Changeset View
Changeset View
Standalone View
Standalone View
crypto/cmp/cmp_server.c
/* | /* | ||||
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. | * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. | ||||
* Copyright Nokia 2007-2019 | * Copyright Nokia 2007-2019 | ||||
* Copyright Siemens AG 2015-2019 | * Copyright Siemens AG 2015-2019 | ||||
* | * | ||||
Context not available. | |||||
/* the context for the generic CMP server */ | /* the context for the generic CMP server */ | ||||
struct ossl_cmp_srv_ctx_st | struct ossl_cmp_srv_ctx_st | ||||
{ | { | ||||
OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */ | void *custom_ctx; /* pointer to application-specific server context */ | ||||
void *custom_ctx; /* pointer to specific server context */ | OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */ | ||||
int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */ | |||||
OSSL_CMP_SRV_cert_request_cb_t process_cert_request; | OSSL_CMP_SRV_cert_request_cb_t process_cert_request; | ||||
OSSL_CMP_SRV_rr_cb_t process_rr; | OSSL_CMP_SRV_rr_cb_t process_rr; | ||||
Context not available. | |||||
if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) | if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) | ||||
goto err; | goto err; | ||||
ctx->certReqId = OSSL_CMP_CERTREQID_INVALID; | |||||
/* all other elements are initialized to 0 or NULL, respectively */ | /* all other elements are initialized to 0 or NULL, respectively */ | ||||
return ctx; | return ctx; | ||||
Context not available. | |||||
} | } | ||||
if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { | if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { | ||||
certReqId = OSSL_CMP_CERTREQID; | certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */ | ||||
p10cr = req->body->value.p10cr; | p10cr = req->body->value.p10cr; | ||||
} else { | } else { | ||||
OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ | OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ | ||||
Context not available. | |||||
return NULL; | return NULL; | ||||
} | } | ||||
certReqId = OSSL_CRMF_MSG_get_certReqId(crm); | certReqId = OSSL_CRMF_MSG_get_certReqId(crm); | ||||
if (certReqId != OSSL_CMP_CERTREQID) { | |||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); | |||||
return 0; | |||||
} | |||||
} | } | ||||
srv_ctx->certReqId = certReqId; | |||||
if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { | if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { | ||||
/* Proof of possession could not be verified */ | /* Proof of possession could not be verified */ | ||||
Context not available. | |||||
ASN1_OCTET_STRING *certHash = status->certHash; | ASN1_OCTET_STRING *certHash = status->certHash; | ||||
OSSL_CMP_PKISI *si = status->statusInfo; | OSSL_CMP_PKISI *si = status->statusInfo; | ||||
if (certReqId != srv_ctx->certReqId) { | |||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); | |||||
return NULL; | |||||
} | |||||
if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) | if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) | ||||
return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ | return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ | ||||
Context not available. | |||||
return NULL; | return NULL; | ||||
} | } | ||||
pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); | pr = sk_OSSL_CMP_POLLREQ_value(prc, OSSL_CMP_CERTREQID); | ||||
certReqId = ossl_cmp_asn1_get_int(pr->certReqId); | certReqId = ossl_cmp_asn1_get_int(pr->certReqId); | ||||
if (certReqId != srv_ctx->certReqId) { | |||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); | |||||
return NULL; | |||||
} | |||||
if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, | if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, | ||||
&certReq, &check_after)) | &certReq, &check_after)) | ||||
return NULL; | return NULL; | ||||
Context not available. | |||||
ASN1_OCTET_STRING *backup_secret; | ASN1_OCTET_STRING *backup_secret; | ||||
OSSL_CMP_PKIHEADER *hdr; | OSSL_CMP_PKIHEADER *hdr; | ||||
int req_type, rsp_type; | int req_type, rsp_type; | ||||
int res; | int req_verified = 0; | ||||
OSSL_CMP_MSG *rsp = NULL; | OSSL_CMP_MSG *rsp = NULL; | ||||
if (srv_ctx == NULL || srv_ctx->ctx == NULL | if (srv_ctx == NULL || srv_ctx->ctx == NULL | ||||
Context not available. | |||||
} | } | ||||
} | } | ||||
res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, | req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, | ||||
srv_ctx->acceptUnprotected); | srv_ctx->acceptUnprotected); | ||||
if (ctx->secretValue != NULL && ctx->pkey != NULL | if (ctx->secretValue != NULL && ctx->pkey != NULL | ||||
&& ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) | && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) | ||||
ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ | ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ | ||||
if (!res) | if (!req_verified) | ||||
goto err; | goto err; | ||||
switch (req_type) { | switch (req_type) { | ||||
Context not available. | |||||
int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; | int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; | ||||
OSSL_CMP_PKISI *si = NULL; | OSSL_CMP_PKISI *si = NULL; | ||||
if (ctx->transactionID == NULL) { | if (!req_verified) { | ||||
/* ignore any (extra) error in next two function calls: */ | /* | ||||
(void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); | * Above ossl_cmp_msg_check_update() was not successfully executed, | ||||
* which normally would set ctx->transactionID and ctx->recipNonce. | |||||
* So anyway try to provide the right transactionID and recipNonce, | |||||
* while ignoring any (extra) error in next two function calls. | |||||
*/ | |||||
if (ctx->transactionID == NULL) | |||||
(void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); | |||||
(void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); | (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); | ||||
} | } | ||||
Context not available. |