[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri Jun 25 05:45:14 UTC 2021
The branch master has been updated
via 991519aeb99b41e2239b20a254535436cad39553 (commit)
via cfd854a55e45626dd094f5d3846fd56fb4ec3cbf (commit)
via 7b3990e3f8c1d68c2afeb02a8f08f18f08916b95 (commit)
from 0f7a4ca5d6eba03d0bcd18bcc0c6705b8dd8f0b0 (commit)
- Log -----------------------------------------------------------------
commit 991519aeb99b41e2239b20a254535436cad39553
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Jun 23 14:47:57 2021 +0200
CMP: Improve reporting of error codes and related strings via 'error' msg
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
commit cfd854a55e45626dd094f5d3846fd56fb4ec3cbf
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Jun 23 14:26:22 2021 +0200
ossl_sk_ASN1_UTF8STRING2text(): Minor generalization and refactoring for readability
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
commit 7b3990e3f8c1d68c2afeb02a8f08f18f08916b95
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Jun 23 13:40:50 2021 +0200
CMP: Clean up internal message creation API and its documentation
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/asn1_lib.c | 17 ++---
crypto/cmp/cmp_client.c | 4 +-
crypto/cmp/cmp_local.h | 17 ++---
crypto/cmp/cmp_msg.c | 46 +++++++------
crypto/cmp/cmp_server.c | 14 ++--
doc/internal/man3/ossl_cmp_certreq_new.pod | 100 ++++++++++++-----------------
doc/internal/man3/ossl_cmp_hdr_init.pod | 12 +++-
doc/internal/man3/ossl_cmp_msg_create.pod | 69 ++++++++++++++++++--
test/cmp_server_test.c | 2 +-
9 files changed, 173 insertions(+), 108 deletions(-)
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index b1fa6b55a0..bdd0ec488d 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -413,9 +413,9 @@ unsigned char *ASN1_STRING_data(ASN1_STRING *x)
}
#endif
+/* |max_len| excludes NUL terminator and may be 0 to indicate no restriction */
char *ossl_sk_ASN1_UTF8STRING2text(STACK_OF(ASN1_UTF8STRING) *text,
- const char *sep,
- size_t max_len /* excluding NUL terminator */)
+ const char *sep, size_t max_len)
{
int i;
ASN1_UTF8STRING *current;
@@ -423,26 +423,27 @@ char *ossl_sk_ASN1_UTF8STRING2text(STACK_OF(ASN1_UTF8STRING) *text,
char *result = NULL;
char *p;
- if (!ossl_assert(sep != NULL))
- return NULL;
+ if (sep == NULL)
+ sep = "";
sep_len = strlen(sep);
- for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
+ for (i = 0; i < sk_ASN1_UTF8STRING_num(text); i++) {
current = sk_ASN1_UTF8STRING_value(text, i);
if (i > 0)
length += sep_len;
length += ASN1_STRING_length(current);
- if (length > max_len)
+ if (max_len != 0 && length > max_len)
return NULL;
}
if ((result = OPENSSL_malloc(length + 1)) == NULL)
return NULL;
- for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i) {
+ p = result;
+ for (i = 0; i < sk_ASN1_UTF8STRING_num(text); i++) {
current = sk_ASN1_UTF8STRING_value(text, i);
length = ASN1_STRING_length(current);
if (i > 0 && sep_len > 0) {
- strncpy(p, sep, sep_len + 1);
+ strncpy(p, sep, sep_len + 1); /* using + 1 to silence gcc warning */
p += sep_len;
}
strncpy(p, (const char *)ASN1_STRING_get0_data(current), length);
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index ea6ca39fb3..c7a846f03e 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -216,14 +216,14 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
if (emc->errorCode != NULL
- && BIO_snprintf(buf, sizeof(buf), "; errorCode: %ld",
+ && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX",
ASN1_INTEGER_get(emc->errorCode)) > 0)
ERR_add_error_data(1, buf);
if (emc->errorDetails != NULL) {
char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ",
OSSL_CMP_PKISI_BUFLEN - 1);
- if (text != NULL)
+ if (text != NULL && *text != '\0')
ERR_add_error_data(2, "; errorDetails: ", text);
OPENSSL_free(text);
}
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 9dba9e8169..1cca238916 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -864,13 +864,14 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
- int certReqId, OSSL_CMP_PKISI *si,
- X509 *cert, STACK_OF(X509) *chain,
- STACK_OF(X509) *caPubs, int encrypted,
+ int certReqId, const OSSL_CMP_PKISI *si,
+ X509 *cert, const X509 *encryption_recip,
+ STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
-OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- OSSL_CRMF_CERTID *certId, int unprot_err);
+OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ const OSSL_CRMF_CERTID *cid,
+ int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
int64_t poll_after);
@@ -880,9 +881,9 @@ int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
const STACK_OF(OSSL_CMP_ITAV) *itavs);
-OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- int errorCode,
- const char *details, int unprotected);
+OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ int64_t errorCode, const char *details,
+ int unprotected);
int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
ASN1_OCTET_STRING *hash);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index cfe96f516d..fe4b64d575 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -454,9 +454,9 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
}
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
- int certReqId, OSSL_CMP_PKISI *si,
- X509 *cert, STACK_OF(X509) *chain,
- STACK_OF(X509) *caPubs, int encrypted,
+ int certReqId, const OSSL_CMP_PKISI *si,
+ X509 *cert, const X509 *encryption_recip,
+ STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
int unprotectedErrors)
{
OSSL_CMP_MSG *msg = NULL;
@@ -486,8 +486,8 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
status = ossl_cmp_pkisi_get_status(resp->status);
if (status != OSSL_CMP_PKISTATUS_rejection
&& status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
- if (encrypted) {
- ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
+ if (encryption_recip != NULL) {
+ ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
goto err;
}
@@ -579,8 +579,8 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
return NULL;
}
-OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- OSSL_CRMF_CERTID *cid, int unprot_err)
+OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ const OSSL_CRMF_CERTID *cid, int unprotectedErrors)
{
OSSL_CMP_REVREPCONTENT *rep = NULL;
OSSL_CMP_PKISI *si1 = NULL;
@@ -613,7 +613,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
}
}
- if (!unprot_err
+ if (!unprotectedErrors
|| ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
if (!ossl_cmp_msg_protect(ctx, msg))
goto err;
@@ -726,11 +726,12 @@ OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
}
-OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- int errorCode,
- const char *details, int unprotected)
+OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ int64_t errorCode, const char *details,
+ int unprotected)
{
OSSL_CMP_MSG *msg = NULL;
+ const char *lib = NULL, *reason = NULL;
OSSL_CMP_PKIFREETEXT *ft;
if (!ossl_assert(ctx != NULL && si != NULL))
@@ -743,17 +744,26 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
== NULL)
goto err;
- if (errorCode >= 0) {
- if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
- goto err;
- if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
- goto err;
+ if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
+ goto err;
+ if (!ASN1_INTEGER_set_int64(msg->body->value.error->errorCode, errorCode))
+ goto err;
+ if (errorCode > 0 && errorCode < (ERR_SYSTEM_FLAG << 1)) {
+ lib = ERR_lib_error_string((unsigned long)errorCode);
+ reason = ERR_reason_error_string((unsigned long)errorCode);
}
- if (details != NULL) {
+ if (lib != NULL || reason != NULL || details != NULL) {
if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
goto err;
msg->body->value.error->errorDetails = ft;
- if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+ if (lib != NULL && *lib != '\0'
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+ goto err;
+ if (reason != NULL && *reason != '\0'
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+ goto err;
+ if (details != NULL
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
goto err;
}
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index a7cc38da5a..593c074f8d 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -226,7 +226,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
- certOut, chainOut, caPubs, 0 /* encrypted */,
+ certOut, NULL /* enc */, chainOut, caPubs,
srv_ctx->sendUnprotectedErrors);
if (msg == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
@@ -562,7 +562,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
err:
if (rsp == NULL) {
/* on error, try to respond with CMP error message to client */
- const char *data = NULL;
+ const char *data = NULL, *reason = NULL;
int flags = 0;
unsigned long err = ERR_peek_error_data(&data, &flags);
int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
@@ -574,12 +574,12 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
(void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce);
}
+ if ((flags & ERR_TXT_STRING) == 0 || *data == '\0')
+ data = NULL;
+ reason = ERR_reason_error_string(err);
if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
- fail_info, data)) != NULL) {
- if (err != 0 && (flags & ERR_TXT_STRING) != 0)
- data = ERR_reason_error_string(err);
- rsp = ossl_cmp_error_new(srv_ctx->ctx, si,
- err != 0 ? ERR_GET_REASON(err) : -1,
+ fail_info, reason)) != NULL) {
+ rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err,
data, srv_ctx->sendUnprotectedErrors);
OSSL_CMP_PKISI_free(si);
}
diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod
index 3c9654c18f..05530dafae 100644
--- a/doc/internal/man3/ossl_cmp_certreq_new.pod
+++ b/doc/internal/man3/ossl_cmp_certreq_new.pod
@@ -17,46 +17,19 @@ ossl_cmp_error_new
=head1 SYNOPSIS
- #include <openssl/cmp.h>
-
-# define OSSL_CMP_PKIBODY_IR 0
-# define OSSL_CMP_PKIBODY_IP 1
-# define OSSL_CMP_PKIBODY_CR 2
-# define OSSL_CMP_PKIBODY_CP 3
-# define OSSL_CMP_PKIBODY_P10CR 4
-# define OSSL_CMP_PKIBODY_POPDECC 5
-# define OSSL_CMP_PKIBODY_POPDECR 6
-# define OSSL_CMP_PKIBODY_KUR 7
-# define OSSL_CMP_PKIBODY_KUP 8
-# define OSSL_CMP_PKIBODY_KRR 9
-# define OSSL_CMP_PKIBODY_KRP 10
-# define OSSL_CMP_PKIBODY_RR 11
-# define OSSL_CMP_PKIBODY_RP 12
-# define OSSL_CMP_PKIBODY_CCR 13
-# define OSSL_CMP_PKIBODY_CCP 14
-# define OSSL_CMP_PKIBODY_CKUANN 15
-# define OSSL_CMP_PKIBODY_CANN 16
-# define OSSL_CMP_PKIBODY_RANN 17
-# define OSSL_CMP_PKIBODY_CRLANN 18
-# define OSSL_CMP_PKIBODY_PKICONF 19
-# define OSSL_CMP_PKIBODY_NESTED 20
-# define OSSL_CMP_PKIBODY_GENM 21
-# define OSSL_CMP_PKIBODY_GENP 22
-# define OSSL_CMP_PKIBODY_ERROR 23
-# define OSSL_CMP_PKIBODY_CERTCONF 24
-# define OSSL_CMP_PKIBODY_POLLREQ 25
-# define OSSL_CMP_PKIBODY_POLLREP 26
+ #include "cmp_local.h"
OSSL_ossl_cmp_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
- int certReqId, OSSL_CMP_PKISI *si,
- X509 *cert, STACK_OF(X509) *chain,
- STACK_OF(X509) *caPubs,
- int encrypted, int unprotectedErrors);
+ int certReqId, const OSSL_CMP_PKISI *si,
+ X509 *cert, const X509 *encryption_recip,
+ STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
+ int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
- OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- OSSL_CRMF_CERTID *cid, int unprot_err);
+ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ const OSSL_CRMF_CERTID *cid,
+ int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
const char *text);
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
@@ -64,23 +37,23 @@ ossl_cmp_error_new
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after);
OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx);
- OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
- int errorCode,
- OSSL_CMP_PKIFREETEXT *errorDetails,
+ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
+ int64_t errorCode, const char *details,
int unprotected);
=head1 DESCRIPTION
-This is the API for creating various CMP PKIMESSAGES. The
-functions allocate a new message, fill it with the relevant data derived from
-the given OSSL_CMP_CTX, and create the applicable protection.
+This is the internal API for creating various CMP PKIMESSAGES.
+All functions are based on L<ossl_cmp_msg_create(3)>.
+The allocate a new message, fill it with the relevant data derived from
+the given B<OSSL_CMP_CTX>, and create the applicable protection.
ossl_cmp_certreq_new() creates a PKIMessage for requesting a certificate,
-which can be either of IR/CR/KUR/P10CR, depending on the given B<bodytype>.
-The CRMF message to use may be given via the B<crm> argument;
-else (if B<crm> is NULL) it is created from the information in the B<ctx>.
+which can be either of IR/CR/KUR/P10CR, depending on the given I<bodytype>.
+The CRMF message to use may be given explicitly via a non-NULL I<crm> argument,
+otherwise it is created from the information in the I<ctx>.
-Available CMP certificate request PKIMessage B<bodytype>s are:
+Available CMP certificate request PKIMessage I<bodytype>s are:
=over 4
@@ -94,10 +67,16 @@ Available CMP certificate request PKIMessage B<bodytype>s are:
=back
-ossl_cmp_certrep_new() creates a PKIMessage for certificate response, which can
-be either of IP/CP/KUP, depending on the given B<bodytype>.
+ossl_cmp_certrep_new() creates a PKIMessage for certificate response,
+which can be either of IP/CP/KUP, depending on the given I<bodytype>,
+with the given I<certReqId> and I<si> values and optionally with I<cert>,
+I<chain>, and I<caPubs>. The I<cert>, I<chain>, and I<caPubs> arguments
+are not consumed if present but their internal reference counter is increased.
+The I<encryption_recip> is currently unsupported.
+The function does not protect the message if the B<status> value in I<si>
+is B<rejected> and I<unprotectedErrors> is nonzero.
-Available CMP certificate response PKIMessage B<bodytype>s are:
+Available CMP certificate response PKIMessage I<bodytype>s are:
=over 4
@@ -109,7 +88,7 @@ Available CMP certificate response PKIMessage B<bodytype>s are:
=back
-The list of all CMP PKIMessage B<bodytype>s is:
+The list of all CMP PKIMessage I<bodytype>s is:
#define OSSL_CMP_PKIBODY_IR 0
#define OSSL_CMP_PKIBODY_IP 1
@@ -140,29 +119,33 @@ The list of all CMP PKIMessage B<bodytype>s is:
ossl_cmp_rr_new() creates a Revocation Request message from the
information set via OSSL_CMP_CTX_set1_oldClCert().
-ossl_cmp_rp_new() creates a Revocation Response message with status set to
-B<si> and CertID set to B<cid>. Consumes B<cid>.
-Accepts unprotected errors if B<uprot_err> != 0.
+ossl_cmp_rp_new() creates a Revocation Response message with I<si> and I<cid>.
+It does not protect the message if the B<status> value in I<si> is B<rejected>
+and I<unprotectedErrors> is nonzero.
ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last
-received certificate. PKIStatus defaults to B<accepted> if the B<fail_info> bit
+received certificate. PKIStatus defaults to B<accepted> if the I<fail_info> bit
field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is
-set to B<rejected>, and B<text> is copied to statusString unless it is NULL.
+set to B<rejected>, and I<text> is copied to statusString unless it is NULL.
ossl_cmp_pkiconf_new() creates a PKI Confirmation message.
ossl_cmp_pollReq_new() creates a Polling Request message with certReqId set to
-B<crid>.
+I<crid>.
ossl_cmp_pollRep_new() creates a Polling Response message with certReqId set to
-B<crid> and pollAfter to B<poll_after>.
+I<crid> and pollAfter to I<poll_after>.
ossl_cmp_genm_new() creates a new General Message with an empty ITAV stack.
ossl_cmp_genp_new() creates a new General Response with an empty ITAV stack.
-ossl_cmp_error_new() creates a new Error Message with the given contents,
-copying B<si> and B<errorDetails>.
+ossl_cmp_error_new() creates a new Error Message with the given contents
+I<si>, I<errorCode>, and optional I<details>.
+If I<errorCode> is positive and in the range of an OpenSSL error code,
+the library and reason strings are included in the B<errorDetails> field.
+If given, the I<details> are added to the contents of the B<errorDetails> field.
+The function does not protect the message if I<unprotectedErrors> is nonzero.
=head1 NOTES
@@ -175,6 +158,7 @@ the generated message on success, or NULL on error.
=head1 SEE ALSO
+L<ossl_cmp_msg_create(3)>,
L<OSSL_CMP_CTX_new(3)>, L<ERR_load_strings(3)>
=head1 HISTORY
diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod
index 60259dd4bd..7bc87a253a 100644
--- a/doc/internal/man3/ossl_cmp_hdr_init.pod
+++ b/doc/internal/man3/ossl_cmp_hdr_init.pod
@@ -17,8 +17,9 @@ ossl_cmp_hdr_generalinfo_item_push0,
ossl_cmp_hdr_generalinfo_items_push1,
ossl_cmp_hdr_set_implicitConfirm,
ossl_cmp_hdr_has_implicitConfirm,
+ossl_cmp_hdr_set_transactionID,
ossl_cmp_hdr_init
-- functions manipulating CMP message headers
+- functions handling CMP message headers
=head1 SYNOPSIS
@@ -46,6 +47,7 @@ ossl_cmp_hdr_init
ASN1_UTF8STRING *text);
int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_has_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
+ int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
=head1 DESCRIPTION
@@ -98,6 +100,10 @@ of the PKIMessage header.
ossl_cmp_hdr_has_implicitConfirm() returns 1 if implicitConfirm is
set int generalInfo field of the given PKIMessage header, 0 if not.
+ossl_cmp_hdr_set_transactionID() sets the B<transactionID> field in C<hdr>.
+In case ctx->transactionID is NULL, it starts a new transaction
+by creating and storing a new random valuee with 128 bits length.
+
ossl_cmp_hdr_init() initializes a PKIHeader structure based on the
values in the given OSSL_CMP_CTX structure.
This starts a new transaction in case ctx->transactionID is NULL.
@@ -125,6 +131,10 @@ All other functions return 1 on success, 0 on error.
See the individual functions above.
+=head1 SEE ALSO
+
+L<ossl_cmp_msg_create(3)>
+
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
diff --git a/doc/internal/man3/ossl_cmp_msg_create.pod b/doc/internal/man3/ossl_cmp_msg_create.pod
index aca0a996f4..60f425b96e 100644
--- a/doc/internal/man3/ossl_cmp_msg_create.pod
+++ b/doc/internal/man3/ossl_cmp_msg_create.pod
@@ -2,17 +2,72 @@
=head1 NAME
+OSSL_CMP_PKIBODY_IR,
+OSSL_CMP_PKIBODY_IP,
+OSSL_CMP_PKIBODY_CR,
+OSSL_CMP_PKIBODY_CP,
+OSSL_CMP_PKIBODY_P10CR,
+OSSL_CMP_PKIBODY_POPDECC,
+OSSL_CMP_PKIBODY_POPDECR,
+OSSL_CMP_PKIBODY_KUR,
+OSSL_CMP_PKIBODY_KUP,
+OSSL_CMP_PKIBODY_KRR,
+OSSL_CMP_PKIBODY_KRP,
+OSSL_CMP_PKIBODY_RR,
+OSSL_CMP_PKIBODY_RP,
+OSSL_CMP_PKIBODY_CCR,
+OSSL_CMP_PKIBODY_CCP,
+OSSL_CMP_PKIBODY_CKUANN,
+OSSL_CMP_PKIBODY_CANN,
+OSSL_CMP_PKIBODY_RANN,
+OSSL_CMP_PKIBODY_CRLANN,
+OSSL_CMP_PKIBODY_PKICONF,
+OSSL_CMP_PKIBODY_NESTED,
+OSSL_CMP_PKIBODY_GENM,
+OSSL_CMP_PKIBODY_GENP,
+OSSL_CMP_PKIBODY_ERROR,
+OSSL_CMP_PKIBODY_CERTCONF,
+OSSL_CMP_PKIBODY_POLLREQ,
+OSSL_CMP_PKIBODY_POLLREP,
ossl_cmp_bodytype_to_string,
ossl_cmp_msg_get_bodytype,
ossl_cmp_msg_set_bodytype,
ossl_cmp_msg_create,
ossl_cmp_msg_gen_ITAV_push0,
ossl_cmp_msg_gen_ITAVs_push1
-- functions manipulating CMP messages
+- functions handling CMP messages
=head1 SYNOPSIS
- #include "cmp_local.h"
+ #include "cmp_local.h"
+
+ #define OSSL_CMP_PKIBODY_IR 0
+ #define OSSL_CMP_PKIBODY_IP 1
+ #define OSSL_CMP_PKIBODY_CR 2
+ #define OSSL_CMP_PKIBODY_CP 3
+ #define OSSL_CMP_PKIBODY_P10CR 4
+ #define OSSL_CMP_PKIBODY_POPDECC 5
+ #define OSSL_CMP_PKIBODY_POPDECR 6
+ #define OSSL_CMP_PKIBODY_KUR 7
+ #define OSSL_CMP_PKIBODY_KUP 8
+ #define OSSL_CMP_PKIBODY_KRR 9
+ #define OSSL_CMP_PKIBODY_KRP 10
+ #define OSSL_CMP_PKIBODY_RR 11
+ #define OSSL_CMP_PKIBODY_RP 12
+ #define OSSL_CMP_PKIBODY_CCR 13
+ #define OSSL_CMP_PKIBODY_CCP 14
+ #define OSSL_CMP_PKIBODY_CKUANN 15
+ #define OSSL_CMP_PKIBODY_CANN 16
+ #define OSSL_CMP_PKIBODY_RANN 17
+ #define OSSL_CMP_PKIBODY_CRLANN 18
+ #define OSSL_CMP_PKIBODY_PKICONF 19
+ #define OSSL_CMP_PKIBODY_NESTED 20
+ #define OSSL_CMP_PKIBODY_GENM 21
+ #define OSSL_CMP_PKIBODY_GENP 22
+ #define OSSL_CMP_PKIBODY_ERROR 23
+ #define OSSL_CMP_PKIBODY_CERTCONF 24
+ #define OSSL_CMP_PKIBODY_POLLREQ 25
+ #define OSSL_CMP_PKIBODY_POLLREP 26
const char *ossl_cmp_bodytype_to_string(int type);
int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
@@ -34,9 +89,12 @@ ossl_cmp_msg_set_bodytype() sets the type of the message contained in
the PKIMessage body field.
Returns 1 on success, 0 on error.
-ossl_cmp_msg_create() creates and initializes a OSSL_CMP_MSG structure,
-using B<ctx> for the header and B<bodytype> for the body.
-Returns pointer to created OSSL_CMP_MSG on success, NULL on error.
+ossl_cmp_msg_create() creates and initializes an B<OSSL_CMP_MSG> structure,
+using fields of B<ctx> for the header and B<bodytype> for the body.
+If the current B<transactionID> field in I<ctx> indicates that there is no
+current transaction, it creates and stores a random one with 128 bits length.
+Thus, the I<ctx> may be modified by this and related ossl_cmp_*_new() functions.
+Returns pointer to created B<OSSL_CMP_MSG> on success, NULL on error.
ossl_cmp_msg_gen_ITAV_push0() pushes the B<itav> to the body of the
PKIMessage B<msg> of GenMsg or GenRep type. Consumes the B<itavs> pointer.
@@ -57,6 +115,7 @@ See the individual functions above.
=head1 SEE ALSO
+L<ossl_cmp_hdr_init(3)>,
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
=head1 HISTORY
diff --git a/test/cmp_server_test.c b/test/cmp_server_test.c
index 8583c6f608..9f20d27ac9 100644
--- a/test/cmp_server_test.c
+++ b/test/cmp_server_test.c
@@ -98,7 +98,7 @@ static int execute_test_handle_request(CMP_SRV_TEST_FIXTURE *fixture)
OSSL_CMP_PKIBODY_ERROR)
|| !TEST_ptr(errorContent = rsp->body->value.error)
|| !TEST_int_eq(ASN1_INTEGER_get(errorContent->errorCode),
- dummy_errorCode))
+ ERR_PACK(ERR_LIB_CMP, 0, dummy_errorCode)))
goto end;
res = 1;
More information about the openssl-commits
mailing list