[openssl] master update

dev at ddvo.net dev at ddvo.net
Mon Dec 13 08:53:28 UTC 2021 

The branch master has been updated
       via  61fa00a4d03f6808389bc1847937f72d184f0627 (commit)
       via  e46997111af3a11632df411b01d62fd39cc3faaf (commit)
      from  20b0579cbfd1986d00ad8eb2167bc865519f23cd (commit)


- Log -----------------------------------------------------------------
commit 61fa00a4d03f6808389bc1847937f72d184f0627
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Dec 7 18:02:19 2021 +0100

    APPS/cmp: Simplify read_write_req_resp() - 'req' arg must not be NULL anyway
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17251)

commit e46997111af3a11632df411b01d62fd39cc3faaf
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Dec 9 20:52:59 2021 +0100

    ossl_cmp_msg_check_update(): align recipNone check with improved transactionID check
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17251)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c           |  3 +--
 crypto/cmp/cmp_vfy.c | 52 ++++++++++++++++++++++++++--------------------------
 2 files changed, 27 insertions(+), 28 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index e35626ebb2..d6ab2a249b 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -789,8 +789,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
     OSSL_CMP_PKIHEADER *hdr;
     const char *prev_opt_rspin = opt_rspin;
 
-    if (req != NULL && opt_reqout != NULL
-            && !write_PKIMESSAGE(req, &opt_reqout))
+    if (opt_reqout != NULL && !write_PKIMESSAGE(req, &opt_reqout))
         goto err;
     if (opt_reqin != NULL && opt_rspin == NULL) {
         if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL)
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index cdfad0a631..bea7e506b6 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -640,6 +640,28 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
     return 0;
 }
 
+static int check_transactionID_or_nonce(ASN1_OCTET_STRING *expected,
+                                        ASN1_OCTET_STRING *actual, int reason)
+{
+    if (expected != NULL
+        && (actual == NULL || ASN1_OCTET_STRING_cmp(expected, actual) != 0)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        char *expected_str, *actual_str;
+
+        expected_str = i2s_ASN1_OCTET_STRING(NULL, expected);
+        actual_str = actual == NULL ? "(none)"
+            : i2s_ASN1_OCTET_STRING(NULL, actual);
+        ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED,
+                       "expected = %s, actual = %s",
+                       expected_str == NULL ? "?" : expected_str,
+                       actual_str == NULL ? "?" : actual_str);
+        OPENSSL_free(expected_str);
+        OPENSSL_free(actual_str);
+        return 0;
+#endif
+    }
+    return 1;
+}
 
 /*-
  * Check received message (i.e., response by server or request from client)
@@ -742,36 +764,14 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
     }
 
     /* compare received transactionID with the expected one in previous msg */
-    if (ctx->transactionID != NULL
-            && (hdr->transactionID == NULL
-                || ASN1_OCTET_STRING_cmp(ctx->transactionID,
-                                         hdr->transactionID) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        char *ctx_str, *hdr_str;
-
-        ctx_str = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
-        hdr_str = hdr->transactionID == NULL ? "(none)"
-            : i2s_ASN1_OCTET_STRING(NULL, hdr->transactionID);
-        ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED,
-                       "expected = %s, actual = %s",
-                       ctx_str == NULL ? "?" : ctx_str,
-                       hdr_str == NULL ? "?" : hdr_str);
-        OPENSSL_free(ctx_str);
-        OPENSSL_free(hdr_str);
+    if (!check_transactionID_or_nonce(ctx->transactionID, hdr->transactionID,
+                                      CMP_R_TRANSACTIONID_UNMATCHED))
         return 0;
-#endif
-    }
 
     /* compare received nonce with the one we sent */
-    if (ctx->senderNonce != NULL
-            && (msg->header->recipNonce == NULL
-                || ASN1_OCTET_STRING_cmp(ctx->senderNonce,
-                                         hdr->recipNonce) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_RECIPNONCE_UNMATCHED);
+    if (!check_transactionID_or_nonce(ctx->senderNonce, hdr->recipNonce,
+                                      CMP_R_RECIPNONCE_UNMATCHED))
         return 0;
-#endif
-    }
 
     /*
      * RFC 4210 section 5.1.1 states: the recipNonce is copied from

More information about the openssl-commits mailing list