[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Sep 8 21:25:06 UTC 2020
The branch master has been updated
via b434b2c08d2025936fb8b7ece3a5908613333f6b (commit)
from 15633d74dcfe446d309d612c69fd075616d45c5b (commit)
- Log -----------------------------------------------------------------
commit b434b2c08d2025936fb8b7ece3a5908613333f6b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Aug 28 13:37:04 2020 +0200
Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12806)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 6 ++----
crypto/cmp/cmp_vfy.c | 8 ++++++++
doc/man1/openssl-cmp.pod.in | 8 ++++++++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index dd49142309..f9b50fc659 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1546,10 +1546,8 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
EVP_PKEY_free(pkey);
}
- if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL) {
- CMP_err("missing -secret or -srvcert or -trusted");
- goto err;
- }
+ if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL)
+ CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert");
if (opt_cert != NULL) {
X509 *cert;
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 9b8a88f94b..f5026e0bbc 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -568,6 +568,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
switch (ossl_cmp_hdr_get_protection_nid(msg->header)) {
/* 5.1.3.1. Shared Secret Information */
case NID_id_PasswordBasedMAC:
+ if (ctx->secretValue == NULL) {
+ ossl_cmp_warn(ctx, "no secret available for verifying PBM-based CMP message protection");
+ return 1;
+ }
if (verify_PBMAC(ctx, msg)) {
/*
* RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
@@ -615,6 +619,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
default:
scrt = ctx->srvCert;
if (scrt == NULL) {
+ if (ctx->trusted == NULL) {
+ ossl_cmp_warn(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
+ return 1;
+ }
if (check_msg_find_cert(ctx, msg))
return 1;
} else { /* use pinned sender cert */
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 46c5059d84..623e3f7dee 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -174,6 +174,7 @@ Default filename is from the environment variable C<OPENSSL_CONF>.
Section(s) to use within config file defining CMP options.
An empty string C<""> means no specific section.
Default is C<cmp>.
+
Multiple section names may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Contents of sections named later may override contents of sections named before.
@@ -485,6 +486,9 @@ This option gives more flexibility than the B<-srvcert> option because the
protection certificate is not pinned but may be any certificate
for which a chain to one of the given trusted certificates can be constructed.
+If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
+then protected response messages from the server are not authenticated.
+
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -809,6 +813,7 @@ Default is one invocation.
=item B<-reqin> I<filenames>
Take sequence of CMP requests from file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
As many files are read as needed for a complete transaction.
@@ -823,18 +828,21 @@ and the CMP server complains that the transaction ID has already been used.
=item B<-reqout> I<filenames>
Save sequence of CMP requests to file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.
=item B<-rspin> I<filenames>
Process sequence of CMP responses provided in file(s), skipping server.
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are read as needed for the complete transaction.
=item B<-rspout> I<filenames>
Save sequence of CMP responses to file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.
More information about the openssl-commits
mailing list