From: Dr. David von Oheimb
Date: Tue, 13 Sep 2022 20:22:48 +0000 (+0200)
Subject: CMP: fix handling of unset or missing failInfo PKI status information
X-Git-Tag: openssl-3.2.0-alpha1~1673
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cba0e2afd6a222aa041e05f8455e83c9e959d05b;p=thirdparty%2Fopenssl.git

CMP: fix handling of unset or missing failInfo PKI status information

Reviewed-by: Tomas Mraz
Reviewed-by: Todd Short
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/19205)
---

diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 25f179e107f..800f22316c3 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -97,13 +97,7 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si)
     if (ctx->status < OSSL_CMP_PKISTATUS_accepted)
         return 0;
 
-    ctx->failInfoCode = 0;
-    if (si->failInfo != NULL) {
-        for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) {
-            if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
-                ctx->failInfoCode |= (1 << i);
-        }
-    }
+    ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si);
 
     if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null())
         || (ctx->statusString == NULL))
diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c
index 176c546f9c9..5c02faec103 100644
--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@@ -73,9 +73,10 @@ int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
     if (!ossl_assert(si != NULL))
         return -1;
 
-    for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
-        if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
-            res |= 1 << i;
+    if (si->failInfo != NULL)
+        for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
+            if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
+                res |= 1 << i;
     return res;
 }
 
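Review bot: The new assignment `ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si);` adopts the helper's -1 sentinel without saying so, and -1 is now the documented "unset" value of OSSL_CMP_CTX_get_failInfoCode(); the helper returns -1 only for a NULL si, which the start of save_statusInfo (outside the hunk) presumably rules out. A one-line comment would keep the three outcomes apart: `/* -1 only if si == NULL; 0 if failInfo is absent or carries no failure bits */`. If the local `i` that the removed loop indexed has no other use in save_statusInfo (its body continues past the hunk), its declaration should be dropped as well, or -Wunused-variable builds with -Werror will fail.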
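Review bot: The new unbraced three-level nesting `if (si->failInfo != NULL) for (...) if (...) res |= 1 << i;` is a style point: a statement later added at any level silently changes scope, so the outer `if` deserves braces, `if (si->failInfo != NULL) {` ... `}`. The return contract is now two-valued in a non-obvious way, -1 for a NULL si, 0 for an absent or empty failInfo, otherwise the bit mask, and should be stated in a comment above the signature (outside the hunk). If ASN1_BIT_STRING_get_bit() already tolerates a NULL bit string, the added guard merely skips the loop; either way the comment should say the result is 0, not -1, when failInfo is missing, because snprint_PKIStatusInfo_parts() now treats the two values differently.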
@@ -193,7 +194,7 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
      * failInfo is optional and may be empty;
      * if present, print failInfo before statusString because it is more concise
      */
-    if (fail_info != 0) {
+    if (fail_info != -1 && fail_info != 0) {
         printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
         ADVANCE_BUFFER;
         for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 1949a60910e..f0933634490 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -660,7 +660,8 @@ OSSL_CMP_CTX_get0_statusString() returns the statusString from the last received
 CertRepMessage or Revocation Response or error message, or NULL if unset.
 
 OSSL_CMP_CTX_get_failInfoCode() returns the error code from the failInfo field
-of the last received CertRepMessage or Revocation Response or error message.
+of the last received CertRepMessage or Revocation Response or error message,
+or -1 if no such response was received or OSSL_CMP_CTX_reinit() has been called.
 This is a bit field and the flags for it are specified in the header file
 F<< >>. The flags start with OSSL_CMP_CTX_FAILINFO, for example:
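Review bot: The check `if (fail_info != -1 && fail_info != 0)` hard-codes a single sentinel; any other negative fail_info would still emit "; PKIFailureInfo: " and, if the loop body (outside the hunk) masks each bit as its header suggests, a spurious list of flags, since a negative int has most of its bits set. `if (fail_info > 0) {` expresses the intent, at least one failure bit set, and covers every negative sentinel, given that a mask built from bits 0..OSSL_CMP_PKIFAILUREINFO_MAX is non-negative. The comment above it could also record the convention, `* fail_info < 0 means unset (no response received)`. The body of snprint_PKIStatusInfo_parts continues past the hunk.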