summaryrefslogtreecommitdiffstats
path: root/crypto/cmp
diff options
context:
space:
mode:
authorRichard Levitte <levitte@openssl.org>2020-11-04 12:23:19 +0100
committerRichard Levitte <levitte@openssl.org>2020-11-13 09:35:02 +0100
commit9311d0c471ca2eaa259e8c1bbbeb7c46394c7ba2 (patch)
treee82c26569e5a952980e65a746af920beed602aab /crypto/cmp
parent31a6b52f6db009c639c67387a707dd235f29a430 (diff)
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_asn.c8
-rw-r--r--crypto/cmp/cmp_client.c66
-rw-r--r--crypto/cmp/cmp_ctx.c106
-rw-r--r--crypto/cmp/cmp_hdr.c6
-rw-r--r--crypto/cmp/cmp_http.c2
-rw-r--r--crypto/cmp/cmp_msg.c62
-rw-r--r--crypto/cmp/cmp_protect.c26
-rw-r--r--crypto/cmp/cmp_server.c62
-rw-r--r--crypto/cmp/cmp_status.c8
-rw-r--r--crypto/cmp/cmp_util.c12
-rw-r--r--crypto/cmp/cmp_vfy.c44
11 files changed, 202 insertions, 200 deletions
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index d9013911a0..e2f7169dda 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -167,7 +167,7 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
int created = 0;
if (itav_sk_p == NULL || itav == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
goto err;
}
@@ -194,15 +194,15 @@ int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
int64_t res;
if (!ASN1_INTEGER_get_int64(&res, a)) {
- CMPerr(0, ASN1_R_INVALID_NUMBER);
+ ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
return -1;
}
if (res < INT_MIN) {
- CMPerr(0, ASN1_R_TOO_SMALL);
+ ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
return -1;
}
if (res > INT_MAX) {
- CMPerr(0, ASN1_R_TOO_LARGE);
+ ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
return -1;
}
return (int)res;
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index ef256e6c72..dd974413c0 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -147,12 +147,12 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
if ((IS_CREP(expected_type) || expected_type == OSSL_CMP_PKIBODY_POLLREP)
&& ctx->total_timeout > 0 /* timeout is not infinite */) {
if (now >= ctx->end_time) {
- CMPerr(0, CMP_R_TOTAL_TIMEOUT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
return 0;
}
if (!ossl_assert(ctx->end_time - time(NULL) < INT_MAX)) {
/* cannot really happen due to the assignment in do_certreq_seq() */
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
time_left = (int)(ctx->end_time - now);
@@ -169,7 +169,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
ctx->msg_timeout = msg_timeout; /* restore original value */
if (*rep == NULL) {
- CMPerr(0, CMP_R_TRANSFER_ERROR); /* or receiving response */
+ ERR_raise(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR); /* or receiving response */
ERR_add_error_data(2, "request sent: ", req_type_str);
ERR_add_error_data(2, ", expected response: ", expected_type_str);
return 0;
@@ -198,7 +198,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
return 1;
/* received message type is not one of the expected ones (e.g., error) */
- CMPerr(0, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR :
+ ERR_raise(ERR_LIB_CMP, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR :
CMP_R_UNEXPECTED_PKIBODY); /* in next line for mkerr.pl */
if (bt != OSSL_CMP_PKIBODY_ERROR) {
@@ -226,7 +226,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OPENSSL_free(text);
}
if (ctx->status != OSSL_CMP_PKISTATUS_rejection) {
- CMPerr(0, CMP_R_UNEXPECTED_PKISTATUS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS);
if (ctx->status == OSSL_CMP_PKISTATUS_waiting)
ctx->status = OSSL_CMP_PKISTATUS_rejection;
}
@@ -276,7 +276,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
/* TODO: handle potentially multiple elements in pollRep */
if (sk_OSSL_CMP_POLLREP_num(prc) > 1) {
- CMPerr(0, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
goto err;
}
pollRep = ossl_cmp_pollrepcontent_get0_pollrep(prc, rid);
@@ -284,12 +284,12 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
goto err;
if (!ASN1_INTEGER_get_int64(&check_after, pollRep->checkAfter)) {
- CMPerr(0, CMP_R_BAD_CHECKAFTER_IN_POLLREP);
+ ERR_raise(ERR_LIB_CMP, CMP_R_BAD_CHECKAFTER_IN_POLLREP);
goto err;
}
if (check_after < 0 || (uint64_t)check_after
> (sleep ? ULONG_MAX / 1000 : INT_MAX)) {
- CMPerr(0, CMP_R_CHECKAFTER_OUT_OF_RANGE);
+ ERR_raise(ERR_LIB_CMP, CMP_R_CHECKAFTER_OUT_OF_RANGE);
if (BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, "value = %jd",
check_after) >= 0)
ERR_add_error_data(1, str);
@@ -300,7 +300,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
if (time_left <= 0) {
- CMPerr(0, CMP_R_TOTAL_TIMEOUT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
goto err;
}
if (time_left < check_after)
@@ -420,7 +420,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
case OSSL_CMP_PKISTATUS_waiting:
ossl_cmp_err(ctx,
"received \"waiting\" status for cert when actually aiming to extract cert");
- CMPerr(0, CMP_R_ENCOUNTERED_WAITING);
+ ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_WAITING);
goto err;
case OSSL_CMP_PKISTATUS_grantedWithMods:
ossl_cmp_warn(ctx, "received \"grantedWithMods\" for certificate");
@@ -430,7 +430,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
/* get all information in case of a rejection before going to error */
case OSSL_CMP_PKISTATUS_rejection:
ossl_cmp_err(ctx, "received \"rejection\" status rather than cert");
- CMPerr(0, CMP_R_REQUEST_REJECTED_BY_SERVER);
+ ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
goto err;
case OSSL_CMP_PKISTATUS_revocationWarning:
ossl_cmp_warn(ctx,
@@ -442,7 +442,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
break;
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
if (bodytype != OSSL_CMP_PKIBODY_KUR) {
- CMPerr(0, CMP_R_ENCOUNTERED_KEYUPDATEWARNING);
+ ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_KEYUPDATEWARNING);
goto err;
}
break;
@@ -450,12 +450,12 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
ossl_cmp_log1(ERROR, ctx,
"received unsupported PKIStatus %d for certificate",
ctx->status);
- CMPerr(0, CMP_R_UNKNOWN_PKISTATUS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS);
goto err;
}
crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey);
if (crt == NULL) /* according to PKIStatus, we can expect a cert */
- CMPerr(0, CMP_R_CERTIFICATE_NOT_FOUND);
+ ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
return crt;
@@ -546,7 +546,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
retry:
crepmsg = (*resp)->body->value.ip; /* same for cp and kup */
if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) {
- CMPerr(0, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
return 0;
}
/* TODO: handle potentially multiple CertResponses in CertRepMsg */
@@ -559,7 +559,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
/* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */
rid = ossl_cmp_asn1_get_int(crep->certReqId);
if (rid == -1) {
- CMPerr(0, CMP_R_BAD_REQUEST_ID);
+ ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
}
@@ -572,7 +572,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return ret; /* waiting */
goto retry; /* got ip/cp/kup, which may still indicate 'waiting' */
} else {
- CMPerr(0, CMP_R_POLLING_FAILED);
+ ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED);
return 0;
}
}
@@ -633,7 +633,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
/* not throwing failure earlier as transfer_cb may call ERR_clear_error() */
if (fail_info != 0) {
- CMPerr(0, CMP_R_CERTIFICATE_NOT_ACCEPTED);
+ ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED);
ERR_add_error_data(2, "rejecting newly enrolled cert with subject: ",
subj);
if (txt != NULL)
@@ -655,7 +655,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
int res = 0;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -712,11 +712,11 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
X509 *result = NULL;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (is_p10 && crm != NULL) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return NULL;
}
@@ -757,11 +757,11 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
X509 *result = NULL;
if (ctx == NULL) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
if (ctx->oldCert == NULL) {
- CMPerr(0, CMP_R_MISSING_REFERENCE_CERT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return 0;
}
ctx->status = -1;
@@ -776,12 +776,12 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
rrep = rp->body->value.rp;
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) {
- CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
goto end;
}
#else
if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) {
- CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
goto end;
}
#endif
@@ -800,7 +800,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
result = ctx->oldCert;
break;
case OSSL_CMP_PKISTATUS_rejection:
- CMPerr(0, CMP_R_REQUEST_REJECTED_BY_SERVER);
+ ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
goto err;
case OSSL_CMP_PKISTATUS_revocationWarning:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)");
@@ -814,10 +814,10 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
break;
case OSSL_CMP_PKISTATUS_waiting:
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
- CMPerr(0, CMP_R_UNEXPECTED_PKISTATUS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS);
goto err;
default:
- CMPerr(0, CMP_R_UNKNOWN_PKISTATUS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS);
goto err;
}
@@ -830,7 +830,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
- CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
result = NULL;
goto err;
}
@@ -840,7 +840,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
}
if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- CMPerr(0, CMP_R_WRONG_CERTID_IN_RP);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP);
result = NULL;
goto err;
#endif
@@ -848,7 +848,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
if (ASN1_INTEGER_cmp(serial,
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- CMPerr(0, CMP_R_WRONG_SERIAL_IN_RP);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP);
result = NULL;
goto err;
#endif
@@ -857,7 +857,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
/* check number of any optionally present crls */
if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) {
- CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
result = NULL;
goto err;
}
@@ -880,7 +880,7 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
STACK_OF(OSSL_CMP_ITAV) *rcvd_itavs = NULL;
if (ctx == NULL) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 97d76f0223..e1b4e50ea9 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -27,7 +27,7 @@
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->trusted;
@@ -41,7 +41,7 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
X509_STORE_free(ctx->trusted);
@@ -53,7 +53,7 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->untrusted;
@@ -67,7 +67,7 @@ int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
STACK_OF(X509) *untrusted;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if ((untrusted = sk_X509_new_null()) == NULL)
@@ -89,7 +89,7 @@ static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
/* fetching in advance to be able to throw error early if unsupported */
if (md == NULL) {
- CMPerr(0, CMP_R_UNSUPPORTED_ALGORITHM);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
return 0;
}
EVP_MD_free(*pmd);
@@ -138,7 +138,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
err:
OSSL_CMP_CTX_free(ctx);
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -146,7 +146,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -233,7 +233,7 @@ int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status)
int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
return ctx->status;
@@ -246,7 +246,7 @@ int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->statusString;
@@ -275,7 +275,7 @@ int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->certConf_cb = cb;
@@ -289,7 +289,7 @@ int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->certConf_cb_arg = arg;
@@ -304,7 +304,7 @@ int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->certConf_cb_arg;
@@ -398,7 +398,7 @@ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->log_cb = cb;
@@ -429,7 +429,7 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref,
@@ -442,7 +442,7 @@ int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
{
ASN1_OCTET_STRING *secretValue = NULL;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
@@ -459,7 +459,7 @@ int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (ctx->newChain == NULL)
@@ -487,7 +487,7 @@ int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (ctx->extraCertsIn == NULL)
@@ -520,7 +520,7 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -538,7 +538,7 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
{
if (ctx == NULL || pinfo == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -553,7 +553,7 @@ int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
@@ -563,7 +563,7 @@ int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
@@ -577,7 +577,7 @@ int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (ctx->caPubs == NULL)
@@ -609,7 +609,7 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
TYPE *val_dup = NULL; \
\
if (ctx == NULL) { \
- CMPerr(0, CMP_R_NULL_ARGUMENT); \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
\
@@ -626,13 +626,13 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
{ \
if (ctx == NULL) { \
- CMPerr(0, CMP_R_NULL_ARGUMENT); \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
\
/* prevent misleading error later on malformed cert or provider issue */ \
if (val != NULL && TYPE##_invalid(val)) { \
- CMPerr(0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
+ ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
return 0; \
} \
if (val != NULL && !TYPE##_up_ref(val)) \
@@ -668,13 +668,13 @@ DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
&& X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
- CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
return 0;
}
sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
@@ -686,7 +686,7 @@ int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
/* if one of the following conditions 'fail' this is not an error */
@@ -705,12 +705,12 @@ int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
GENERAL_NAME *name_dup;
if (ctx == NULL || name == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
- CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
return 0;
}
@@ -738,7 +738,7 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
STACK_OF(X509) *chain;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -752,7 +752,7 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
ctx->untrusted, ctx->cert);
if (chain == NULL) {
- CMPerr(0, CMP_R_FAILED_BUILDING_OWN_CHAIN);
+ ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
return 0;
}
ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
@@ -792,7 +792,7 @@ int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->newCert;
@@ -805,7 +805,7 @@ DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -819,7 +819,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
@@ -835,7 +835,7 @@ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
@@ -855,7 +855,7 @@ int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
@@ -874,7 +874,7 @@ DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->http_cb = cb;
@@ -885,7 +885,7 @@ int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->http_cb_arg = arg;
@@ -899,7 +899,7 @@ int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->http_cb_arg;
@@ -909,7 +909,7 @@ void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->transfer_cb = cb;
@@ -920,7 +920,7 @@ int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->transfer_cb_arg = arg;
@@ -934,7 +934,7 @@ int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->transfer_cb_arg;
@@ -944,7 +944,7 @@ void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->serverPort = port;
@@ -970,7 +970,7 @@ int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
return ctx->failInfoCode;
@@ -982,7 +982,7 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
int min_val;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
@@ -998,14 +998,14 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
break;
}
if (val < min_val) {
- CMPerr(0, CMP_R_VALUE_TOO_SMALL);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
return 0;
}
switch (opt) {
case OSSL_CMP_OPT_LOG_VERBOSITY:
if (val > OSSL_CMP_LOG_MAX) {
- CMPerr(0, CMP_R_VALUE_TOO_LARGE);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->log_verbosity = val;
@@ -1039,7 +1039,7 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
break;
case OSSL_CMP_OPT_POPO_METHOD:
if (val > OSSL_CRMF_POPO_KEYAGREE) {
- CMPerr(0, CMP_R_VALUE_TOO_LARGE);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->popoMethod = val;
@@ -1066,13 +1066,13 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
break;
case OSSL_CMP_OPT_REVOCATION_REASON:
if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
- CMPerr(0, CMP_R_VALUE_TOO_LARGE);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->revocationReason = val;
break;
default:
- CMPerr(0, CMP_R_INVALID_OPTION);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
return 0;
}
@@ -1086,7 +1086,7 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
@@ -1128,7 +1128,7 @@ int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
case OSSL_CMP_OPT_REVOCATION_REASON:
return ctx->revocationReason;
default:
- CMPerr(0, CMP_R_INVALID_OPTION);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
return -1;
}
}
diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 947f984505..5882d9c9de 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -50,7 +50,7 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const
OSSL_CMP_PKIHEADER *hdr)
{
if (hdr == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return hdr->transactionID;
@@ -66,7 +66,7 @@ ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr)
ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr)
{
if (hdr == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return hdr->recipNonce;
@@ -147,7 +147,7 @@ static int set_random(ASN1_OCTET_STRING **tgt, OSSL_CMP_CTX *ctx, size_t len)
int res = 0;
if (bytes == NULL || RAND_bytes_ex(ctx->libctx, bytes, len) <= 0)
- CMPerr(0, CMP_R_FAILURE_OBTAINING_RANDOM);
+ ERR_raise(ERR_LIB_CMP, CMP_R_FAILURE_OBTAINING_RANDOM);
else
res = ossl_cmp_asn1_octet_string_set1_bytes(tgt, bytes, len);
OPENSSL_free(bytes);
diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c
index 33b5f6af7a..215c47c7c5 100644
--- a/crypto/cmp/cmp_http.c
+++ b/crypto/cmp/cmp_http.c
@@ -42,7 +42,7 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
OSSL_CMP_MSG *res;
if (ctx == NULL || req == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 2333b0bc2b..eff093c6b5 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -24,7 +24,7 @@
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
{
if (msg == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return msg->header;
@@ -118,7 +118,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
case OSSL_CMP_PKIBODY_P10CR:
if (ctx->p10CSR == NULL) {
- CMPerr(0, CMP_R_MISSING_P10CSR);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
goto err;
}
if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
@@ -173,7 +173,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
return msg;
default:
- CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
goto err;
}
@@ -219,12 +219,12 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
rkey = ctx->pkey; /* default is independent of ctx->oldCert */