | ||
40 | int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */ | |
41 | int acceptUnprotected; /* Accept requests with no/invalid prot. */ | |
42 | int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */ | |
43 | int grantImplicitConfirm; /* Grant implicit confirmation if requested */ | |
44 | ||
45 | }; /* OSSL_CMP_SRV_CTX */ | |
46 | ||
47 | void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx) | |
48 | { | |
49 | if (srv_ctx == NULL) | |
50 | return; | |
51 | ||
52 | OSSL_CMP_CTX_free(srv_ctx->ctx); | |
53 | OPENSSL_free(srv_ctx); | |
54 | } | |
55 | ||
56 | OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(void) | |
57 | { | |
58 | OSSL_CMP_SRV_CTX *ctx = OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX)); | |
59 | ||
60 | if (ctx == NULL) | |
61 | goto err; | |
62 | ||
63 | if ((ctx->ctx = OSSL_CMP_CTX_new()) == NULL) | |
64 | goto err; | |
65 | ||
66 | /* all other elements are initialized to 0 or NULL, respectively */ | |
67 | return ctx; | |
68 | err: | |
69 | OSSL_CMP_SRV_CTX_free(ctx); | |
70 | return NULL; | |
71 | } | |
72 | ||
73 | int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx, | |
74 | OSSL_CMP_SRV_cert_request_cb_t process_cert_request, | |
75 | OSSL_CMP_SRV_rr_cb_t process_rr, | |
76 | OSSL_CMP_SRV_genm_cb_t process_genm, | |
77 | OSSL_CMP_SRV_error_cb_t process_error, | |
78 | OSSL_CMP_SRV_certConf_cb_t process_certConf, | |
79 | OSSL_CMP_SRV_pollReq_cb_t process_pollReq) | |
80 | { | |
81 | if (srv_ctx == NULL) { | |
82 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
83 | return 0; | |
84 | } | |
85 | srv_ctx->custom_ctx = custom_ctx; | |
86 | srv_ctx->process_cert_request = process_cert_request; | |
87 | srv_ctx->process_rr = process_rr; | |
88 | srv_ctx->process_genm = process_genm; | |
89 | srv_ctx->process_error = process_error; | |
90 | srv_ctx->process_certConf = process_certConf; | |
91 | srv_ctx->process_pollReq = process_pollReq; | |
92 | return 1; | |
93 | } | |
94 | ||
95 | OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) | |
96 | { | |
97 | if (srv_ctx == NULL) { | |
98 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
99 | return NULL; | |
100 | } | |
101 | return srv_ctx->ctx; | |
102 | } | |
103 | ||
104 | void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) | |
105 | { | |
106 | if (srv_ctx == NULL) { | |
107 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
108 | return NULL; | |
109 | } | |
110 | return srv_ctx->custom_ctx; | |
111 | } | |
112 | ||
113 | int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx, | |
114 | int val) | |
115 | { | |
116 | if (srv_ctx == NULL) { | |
117 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
118 | return 0; | |
119 | } | |
120 | srv_ctx->sendUnprotectedErrors = val != 0; | |
121 | return 1; | |
122 | } | |
123 | ||
124 | int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val) | |
125 | { | |
126 | if (srv_ctx == NULL) { | |
127 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
128 | return 0; | |
129 | } | |
130 | srv_ctx->acceptUnprotected = val != 0; | |
131 | return 1; | |
132 | } | |
133 | ||
134 | int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val) | |
135 | { | |
136 | if (srv_ctx == NULL) { | |
137 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
138 | return 0; | |
139 | } | |
140 | srv_ctx->acceptRAVerified = val != 0; | |
141 | return 1; | |
142 | } | |
143 | ||
144 | int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, | |
145 | int val) | |
146 | { | |
147 | if (srv_ctx == NULL) { | |
148 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
149 | return 0; | |
150 | } | |
151 | srv_ctx->grantImplicitConfirm = val != 0; | |
152 | return 1; | |
153 | } | |
154 | ||
155 | /* | |
156 | * Processes an ir/cr/p10cr/kur and returns a certification response. | |
157 | * Only handles the first certification request contained in req | |
158 | * returns an ip/cp/kup on success and NULL on error | |
159 | */ | |
160 | static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, | |
161 | const OSSL_CMP_MSG *req) | |
162 | { | |
163 | OSSL_CMP_MSG *msg = NULL; | |
164 | OSSL_CMP_PKISI *si = NULL; | |
165 | X509 *certOut = NULL; | |
166 | STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; | |
167 | const OSSL_CRMF_MSG *crm = NULL; | |
168 | const X509_REQ *p10cr = NULL; | |
169 | int bodytype; | |
170 | int certReqId; | |
171 | ||
172 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
173 | return NULL; | |
174 | ||
175 | switch (ossl_cmp_msg_get_bodytype(req)) { | |
176 | case OSSL_CMP_PKIBODY_P10CR: | |
177 | case OSSL_CMP_PKIBODY_CR: | |
178 | bodytype = OSSL_CMP_PKIBODY_CP; | |
179 | break; | |
180 | case OSSL_CMP_PKIBODY_IR: | |
181 | bodytype = OSSL_CMP_PKIBODY_IP; | |
182 | break; | |
183 | case OSSL_CMP_PKIBODY_KUR: | |
184 | bodytype = OSSL_CMP_PKIBODY_KUP; | |
185 | break; | |
186 | default: | |
187 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
188 | return NULL; | |
189 | } | |
190 | ||
191 | if (ossl_cmp_msg_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { | |
192 | certReqId = OSSL_CMP_CERTREQID; | |
193 | p10cr = req->body->value.p10cr; | |
194 | } else { | |
195 | OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ | |
196 | ||
197 | if (sk_OSSL_CRMF_MSG_num(reqs) != 1) { /* TODO: handle case > 1 */ | |
198 | CMPerr(0, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); | |
199 | return NULL; | |
200 | } | |
201 | ||
202 | if ((crm = sk_OSSL_CRMF_MSG_value(reqs, OSSL_CMP_CERTREQID)) == NULL) { | |
203 | CMPerr(0, CMP_R_CERTREQMSG_NOT_FOUND); | |
204 | return NULL; | |
205 | } | |
206 | certReqId = OSSL_CRMF_MSG_get_certReqId(crm); | |
207 | } | |
208 | ||
209 | if (!ossl_cmp_verify_popo(req, srv_ctx->acceptRAVerified)) { | |
210 | /* Proof of possession could not be verified */ | |
211 | si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, | |
212 | 1 << OSSL_CMP_PKIFAILUREINFO_badPOP, | |
213 | ERR_reason_error_string(ERR_peek_error())); | |
214 | if (si == NULL) | |
215 | return NULL; | |
216 | } else { | |
217 | OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req); | |
218 | ||
219 | si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr, | |
220 | &certOut, &chainOut, &caPubs); | |
221 | if (si == NULL) | |
222 | goto err; | |
7e765f46 | 223 | /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */ |
143be474 DDO |
224 | if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx, |
225 | OSSL_CMP_OPT_IMPLICIT_CONFIRM, | |
62dcd2aa DDO |
226 | ossl_cmp_hdr_has_implicitConfirm(hdr) |
227 | && srv_ctx->grantImplicitConfirm | |
228 | /* do not set if polling starts: */ | |
229 | && certOut != NULL)) | |
230 | goto err; | |
231 | } | |
232 | ||
299e0f1e | 233 | msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, |
62dcd2aa DDO |
234 | certOut, chainOut, caPubs, 0 /* encrypted */, |
235 | srv_ctx->sendUnprotectedErrors); | |
236 | /* | |
237 | * TODO when implemented in ossl_cmp_certrep_new(): | |
238 | * in case OSSL_CRMF_POPO_KEYENC, set encrypted | |
239 | */ | |
240 | if (msg == NULL) | |
241 | CMPerr(0, CMP_R_ERROR_CREATING_CERTREP); | |
242 | ||
243 | err: | |
244 | OSSL_CMP_PKISI_free(si); | |
245 | X509_free(certOut); | |
246 | sk_X509_pop_free(chainOut, X509_free); | |
247 | sk_X509_pop_free(caPubs, X509_free); | |
248 | return msg; | |
249 | } | |
250 | ||
251 | static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, | |
252 | const OSSL_CMP_MSG *req) | |
253 | { | |
254 | OSSL_CMP_MSG *msg = NULL; | |
255 | OSSL_CMP_REVDETAILS *details; | |
256 | OSSL_CRMF_CERTID *certId; | |
257 | OSSL_CRMF_CERTTEMPLATE *tmpl; | |
8cc86b81 | 258 | const X509_NAME *issuer; |
62dcd2aa DDO |
259 | ASN1_INTEGER *serial; |
260 | OSSL_CMP_PKISI *si; | |
261 | ||
262 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
263 | return NULL; | |
264 | ||
265 | if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) { | |
266 | /* TODO: handle multiple elements if multiple requests have been sent */ | |
267 | CMPerr(0, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); | |
268 | return NULL; | |
269 | } | |
270 | ||
271 | if ((details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr, | |
272 | OSSL_CMP_REVREQSID)) == NULL) { | |
7e765f46 | 273 | CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); |
62dcd2aa DDO |
274 | return NULL; |
275 | } | |
276 | ||
277 | tmpl = details->certDetails; | |
278 | issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); | |
279 | serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); | |
280 | /* here issuer and serial may safely be NULL */ | |
281 | if ((certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL) | |
282 | return NULL; | |
283 | if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL) | |
284 | goto err; | |
285 | ||
286 | if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId, | |
287 | srv_ctx->sendUnprotectedErrors)) == NULL) | |
288 | CMPerr(0, CMP_R_ERROR_CREATING_RR); | |
289 | ||
290 | err: | |
291 | OSSL_CRMF_CERTID_free(certId); | |
292 | OSSL_CMP_PKISI_free(si); | |
293 | return msg; | |
294 | } | |
295 | ||
296 | /* | |
297 | * Processes genm and creates a genp message mirroring the contents of the | |
298 | * incoming message | |
299 | */ | |
300 | static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx, | |
301 | const OSSL_CMP_MSG *req) | |
302 | { | |
303 | OSSL_CMP_GENMSGCONTENT *itavs; | |
304 | OSSL_CMP_MSG *msg; | |
305 | ||
306 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
307 | return NULL; | |
308 | ||
309 | if (!srv_ctx->process_genm(srv_ctx, req, req->body->value.genm, &itavs)) | |
310 | return NULL; | |
311 | ||
312 | msg = ossl_cmp_genp_new(srv_ctx->ctx, itavs); | |
313 | sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); | |
314 | return msg; | |
315 | } | |
316 | ||
317 | static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx, | |
318 | const OSSL_CMP_MSG *req) | |
319 | { | |
320 | OSSL_CMP_ERRORMSGCONTENT *errorContent; | |
321 | OSSL_CMP_MSG *msg; | |
322 | ||
323 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
324 | return NULL; | |
325 | errorContent = req->body->value.error; | |
326 | srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo, | |
327 | errorContent->errorCode, errorContent->errorDetails); | |
328 | ||
329 | if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL) | |
330 | CMPerr(0, CMP_R_ERROR_CREATING_PKICONF); | |
331 | return msg; | |
332 | } | |
333 | ||
334 | static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, | |
335 | const OSSL_CMP_MSG *req) | |
336 | { | |
337 | OSSL_CMP_CTX *ctx; | |
338 | OSSL_CMP_CERTCONFIRMCONTENT *ccc; | |
339 | int num; | |
340 | OSSL_CMP_MSG *msg = NULL; | |
341 | OSSL_CMP_CERTSTATUS *status = NULL; | |
342 | ||
343 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
344 | return NULL; | |
345 | ||
346 | ctx = srv_ctx->ctx; | |
347 | ccc = req->body->value.certConf; | |
348 | num = sk_OSSL_CMP_CERTSTATUS_num(ccc); | |
349 | ||
7e765f46 | 350 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1) { |
62dcd2aa DDO |
351 | CMPerr(0, CMP_R_ERROR_UNEXPECTED_CERTCONF); |
352 | return NULL; | |
353 | } | |
354 | ||
355 | if (num == 0) { | |
356 | ossl_cmp_err(ctx, "certificate rejected by client"); | |
357 | } else { | |
358 | if (num > 1) | |
359 | ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored"); | |
360 | status = sk_OSSL_CMP_CERTSTATUS_value(ccc, OSSL_CMP_CERTREQID); | |
361 | } | |
362 | ||
363 | if (status != NULL) { | |
364 | int certReqId = ossl_cmp_asn1_get_int(status->certReqId); | |
365 | ASN1_OCTET_STRING *certHash = status->certHash; | |
366 | OSSL_CMP_PKISI *si = status->statusInfo; | |
367 | ||
368 | if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) | |
369 | return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ | |
370 | ||
371 | if (si != NULL && ossl_cmp_pkisi_get_status(si) | |
372 | != OSSL_CMP_PKISTATUS_accepted) { | |
373 | int pki_status = ossl_cmp_pkisi_get_status(si); | |
374 | const char *str = ossl_cmp_PKIStatus_to_string(pki_status); | |
375 | ||
376 | ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s", | |
377 | str == NULL ? "without" : "with", | |
378 | str == NULL ? "PKIStatus" : str); | |
379 | } | |
380 | } | |
381 | ||
382 | if ((msg = ossl_cmp_pkiconf_new(ctx)) == NULL) | |
383 | CMPerr(0, CMP_R_ERROR_CREATING_PKICONF); | |
384 | return msg; | |
385 | } | |
386 | ||
387 | static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, | |
388 | const OSSL_CMP_MSG *req) | |
389 | { | |
390 | OSSL_CMP_POLLREQCONTENT *prc; | |
391 | OSSL_CMP_POLLREQ *pr; | |
392 | int certReqId; | |
393 | OSSL_CMP_MSG *certReq; | |
394 | int64_t check_after = 0; | |
395 | OSSL_CMP_MSG *msg = NULL; | |
396 | ||
397 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) | |
398 | return NULL; | |
399 | ||
400 | prc = req->body->value.pollReq; | |
401 | if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) { /* TODO: handle case > 1 */ | |
402 | CMPerr(0, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); | |
403 | return NULL; | |
404 | } | |
405 | ||
406 | pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); | |
407 | certReqId = ossl_cmp_asn1_get_int(pr->certReqId); | |
408 | if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, | |
409 | &certReq, &check_after)) | |
410 | return NULL; | |
411 | ||
412 | if (certReq != NULL) { | |
413 | msg = process_cert_request(srv_ctx, certReq); | |
414 | OSSL_CMP_MSG_free(certReq); | |
415 | } else { | |
416 | if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId, | |
417 | check_after)) == NULL) | |
418 | CMPerr(0, CMP_R_ERROR_CREATING_POLLREP); | |
419 | } | |
420 | return msg; | |
421 | } | |
422 | ||
423 | /* | |
7e765f46 DDO |
424 | * Determine whether missing/invalid protection of request message is allowed. |
425 | * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error. | |
62dcd2aa DDO |
426 | */ |
427 | static int unprotected_exception(const OSSL_CMP_CTX *ctx, | |
428 | const OSSL_CMP_MSG *req, | |
429 | int invalid_protection, | |
430 | int accept_unprotected_requests) | |
431 | { | |
7e765f46 DDO |
432 | if (!ossl_assert(ctx != NULL && req != NULL)) |
433 | return -1; | |
434 | ||
62dcd2aa DDO |
435 | if (accept_unprotected_requests) { |
436 | ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message", | |
437 | invalid_protection ? "invalid" : "missing"); | |
438 | return 1; | |
439 | } | |
440 | if (ossl_cmp_msg_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR | |
441 | && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) { | |
442 | ossl_cmp_warn(ctx, "ignoring missing protection of error message"); | |
443 | return 1; | |
444 | } | |
445 | return 0; | |
446 | } | |
447 | ||
448 | /* | |
449 | * returns created message and NULL on internal error | |
450 | */ | |
451 | OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, | |
452 | const OSSL_CMP_MSG *req) | |
453 | { | |
454 | OSSL_CMP_CTX *ctx; | |
12bbcee2 | 455 | ASN1_OCTET_STRING *backup_secret; |
62dcd2aa DDO |
456 | OSSL_CMP_PKIHEADER *hdr; |
457 | int req_type, rsp_type; | |
12bbcee2 | 458 | int res; |
62dcd2aa DDO |
459 | OSSL_CMP_MSG *rsp = NULL; |
460 | ||
461 | if (srv_ctx == NULL || srv_ctx->ctx == NULL | |
462 | || req == NULL || req->body == NULL | |
463 | || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) { | |
464 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
465 | return 0; | |
466 | } | |
467 | ctx = srv_ctx->ctx; | |
12bbcee2 | 468 | backup_secret = ctx->secretValue; |
62dcd2aa | 469 | |
12bbcee2 DDO |
470 | /* |
471 | * Some things need to be done already before validating the message in | |
472 | * order to be able to send an error message as far as needed and possible. | |
473 | */ | |
62dcd2aa DDO |
474 | if (hdr->sender->type != GEN_DIRNAME) { |
475 | CMPerr(0, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); | |
476 | goto err; | |
477 | } | |
478 | if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName)) | |
479 | goto err; | |
480 | ||
481 | req_type = ossl_cmp_msg_get_bodytype(req); | |
482 | switch (req_type) { | |
483 | case OSSL_CMP_PKIBODY_IR: | |
484 | case OSSL_CMP_PKIBODY_CR: | |
485 | case OSSL_CMP_PKIBODY_P10CR: | |
486 | case OSSL_CMP_PKIBODY_KUR: | |
487 | case OSSL_CMP_PKIBODY_RR: | |
488 | case OSSL_CMP_PKIBODY_GENM: | |
489 | case OSSL_CMP_PKIBODY_ERROR: | |
490 | if (ctx->transactionID != NULL) { | |
491 | char *tid; | |
492 | ||
493 | tid = OPENSSL_buf2hexstr(ctx->transactionID->data, | |
494 | ctx->transactionID->length); | |
5aed1786 DDO |
495 | if (tid != NULL) |
496 | ossl_cmp_log1(WARN, ctx, | |
497 | "Assuming that last transaction with ID=%s got aborted", | |
498 | tid); | |
62dcd2aa DDO |
499 | OPENSSL_free(tid); |
500 | } | |
045229cf DDO |
501 | /* start of a new transaction, reset transactionID and senderNonce */ |
502 | if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL) | |
503 | || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)) | |
62dcd2aa DDO |
504 | goto err; |
505 | break; | |
506 | default: | |
507 | /* transactionID should be already initialized */ | |
508 | if (ctx->transactionID == NULL) { | |
e599d0ae | 509 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
62dcd2aa | 510 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); |
62dcd2aa | 511 | goto err; |
e599d0ae | 512 | #endif |
62dcd2aa DDO |
513 | } |
514 | } | |
515 | ||
12bbcee2 DDO |
516 | res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, |
517 | srv_ctx->acceptUnprotected); | |
518 | if (ctx->secretValue != NULL && ctx->pkey != NULL | |
519 | && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) | |
520 | ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ | |
521 | if (!res) | |
62dcd2aa DDO |
522 | goto err; |
523 | ||
524 | switch (req_type) { | |
525 | case OSSL_CMP_PKIBODY_IR: | |
526 | case OSSL_CMP_PKIBODY_CR: | |
527 | case OSSL_CMP_PKIBODY_P10CR: | |
528 | case OSSL_CMP_PKIBODY_KUR: | |
529 | if (srv_ctx->process_cert_request == NULL) | |
530 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
531 | else | |
532 | rsp = process_cert_request(srv_ctx, req); | |
533 | break; | |
534 | case OSSL_CMP_PKIBODY_RR: | |
535 | if (srv_ctx->process_rr == NULL) | |
536 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
537 | else | |
538 | rsp = process_rr(srv_ctx, req); | |
539 | break; | |
540 | case OSSL_CMP_PKIBODY_GENM: | |
541 | if (srv_ctx->process_genm == NULL) | |
542 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
543 | else | |
544 | rsp = process_genm(srv_ctx, req); | |
545 | break; | |
546 | case OSSL_CMP_PKIBODY_ERROR: | |
547 | if (srv_ctx->process_error == NULL) | |
548 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
549 | else | |
550 | rsp = process_error(srv_ctx, req); | |
551 | break; | |
552 | case OSSL_CMP_PKIBODY_CERTCONF: | |
553 | if (srv_ctx->process_certConf == NULL) | |
554 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
555 | else | |
556 | rsp = process_certConf(srv_ctx, req); | |
557 | break; | |
558 | case OSSL_CMP_PKIBODY_POLLREQ: | |
559 | if (srv_ctx->process_pollReq == NULL) | |
560 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
561 | else | |
562 | rsp = process_pollReq(srv_ctx, req); | |
563 | break; | |
564 | default: | |
565 | /* TODO possibly support further request message types */ | |
566 | CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); | |
e599d0ae | 567 | break; |
62dcd2aa DDO |
568 | } |
569 | ||
570 | err: | |
571 | if (rsp == NULL) { | |
572 | /* on error, try to respond with CMP error message to client */ | |
573 | const char *data = NULL; | |
574 | int flags = 0; | |
575 | unsigned long err = ERR_peek_error_data(&data, &flags); | |
576 | int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; | |
577 | /* TODO fail_info could be more specific */ | |
578 | OSSL_CMP_PKISI *si = NULL; | |
579 | ||
5aed1786 DDO |
580 | if (ctx->transactionID == NULL) { |
581 | /* ignore any (extra) error in next two function calls: */ | |
582 | (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); | |
583 | (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); | |
584 | } | |
585 | ||
62dcd2aa | 586 | if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, |
12bbcee2 DDO |
587 | fail_info, NULL)) != NULL) { |
588 | if (err != 0 && (flags & ERR_TXT_STRING) != 0) | |
589 | data = ERR_reason_error_string(err); | |
590 | rsp = ossl_cmp_error_new(srv_ctx->ctx, si, | |
591 | err != 0 ? ERR_GET_REASON(err) : -1, | |
592 | data, srv_ctx->sendUnprotectedErrors); | |
593 | OSSL_CMP_PKISI_free(si); | |
594 | } | |
62dcd2aa | 595 | } |
12bbcee2 | 596 | ctx->secretValue = backup_secret; |
62dcd2aa DDO |
597 | |
598 | /* possibly close the transaction */ | |
599 | rsp_type = | |
600 | rsp != NULL ? ossl_cmp_msg_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR; | |
601 | switch (rsp_type) { | |
602 | case OSSL_CMP_PKIBODY_IP: | |
603 | case OSSL_CMP_PKIBODY_CP: | |
604 | case OSSL_CMP_PKIBODY_KUP: | |
605 | case OSSL_CMP_PKIBODY_RP: | |
7e765f46 | 606 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 0) |
62dcd2aa DDO |
607 | break; |
608 | /* fall through */ | |
609 | ||
610 | case OSSL_CMP_PKIBODY_PKICONF: | |
611 | case OSSL_CMP_PKIBODY_GENP: | |
612 | case OSSL_CMP_PKIBODY_ERROR: | |
613 | /* TODO possibly support further terminating response message types */ | |
045229cf DDO |
614 | /* prepare for next transaction, ignoring any errors here: */ |
615 | (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL); | |
616 | (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL); | |
62dcd2aa DDO |
617 | |
618 | default: /* not closing transaction in other cases */ | |
619 | break; | |
620 | } | |
621 | return rsp; | |
622 | } | |
623 | ||
624 | /* | |
625 | * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client. | |
626 | * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg. | |
627 | * returns received message on success, else NULL and pushes an element on the | |
628 | * error stack. | |
629 | */ | |
630 | OSSL_CMP_MSG * OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, | |
631 | const OSSL_CMP_MSG *req) | |
632 | { | |
633 | OSSL_CMP_SRV_CTX *srv_ctx = NULL; | |
634 | ||
635 | if (client_ctx == NULL || req == NULL) { | |
636 | CMPerr(0, CMP_R_NULL_ARGUMENT); | |
637 | return 0; | |
638 | } | |
639 | ||
640 | if ((srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx)) == NULL) { | |
7e765f46 | 641 | CMPerr(0, CMP_R_TRANSFER_ERROR); |
62dcd2aa DDO |
642 | return 0; |
643 | } | |
644 | ||
645 | return OSSL_CMP_SRV_process_request(srv_ctx, req); | |
646 | } |