From: Dr. David von Oheimb
Date: Wed, 14 Sep 2022 15:37:27 +0000 (+0200)
Subject: OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs
X-Git-Tag: openssl-3.2.0-alpha1~1666
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c04866c671db4a6db0a1784399b351ea061bc16;p=thirdparty%2Fopenssl.git

OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs

Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong.

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/19216)
---
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index e6bdbba7e6c..d890f7fde00 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -324,7 +324,7 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
 return 0;
 }
- if (ctx->sendError) {
+ if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) {
 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 return 0;
 }
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index fd71ba099b5..d415877760e 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -148,6 +148,13 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
 return NULL;
 }
 
+#define OSSL_CMP_ITAVs_free(itavs) \
+ sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+ sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
 /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 {
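Review bot: The new `sk_OSSL_CMP_ITAV_num(in) > 1` test in process_genm() rejects a multi-ITAV request with the same CMP_R_ERROR_PROCESSING_MESSAGE that the configured sendError path raises, and nothing in the hunk says why more than one ITAV is unsupported, so a test failure on this line cannot be told apart from the deliberate error injection. A one-line comment above the condition would spare the next reader guessing, e.g. `/* the mock server handles only a single ITAV per genm; more are treated as a processing error */` — hedged, since that is how I read the condition rather than something the hunk states. If `in` can still be NULL here, sk_OSSL_CMP_ITAV_num() yields -1 and the check falls through to sendError, which looks intended; the NULL-argument check that precedes the hunk is only partly visible. process_genm() begins and ends outside the hunk.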
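Review bot: The relocated `OSSL_CMP_ITAVs_free` macro ends its expansion with a semicolon (`sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);`) while the two sibling macros right below it do not, so every use — including the new `OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);` in the OSSL_CMP_CTX_reinit() hunk — expands to a double semicolon, and a brace-less `if (...) OSSL_CMP_ITAVs_free(x); else ...` would not compile. Since the commit moves the definition anyway, this is the moment to drop the stray semicolon: `#define OSSL_CMP_ITAVs_free(itavs) \` followed by `sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free)`. OSSL_CMP_CTX_reinit() opens on the last line of this hunk and its body lies outside it.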
@@ -164,6 +171,9 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 ctx->status = OSSL_CMP_PKISTATUS_unspecified;
 ctx->failInfoCode = -1;
 
+ OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
+ ctx->genm_ITAVs = NULL;
+
 return ossl_cmp_ctx_set0_statusString(ctx, NULL)
 && ossl_cmp_ctx_set0_newCert(ctx, NULL)
 && ossl_cmp_ctx_set1_newChain(ctx, NULL)
@@ -175,13 +185,6 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
 }
 
-#define OSSL_CMP_ITAVs_free(itavs) \
- sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-#define X509_EXTENSIONS_free(exts) \
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
-#define OSSL_CMP_PKIFREETEXT_free(text) \
- sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
-
 /* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
 void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 {
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index f0933634490..1bdcf5fb6d5 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -188,6 +188,7 @@ OSSL_CMP_CTX_reinit() prepares the given I for a further transaction by clearing the internal CMP transaction (aka session) status, PKIStatusInfo, and any previous results (newCert, newChain, caPubs, and extraCertsIn) from the last executed transaction.
+It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV().
 All other field values (i.e., CMP options) are retained for potential re-use. OSSL_CMP_CTX_get0_libctx() returns the I argument that was used
@@ -731,7 +732,8 @@ OSSL_CMP_certConf_cb() returns I if it is not equal to 0, else 0 on successful validation, or else a bit field with the B bit set.
-All other functions return 1 on success, 0 on error.
+All other functions, including OSSL_CMP_CTX_reinit(),
+return 1 on success, 0 on error.
 =head1 EXAMPLES
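Review bot: The added `OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);` releases the OSSL_CMP_ITAV objects the application handed over through OSSL_CMP_CTX_push0_genm_ITAV() (a push0 call transfers ownership by OpenSSL convention), so any pointer to those ITAVs the caller still holds dangles after reinit, and neither the new lines nor the function's one-line header comment say so. A why-comment on the free would make the ownership explicit: `/* release the ITAVs pushed via OSSL_CMP_CTX_push0_genm_ITAV(); ctx owns them and the caller must not use them afterwards */`. Setting the field to NULL immediately after the free, as the hunk does, is what prevents a double free on a second reinit() or in OSSL_CMP_CTX_free(), which presumably frees the same field. The rest of OSSL_CMP_CTX_reinit() lies outside the hunk.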
@@ -787,7 +789,7 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents: OSSL_CMP_CTX_reinit(cmp_ctx); ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
- OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL);
+ OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
 OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav); STACK_OF(OSSL_CMP_ITAV) *itavs;
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index b25d98eb9f7..1727703d26d 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -94,9 +94,13 @@ static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
 }
 
-static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+static int execute_exec_GENM_ses_test_single(CMP_SES_TEST_FIXTURE *fixture)
 {
- STACK_OF(OSSL_CMP_ITAV) *itavs = NULL;
+ ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
+ OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
+ STACK_OF(OSSL_CMP_ITAV) *itavs;
+
+ OSSL_CMP_CTX_push0_genm_ITAV(fixture->cmp_ctx, itav);
 
 if (!TEST_ptr(itavs = OSSL_CMP_exec_GENM_ses(fixture->cmp_ctx)))
 return 0;
@@ -104,6 +108,13 @@ static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 return 1;
 }
 
+static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+{
+ return execute_exec_GENM_ses_test_single(fixture)
+ && OSSL_CMP_CTX_reinit(fixture->cmp_ctx)
+ && execute_exec_GENM_ses_test_single(fixture);
+}
+
 static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 {
 X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx,
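Review bot: execute_exec_GENM_ses_test_single() discards the result of `OSSL_CMP_CTX_push0_genm_ITAV(fixture->cmp_ctx, itav)` and never checks that OBJ_txt2obj() or OSSL_CMP_ITAV_create() succeeded, so a failure there surfaces only as a puzzling failure of the later TEST_ptr() around OSSL_CMP_exec_GENM_ses() — or as a NULL itav being pushed — instead of pointing at the real cause. Routing the push through the test framework keeps the diagnosis precise: `if (!TEST_ptr(itav) || !TEST_true(OSSL_CMP_CTX_push0_genm_ITAV(fixture->cmp_ctx, itav))) return 0;`. If push0 fails the itav presumably stays with the caller and would then need freeing; worth confirming against the push0 contract. The function body continues past the end of this hunk.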