authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2019-08-10 14:07:22 +0200
committerMatt Caswell <matt@openssl.org>2019-09-27 10:53:11 +0100
commit7960dbec6801c1c98c848b81ca00e73625e8970b (patch)
tree58045a9618ce5668f8b95b966810a35b3285deb3 /crypto/crmf
parent0c452a51a5dfe061e5080ae484f1cd06772d8f47 (diff)
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI. Adds extensive man pages and tests. Integration into build scripts. Incremental pull request based on OpenSSL commit 8869ad4a39f of 2019-04-02. 4th chunk: CMP context/parameters and utilities in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9107)
Diffstat (limited to 'crypto/crmf')
-rw-r--r--crypto/crmf/crmf_int.h38
-rw-r--r--crypto/crmf/crmf_lib.c113
-rw-r--r--crypto/crmf/crmf_pbm.c16
3 files changed, 73 insertions, 94 deletions
diff --git a/crypto/crmf/crmf_int.h b/crypto/crmf/crmf_int.h
index b76205784b..54f9a4a225 100644
--- a/crypto/crmf/crmf_int.h
+++ b/crypto/crmf/crmf_int.h
@@ -42,7 +42,7 @@
* -- the encrypted value itself
* }
*/
-struct OSSL_crmf_encryptedvalue_st {
+struct ossl_crmf_encryptedvalue_st {
X509_ALGOR *intendedAlg; /* 0 */
X509_ALGOR *symmAlg; /* 1 */
ASN1_BIT_STRING *encSymmKey; /* 2 */
@@ -62,7 +62,7 @@ struct OSSL_crmf_encryptedvalue_st {
* attributes [0] IMPLICIT Attributes OPTIONAL
* }
*/
-typedef struct OSSL_crmf_privatekeyinfo_st {
+typedef struct ossl_crmf_privatekeyinfo_st {
ASN1_INTEGER *version;
X509_ALGOR *privateKeyAlgorithm;
ASN1_OCTET_STRING *privateKey;
@@ -82,7 +82,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
* } OPTIONAL
* }
*/
-typedef struct OSSL_crmf_enckeywithid_identifier_st {
+typedef struct ossl_crmf_enckeywithid_identifier_st {
int type;
union {
ASN1_UTF8STRING *string;
@@ -91,7 +91,7 @@ typedef struct OSSL_crmf_enckeywithid_identifier_st {
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
-typedef struct OSSL_crmf_enckeywithid_st {
+typedef struct ossl_crmf_enckeywithid_st {
OSSL_CRMF_PRIVATEKEYINFO *privateKey;
/* [0] */
OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
@@ -104,7 +104,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
* serialNumber INTEGER
* }
*/
-struct OSSL_crmf_certid_st {
+struct ossl_crmf_certid_st {
GENERAL_NAME *issuer;
ASN1_INTEGER *serialNumber;
} /* OSSL_CRMF_CERTID */;
@@ -120,7 +120,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
* pubLocation GeneralName OPTIONAL
* }
*/
-struct OSSL_crmf_singlepubinfo_st {
+struct ossl_crmf_singlepubinfo_st {
ASN1_INTEGER *pubMethod;
GENERAL_NAME *pubLocation;
} /* OSSL_CRMF_SINGLEPUBINFO */;
@@ -139,7 +139,7 @@ typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
* -- "dontCare" is assumed)
* }
*/
-struct OSSL_crmf_pkipublicationinfo_st {
+struct ossl_crmf_pkipublicationinfo_st {
ASN1_INTEGER *action;
OSSL_CRMF_PUBINFOS *pubInfos;
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
@@ -153,7 +153,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
* value BIT STRING
* }
*/
-typedef struct OSSL_crmf_pkmacvalue_st {
+typedef struct ossl_crmf_pkmacvalue_st {
X509_ALGOR *algId;
ASN1_BIT_STRING *value;
} OSSL_CRMF_PKMACVALUE;
@@ -182,7 +182,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
* }
*/
-typedef struct OSSL_crmf_popoprivkey_st {
+typedef struct ossl_crmf_popoprivkey_st {
int type;
union {
ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
@@ -211,7 +211,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
* -- or HMAC [HMAC, RFC2202])
* }
*/
-struct OSSL_crmf_pbmparameter_st {
+struct ossl_crmf_pbmparameter_st {
ASN1_OCTET_STRING *salt;
X509_ALGOR *owf;
ASN1_INTEGER *iterationCount;
@@ -233,7 +233,7 @@ struct OSSL_crmf_pbmparameter_st {
* publicKey SubjectPublicKeyInfo -- from CertTemplate
* }
*/
-typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
+typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
int type;
union {
/* 0 */ GENERAL_NAME *sender;
@@ -242,7 +242,7 @@ typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
-typedef struct OSSL_crmf_poposigningkeyinput_st {
+typedef struct ossl_crmf_poposigningkeyinput_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
X509_PUBKEY *publicKey;
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
@@ -255,7 +255,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
* signature BIT STRING
* }
*/
-struct OSSL_crmf_poposigningkey_st {
+struct ossl_crmf_poposigningkey_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
X509_ALGOR *algorithmIdentifier;
ASN1_BIT_STRING *signature;
@@ -272,7 +272,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
* keyAgreement [3] POPOPrivKey
* }
*/
-typedef struct OSSL_crmf_popo_st {
+typedef struct ossl_crmf_popo_st {
int type;
union {
ASN1_NULL *raVerified; /* 0 */
@@ -289,7 +289,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
* notAfter [1] Time OPTIONAL -- at least one MUST be present
* }
*/
-struct OSSL_crmf_optionalvalidity_st {
+struct ossl_crmf_optionalvalidity_st {
/* 0 */ ASN1_TIME *notBefore;
/* 1 */ ASN1_TIME *notAfter;
} /* OSSL_CRMF_OPTIONALVALIDITY */;
@@ -309,7 +309,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
* extensions [9] Extensions OPTIONAL
* }
*/
-struct OSSL_crmf_certtemplate_st {
+struct ossl_crmf_certtemplate_st {
ASN1_INTEGER *version; /* 0 */
ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */
/* This field is assigned by the CA during certificate creation */
@@ -333,7 +333,7 @@ struct OSSL_crmf_certtemplate_st {
* controls Controls OPTIONAL -- Attributes affecting issuance
* }
*/
-struct OSSL_crmf_certrequest_st {
+struct ossl_crmf_certrequest_st {
ASN1_INTEGER *certReqId;
OSSL_CRMF_CERTTEMPLATE *certTemplate;
/* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
@@ -343,7 +343,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
/* TODO: isn't there a better way to have this for ANY type? */
-struct OSSL_crmf_attributetypeandvalue_st {
+struct ossl_crmf_attributetypeandvalue_st {
ASN1_OBJECT *type;
union {
/* NID_id_regCtrl_regToken */
@@ -383,7 +383,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
* regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
* }
*/
-struct OSSL_crmf_msg_st {
+struct ossl_crmf_msg_st {
OSSL_CRMF_CERTREQUEST *certReq;
/* 0 */
OSSL_CRMF_POPO *popo;
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 2974341446..85444017ff 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -82,16 +82,14 @@ static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
if (crm->certReq->controls == NULL) {
crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->certReq->controls == NULL)
- goto oom;
+ goto err;
new = 1;
}
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
- goto oom;
+ goto err;
return 1;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL, ERR_R_MALLOC_FAILURE);
-
+ err:
if (new != 0) {
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
crm->certReq->controls = NULL;
@@ -136,16 +134,9 @@ int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(
if (pi->pubInfos == NULL)
pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
if (pi->pubInfos == NULL)
- goto oom;
-
- if (!sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi))
- goto oom;
- return 1;
+ return 0;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO,
- ERR_R_MALLOC_FAILURE);
- return 0;
+ return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
}
int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(
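Review bot: The new tail `return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);` changes the success value of OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo, because the stack push returns the element count after insertion rather than 1. The removed code returned exactly 1, so a caller that tests `== 1` would treat the second and later pushes as failures. Normalising the result keeps the 1/0 contract of the other push0 helpers in this file: `return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi) > 0;`. The function's opening lines are outside this hunk, so any documented return contract there should be checked against this.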
@@ -180,20 +171,19 @@ OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
}
if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
- goto oom;
+ goto err;
if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
- goto oom;
+ goto err;
cid->issuer->type = GEN_DIRNAME;
ASN1_INTEGER_free(cid->serialNumber);
if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
- goto oom;
+ goto err;
return cid;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_CERTID_GEN, ERR_R_MALLOC_FAILURE);
+ err:
OSSL_CRMF_CERTID_free(cid);
return NULL;
}
@@ -222,13 +212,12 @@ static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
if (crm->regInfo == NULL)
crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->regInfo == NULL)
- goto oom;
+ goto err;
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
- goto oom;
+ goto err;
return 1;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO, ERR_R_MALLOC_FAILURE);
+ err:
if (info != NULL)
crm->regInfo = NULL;
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
@@ -266,11 +255,11 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
}
if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL))
- goto oom;
+ goto err;
if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL))
- goto oom;
+ goto err;
if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
- goto oom;
+ goto err;
vld->notBefore = from_asn;
vld->notAfter = to_asn;
@@ -278,8 +267,7 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
tmpl->validity = vld;
return 1;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, ERR_R_MALLOC_FAILURE);
+ err:
ASN1_TIME_free(from_asn);
ASN1_TIME_free(to_asn);
return 0;
@@ -348,7 +336,7 @@ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
- const X509_EXTENSION *ext)
+ X509_EXTENSION *ext)
{
int new = 0;
OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
@@ -360,16 +348,14 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
if (tmpl->extensions == NULL) {
if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
- goto oom;
+ goto err;
new = 1;
}
- if (!sk_X509_EXTENSION_push(tmpl->extensions, (X509_EXTENSION *)ext))
- goto oom;
+ if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
+ goto err;
return 1;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION, ERR_R_MALLOC_FAILURE);
-
+ err:
if (new != 0) {
sk_X509_EXTENSION_free(tmpl->extensions);
tmpl->extensions = NULL;
@@ -428,10 +414,8 @@ static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps,
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
goto err;
}
- if ((sig = OPENSSL_malloc(siglen)) == NULL) {
- CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, ERR_R_MALLOC_FAILURE);
+ if ((sig = OPENSSL_malloc(siglen)) == NULL)
goto err;
- }
if (EVP_DigestSignFinal(ctx, sig, &siglen) <= 0
|| !ASN1_BIT_STRING_set(ps->signature, sig, siglen)) {
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
@@ -461,13 +445,13 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
if (ppmtd == OSSL_CRMF_POPO_NONE)
goto end;
if ((pp = OSSL_CRMF_POPO_new()) == NULL)
- goto oom;
+ goto err;
pp->type = ppmtd;
switch (ppmtd) {
case OSSL_CRMF_POPO_RAVERIFIED:
if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
- goto oom;
+ goto err;
break;
case OSSL_CRMF_POPO_SIGNATURE:
@@ -484,14 +468,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
case OSSL_CRMF_POPO_KEYENC:
if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
- goto oom;
+ goto err;
tag = ASN1_INTEGER_new();
pp->value.keyEncipherment->type =
OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
pp->value.keyEncipherment->value.subsequentMessage = tag;
if (tag == NULL
|| !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
- goto oom;
+ goto err;
break;
default:
@@ -505,8 +489,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
crm->popo = pp;
return 1;
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ERR_R_MALLOC_FAILURE);
err:
OSSL_CRMF_POPO_free(pp);
return 0;
@@ -609,7 +591,20 @@ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl)
return tmpl != NULL ? tmpl->issuer : NULL;
}
-/*
+/* retrieves the issuer name of the given CertId or NULL on error */
+X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
+{
+ return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
+ cid->issuer->d.directoryName : NULL;
+}
+
+/* retrieves the serialNumber of the given CertId or NULL on error */
+ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
+{
+ return cid != NULL ? cid->serialNumber : NULL;
+}
+
+/*-
* fill in certificate template.
* Any value argument that is NULL will leave the respective field unchanged.
*/
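Review bot: OSSL_CRMF_CERTID_get0_issuer reads `cid->issuer->type` after checking only `cid` for NULL, so a CertId whose issuer pointer is unset would be dereferenced. Whether that can happen is not visible here (OSSL_CRMF_CERTID_gen in this file assumes the issuer is allocated by OSSL_CRMF_CERTID_new), but since CertId values can come from decoded peer messages the extra guard is cheap: `return cid != NULL && cid->issuer != NULL && cid->issuer->type == GEN_DIRNAME ?`. The one-line comment should also say that NULL is returned when the issuer is not a directoryName, not only "on error". Both getters take a `const OSSL_CRMF_CERTID *` yet return non-const pointers to its internals, which is worth stating in the comment as get0 (no ownership transfer, caller must not free).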
@@ -624,27 +619,23 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
return 0;
}
if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject))
- goto oom;
+ return 0;
if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer))
- goto oom;
+ return 0;
if (serial != NULL) {
ASN1_INTEGER_free(tmpl->serialNumber);
if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
- goto oom;
+ return 0;
}
if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
- goto oom;
+ return 0;
return 1;
-
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, ERR_R_MALLOC_FAILURE);
- return 0;
}
/*-
- * Decrypts the certificate in the given encryptedValue
- * this is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2
+ * Decrypts the certificate in the given encryptedValue using private key pkey.
+ * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
*
* returns a pointer to the decrypted certificate
* returns NULL on error or if no certificate available
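Review bot: OSSL_CRMF_CERTTEMPLATE_fill's header comment does not mention that a failure can leave the template partially updated, which the `return 0;` exits in this hunk make possible. The fields are set in the order subject, issuer, serial, pubkey, so a failure at a later step keeps the earlier assignments, and the serial path frees the old `tmpl->serialNumber` before the dup that may fail. I would add to the function's comment something like `On failure (return 0) fields set before the failing step remain modified.` so callers know not to reuse the template. The function's signature and first lines are outside this hunk.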
@@ -693,7 +684,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
encKey->data, encKey->length) <= 0
|| (ek = OPENSSL_malloc(eksize)) == NULL)
- goto oom;
+ goto end;
retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
encKey->data, encKey->length);
ERR_clear_error(); /* error state may have sensitive information */
@@ -706,10 +697,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
goto end;
}
} else {
- goto oom;
+ goto end;
}
if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL)
- goto oom;
+ goto end;
if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
EVP_CIPHER_iv_length(cipher))
!= EVP_CIPHER_iv_length(cipher)) {
@@ -725,7 +716,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
EVP_CIPHER_block_size(cipher))) == NULL
|| (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
- goto oom;
+ goto end;
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
@@ -744,10 +735,6 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
CRMF_R_ERROR_DECODING_CERTIFICATE);
}
- goto end;
-
- oom:
- CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, ERR_R_MALLOC_FAILURE);
end:
EVP_PKEY_CTX_free(pkctx);
OPENSSL_free(outbuf);
diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c
index a3ac45557d..47dc86a550 100644
--- a/crypto/crmf/crmf_pbm.c
+++ b/crypto/crmf/crmf_pbm.c
@@ -41,20 +41,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
OSSL_CRMF_PBMPARAMETER *pbm = NULL;
unsigned char *salt = NULL;
- if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) {
- CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
+ if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
goto err;
- }
/*
* salt contains a randomly generated value used in computing the key
* of the MAC process. The salt SHOULD be at least 8 octets (64
* bits) long.
*/
- if ((salt = OPENSSL_malloc(slen)) == NULL) {
- CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
+ if ((salt = OPENSSL_malloc(slen)) == NULL)
goto err;
- }
if (RAND_bytes(salt, (int)slen) <= 0) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
goto err;
@@ -145,10 +141,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
goto err;
}
- if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) {
- CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
+ if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
goto err;
- }
/*
* owf identifies the hash algorithm and associated parameters used to
@@ -160,10 +154,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
goto err;
}
- if ((ctx = EVP_MD_CTX_new()) == NULL) {
- CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
+ if ((ctx = EVP_MD_CTX_new()) == NULL)
goto err;
- }
/* compute the basekey of the salted secret */
if (!EVP_DigestInit_ex(ctx, m, NULL))