aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--apps/lib/cmp_mock_srv.c83
-rw-r--r--crypto/cmp/cmp_client.c191
-rw-r--r--crypto/cmp/cmp_ctx.c5
-rw-r--r--crypto/cmp/cmp_local.h6
-rw-r--r--crypto/cmp/cmp_msg.c10
-rw-r--r--crypto/cmp/cmp_server.c164
-rw-r--r--crypto/cmp/cmp_vfy.c21
-rw-r--r--doc/man3/OSSL_CMP_SRV_CTX_new.pod12
-rw-r--r--fuzz/cmp.c15
-rw-r--r--include/openssl/cmp.h.in8
-rw-r--r--test/cmp_client_test.c68
-rw-r--r--test/cmp_server_test.c1
-rw-r--r--util/libcrypto.num1
-rw-r--r--util/other.syms2
14 files changed, 477 insertions, 110 deletions
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index d58937e..edfb1d0 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -27,7 +27,7 @@ typedef struct
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
int sendError; /* send error response on given request type */
- OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
+ OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
int checkAfterTime; /* time the client should wait between polling */
@@ -43,7 +43,7 @@ static void mock_srv_ctx_free(mock_srv_ctx *ctx)
X509_free(ctx->certOut);
OSSL_STACK_OF_X509_free(ctx->chainOut);
OSSL_STACK_OF_X509_free(ctx->caPubsOut);
- OSSL_CMP_MSG_free(ctx->certReq);
+ OSSL_CMP_MSG_free(ctx->req);
OPENSSL_free(ctx);
}
@@ -183,6 +183,44 @@ int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
return 1;
}
+static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req)
+{
+ mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+ int req_type = OSSL_CMP_MSG_get_bodytype(req);
+
+ if (ctx == NULL || req == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+
+ /*
+ * For ir/cr/p10cr/kur delayed delivery is handled separately in
+ * process_cert_request
+ */
+ if (req_type == OSSL_CMP_IR
+ || req_type == OSSL_CMP_CR
+ || req_type == OSSL_CMP_P10CR
+ || req_type == OSSL_CMP_KUR
+ /* Client may use error to abort the ongoing polling */
+ || req_type == OSSL_CMP_ERROR)
+ return 0;
+
+ if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
+ /* start polling */
+ if (ctx->req != NULL) { /* TODO: move this check to cmp_server.c */
+ /* already in polling mode */
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ return 0;
+ }
+ if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL)
+ return -1;
+
+ return 1;
+ }
+ return 0;
+}
+
/* check for matching reference cert components, as far as given */
static int refcert_cmp(const X509 *refcert,
const X509_NAME *issuer, const ASN1_INTEGER *serial)
@@ -198,6 +236,23 @@ static int refcert_cmp(const X509 *refcert,
&& (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
}
+/* Reset dynamic variable in case of incomplete tansaction */
+static int reset_transaction(OSSL_CMP_SRV_CTX *srv_ctx)
+{
+ mock_srv_ctx *ctx = NULL;
+
+ if (srv_ctx == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+
+ ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+ ctx->curr_pollCount = 0;
+ OSSL_CMP_MSG_free(ctx->req);
+ ctx->req = NULL;
+ return 1;
+}
+
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *cert_req,
ossl_unused int certReqId,
@@ -228,12 +283,12 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
/* start polling */
- if (ctx->certReq != NULL) {
+ if (ctx->req != NULL) {
/* already in polling mode */
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
return NULL;
}
- if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
+ if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL)
return NULL;
return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
}
@@ -481,35 +536,35 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *pollReq,
ossl_unused int certReqId,
- OSSL_CMP_MSG **certReq, int64_t *check_after)
+ OSSL_CMP_MSG **req, int64_t *check_after)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
if (ctx == NULL || pollReq == NULL
- || certReq == NULL || check_after == NULL) {
+ || req == NULL || check_after == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ctx->sendError == 1
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
- *certReq = NULL;
+ *req = NULL;
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return 0;
}
- if (ctx->certReq == NULL) {
+ if (ctx->req == NULL) { /* TODO: move this check to cmp_server.c */
/* not currently in polling mode */
- *certReq = NULL;
+ *req = NULL;
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
return 0;
}
if (++ctx->curr_pollCount >= ctx->pollCount) {
/* end polling */
- *certReq = ctx->certReq;
- ctx->certReq = NULL;
+ *req = ctx->req;
+ ctx->req = NULL;
*check_after = 0;
} else {
- *certReq = NULL;
+ *req = NULL;
*check_after = ctx->checkAfterTime;
}
return 1;
@@ -523,7 +578,9 @@ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
if (srv_ctx != NULL && ctx != NULL
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
process_rr, process_genm, process_error,
- process_certConf, process_pollReq))
+ process_certConf, process_pollReq)
+ && OSSL_CMP_SRV_CTX_setup_polling(srv_ctx, reset_transaction,
+ delayed_delivery))
return srv_ctx;
mock_srv_ctx_free(ctx);
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index b5b0557..cf352c9 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -113,6 +113,23 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si)
return 1;
}
+static int is_crep_with_waiting(OSSL_CMP_MSG *resp, int rid)
+{
+ OSSL_CMP_CERTREPMESSAGE *crepmsg;
+ OSSL_CMP_CERTRESPONSE *crep;
+ int bt = OSSL_CMP_MSG_get_bodytype(resp);
+
+ if (!IS_CREP(bt))
+ return 0;
+
+ crepmsg = resp->body->value.ip; /* same for cp and kup */
+ crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
+
+ return (crep != NULL
+ && ossl_cmp_pkisi_get_status(crep->status)
+ == OSSL_CMP_PKISTATUS_waiting);
+}
+
/*-
* Perform the generic aspects of sending a request and receiving a response.
* Returns 1 on success and provides the received PKIMESSAGE in *rep.
@@ -180,7 +197,8 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
* Still we use this preliminary value already for a progress report because
* the following msg verification may also produce log entries and may fail.
*/
- ossl_cmp_log1(INFO, ctx, "received %s", ossl_cmp_bodytype_to_string(bt));
+ ossl_cmp_log2(INFO, ctx, "received %s%s", ossl_cmp_bodytype_to_string(bt),
+ ossl_cmp_is_error_with_waiting(*rep) ? " (waiting)" : "");
/* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */
if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF
@@ -191,9 +209,17 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
expected_type))
return 0;
+ /*
+ * 'rep' can have the expected response type, which during polling is
+ * pollRep. When polling, also any other non-error response (the final
+ * response) is fine here. When not yet polling, delayed delivery may
+ * be started by an error with 'waiting' status (while it may also be
+ * started by an expected response type ip/cp/kup).
+ */
if (bt == expected_type
- /* as an answer to polling, there could be IP/CP/KUP: */
- || (IS_CREP(bt) && expected_type == OSSL_CMP_PKIBODY_POLLREP))
+ || (expected_type == OSSL_CMP_PKIBODY_POLLREP
+ ? bt != OSSL_CMP_PKIBODY_ERROR
+ : ossl_cmp_is_error_with_waiting(*rep)))
return 1;
/* received message type is not one of the expected ones (e.g., error) */
@@ -235,7 +261,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
/*-
* When a 'waiting' PKIStatus has been received, this function is used to
- * poll, which should yield a pollRep or finally a CertRepMessage in ip/cp/kup.
+ * poll, which should yield a pollRep or the final response.
* On receiving a pollRep, which includes a checkAfter value, it return this
* value if sleep == 0, else it sleeps as long as indicated and retries.
*
@@ -246,7 +272,8 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
* Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value.
* Returns 1 on success and provides the received PKIMESSAGE in *rep.
* In this case the caller is responsible for freeing *rep.
- * Returns 0 on error (which includes the case that timeout has been reached).
+ * Returns 0 on error (which includes the case that timeout has been reached or
+ * received response with waiting status).
*/
static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
OSSL_CMP_MSG **rep, int *checkAfter)
@@ -312,7 +339,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
str, check_after);
if (ctx->total_timeout != 0) { /* timeout is not infinite */
- const int exp = 5; /* expected max time per msg round trip */
+ const int exp = OSSL_CMP_EXPECTED_RESP_TIME;
int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
if (time_left <= 0) {
@@ -335,9 +362,19 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
*checkAfter = (int)check_after;
return -1; /* exits the loop */
}
+ } else if (is_crep_with_waiting(prep, rid)
+ || ossl_cmp_is_error_with_waiting(prep)) {
+ /* status cannot be 'waiting' at this point */
+ (void)ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
+ OSSL_CMP_CTX_FAILINFO_badRequest,
+ "polling already started",
+ 0 /* errorCode */, NULL);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS);
+ goto err;
} else {
- ossl_cmp_info(ctx, "received ip/cp/kup after polling");
- /* any other body type has been rejected by send_receive_check() */
+ ossl_cmp_info(ctx, "received final response after polling");
+ if (!ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL))
+ return 0;
break;
}
}
@@ -349,11 +386,66 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return 1;
err:
+ (void)ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL);
OSSL_CMP_MSG_free(preq);
OSSL_CMP_MSG_free(prep);
return 0;
}
+static int save_senderNonce_if_waiting(OSSL_CMP_CTX *ctx,
+ OSSL_CMP_MSG *rep, int rid)
+{
+ /*
+ * LWCMP section 4.4 states: the senderNonce of the preceding request
+ * message because this value will be needed for checking the recipNonce
+ * of the final response to be received after polling.
+ */
+ if ((is_crep_with_waiting(rep, rid)
+ || ossl_cmp_is_error_with_waiting(rep))
+ && !ossl_cmp_ctx_set1_first_senderNonce(ctx, ctx->senderNonce))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * send request and get response possibly with polling initiated by error msg.
+ * Polling for ip/cp/kup/ with 'waiting' status is handled elsewhere.
+ */
+static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
+ OSSL_CMP_MSG **rep, int expected_type)
+{
+
+ if (!send_receive_check(ctx, req, rep, expected_type))
+ return 0;
+
+ if (ossl_cmp_is_error_with_waiting(*rep)) {
+ if (!save_senderNonce_if_waiting(ctx, *rep, -1 /* rid */))
+ return 0;
+ /*
+ * not modifying ctx->status during the certConf & error exchange,
+ * because these additional exchanges should not change the status.
+ */
+ if (expected_type != OSSL_CMP_PKIBODY_PKICONF
+ && !save_statusInfo(ctx, (*rep)->body->value.error->pKIStatusInfo))
+ return 0;
+
+ OSSL_CMP_MSG_free(*rep);
+ *rep = NULL;
+
+ if (poll_for_response(ctx, 1 /* can sleep */, -1 /* rid */,
+ rep, NULL /* checkAfter */) <= 0) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED);
+ return 0;
+ }
+ }
+ if (OSSL_CMP_MSG_get_bodytype(*rep) != expected_type) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ return 0;
+ }
+
+ return 1;
+}
/*
* Send certConf for IR, CR or KUR sequences and check response,
* not modifying ctx->status during the certConf exchange
@@ -370,7 +462,8 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
if (certConf == NULL)
goto err;
- res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
+ res = send_receive_also_delayed(ctx, certConf,
+ &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
err:
OSSL_CMP_MSG_free(certConf);
@@ -394,7 +487,8 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
if ((error = ossl_cmp_error_new(ctx, si, errorCode, details, 0)) == NULL)
goto err;
- res = send_receive_check(ctx, error, &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
+ res = send_receive_also_delayed(ctx, error,
+ &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
err:
OSSL_CMP_MSG_free(error);
@@ -515,7 +609,7 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
if (X509_verify_cert(csc) <= 0)
goto err;
- if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc),
+ if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc),
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS)) {
sk_X509_free(chain);
@@ -564,48 +658,74 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx);
int fail_info = 0; /* no failure */
const char *txt = NULL;
- OSSL_CMP_CERTREPMESSAGE *crepmsg;
- OSSL_CMP_CERTRESPONSE *crep;
+ OSSL_CMP_CERTREPMESSAGE *crepmsg = NULL;
+ OSSL_CMP_CERTRESPONSE *crep = NULL;
OSSL_CMP_certConf_cb_t cb;
X509 *cert;
char *subj = NULL;
int ret = 1;
+ int rcvd_type;
+ OSSL_CMP_PKISI *si;
if (!ossl_assert(ctx != NULL))
return 0;
retry:
- crepmsg = (*resp)->body->value.ip; /* same for cp and kup */
- if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) {
- ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
- return 0;
- }
- crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
- if (crep == NULL)
- return 0;
- if (!save_statusInfo(ctx, crep->status))
- return 0;
- if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */
- rid = ossl_cmp_asn1_get_int(crep->certReqId);
- if (rid < OSSL_CMP_CERTREQID_NONE) {
- ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
+ rcvd_type = OSSL_CMP_MSG_get_bodytype(*resp);
+ if (IS_CREP(rcvd_type)) {
+ crepmsg = (*resp)->body->value.ip; /* same for cp and kup */
+ if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
return 0;
}
+ crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
+ if (crep == NULL)
+ return 0;
+ si = crep->status;
+
+ if (rid == OSSL_CMP_CERTREQID_NONE) {
+ /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */
+ rid = ossl_cmp_asn1_get_int(crep->certReqId);
+ if (rid == OSSL_CMP_CERTREQID_NONE) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
+ return 0;
+ }
+ }
+ } else if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) {
+ si = (*resp)->body->value.error->pKIStatusInfo;
+ } else {
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ return 0;
}
- if (ossl_cmp_pkisi_get_status(crep->status) == OSSL_CMP_PKISTATUS_waiting) {
+ if (!save_statusInfo(ctx, si))
+ return 0;
+
+ if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting) {
+ /* here we allow different flavor of ip/cp/kup & error with waiting */
OSSL_CMP_MSG_free(*resp);
*resp = NULL;
if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) {
if (ret == -1) /* at this point implies sleep == 0 */
return ret; /* waiting */
- goto retry; /* got ip/cp/kup, which may still indicate 'waiting' */
+ goto retry; /* got some response other than pollRep */
} else {
ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED);
return 0;
}
}
+ /* at this point, ip/cp/kup or error without waiting */
+ if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_RECEIVED_ERROR);
+ return 0;
+ }
+ /* here we are strict on the flavor of ip/cp/kup */
+ if (rcvd_type != expected_type) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ return 0;
+ }
+
cert = get1_cert_status(ctx, (*resp)->body->type, crep);
if (cert == NULL) {
ERR_add_error_data(1, "; cannot extract certificate from response");
@@ -618,7 +738,8 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
* if the CMP server returned certificates in the caPubs field, copy them
* to the context so that they can be retrieved if necessary
*/
- if (crepmsg->caPubs != NULL
+ if (crepmsg != NULL
+ && crepmsg->caPubs != NULL
&& !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs))
return 0;
@@ -709,6 +830,9 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */
if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
goto err;
+
+ if (!save_senderNonce_if_waiting(ctx, rep, rid))
+ return 0;
} else {
if (req_type < 0)
return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
@@ -750,6 +874,9 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
goto err;
+ if (!save_senderNonce_if_waiting(ctx, rep, rid))
+ return 0;
+
if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type)
<= 0)
goto err;
@@ -787,7 +914,7 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
goto end;
ctx->status = OSSL_CMP_PKISTATUS_trans;
- if (!send_receive_check(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP))
+ if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP))
goto end;
rrep = rp->body->value.rp;
@@ -908,7 +1035,7 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
goto err;
ctx->status = OSSL_CMP_PKISTATUS_trans;
- if (!send_receive_check(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP))
+ if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP))
goto err;
ctx->status = OSSL_CMP_PKISTATUS_accepted;
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 5e54220..cc62ae4 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -183,6 +183,7 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
&& ossl_cmp_ctx_set1_caPubs(ctx, NULL)
&& ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
&& ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL)
+ && ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL)
&& OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
&& OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
@@ -226,6 +227,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
ASN1_OCTET_STRING_free(ctx->transactionID);
ASN1_OCTET_STRING_free(ctx->senderNonce);
ASN1_OCTET_STRING_free(ctx->recipNonce);
+ ASN1_OCTET_STRING_free(ctx->first_senderNonce);
OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
OSSL_STACK_OF_X509_free(ctx->extraCertsOut);
@@ -814,6 +816,9 @@ DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, recipNonce)
/* Stores the given nonce as the last senderNonce sent out */
DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, senderNonce)
+/* store the first req sender nonce for verifying delayed delivery */
+DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, first_senderNonce)
+
/* Set the proxy server to use for HTTP(S) connections */
DEFINE_OSSL_CMP_CTX_set1(proxy, char)
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index b8da48a..175cc25 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -95,6 +95,7 @@ struct ossl_cmp_ctx_st {
ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
ASN1_OCTET_STRING *recipNonce; /* last nonce received */
+ ASN1_OCTET_STRING *first_senderNonce; /* sender nonce when starting to poll */
ASN1_UTF8STRING *freeText; /* optional string to include each msg */
STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
@@ -823,6 +824,8 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx);
+int ossl_cmp_ctx_set1_first_senderNonce(OSSL_CMP_CTX *ctx,
+ const ASN1_OCTET_STRING *nonce);
/* from cmp_status.c */
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
@@ -939,6 +942,7 @@ ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_CERTRESPONSE *crep);
OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file);
+int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg);
/* from cmp_protect.c */
int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
@@ -958,6 +962,8 @@ int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_MSG *msg, int accept_RAVerified);
/* from cmp_client.c */
+/* expected max time per msg round trip, used for last try during polling: */
+# define OSSL_CMP_EXPECTED_RESP_TIME 2
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
int fail_info, const char *txt);
int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index e00afc8..1b9e275 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1200,3 +1200,13 @@ int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
{
return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
}
+
+int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg)
+{
+ if (!ossl_assert(msg != NULL))
+ return 0;
+
+ return (OSSL_CMP_MSG_get_bodytype(msg) == OSSL_CMP_PKIBODY_ERROR
+ && ossl_cmp_pkisi_get_status(msg->body->value.error->pKIStatusInfo)
+ == OSSL_CMP_PKISTATUS_waiting);
+}
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 06ef8fb..1e3ca15 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -32,6 +32,8 @@ struct ossl_cmp_srv_ctx_st
OSSL_CMP_SRV_error_cb_t process_error;
OSSL_CMP_SRV_certConf_cb_t process_certConf;
OSSL_CMP_SRV_pollReq_cb_t process_pollReq;
+ OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction;
+ OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery;
int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */
int acceptUnprotected; /* Accept requests with no/invalid prot. */
@@ -89,6 +91,19 @@ int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
return 1;
}
+int OSSL_CMP_SRV_CTX_setup_polling(OSSL_CMP_SRV_CTX *srv_ctx,
+ OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction,
+ OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery)
+{
+ if (srv_ctx == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+ srv_ctx->reset_transaction = reset_transaction;
+ srv_ctx->delayed_delivery = delayed_delivery;
+ return 1;
+}
+
OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
{
if (srv_ctx == NULL) {
@@ -149,6 +164,32 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
return 1;
}
+/* Return error msg with waiting status if polling is initiated, else NULL. */
+static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req)
+{
+ OSSL_CMP_MSG *msg = NULL;
+ OSSL_CMP_PKISI *si = NULL;
+ int ret;
+
+ if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL
+ && srv_ctx->delayed_delivery != NULL))
+ return NULL;
+
+ ret = srv_ctx->delayed_delivery(srv_ctx, req);
+ if (ret == 0 || !ossl_assert(ret != -1))
+ return NULL;
+
+ if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL))
+ == NULL)
+ return NULL;
+
+ msg = ossl_cmp_error_new(srv_ctx->ctx, si, 0,
+ NULL, srv_ctx->sendUnprotectedErrors);
+ OSSL_CMP_PKISI_free(si);
+ return msg;
+}
+
/*
* Processes an ir/cr/p10cr/kur and returns a certification response.
* Only handles the first certification request contained in req
@@ -387,13 +428,66 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
return msg;
}
+/* pollreq should be handled separately, to avoid recursive call */
+static OSSL_CMP_MSG *process_non_polling_request(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req)
+{
+ OSSL_CMP_MSG *rsp = NULL;
+
+ if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL
+ && req->body != NULL))
+ return NULL;
+
+ switch (OSSL_CMP_MSG_get_bodytype(req)) {
+ case OSSL_CMP_PKIBODY_IR:
+ case OSSL_CMP_PKIBODY_CR:
+ case OSSL_CMP_PKIBODY_P10CR:
+ case OSSL_CMP_PKIBODY_KUR:
+ if (srv_ctx->process_cert_request == NULL)
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ else
+ rsp = process_cert_request(srv_ctx, req);
+ break;
+ case OSSL_CMP_PKIBODY_RR:
+ if (srv_ctx->process_rr == NULL)
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ else
+ rsp = process_rr(srv_ctx, req);
+ break;
+ case OSSL_CMP_PKIBODY_GENM:
+ if (srv_ctx->process_genm == NULL)
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ else
+ rsp = process_genm(srv_ctx, req);
+ break;
+ case OSSL_CMP_PKIBODY_ERROR:
+ if (srv_ctx->process_error == NULL)
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ else
+ rsp = process_error(srv_ctx, req);
+ break;
+ case OSSL_CMP_PKIBODY_CERTCONF:
+ if (srv_ctx->process_certConf == NULL)
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ else
+ rsp = process_certConf(srv_ctx, req);
+ break;
+ default:
+ /* Other request message types are not supported */
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ break;
+ }
+
+ return rsp;
+}
+
static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *req)
{
OSSL_CMP_POLLREQCONTENT *prc;
OSSL_CMP_POLLREQ *pr;
int certReqId;
- OSSL_CMP_MSG *certReq;
+ OSSL_CMP_MSG *orig_req;
int64_t check_after = 0;
OSSL_CMP_MSG *msg = NULL;
@@ -413,12 +507,12 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
- &certReq, &check_after))
+ &orig_req, &check_after))
return NULL;
- if (certReq != NULL) {
- msg = process_cert_request(srv_ctx, certReq);
- OSSL_CMP_MSG_free(certReq);
+ if (orig_req != NULL) {
+ msg = process_non_polling_request(srv_ctx, orig_req);
+ OSSL_CMP_MSG_free(orig_req);
} else {
if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId,
check_after)) == NULL)
@@ -509,6 +603,10 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
|| !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
goto err;
+
+ if (srv_ctx->reset_transaction != NULL)
+ (void)srv_ctx->reset_transaction(srv_ctx);
+
break;
default:
/* transactionID should be already initialized */
@@ -528,50 +626,17 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
if (!req_verified)
goto err;
- switch (req_type) {
- case OSSL_CMP_PKIBODY_IR:
- case OSSL_CMP_PKIBODY_CR:
- case OSSL_CMP_PKIBODY_P10CR:
- case OSSL_CMP_PKIBODY_KUR:
- if (srv_ctx->process_cert_request == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- else
- rsp = process_cert_request(srv_ctx, req);
- break;
- case OSSL_CMP_PKIBODY_RR:
- if (srv_ctx->process_rr == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- else
- rsp = process_rr(srv_ctx, req);
- break;
- case OSSL_CMP_PKIBODY_GENM:
- if (srv_ctx->process_genm == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- else
- rsp = process_genm(srv_ctx, req);
- break;
- case OSSL_CMP_PKIBODY_ERROR:
- if (srv_ctx->process_error == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- else
- rsp = process_error(srv_ctx, req);
- break;
- case OSSL_CMP_PKIBODY_CERTCONF:
- if (srv_ctx->process_certConf == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- else
- rsp = process_certConf(srv_ctx, req);
- break;
- case OSSL_CMP_PKIBODY_POLLREQ:
+ if (req_type == OSSL_CMP_PKIBODY_POLLREQ) {
if (srv_ctx->process_pollReq == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
else
rsp = process_pollReq(srv_ctx, req);
- break;
- default:
- /* Other request message types are not supported */
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
- break;
+ } else {
+ if (srv_ctx->delayed_delivery != NULL
+ && (rsp = delayed_delivery(srv_ctx, req)) != NULL) {
+ goto err;
+ }
+ rsp = process_non_polling_request(srv_ctx, req);
}
err:
@@ -627,15 +692,22 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
break;
/* fall through */
+ case OSSL_CMP_PKIBODY_ERROR:
+ if (rsp != NULL
+ && ossl_cmp_is_error_with_waiting(rsp))
+ break;
+ /* fall through */
+
case OSSL_CMP_PKIBODY_RP:
case OSSL_CMP_PKIBODY_PKICONF:
case OSSL_CMP_PKIBODY_GENP:
- case OSSL_CMP_PKIBODY_ERROR:
/* Other terminating response message types are not supported */
/* Prepare for next transaction, ignoring any errors here: */
(void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
(void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */
+ if (srv_ctx->reset_transaction != NULL)
+ (void)srv_ctx->reset_transaction(srv_ctx);
default: /* not closing transaction in other cases */
break;
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 1869fae..8d4de10 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -786,10 +786,27 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
CMP_R_TRANSACTIONID_UNMATCHED))
return 0;
+ /*
+ * enable clearing irrelevant errors in attempts to validate recipient nonce
+ * in case of delayed delivery.
+ */
+ (void)ERR_set_mark();
/* compare received nonce with the one we sent */
if (!check_transactionID_or_nonce(ctx->senderNonce, hdr->recipNonce,
- CMP_R_RECIPNONCE_UNMATCHED))
- return 0;
+ CMP_R_RECIPNONCE_UNMATCHED)) {
+ /* check if we are polling and received final response */
+ if (ctx->first_senderNonce == NULL
+ || OSSL_CMP_MSG_get_bodytype(msg) == OSSL_CMP_PKIBODY_POLLREP
+ /* compare received nonce with our sender nonce at poll start */
+ || !check_transactionID_or_nonce(ctx->first_senderNonce,
+ hdr->recipNonce,
+ CMP_R_RECIPNONCE_UNMATCHED)) {
+ (void)ERR_clear_last_mark();
+ return 0;
+ }
+ }
+ /* discard any intermediate error while trying to check recipient nonce */
+ (void)ERR_pop_to_mark();
/* if not yet present, learn transactionID */
if (ctx->transactionID == NULL
diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
index d7f1a2e..fada992 100644
--- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
@@ -12,7 +12,10 @@ OSSL_CMP_SRV_certConf_cb_t,
OSSL_CMP_SRV_genm_cb_t,
OSSL_CMP_SRV_error_cb_t,
OSSL_CMP_SRV_pollReq_cb_t,
+OSSL_CMP_SRV_reset_transaction_cb_t,
+OSSL_CMP_SRV_delayed_delivery_cb_t,
OSSL_CMP_SRV_CTX_init,
+OSSL_CMP_SRV_CTX_setup_polling,
OSSL_CMP_SRV_CTX_get0_cmp_ctx,
OSSL_CMP_SRV_CTX_get0_custom_ctx,
OSSL_CMP_SRV_CTX_set_send_unprotected_errors,
@@ -64,6 +67,9 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
int certReqId,
OSSL_CMP_MSG **certReq,
int64_t *check_after);
+ typedef int (*OSSL_CMP_SRV_reset_transaction_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx);
+ typedef int (*OSSL_CMP_SRV_delayed_delivery_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req);
int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
OSSL_CMP_SRV_rr_cb_t process_rr,
@@ -71,6 +77,9 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
OSSL_CMP_SRV_error_cb_t process_error,
OSSL_CMP_SRV_certConf_cb_t process_certConf,
OSSL_CMP_SRV_pollReq_cb_t process_pollReq);
+ int OSSL_CMP_SRV_CTX_setup_polling(OSSL_CMP_SRV_CTX *srv_ctx,
+ OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction,
+ OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery);
OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
@@ -113,6 +122,9 @@ All arguments except I<srv_ctx> may be NULL.
If a callback for some message type is not given this means that the respective
type of CMP message is not supported by the server.
+OSSL_CMP_SRV_CTX_setup_polling() sets in the given I<srv_ctx> callback functions
+for reseting transaction and intitiating delayed delivery.
+
OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns the B<OSSL_CMP_CTX> from the I<srv_ctx>.
OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context from
diff --git a/fuzz/cmp.c b/fuzz/cmp.c
index 490c421..37b6c31 100644
--- a/fuzz/cmp.c
+++ b/fuzz/cmp.c
@@ -155,6 +155,17 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return 0;
}
+static int reset_transaction(OSSL_CMP_SRV_CTX *srv_ctx)
+{
+ return 1;
+}
+
+static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req)
+{
+ return 0;
+}
+
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
OSSL_CMP_MSG *msg;
@@ -183,7 +194,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
print_noop)
&& OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
process_rr, process_genm, process_error,
- process_certConf, process_pollReq))
+ process_certConf, process_pollReq)
+ && OSSL_CMP_SRV_CTX_setup_polling(srv_ctx, reset_transaction,
+ delayed_delivery))
OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));
OSSL_CMP_CTX_free(client_ctx);
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index fa4fe00..2e92510 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -469,6 +469,9 @@ typedef int (*OSSL_CMP_SRV_pollReq_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *req, int certReqId,
OSSL_CMP_MSG **certReq,
int64_t *check_after);
+typedef int (*OSSL_CMP_SRV_reset_transaction_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx);
+typedef int (*OSSL_CMP_SRV_delayed_delivery_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req);
int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
OSSL_CMP_SRV_rr_cb_t process_rr,
@@ -476,6 +479,9 @@ int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
OSSL_CMP_SRV_error_cb_t process_error,
OSSL_CMP_SRV_certConf_cb_t process_certConf,
OSSL_CMP_SRV_pollReq_cb_t process_pollReq);
+int OSSL_CMP_SRV_CTX_setup_polling(OSSL_CMP_SRV_CTX *srv_ctx,
+ OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction,
+ OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery);
OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
@@ -492,6 +498,8 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
# define OSSL_CMP_CR 2
# define OSSL_CMP_P10CR 4
# define OSSL_CMP_KUR 7
+# define OSSL_CMP_GENM 21
+# define OSSL_CMP_ERROR 23
# define OSSL_CMP_exec_IR_ses(ctx) \
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_IR, NULL)
# define OSSL_CMP_exec_CR_ses(ctx) \
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index 44c369b..ad78c86 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -184,7 +184,7 @@ static int test_exec_RR_ses_receive_error(void)
static int test_exec_IR_ses(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
- fixture->req_type = OSSL_CMP_IR;
+ fixture->req_type = OSSL_CMP_PKIBODY_IR;
fixture->expected = OSSL_CMP_PKISTATUS_accepted;
fixture->caPubs = sk_X509_new_null();
sk_X509_push(fixture->caPubs, server_cert);
@@ -194,42 +194,55 @@ static int test_exec_IR_ses(void)
return result;
}
-static int test_exec_IR_ses_poll(int check_after, int poll_count,
- int total_timeout, int expect)
+static int test_exec_any_ses_poll(int req_type, int check_after,
+ int poll_count, int total_timeout,
+ int expect)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
- fixture->req_type = OSSL_CMP_IR;
+ fixture->req_type = req_type;
fixture->expected = expect;
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, check_after);
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, poll_count);
OSSL_CMP_CTX_set_option(fixture->cmp_ctx,
OSSL_CMP_OPT_TOTAL_TIMEOUT, total_timeout);
- EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
+
+ if (req_type == OSSL_CMP_PKIBODY_IR || req_type == OSSL_CMP_PKIBODY_CR
+ || req_type == OSSL_CMP_PKIBODY_KUR
+ || req_type == OSSL_CMP_PKIBODY_P10CR) {
+ EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
+ } else if (req_type == OSSL_CMP_PKIBODY_GENM) {
+ EXECUTE_TEST(execute_exec_GENM_ses_test, tear_down);
+ } else {
+ result = 0;
+ }
return result;
}
static int checkAfter = 1;
static int test_exec_IR_ses_poll_ok(void)
{
- return test_exec_IR_ses_poll(checkAfter, 2, 0, OSSL_CMP_PKISTATUS_accepted);
+ return test_exec_any_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter, 2, 0,
+ OSSL_CMP_PKISTATUS_accepted);
}
static int test_exec_IR_ses_poll_no_timeout(void)
{
- return test_exec_IR_ses_poll(checkAfter, 1 /* pollCount */, checkAfter + 1,
- OSSL_CMP_PKISTATUS_accepted);
+ return test_exec_any_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter,
+ 2 /* pollCount */, checkAfter + 4,
+ OSSL_CMP_PKISTATUS_accepted);
}
static int test_exec_IR_ses_poll_total_timeout(void)
{
- return test_exec_IR_ses_poll(checkAfter + 1, 2 /* pollCount */, checkAfter,
- OSSL_CMP_PKISTATUS_waiting);
+ return !test_exec_any_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter + 1,
+ 3 /* pollCount */, checkAfter + 6,
+ OSSL_CMP_PKISTATUS_waiting);
}
static int test_exec_CR_ses(int implicit_confirm, int granted, int reject)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
- fixture->req_type = OSSL_CMP_CR;
+ fixture->req_type = OSSL_CMP_PKIBODY_CR;
OSSL_CMP_CTX_set_option(fixture->cmp_ctx,
OSSL_CMP_OPT_IMPLICIT_CONFIRM, implicit_confirm);
OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(fixture->srv_ctx, granted);
@@ -256,7 +269,7 @@ static int test_exec_CR_ses_implicit_confirm(void)
static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
- fixture->req_type = OSSL_CMP_KUR;
+ fixture->req_type = OSSL_CMP_PKIBODY_KUR;
/* ctx->oldCert has already been set */
if (transfer_error)
@@ -324,7 +337,7 @@ static int test_exec_P10CR_ses(int reject)
X509_REQ *csr = NULL;
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
- fixture->req_type = OSSL_CMP_P10CR;
+ fixture->req_type = OSSL_CMP_PKIBODY_P10CR;
fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejection
: OSSL_CMP_PKISTATUS_accepted;
ctx = fixture->cmp_ctx;
@@ -354,8 +367,8 @@ static int execute_try_certreq_poll_test(CMP_SES_TEST_FIXTURE *fixture)
{
OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
int check_after;
- const int CHECK_AFTER = 5;
- const int TYPE = OSSL_CMP_KUR;
+ const int CHECK_AFTER = 0;
+ const int TYPE = OSSL_CMP_PKIBODY_KUR;
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
@@ -384,7 +397,7 @@ static int execute_try_certreq_poll_abort_test(CMP_SES_TEST_FIXTURE *fixture)
OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
int check_after;
const int CHECK_AFTER = 99;
- const int TYPE = OSSL_CMP_CR;
+ const int TYPE = OSSL_CMP_PKIBODY_CR;
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
@@ -404,6 +417,26 @@ static int test_try_certreq_poll_abort(void)
return result;
}
+static int test_exec_GENM_ses_poll_ok(void)
+{
+ return test_exec_any_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter, 2, 0,
+ OSSL_CMP_PKISTATUS_accepted);
+}
+
+static int test_exec_GENM_ses_poll_no_timeout(void)
+{
+ return test_exec_any_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter,
+ 1 /* pollCount */, checkAfter + 1,
+ OSSL_CMP_PKISTATUS_accepted);
+}
+
+static int test_exec_GENM_ses_poll_total_timeout(void)
+{
+ return test_exec_any_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter + 1,
+ 3 /* pollCount */, checkAfter + 2,
+ OSSL_CMP_PKISTATUS_waiting);
+}
+
static int test_exec_GENM_ses(int transfer_error, int total_timeout, int expect)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
@@ -539,6 +572,9 @@ int setup_tests(void)
ADD_TEST(test_exec_GENM_ses_ok);
ADD_TEST(test_exec_GENM_ses_transfer_error);
ADD_TEST(test_exec_GENM_ses_total_timeout);
+ ADD_TEST(test_exec_GENM_ses_poll_ok);
+ ADD_TEST(test_exec_GENM_ses_poll_no_timeout);
+ ADD_TEST(test_exec_GENM_ses_poll_total_timeout);
ADD_TEST(test_exchange_certConf);
ADD_TEST(test_exchange_error);
return 1;
diff --git a/test/cmp_server_test.c b/test/cmp_server_test.c
index e270bb9..e375ae3 100644
--- a/test/cmp_server_test.c
+++ b/test/cmp_server_test.c
@@ -76,6 +76,7 @@ static int execute_test_handle_request(CMP_SRV_TEST_FIXTURE *fixture)
if (!TEST_true(OSSL_CMP_SRV_CTX_init(ctx, dummy_custom_ctx,
process_cert_request, NULL, NULL,
NULL, NULL, NULL))
+ || !TEST_true(OSSL_CMP_SRV_CTX_setup_polling(ctx, NULL, NULL))
|| !TEST_ptr(custom_ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(ctx))
|| !TEST_int_eq(strcmp(custom_ctx, dummy_custom_ctx), 0))
goto end;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 0b72559..6b7e6c2 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5540,5 +5540,6 @@ OSSL_CMP_CTX_get0_geninfo_ITAVs ? 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_geninfo_ITAVs ? 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_new0_certProfile ? 3_3_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_get0_certProfile ? 3_3_0 EXIST::FUNCTION:CMP
+OSSL_CMP_SRV_CTX_setup_polling ? 3_3_0 EXIST::FUNCTION:CMP
EVP_DigestSqueeze ? 3_3_0 EXIST::FUNCTION:
ERR_pop ? 3_3_0 EXIST::FUNCTION:
diff --git a/util/other.syms b/util/other.syms
index fa7a59d..bf7eb8b 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -461,6 +461,8 @@ OSSL_CMP_SRV_certConf_cb_t datatype
OSSL_CMP_SRV_genm_cb_t datatype
OSSL_CMP_SRV_error_cb_t datatype
OSSL_CMP_SRV_pollReq_cb_t datatype
+OSSL_CMP_SRV_delayed_delivery_cb_t datatype
+OSSL_CMP_SRV_clean_transaction_cb_t datatype
OSSL_CORE_MAKE_FUNC define
OSSL_PARAM_TYPE define
OSSL_PARAM_octet_ptr define
generated by cgit v1.1 at 2024-09-18 09:27:13 +0000