[openssl] master update

dev at ddvo.net dev at ddvo.net
Fri Nov 20 12:37:02 UTC 2020 

The branch master has been updated
       via  f87ead980187ba39c66eb6ed5825603ea343b73f (commit)
       via  8c5c2fa544e8ca05bb756e99dbc9cb5ed82db37c (commit)
       via  6fd8313589b3fd55e31f65097007c3c1fdbe5021 (commit)
       via  0e7bc901bf4675b5fb05dfdd98647ec141781f45 (commit)
      from  9498dac4dbda1a4f2eb5e6573df05bc295dc272c (commit)


- Log -----------------------------------------------------------------
commit f87ead980187ba39c66eb6ed5825603ea343b73f
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Nov 13 21:45:46 2020 +0100

    ossl_cmp_certreq_new(): Fix POPO key mismatch in case newPkey is just public key
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13409)

commit 8c5c2fa544e8ca05bb756e99dbc9cb5ed82db37c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Nov 13 21:32:31 2020 +0100

    CMP: prevent misleading PKIStatusInfo output if not response available
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13409)

commit 6fd8313589b3fd55e31f65097007c3c1fdbe5021
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Nov 13 08:39:14 2020 +0100

    apps/cmp.c: Improve diagnostics on -server URL parse error
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13409)

commit 0e7bc901bf4675b5fb05dfdd98647ec141781f45
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Nov 12 20:35:50 2020 +0100

    apps/cmp.c: Add diagnostics on config file section(s) used
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13409)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c              | 14 +++++++++-----
 crypto/cmp/cmp_client.c |  1 +
 crypto/cmp/cmp_msg.c    |  7 ++++++-
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index c3efdfbbe9..ccb61ab497 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1834,8 +1834,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         CMP_err("missing -server option");
         goto err;
     }
-    if (!OSSL_HTTP_parse_url(opt_server, &server, &port, &portnum, &path, &ssl))
+    if (!OSSL_HTTP_parse_url(opt_server, &server, &port, &portnum, &path, &ssl)) {
+        CMP_err1("cannot parse -server URL: %s", opt_server);
         goto err;
+    }
     if (ssl && !opt_tls_used) {
         CMP_err("missing -tls_used option since -server URL indicates https");
         goto err;
@@ -2660,10 +2662,10 @@ int cmp_main(int argc, char **argv)
 
     /* read default values for options from config file */
     configfile = opt_config != NULL ? opt_config : default_config_file;
-    if (configfile && configfile[0] != '\0' /* non-empty string */
-            && (configfile != default_config_file
-                    || access(configfile, F_OK) != -1)) {
-        CMP_info1("using OpenSSL configuration file '%s'", configfile);
+    if (configfile != NULL && configfile[0] != '\0' /* non-empty string */
+            && (configfile != default_config_file || access(configfile, F_OK) != -1)) {
+        CMP_info2("using section(s) '%s' of OpenSSL configuration file '%s'",
+                  opt_section, configfile);
         conf = app_load_config(configfile);
         if (conf == NULL) {
             goto err;
@@ -2868,6 +2870,8 @@ int cmp_main(int argc, char **argv)
         default:
             break;
         }
+        if (OSSL_CMP_CTX_get_status(cmp_ctx) < 0)
+            goto err; /* we got no response, maybe even did not send request */
 
         {
             /* print PKIStatusInfo */
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index c19eea818f..75176cd195 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -886,6 +886,7 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
         ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
         return 0;
     }
+    ctx->status = -1;
 
     if ((genm = ossl_cmp_genm_new(ctx)) == NULL)
         goto err;
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 1a4a873168..45cda58879 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -334,7 +334,12 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
     if (type != OSSL_CMP_PKIBODY_P10CR) {
         EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
 
-        if (privkey == NULL)
+        /*
+         * privkey is NULL in case ctx->newPkey does not include a private key.
+         * We then may try to use ctx->pkey as fallback/default, but only
+         * if ctx-> newPkey does not include a (non-matching) public key:
+         */
+        if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
             privkey = ctx->pkey; /* default is independent of ctx->oldCert */
         if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
             ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);

More information about the openssl-commits mailing list