Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()

as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

1 files changed, 10 insertions, 0 deletions

diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod
index c058e90ffb..4e7a9224af 100644
--- a/doc/internal/man3/ossl_cmp_msg_check_update.pod
+++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod
@@ -27,6 +27,9 @@ The B<msg> is checked for the following:
 
 =over 4
 
+=item its sender is of appropriate type (currently only B<X509_NAME>)
+      and matches any expected sender or srvCert subject given in B<ctx>,
+
 =item its protection is present and valid (or a callback function B<cb>
 is present and indicates that a missing or invalid protection is acceptable),
 
@@ -61,6 +64,13 @@ If all checks pass then ossl_cmp_msg_check_update()
 records in B<ctx> the senderNonce of the received message as the new recipNonce
 and learns the transaction ID if none is currently present in B<ctx>.
 
+Moreover, according to RFC 4210 section 5.3.2, if the message protection is
+PBM-based then any certificates in the caPubs field are added to the list of
+trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>).
+This way these certs are available for validating subsequent messages in the
+same context and could apply to any Polling Response (pollRep), error, or PKI
+Confirmation (PKIConf) messages following in the same or future transactions.
+
 =head1 RETURN VALUES
 
 ossl_cmp_msg_check_update() returns 1 on success, -1 on error.