/*
- * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
#include <openssl/trace.h>
#include <openssl/bio.h>
#include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
+#include "crypto/x509.h" /* for x509v3_cache_extensions() */
#include "cmp_local.h"
* Set certificate store containing trusted (root) CA certs and possibly CRLs
* and a cert verification callback function used for CMP server authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
- * returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
{
return 1;
}
-/*
- * Get current list of non-trusted intermediate certs
- */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
+/* Get current list of non-trusted intermediate certs */
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return NULL;
}
- return ctx->untrusted_certs;
+ return ctx->untrusted;
}
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
- * returns 1 on success, 0 on error
*/
-int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
+int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
- STACK_OF(X509) *untrusted_certs;
+ STACK_OF(X509) *untrusted;
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
- if ((untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((untrusted = sk_X509_new_null()) == NULL)
return 0;
- if (ossl_cmp_sk_X509_add1_certs(untrusted_certs, certs, 0, 1, 0) != 1)
+ if (X509_add_certs(untrusted, certs,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
goto err;
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
- ctx->untrusted_certs = untrusted_certs;
+ sk_X509_pop_free(ctx->untrusted, X509_free);
+ ctx->untrusted = untrusted;
return 1;
err:
- sk_X509_pop_free(untrusted_certs, X509_free);
+ sk_X509_pop_free(untrusted, X509_free);
return 0;
}
+static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
+{
+ EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
+ /* fetching in advance to be able to throw error early if unsupported */
+
+ if (md == NULL) {
+ CMPerr(0, CMP_R_UNSUPPORTED_ALGORITHM);
+ return 0;
+ }
+ EVP_MD_free(*pmd);
+ *pmd = md;
+ return 1;
+}
+
/*
* Allocates and initializes OSSL_CMP_CTX context structure with default values.
* Returns new context on success, NULL on error
*/
-OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
+OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
{
OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL)
- return NULL;
+ goto err;
+
+ ctx->libctx = libctx;
+ if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
+ goto err;
ctx->log_verbosity = OSSL_CMP_LOG_INFO;
ctx->status = -1;
ctx->failInfoCode = -1;
- ctx->serverPort = OSSL_CMP_DEFAULT_PORT;
- ctx->proxyPort = OSSL_CMP_DEFAULT_PORT;
ctx->msg_timeout = 2 * 60;
- if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((ctx->untrusted = sk_X509_new_null()) == NULL)
goto err;
ctx->pbm_slen = 16;
- ctx->pbm_owf = NID_sha256;
+ if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
+ goto err;
ctx->pbm_itercnt = 500;
ctx->pbm_mac = NID_hmac_sha1;
- ctx->digest = NID_sha256;
+ if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
+ goto err;
ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
ctx->revocationReason = CRL_REASON_NONE;
err:
OSSL_CMP_CTX_free(ctx);
+ X509err(0, ERR_R_MALLOC_FAILURE);
return NULL;
}
-/*
- * Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX
- */
+/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
return ossl_cmp_ctx_set0_statusString(ctx, NULL)
&& ossl_cmp_ctx_set0_newCert(ctx, NULL)
+ && ossl_cmp_ctx_set1_newChain(ctx, NULL)
&& ossl_cmp_ctx_set1_caPubs(ctx, NULL)
&& ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
&& ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
-/*
- * Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new()
- */
+/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL)
return;
OPENSSL_free(ctx->serverPath);
- OPENSSL_free(ctx->serverName);
- OPENSSL_free(ctx->proxyName);
+ OPENSSL_free(ctx->server);
+ OPENSSL_free(ctx->proxy);
+ OPENSSL_free(ctx->no_proxy);
X509_free(ctx->srvCert);
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
+ sk_X509_pop_free(ctx->untrusted, X509_free);
- X509_free(ctx->clCert);
+ X509_free(ctx->cert);
+ sk_X509_pop_free(ctx->chain, X509_free);
EVP_PKEY_free(ctx->pkey);
ASN1_OCTET_STRING_free(ctx->referenceValue);
if (ctx->secretValue != NULL)
OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
ASN1_OCTET_STRING_free(ctx->secretValue);
+ EVP_MD_free(ctx->pbm_owf);
X509_NAME_free(ctx->recipient);
+ EVP_MD_free(ctx->digest);
ASN1_OCTET_STRING_free(ctx->transactionID);
ASN1_OCTET_STRING_free(ctx->senderNonce);
ASN1_OCTET_STRING_free(ctx->recipNonce);
sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
X509_free(ctx->newCert);
+ sk_X509_pop_free(ctx->newChain, X509_free);
sk_X509_pop_free(ctx->caPubs, X509_free);
sk_X509_pop_free(ctx->extraCertsIn, X509_free);
return 1;
}
-/*
- * Set callback function for checking if the cert is ok or should
- * it be rejected.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for checking if the cert is ok or should be rejected */
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
{
if (ctx == NULL) {
/*
* Set argument, respectively a pointer to a structure containing arguments,
* optionally to be used by the certConf callback.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
return res;
}
-/*
- * Set a callback function for error reporting and logging messages.
- * Returns 1 on success, 0 on error
- */
+/* Set a callback function for error reporting and logging messages */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
{
if (ctx == NULL) {
}
/* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
-void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx)
+void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
{
+ if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
+ return; /* suppress output since severity is not sufficient */
OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
}
/*
* Set or clear the reference value to be used for identification
* (i.e., the user name) when using PBMAC.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len)
len);
}
-/*
- * Set or clear the password to be used for protecting messages with PBMAC.
- * Returns 1 on success, 0 on error
- */
+/* Set or clear the password to be used for protecting messages with PBMAC */
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len)
{
return 1;
}
+/* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
+STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx)
+{
+ if (ctx == NULL) {
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return NULL;
+ }
+ if (ctx->newChain == NULL)
+ return sk_X509_new_null();
+ return X509_chain_up_ref(ctx->newChain);
+}
+
/*
- * Returns the stack of certificates received in a response message.
- * The stack is duplicated so the caller must handle freeing it!
- * Returns pointer to created stack on success, NULL on error
+ * Copies any given stack of inbound X509 certificates to newChain
+ * of the OSSL_CMP_CTX structure so that they may be retrieved later.
*/
+int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
+{
+ if (!ossl_assert(ctx != NULL))
+ return 0;
+
+ sk_X509_pop_free(ctx->newChain, X509_free);
+ ctx->newChain= NULL;
+ if (newChain == NULL)
+ return 1;
+ return (ctx->newChain = X509_chain_up_ref(newChain)) != NULL;
+}
+
+/* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
/*
* Copies any given stack of inbound X509 certificates to extraCertsIn
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error.
*/
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn)
}
/*
- * Duplicate and set the given stack as the new stack of X509
+ * Copies any given stack as the new stack of X509
* certificates to send out in the extraCerts field.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut)
/*
* Add the given policy info object
* to the X509_EXTENSIONS of the requested certificate template.
- * Returns 1 on success, 0 on error.
*/
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
{
return sk_POLICYINFO_push(ctx->policies, pinfo);
}
-/*
- * Add an ITAV for geninfo of the PKI message header
- */
+/* Add an ITAV for geninfo of the PKI message header */
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
}
-/*
- * Add an itav for the body of outgoing general messages
- */
+/* Add an itav for the body of outgoing general messages */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
}
/*
- * Duplicate and copy the given stack of certificates to the given
+ * Copies any given stack of certificates to the given
* OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error
*/
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
{
return 1; \
}
+#define X509_invalid(cert) (!x509v3_cache_extensions(cert))
+#define EVP_PKEY_invalid(key) 0
#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
{ \
return 0; \
} \
\
+ /* prevent misleading error later on malformed cert or provider issue */ \
+ if (val != NULL && TYPE##_invalid(val)) { \
+ CMPerr(0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
+ return 0; \
+ } \
if (val != NULL && !TYPE##_up_ref(val)) \
return 0; \
TYPE##_free(ctx->FIELD); \
* Pins the server certificate to be directly trusted (even if it is expired)
* for verifying response messages.
* Cert pointer is not consumed. It may be NULL to clear the entry.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
-/*
- * Set the X509 name of the recipient. Set in the PKIHeader.
- * returns 1 on success, 0 on error
- */
+/* Set the X509 name of the recipient. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
-/*
- * Store the X509 name of the expected sender in the PKIHeader of responses.
- * Returns 1 on success, 0 on error
- */
+/* Store the X509 name of the expected sender in the PKIHeader of responses */
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
-/*
- * Set the X509 name of the issuer. Set in the PKIHeader.
- * Returns 1 on success, 0 on error
- */
+/* Set the X509 name of the issuer. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
/*
* Set the subject name that will be placed in the certificate
* request. This will be the subject name on the received certificate.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
-/*
- * Set the X.509v3 certificate request extensions to be used in IR/CR/KUR.
- * Returns 1 on success, 0 on error
- */
+/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
{
if (ctx == NULL) {
/*
* Add a GENERAL_NAME structure that will be added to the CRMF
* request's extensions field to request subject alternative names.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
const GENERAL_NAME *name)
/*
* Set our own client certificate, used for example in KUR and when
* doing the IR with existing certificate.
- * Returns 1 on success, 0 on error
*/
-DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
+DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
+
+int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
+ STACK_OF(X509) *candidates)
+{
+ STACK_OF(X509) *chain;
+
+ if (ctx == NULL) {
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+
+ if (ctx->untrusted != NULL ?
+ !X509_add_certs(ctx->untrusted, candidates,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
+ !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
+ return 0;
+
+ ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
+ chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
+ ctx->untrusted, ctx->cert);
+ if (chain == NULL) {
+ CMPerr(0, CMP_R_FAILED_BUILDING_OWN_CHAIN);
+ return 0;
+ }
+ ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
+ ctx->chain = chain;
+ return 1;
+}
/*
* Set the old certificate that we are updating in KUR
* or the certificate to be revoked in RR, respectively.
- * Also used as reference cert (defaulting to clCert) for deriving subject DN
+ * Also used as reference cert (defaulting to cert) for deriving subject DN
* and SANs. Its issuer is used as default recipient in the CMP message header.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
-/*
- * Set the PKCS#10 CSR to be sent in P10CR.
- * Returns 1 on success, 0 on error
- */
+/* Set the PKCS#10 CSR to be sent in P10CR */
DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
/*
- * Sets the (newly received in IP/KUP/CP) certificate in the context.
- * Returns 1 on success, 0 on error
+ * Set the (newly received in IP/KUP/CP) certificate in the context.
* TODO: this only permits for one cert to be enrolled at a time.
*/
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
return ctx->newCert;
}
-/*
- * Set the client's current private key.
- * Returns 1 on success, 0 on error
- */
+/* Set the client's current private key */
DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
-/*
- * Set new key pair. Used e.g. when doing Key Update.
- * Returns 1 on success, 0 on error
- */
+/* Set new key pair. Used e.g. when doing Key Update */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
{
if (ctx == NULL) {
return 1;
}
-/*
- * gets the private/public key to use for certificate enrollment, NULL on error
- */
+/* Get the private/public key to use for cert enrollment, or NULL on error */
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
return ctx->pkey; /* may be NULL */
}
-/*
- * Sets the given transactionID to the context.
- * Returns 1 on success, 0 on error
- */
+/* Set the given transactionID to the context */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id)
{
return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
}
-/*
- * sets the given nonce to be used for the recipNonce in the next message to be
- * created.
- * returns 1 on success, 0 on error
- */
+/* Set the nonce to be used for the recipNonce in the message created next */
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
}
-/*
- * Stores the given nonce as the last senderNonce sent out.
- * Returns 1 on success, 0 on error
- */
+/* Stores the given nonce as the last senderNonce sent out */
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
}
-/*
- * Set the host name of the (HTTP) proxy server to use for all connections
- * returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(proxyName, char)
+/* Set the proxy server to use for HTTP(S) connections */
+DEFINE_OSSL_CMP_CTX_set1(proxy, char)
-/*
- * Set the (HTTP) host name of the CA server.
- * Returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(serverName, char)
+/* Set the (HTTP) host name of the CMP server */
+DEFINE_OSSL_CMP_CTX_set1(server, char)
-/*
- * Sets the (HTTP) proxy port to be used.
- * Returns 1 on success, 0 on error
- */
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->proxyPort = port;
- return 1;
-}
+/* Set the server exclusion list of the HTTP proxy server */
+DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
-/*
- * sets the http connect/disconnect callback function to be used for HTTP(S)
- * returns 1 on success, 0 on error
- */
+/* Set the http connect/disconnect callback function to be used for HTTP(S) */
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
{
if (ctx == NULL) {
return 1;
}
-/*
- * Set argument optionally to be used by the http connect/disconnect callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the http connect/disconnect callback */
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
return ctx->http_cb_arg;
}
-/*
- * Set callback function for sending CMP request and receiving response.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for sending CMP request and receiving response */
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
{
if (ctx == NULL) {
return 1;
}
-/*
- * Set argument optionally to be used by the transfer callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the transfer callback */
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
return ctx->transfer_cb_arg;
}
-/*
- * Sets the (HTTP) server port to be used.
- * Returns 1 on success, 0 on error
- */
+/** Set the HTTP server port to be used */
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
{
if (ctx == NULL) {
return 1;
}
-/*
- * Sets the HTTP path to be used on the server (e.g "pkix/").
- * Returns 1 on success, 0 on error
- */
+/* Set the HTTP path to be used on the server (e.g "pkix/") */
DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
-/*
- * Set the failInfo error code as bit encoding in OSSL_CMP_CTX.
- * Returns 1 on success, 0 on error
- */
+/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
{
if (!ossl_assert(ctx != NULL))
return ctx->failInfoCode;
}
-/*
- * Sets a Boolean or integer option of the context to the "val" arg.
- * Returns 1 on success, 0 on error
- */
+/* Set a Boolean or integer option of the context to the "val" arg */
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
{
int min_val;
break;
}
if (val < min_val) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ CMPerr(0, CMP_R_VALUE_TOO_SMALL);
return 0;
}
switch (opt) {
case OSSL_CMP_OPT_LOG_VERBOSITY:
- if (val > OSSL_CMP_LOG_DEBUG) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ if (val > OSSL_CMP_LOG_MAX) {
+ CMPerr(0, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->log_verbosity = val;
break;
case OSSL_CMP_OPT_POPO_METHOD:
if (val > OSSL_CRMF_POPO_KEYAGREE) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ CMPerr(0, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->popoMethod = val;
break;
case OSSL_CMP_OPT_DIGEST_ALGNID:
- ctx->digest = val;
+ if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
+ return 0;
break;
case OSSL_CMP_OPT_OWF_ALGNID:
- ctx->pbm_owf = val;
+ if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
+ return 0;
break;
case OSSL_CMP_OPT_MAC_ALGNID:
ctx->pbm_mac = val;
break;
case OSSL_CMP_OPT_REVOCATION_REASON:
if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ CMPerr(0, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->revocationReason = val;
break;
default:
- CMPerr(0, CMP_R_INVALID_ARGS);
+ CMPerr(0, CMP_R_INVALID_OPTION);
return 0;
}
case OSSL_CMP_OPT_POPO_METHOD:
return ctx->popoMethod;
case OSSL_CMP_OPT_DIGEST_ALGNID:
- return ctx->digest;
+ return EVP_MD_type(ctx->digest);
case OSSL_CMP_OPT_OWF_ALGNID:
- return ctx->pbm_owf;
+ return EVP_MD_type(ctx->pbm_owf);
case OSSL_CMP_OPT_MAC_ALGNID:
return ctx->pbm_mac;
case OSSL_CMP_OPT_MSG_TIMEOUT:
case OSSL_CMP_OPT_REVOCATION_REASON:
return ctx->revocationReason;
default:
- CMPerr(0, CMP_R_INVALID_ARGS);
+ CMPerr(0, CMP_R_INVALID_OPTION);
return -1;
}
}
projects / openssl.git / blobdiff