From: Dr. David von Oheimb <dev@ddvo.net>
Date: Wed, 3 Dec 2025 18:00:44 +0000 (+0100)
Subject: CMP check_cert_path_3gpp(): add missing checks trying to retrieve newly enrolled... 
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8482cb8232444dde70c4b2b0a853fca050bea01a;p=thirdparty%2Fopenssl.git

CMP check_cert_path_3gpp(): add missing checks trying to retrieve newly enrolled cert

Fixes #29285

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29302)
---

diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index c24ce077dcd..bccdce2428f 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -348,7 +348,7 @@ static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx,
     if (!valid) {
         ossl_cmp_warn(ctx,
                       "also exceptional 3GPP mode cert path validation failed");
-    } else {
+    } else if (OSSL_CMP_MSG_get_bodytype(msg) == OSSL_CMP_PKIBODY_IP) {
         /*
          * verify that the newly enrolled certificate (which assumed rid ==
          * OSSL_CMP_CERTREQID) can also be validated with the same trusted store
@@ -356,13 +356,11 @@ static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx,
         OSSL_CMP_CERTRESPONSE *crep =
             ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip,
                                                       OSSL_CMP_CERTREQID);
-        X509 *newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep);
+        X509 *newcrt = NULL;
 
-        /*
-         * maybe better use get_cert_status() from cmp_client.c, which catches
-         * errors
-         */
-        valid = OSSL_CMP_validate_cert_path(ctx, store, newcrt);
+        valid = crep != NULL
+            && (newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep)) != NULL
+            && OSSL_CMP_validate_cert_path(ctx, store, newcrt);
         X509_free(newcrt);
     }
 
@@ -644,8 +642,9 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
                 return 0;
             }
             if (check_msg_find_cert(ctx, msg)) {
-                ossl_cmp_debug(ctx,
-                               "successfully validated signature-based CMP message protection using trust store");
+                ossl_cmp_log1(DEBUG, ctx,
+                              "successfully validated signature-based CMP message protection using trust store%s",
+                              ctx->permitTAInExtraCertsForIR ? " or 3GPP mode": "");
                 return 1;
             }
         } else { /* use pinned sender cert */