From: Dr. David von Oheimb
Date: Mon, 2 Jun 2025 18:58:01 +0000 (+0200)
Subject: crmf_lib.c create_popo_signature(): add error queue entry on signature failure
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~513
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84c526862104eac3ed8f715d212070b00bf0cc6d;p=thirdparty%2Fopenssl.git
crmf_lib.c create_popo_signature(): add error queue entry on signature failure
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/28482)
---
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 173b9ac55a0..6078a61b248 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -116,7 +116,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
 if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
 msg->header->protectionAlg, /* sets X509_ALGOR */
 NULL, prot, &prot_part, NULL, ctx->pkey, md,
- ctx->libctx, ctx->propq))
+ ctx->libctx, ctx->propq) != 0)
 return prot;
 ASN1_BIT_STRING_free(prot);
 return NULL;
diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c
index 4727c833530..55c543d563a 100644
--- a/crypto/crmf/crmf_err.c
+++ b/crypto/crmf/crmf_err.c
@@ -36,6 +36,8 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
 "error decrypting symmetric key"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SETTING_PURPOSE),
 "error setting purpose"},
+ {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SIGNING_POPO),
+ "error signing popo"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY),
 "error verifying encryptedkey"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_FAILURE_OBTAINING_RANDOM),
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 68432e53006..ecdd3526e38 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
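Review bot: In crypto/cmp/cmp_protect.c the failure path of ossl_cmp_calc_protection() still only calls `ASN1_BIT_STRING_free(prot);` and returns NULL after a failed ASN1_item_sign_ex(), with no error queue entry of its own, while this same commit adds one for the equivalent call in create_popo_signature(). If no caller raises a CMP-level reason for a failed protection signature (not visible in this hunk), consider adding `ERR_raise(ERR_LIB_CMP, <reason code>);` before `return NULL;`, so that a failed message-protection signature is as easy to diagnose as a failed POPO signature. The function body starts before the hunk.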
@@ -379,10 +379,13 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
 && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
 digest = NULL;
- return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
- ps->algorithmIdentifier, /* sets this X509_ALGOR */
- NULL, ps->signature, /* sets the ASN1_BIT_STRING */
- cr, NULL, pkey, digest, libctx, propq);
+ if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
+ ps->algorithmIdentifier, /* sets this X509_ALGOR */
+ NULL, ps->signature, /* sets the ASN1_BIT_STRING */
+ cr, NULL, pkey, digest, libctx, propq) != 0)
+ return 1;
+ ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_SIGNING_POPO);
+ return 0;
 }
 int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index e819a808ca9..f47bc5ae756 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -464,6 +464,7 @@ CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY:124:error decrypting encryptedkey
 CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE:125:error decrypting encryptedvalue
 CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key
 CRMF_R_ERROR_SETTING_PURPOSE:126:error setting purpose
+CRMF_R_ERROR_SIGNING_POPO:129:error signing popo
 CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY:127:error verifying encryptedkey
 CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random
 CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h
index a9b04e0ebb2..9269006c464 100644
--- a/include/openssl/crmferr.h
+++ b/include/openssl/crmferr.h
@@ -34,6 +34,7 @@
 # define CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE 125
 # define CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY 106
 # define CRMF_R_ERROR_SETTING_PURPOSE 126
+# define CRMF_R_ERROR_SIGNING_POPO 129
 # define CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY 127
 # define CRMF_R_FAILURE_OBTAINING_RANDOM 107
 # define CRMF_R_ITERATIONCOUNT_BELOW_100 108
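Review bot: create_popo_signature() in crypto/crmf/crmf_lib.c now normalises its result to 1/0 instead of passing through the value returned by ASN1_item_sign_ex(), and nothing in the hunk documents that contract. A short comment above the function, such as `/* returns 1 on success, 0 on error with CRMF_R_ERROR_SIGNING_POPO raised */`, would make it explicit. The call is annotated as setting `ps->algorithmIdentifier` and `ps->signature`, so those fields may be left partially set on failure; the comment could also state that the caller must discard `ps` on a 0 return. Whether the caller already does this is not visible, and the function begins before the hunk.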