Fix error in case CMP msg POPO is not provided in OSSL_CRMF_MSGS_verify_popo()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)

4 files changed, 10 insertions, 5 deletions

diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c
index 80f71543ca..159d5b2c91 100644
--- a/crypto/crmf/crmf_err.c
+++ b/crypto/crmf/crmf_err.c
@@ -32,6 +32,7 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_NULL_ARGUMENT), "null argument"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY),
     "popo inconsistent public key"},
+    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING), "popo missing"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING_PUBLIC_KEY),
     "popo missing public key"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING_SUBJECT),
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index acbc9af5cb..dd69372f3e 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -485,11 +485,13 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
     X509_PUBKEY *pubkey = NULL;
     OSSL_CRMF_POPOSIGNINGKEY *sig = NULL;
 
-    if (reqs == NULL
-            || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL
-            || req->popo == NULL) {
-        CRMFerr(CRMF_F_OSSL_CRMF_MSGS_VERIFY_POPO,
-                CRMF_R_NULL_ARGUMENT);
+    if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) {
+        CRMFerr(CRMF_F_OSSL_CRMF_MSGS_VERIFY_POPO, CRMF_R_NULL_ARGUMENT);
+        return 0;
+    }
+
+    if (req->popo == NULL) {
+        CRMFerr(0, CRMF_R_POPO_MISSING);
         return 0;
     }
 
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index c35d235e18..c921207698 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2263,6 +2263,7 @@ CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
 CRMF_R_MALFORMED_IV:101:malformed iv
 CRMF_R_NULL_ARGUMENT:109:null argument
 CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY:117:popo inconsistent public key
+CRMF_R_POPO_MISSING:121:popo missing
 CRMF_R_POPO_MISSING_PUBLIC_KEY:118:popo missing public key
 CRMF_R_POPO_MISSING_SUBJECT:119:popo missing subject
 CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED:120:popo raverified not accepted
diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h
index f7b5b906e2..22936c620e 100644
--- a/include/openssl/crmferr.h
+++ b/include/openssl/crmferr.h
@@ -63,6 +63,7 @@ int ERR_load_CRMF_strings(void);
 #  define CRMF_R_MALFORMED_IV                              101
 #  define CRMF_R_NULL_ARGUMENT                             109
 #  define CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY              117
+#  define CRMF_R_POPO_MISSING                              121
 #  define CRMF_R_POPO_MISSING_PUBLIC_KEY                   118
 #  define CRMF_R_POPO_MISSING_SUBJECT                      119
 #  define CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED              120