authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2023-04-28 13:45:21 +0200
committerDr. David von Oheimb <dev@ddvo.net>2023-12-21 23:06:42 +0100
commitbedffe1731e8c587d3d854e05535175863447dc3 (patch)
treedacd36294473787f970bd0587d0472e268bc1093 /crypto/cmp
parent192bfec487b27ee9398138ce5f0c5b00f536dc95 (diff)
crypto/cmp/,apps/lib/cmp_mock_srv.c: various improvements on delayed delivery
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20727)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_client.c60
-rw-r--r--crypto/cmp/cmp_err.c4
-rw-r--r--crypto/cmp/cmp_msg.c3
-rw-r--r--crypto/cmp/cmp_server.c84
-rw-r--r--crypto/cmp/cmp_vfy.c5
5 files changed, 79 insertions, 77 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index cf352c9d71..23b3a8bd05 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -113,7 +113,7 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si)
return 1;
}
-static int is_crep_with_waiting(OSSL_CMP_MSG *resp, int rid)
+static int is_crep_with_waiting(const OSSL_CMP_MSG *resp, int rid)
{
OSSL_CMP_CERTREPMESSAGE *crepmsg;
OSSL_CMP_CERTRESPONSE *crep;
@@ -210,11 +210,11 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
return 0;
/*
- * 'rep' can have the expected response type, which during polling is
- * pollRep. When polling, also any other non-error response (the final
- * response) is fine here. When not yet polling, delayed delivery may
- * be started by an error with 'waiting' status (while it may also be
- * started by an expected response type ip/cp/kup).
+ * rep can have the expected response type, which during polling is pollRep.
+ * When polling, also any other non-error response (the final response)
+ * is fine here. When not yet polling, delayed delivery may be initiated
+ * by the server returning an error message with 'waiting' status (or a
+ * response message of expected type ip/cp/kup with 'waiting' status).
*/
if (bt == expected_type
|| (expected_type == OSSL_CMP_PKIBODY_POLLREP
@@ -272,8 +272,8 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
* Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value.
* Returns 1 on success and provides the received PKIMESSAGE in *rep.
* In this case the caller is responsible for freeing *rep.
- * Returns 0 on error (which includes the case that timeout has been reached or
- * received response with waiting status).
+ * Returns 0 on error (which includes the cases that timeout has been reached
+ * or a response with 'waiting' status has been received).
*/
static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
OSSL_CMP_MSG **rep, int *checkAfter)
@@ -364,7 +364,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
}
} else if (is_crep_with_waiting(prep, rid)
|| ossl_cmp_is_error_with_waiting(prep)) {
- /* status cannot be 'waiting' at this point */
+ /* received status must not be 'waiting' */
(void)ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
OSSL_CMP_CTX_FAILINFO_badRequest,
"polling already started",
@@ -393,12 +393,12 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
}
static int save_senderNonce_if_waiting(OSSL_CMP_CTX *ctx,
- OSSL_CMP_MSG *rep, int rid)
+ const OSSL_CMP_MSG *rep, int rid)
{
/*
- * LWCMP section 4.4 states: the senderNonce of the preceding request
- * message because this value will be needed for checking the recipNonce
- * of the final response to be received after polling.
+ * Lightweight CMP Profile section 4.4 states: the senderNonce of the
+ * preceding request message because this value will be needed for checking
+ * the recipNonce of the final response to be received after polling.
*/
if ((is_crep_with_waiting(rep, rid)
|| ossl_cmp_is_error_with_waiting(rep))
@@ -409,8 +409,8 @@ static int save_senderNonce_if_waiting(OSSL_CMP_CTX *ctx,
}
/*
- * send request and get response possibly with polling initiated by error msg.
- * Polling for ip/cp/kup/ with 'waiting' status is handled elsewhere.
+ * Send request and get response possibly with polling initiated by error msg.
+ * Polling for ip/cp/kup/ with 'waiting' status is handled by cert_response().
*/
static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **rep, int expected_type)
@@ -420,12 +420,9 @@ static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
return 0;
if (ossl_cmp_is_error_with_waiting(*rep)) {
- if (!save_senderNonce_if_waiting(ctx, *rep, -1 /* rid */))
+ if (!save_senderNonce_if_waiting(ctx, *rep, OSSL_CMP_CERTREQID_NONE))
return 0;
- /*
- * not modifying ctx->status during the certConf & error exchange,
- * because these additional exchanges should not change the status.
- */
+ /* not modifying ctx->status during certConf and error exchanges */
if (expected_type != OSSL_CMP_PKIBODY_PKICONF
&& !save_statusInfo(ctx, (*rep)->body->value.error->pKIStatusInfo))
return 0;
@@ -433,7 +430,7 @@ static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_MSG_free(*rep);
*rep = NULL;
- if (poll_for_response(ctx, 1 /* can sleep */, -1 /* rid */,
+ if (poll_for_response(ctx, 1 /* can sleep */, OSSL_CMP_CERTREQID_NONE,
rep, NULL /* checkAfter */) <= 0) {
ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED);
return 0;
@@ -462,8 +459,8 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
if (certConf == NULL)
goto err;
- res = send_receive_also_delayed(ctx, certConf,
- &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
+ res = send_receive_also_delayed(ctx, certConf, &PKIconf,
+ OSSL_CMP_PKIBODY_PKICONF);
err:
OSSL_CMP_MSG_free(certConf);
@@ -683,10 +680,10 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return 0;
si = crep->status;
- if (rid == OSSL_CMP_CERTREQID_NONE) {
+ if (rid == OSSL_CMP_CERTREQID_NONE) {
/* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */
rid = ossl_cmp_asn1_get_int(crep->certReqId);
- if (rid == OSSL_CMP_CERTREQID_NONE) {
+ if (rid != OSSL_CMP_CERTREQID_NONE) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
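Review bot: The context comment `/* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */` no longer matches the corrected check beneath it: with `rid != OSSL_CMP_CERTREQID_NONE` the only value accepted for a p10cr response is OSSL_CMP_CERTREQID_NONE itself, so nothing is "learned" and every other value is rejected with CMP_R_BAD_REQUEST_ID. That presumably also covers a decode failure from ossl_cmp_asn1_get_int(), whose error return is not visible in this hunk, but the comment should say what the check enforces rather than what the old code attempted. I would reword it to `/* for OSSL_CMP_PKIBODY_P10CR the response's certReqId must be OSSL_CMP_CERTREQID_NONE */`. The enclosing cert_response() starts and ends outside this hunk.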
@@ -702,7 +699,11 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return 0;
if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting) {
- /* here we allow different flavor of ip/cp/kup & error with waiting */
+ /*
+ * Here we allow both and error message with waiting indication
+ * as well as a certificate response with waiting indication, where
+ * its flavor (ip, cp, or kup) may not strictly match ir/cr/p10cr/kur.
+ */
OSSL_CMP_MSG_free(*resp);
*resp = NULL;
if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) {
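Review bot: The new comment has a typo and an ambiguity: "we allow both and error message" should read "both an error message", and "may not strictly match" can be read as "must not match" when the code below (the strict `rcvd_type != expected_type` check is applied only after polling) means the flavor is merely not required to match. I would write the three lines as `* Here we allow both an error message with waiting indication and a`, `* certificate response with waiting indication, whose flavor (ip, cp, or kup)`, `* is not required to strictly match the request type ir/cr/p10cr/kur.`. The `if ((ret = poll_for_response(...)) != 0)` block and cert_response() itself continue outside this hunk.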
@@ -715,12 +716,12 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
}
}
- /* at this point, ip/cp/kup or error without waiting */
+ /* at this point, we have received ip/cp/kup/error without waiting */
if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) {
ERR_raise(ERR_LIB_CMP, CMP_R_RECEIVED_ERROR);
return 0;
}
- /* here we are strict on the flavor of ip/cp/kup */
+ /* here we are strict on the flavor of ip/cp/kup: must match request */
if (rcvd_type != expected_type) {
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
return 0;
@@ -738,8 +739,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
* if the CMP server returned certificates in the caPubs field, copy them
* to the context so that they can be retrieved if necessary
*/
- if (crepmsg != NULL
- && crepmsg->caPubs != NULL
+ if (crepmsg != NULL && crepmsg->caPubs != NULL
&& !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs))
return 0;
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index c4d5c97f9e..6c2588d4d4 100644
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -76,6 +76,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
"error validating protection"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_VALIDATING_SIGNATURE),
"error validating signature"},
+ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_EXPECTED_POLLREQ), "expected pollreq"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_FAILED_BUILDING_OWN_CHAIN),
"failed building own chain"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_FAILED_EXTRACTING_PUBKEY),
@@ -149,6 +150,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PKIBODY), "unexpected pkibody"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PKISTATUS),
"unexpected pkistatus"},
+ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_POLLREQ), "unexpected pollreq"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PVNO), "unexpected pvno"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_ALGORITHM_ID),
"unknown algorithm id"},
@@ -158,6 +160,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
"unsupported algorithm"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNSUPPORTED_KEY_TYPE),
"unsupported key type"},
+ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNSUPPORTED_PKIBODY),
+ "unsupported pkibody"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC),
"unsupported protection alg dhbasedmac"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_VALUE_TOO_LARGE), "value too large"},
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 1b9e275d7a..2b421ee83b 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -984,8 +984,7 @@ static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
return 1;
trid = ossl_cmp_asn1_get_int(certReqId);
-
- if (trid == OSSL_CMP_CERTREQID_NONE) {
+ if (trid < OSSL_CMP_CERTREQID_NONE) {
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
return 0;
}
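Review bot: The relaxed comparison `trid < OSSL_CMP_CERTREQID_NONE` silently relies on ossl_cmp_asn1_get_int() reporting a decode failure with a value strictly below -1 (presumably OSSL_CMP_CERTREQID_INVALID, which the server side of this commit starts using), while a plain -1 is now accepted as a legitimate p10cr request ID; nothing in the hunk records that contract, so a future change to that helper's error value would quietly turn malformed certReqIds into matches. If that is indeed the helper's contract, I would add above the check `/* a value below OSSL_CMP_CERTREQID_NONE signals a decode failure in ossl_cmp_asn1_get_int() */`. suitable_rid() starts and ends outside this hunk.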
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 1e3ca15e89..f8dd03e69a 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -22,9 +22,9 @@
/* the context for the generic CMP server */
struct ossl_cmp_srv_ctx_st
{
- void *custom_ctx; /* pointer to application-specific server context */
- OSSL_CMP_CTX *ctx; /* Client CMP context, reusing transactionID etc. */
- int certReqId; /* id of last ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */
+ OSSL_CMP_CTX *ctx; /* CMP client context reused for transactionID etc. */
+ void *custom_ctx; /* application-specific server context */
+ int certReqId; /* of ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */
OSSL_CMP_SRV_cert_request_cb_t process_cert_request;
OSSL_CMP_SRV_rr_cb_t process_rr;
@@ -32,8 +32,8 @@ struct ossl_cmp_srv_ctx_st
OSSL_CMP_SRV_error_cb_t process_error;
OSSL_CMP_SRV_certConf_cb_t process_certConf;
OSSL_CMP_SRV_pollReq_cb_t process_pollReq;
- OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction;
OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery;
+ OSSL_CMP_SRV_clean_transaction_cb_t clean_transaction;
int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */
int acceptUnprotected; /* Accept requests with no/invalid prot. */
@@ -91,16 +91,16 @@ int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
return 1;
}
-int OSSL_CMP_SRV_CTX_setup_polling(OSSL_CMP_SRV_CTX *srv_ctx,
- OSSL_CMP_SRV_reset_transaction_cb_t reset_transaction,
- OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery)
+int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx,
+ OSSL_CMP_SRV_delayed_delivery_cb_t delay,
+ OSSL_CMP_SRV_clean_transaction_cb_t clean)
{
if (srv_ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
- srv_ctx->reset_transaction = reset_transaction;
- srv_ctx->delayed_delivery = delayed_delivery;
+ srv_ctx->delayed_delivery = delay;
+ srv_ctx->clean_transaction = clean;
return 1;
}
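Review bot: The public OSSL_CMP_SRV_CTX_init_trans() has no doc comment, and from its body a caller cannot tell that both callbacks are optional or that the two uses of `clean` later in this file differ in consequence: a 0 return when a new transaction starts aborts request processing with CMP_R_ERROR_PROCESSING_MESSAGE, whereas at transaction close the return value is ignored. I would add a short comment above the function stating that either callback may be NULL, that `delay` decides whether a request is answered with delayed delivery, and that `clean` is invoked with NULL before a new transaction and with the transactionID when one closes, its result mattering only in the former case. This also renames the public symbol OSSL_CMP_SRV_CTX_setup_polling(); if that name was ever part of a released API, the rename is a source-level break worth a CHANGES entry.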
@@ -164,13 +164,13 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
return 1;
}
-/* Return error msg with waiting status if polling is initiated, else NULL. */
+/* return error msg with waiting status if polling is initiated, else NULL */
static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *req)
{
- OSSL_CMP_MSG *msg = NULL;
- OSSL_CMP_PKISI *si = NULL;
int ret;
+ OSSL_CMP_PKISI *si;
+ OSSL_CMP_MSG *msg;
if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL
&& srv_ctx->delayed_delivery != NULL))
@@ -180,8 +180,8 @@ static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
if (ret == 0 || !ossl_assert(ret != -1))
return NULL;
- if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL))
- == NULL)
+ si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
+ if (si == NULL)
return NULL;
msg = ossl_cmp_error_new(srv_ctx->ctx, si, 0,
@@ -236,15 +236,14 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
return NULL;
}
-
- if ((crm = sk_OSSL_CRMF_MSG_value(reqs, OSSL_CMP_CERTREQID)) == NULL) {
+ if ((crm = sk_OSSL_CRMF_MSG_value(reqs, 0)) == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND);
return NULL;
}
certReqId = OSSL_CRMF_MSG_get_certReqId(crm);
- if (certReqId != OSSL_CMP_CERTREQID) {
+ if (certReqId != OSSL_CMP_CERTREQID) { /* so far, only possible value */
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
- return 0;
+ return NULL;
}
}
srv_ctx->certReqId = certReqId;
@@ -306,9 +305,8 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
return NULL;
}
-
- if ((details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr,
- OSSL_CMP_REVREQSID)) == NULL) {
+ details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr, 0);
+ if (details == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
return NULL;
}
@@ -397,7 +395,7 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
} else {
if (num > 1)
ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored");
- status = sk_OSSL_CMP_CERTSTATUS_value(ccc, OSSL_CMP_CERTREQID);
+ status = sk_OSSL_CMP_CERTSTATUS_value(ccc, 0);
}
if (status != NULL) {
@@ -428,7 +426,7 @@ static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
return msg;
}
-/* pollreq should be handled separately, to avoid recursive call */
+/* pollReq is handled separately, to avoid recursive call */
static OSSL_CMP_MSG *process_non_polling_request(OSSL_CMP_SRV_CTX *srv_ctx,
const OSSL_CMP_MSG *req)
{
@@ -444,38 +442,41 @@ static OSSL_CMP_MSG *process_non_polling_request(OSSL_CMP_SRV_CTX *srv_ctx,
case OSSL_CMP_PKIBODY_P10CR:
case OSSL_CMP_PKIBODY_KUR:
if (srv_ctx->process_cert_request == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_cert_request(srv_ctx, req);
break;
case OSSL_CMP_PKIBODY_RR:
if (srv_ctx->process_rr == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_rr(srv_ctx, req);
break;
case OSSL_CMP_PKIBODY_GENM:
if (srv_ctx->process_genm == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_genm(srv_ctx, req);
break;
case OSSL_CMP_PKIBODY_ERROR:
if (srv_ctx->process_error == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_error(srv_ctx, req);
break;
case OSSL_CMP_PKIBODY_CERTCONF:
if (srv_ctx->process_certConf == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_certConf(srv_ctx, req);
break;
- default:
- /* Other request message types are not supported */
+
+ case OSSL_CMP_PKIBODY_POLLREQ:
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
break;
+ default:
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
+ break;
}
return rsp;
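Review bot: The blank line inserted between the certConf case's `break;` and `case OSSL_CMP_PKIBODY_POLLREQ:` is inconsistent with every other case in this switch, which are separated by `break;` alone; I would drop it. Since the POLLREQ case exists only to flag a dispatch error (OSSL_CMP_SRV_process_request() routes pollReq elsewhere, as the hunk at line 405 shows), a one-line comment on the case would help a reader who lands here: `/* pollReq is dispatched in OSSL_CMP_SRV_process_request(); reaching it here is a caller bug */`. process_non_polling_request() starts before this hunk and its closing brace is outside it.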
@@ -500,12 +501,8 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
- pr = sk_OSSL_CMP_POLLREQ_value(prc, OSSL_CMP_CERTREQID);
+ pr = sk_OSSL_CMP_POLLREQ_value(prc, 0);
certReqId = ossl_cmp_asn1_get_int(pr->certReqId);
- if (certReqId != srv_ctx->certReqId) {
- ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
- return NULL;
- }
if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
&orig_req, &check_after))
return NULL;
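Review bot: Removing the `certReqId != srv_ctx->certReqId` comparison means the library no longer validates a pollReq's certReqId at all: the value decoded by ossl_cmp_asn1_get_int() is handed straight to process_pollReq(), including whatever negative sentinel that helper returns on a malformed or out-of-range integer, and the OSSL_CMP_CERTREQID_INVALID that this commit stores at transaction close is never consulted here. Presumably the check moved into the callback (the mock server named in the title is outside this diffstat), but that makes every application-supplied process_pollReq callback responsible for it, which the library API should at least state. At minimum I would keep the decode-failure guard in the library, mirroring the new suitable_rid() check in cmp_msg.c: `if (certReqId < OSSL_CMP_CERTREQID_NONE) { ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); return NULL; }` placed before the callback is invoked. process_pollReq() starts and ends outside this hunk.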
@@ -604,8 +601,11 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
|| !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
goto err;
- if (srv_ctx->reset_transaction != NULL)
- (void)srv_ctx->reset_transaction(srv_ctx);
+ if (srv_ctx->clean_transaction != NULL
+ && !srv_ctx->clean_transaction(srv_ctx, NULL)) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
+ goto err;
+ }
break;
default:
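Review bot: The NULL second argument to `clean_transaction` is unexplained at the call site, and the contrast with the other call in this file, which passes `ctx->transactionID` and ignores the result, suggests NULL means "no transaction in particular, clear any stale state before the new one starts" — but that is inference, not something the hunk shows. I would add a line above the call such as `/* NULL: no specific transaction; let the app discard stale state before a new one starts -- confirm against the callback's documented contract */`. OSSL_CMP_SRV_process_request() starts and ends outside this hunk.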
@@ -628,7 +628,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
if (req_type == OSSL_CMP_PKIBODY_POLLREQ) {
if (srv_ctx->process_pollReq == NULL)
- ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
else
rsp = process_pollReq(srv_ctx, req);
} else {
@@ -693,8 +693,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
/* fall through */
case OSSL_CMP_PKIBODY_ERROR:
- if (rsp != NULL
- && ossl_cmp_is_error_with_waiting(rsp))
+ if (rsp != NULL && ossl_cmp_is_error_with_waiting(rsp))
break;
/* fall through */
@@ -702,12 +701,13 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
case OSSL_CMP_PKIBODY_PKICONF:
case OSSL_CMP_PKIBODY_GENP:
/* Other terminating response message types are not supported */
+ srv_ctx->certReqId = OSSL_CMP_CERTREQID_INVALID;
/* Prepare for next transaction, ignoring any errors here: */
+ if (srv_ctx->clean_transaction != NULL)
+ (void)srv_ctx->clean_transaction(srv_ctx, ctx->transactionID);
(void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
(void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */
- if (srv_ctx->reset_transaction != NULL)
- (void)srv_ctx->reset_transaction(srv_ctx);
default: /* not closing transaction in other cases */
break;
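Review bot: The new `srv_ctx->certReqId = OSSL_CMP_CERTREQID_INVALID;` lands directly beneath the pre-existing comment `/* Other terminating response message types are not supported */`, which now reads as if it described the assignment, while the assignment really belongs with the "Prepare for next transaction" steps below it. I would move the assignment after the `/* Prepare for next transaction, ignoring any errors here: */` line so that the four close-out steps (certReqId, clean_transaction, transactionID, senderNonce) sit together under that comment. Calling clean_transaction with `ctx->transactionID` before the ID is cleared is the right order; the enclosing switch and function continue outside this hunk.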
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 8d4de1017d..5944b43526 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -787,8 +787,8 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
return 0;
/*
- * enable clearing irrelevant errors in attempts to validate recipient nonce
- * in case of delayed delivery.
+ * enable clearing irrelevant errors
+ * in attempts to validate recipient nonce in case of delayed delivery.
*/
(void)ERR_set_mark();
/* compare received nonce with the one we sent */
@@ -805,7 +805,6 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
return 0;
}
}
- /* discard any intermediate error while trying to check recipient nonce */
(void)ERR_pop_to_mark();
/* if not yet present, learn transactionID */