authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-05-19 12:30:11 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-06-13 15:13:21 +0200
commitb27ff9b87cdaeb25579d70c5b2bd6b27f8a788ec (patch)
tree216dabb4777422e4fc20a984ca0c7e42632af7db
parentce0465edc7a55fb7fb7d1a5e724b6467ede30f42 (diff)
Streamline the approach to set CMP message recipient and expected sender
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11998)
-rw-r--r--crypto/cmp/cmp_hdr.c21
-rw-r--r--crypto/cmp/cmp_msg.c2
-rw-r--r--crypto/cmp/cmp_vfy.c6
3 files changed, 16 insertions, 13 deletions
diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index b07bf031bf..7f2506ba9e 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -309,23 +309,22 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
return 0;
/* determine recipient entry in PKIHeader */
- if (ctx->srvCert != NULL) {
- rcp = X509_get_subject_name(ctx->srvCert);
- /* set also as expected_sender of responses unless set explicitly */
- if (ctx->expected_sender == NULL && rcp != NULL
- && !OSSL_CMP_CTX_set1_expected_sender(ctx, rcp))
- return 0;
- } else if (ctx->recipient != NULL) {
+ if (ctx->recipient != NULL)
rcp = ctx->recipient;
- } else if (ctx->issuer != NULL) {
+ else if (ctx->srvCert != NULL)
+ rcp = X509_get_subject_name(ctx->srvCert);
+ else if (ctx->issuer != NULL)
rcp = ctx->issuer;
- } else if (ctx->oldCert != NULL) {
+ else if (ctx->oldCert != NULL)
rcp = X509_get_issuer_name(ctx->oldCert);
- } else if (ctx->cert != NULL) {
+ else if (ctx->cert != NULL)
rcp = X509_get_issuer_name(ctx->cert);
- }
if (!ossl_cmp_hdr_set1_recipient(hdr, rcp))
return 0;
+ /* set also as expected_sender of responses unless set explicitly */
+ if (ctx->expected_sender == NULL && rcp != NULL
+ && !OSSL_CMP_CTX_set1_expected_sender(ctx, rcp))
+ return 0;
/* set current time as message time */
if (!ossl_cmp_hdr_update_messageTime(hdr))
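Review bot: The expected_sender default added after `ossl_cmp_hdr_set1_recipient()` stores whichever `rcp` was chosen into the ctx, so an explicit `ctx->recipient` (which now takes precedence over `ctx->srvCert`) or one of the issuer fallbacks becomes the expected sender of responses, while the new fallback in the second cmp_vfy.c hunk defaults to the subject of `ctx->srvCert`. Which default applies therefore depends on whether this function ran on the ctx before `OSSL_CMP_validate_msg()`. Once stored, the derived value cannot be told apart from one the application set, so a later change of recipient or srvCert would presumably not update it. Since the sender check exists to reject certificates of other entities in a trusted hierarchy, I would keep the default in one place, for instance by dropping the ctx write here and letting validation derive it, or at least document the precedence with a comment such as `/* default expected sender: recipient chosen above; stays in ctx for later messages */`. The body of ossl_cmp_hdr_init starts and ends outside the hunk.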
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 7b338b2b01..bbce90c326 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -228,7 +228,7 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
X509_EXTENSIONS *exts = NULL;
if (rkey == NULL)
- rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
+ rkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (rkey == NULL) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
CMPerr(0, CMP_R_NULL_ARGUMENT);
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index c124b0636f..289402d829 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -559,6 +559,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
int nid = NID_undef, pk_nid = NID_undef;
const ASN1_OBJECT *algorOID = NULL;
X509 *scrt;
+ const X509_NAME *expected_sender;
if (ctx == NULL || msg == NULL
|| msg->header == NULL || msg->body == NULL) {
@@ -642,9 +643,12 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
* Mitigates risk to accept misused certificate of an unauthorized
* entity of a trusted hierarchy.
*/
+ expected_sender = ctx->expected_sender;
+ if (expected_sender == NULL && ctx->srvCert != NULL)
+ expected_sender = X509_get_subject_name(ctx->srvCert);
if (!check_name(ctx, "sender DN field",
msg->header->sender->d.directoryName,
- "expected sender", ctx->expected_sender))
+ "expected sender", expected_sender))
break;
/* Note: if recipient was NULL-DN it could be learned here if needed */
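Review bot: The block comment above the check explains why the sender DN is compared, but not the order in which the expected name is now chosen. A line such as `/* expected sender: ctx->expected_sender if set, else subject of ctx->srvCert */` before the assignment would make that explicit. If both are NULL, the check is passed a NULL expected name; what `check_name()` does with that is not visible in this hunk, so it is worth confirming, and stating in the comment, whether that case accepts any sender. The enclosing function continues outside the hunk.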