cmp_server.c 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770
  1. /*
  2. * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* general CMP server functions */
  12. #include <openssl/asn1t.h>
  13. #include "cmp_local.h"
  14. /* explicit #includes not strictly needed since implied by the above: */
  15. #include <openssl/cmp.h>
  16. #include <openssl/err.h>
  17. /* the context for the generic CMP server */
  18. struct ossl_cmp_srv_ctx_st
  19. {
  20. OSSL_CMP_CTX *ctx; /* CMP client context reused for transactionID etc. */
  21. void *custom_ctx; /* application-specific server context */
  22. int certReqId; /* of ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */
  23. int polling; /* current transaction is in polling mode */
  24. OSSL_CMP_SRV_cert_request_cb_t process_cert_request;
  25. OSSL_CMP_SRV_rr_cb_t process_rr;
  26. OSSL_CMP_SRV_genm_cb_t process_genm;
  27. OSSL_CMP_SRV_error_cb_t process_error;
  28. OSSL_CMP_SRV_certConf_cb_t process_certConf;
  29. OSSL_CMP_SRV_pollReq_cb_t process_pollReq;
  30. OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery;
  31. OSSL_CMP_SRV_clean_transaction_cb_t clean_transaction;
  32. int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */
  33. int acceptUnprotected; /* Accept requests with no/invalid prot. */
  34. int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */
  35. int grantImplicitConfirm; /* Grant implicit confirmation if requested */
  36. }; /* OSSL_CMP_SRV_CTX */
  37. void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx)
  38. {
  39. if (srv_ctx == NULL)
  40. return;
  41. OSSL_CMP_CTX_free(srv_ctx->ctx);
  42. OPENSSL_free(srv_ctx);
  43. }
  44. OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
  45. {
  46. OSSL_CMP_SRV_CTX *ctx = OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX));
  47. if (ctx == NULL)
  48. goto err;
  49. if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL)
  50. goto err;
  51. ctx->certReqId = OSSL_CMP_CERTREQID_INVALID;
  52. ctx->polling = 0;
  53. /* all other elements are initialized to 0 or NULL, respectively */
  54. return ctx;
  55. err:
  56. OSSL_CMP_SRV_CTX_free(ctx);
  57. return NULL;
  58. }
  59. int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
  60. OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
  61. OSSL_CMP_SRV_rr_cb_t process_rr,
  62. OSSL_CMP_SRV_genm_cb_t process_genm,
  63. OSSL_CMP_SRV_error_cb_t process_error,
  64. OSSL_CMP_SRV_certConf_cb_t process_certConf,
  65. OSSL_CMP_SRV_pollReq_cb_t process_pollReq)
  66. {
  67. if (srv_ctx == NULL) {
  68. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  69. return 0;
  70. }
  71. srv_ctx->custom_ctx = custom_ctx;
  72. srv_ctx->process_cert_request = process_cert_request;
  73. srv_ctx->process_rr = process_rr;
  74. srv_ctx->process_genm = process_genm;
  75. srv_ctx->process_error = process_error;
  76. srv_ctx->process_certConf = process_certConf;
  77. srv_ctx->process_pollReq = process_pollReq;
  78. return 1;
  79. }
  80. int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx,
  81. OSSL_CMP_SRV_delayed_delivery_cb_t delay,
  82. OSSL_CMP_SRV_clean_transaction_cb_t clean)
  83. {
  84. if (srv_ctx == NULL) {
  85. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  86. return 0;
  87. }
  88. srv_ctx->delayed_delivery = delay;
  89. srv_ctx->clean_transaction = clean;
  90. return 1;
  91. }
  92. OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
  93. {
  94. if (srv_ctx == NULL) {
  95. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  96. return NULL;
  97. }
  98. return srv_ctx->ctx;
  99. }
  100. void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
  101. {
  102. if (srv_ctx == NULL) {
  103. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  104. return NULL;
  105. }
  106. return srv_ctx->custom_ctx;
  107. }
  108. int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
  109. int val)
  110. {
  111. if (srv_ctx == NULL) {
  112. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  113. return 0;
  114. }
  115. srv_ctx->sendUnprotectedErrors = val != 0;
  116. return 1;
  117. }
  118. int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val)
  119. {
  120. if (srv_ctx == NULL) {
  121. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  122. return 0;
  123. }
  124. srv_ctx->acceptUnprotected = val != 0;
  125. return 1;
  126. }
  127. int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val)
  128. {
  129. if (srv_ctx == NULL) {
  130. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  131. return 0;
  132. }
  133. srv_ctx->acceptRAVerified = val != 0;
  134. return 1;
  135. }
  136. int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
  137. int val)
  138. {
  139. if (srv_ctx == NULL) {
  140. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  141. return 0;
  142. }
  143. srv_ctx->grantImplicitConfirm = val != 0;
  144. return 1;
  145. }
  146. /* return error msg with waiting status if polling is initiated, else NULL */
  147. static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
  148. const OSSL_CMP_MSG *req)
  149. {
  150. int ret;
  151. unsigned long err;
  152. int status = OSSL_CMP_PKISTATUS_waiting,
  153. fail_info = 0, errorCode = 0;
  154. const char *txt = NULL, *details = NULL;
  155. OSSL_CMP_PKISI *si;
  156. OSSL_CMP_MSG *msg;
  157. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL
  158. && srv_ctx->delayed_delivery != NULL))
  159. return NULL;
  160. ret = srv_ctx->delayed_delivery(srv_ctx, req);
  161. if (ret == 0)
  162. return NULL;
  163. if (ret == 1) {
  164. srv_ctx->polling = 1;
  165. } else {
  166. status = OSSL_CMP_PKISTATUS_rejection;
  167. fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_systemFailure;
  168. txt = "server application error";
  169. err = ERR_peek_error();
  170. errorCode = ERR_GET_REASON(err);
  171. details = ERR_reason_error_string(err);
  172. }
  173. si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt);
  174. if (si == NULL)
  175. return NULL;
  176. msg = ossl_cmp_error_new(srv_ctx->ctx, si, errorCode, details,
  177. srv_ctx->sendUnprotectedErrors);
  178. OSSL_CMP_PKISI_free(si);
  179. return msg;
  180. }
  181. /*
  182. * Processes an ir/cr/p10cr/kur and returns a certification response.
  183. * Only handles the first certification request contained in req
  184. * returns an ip/cp/kup on success and NULL on error
  185. */
  186. static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
  187. const OSSL_CMP_MSG *req)
  188. {
  189. OSSL_CMP_MSG *msg = NULL;
  190. OSSL_CMP_PKISI *si = NULL;
  191. X509 *certOut = NULL;
  192. STACK_OF(X509) *chainOut = NULL, *caPubs = NULL;
  193. const OSSL_CRMF_MSG *crm = NULL;
  194. const X509_REQ *p10cr = NULL;
  195. int bodytype;
  196. int certReqId;
  197. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  198. return NULL;
  199. switch (OSSL_CMP_MSG_get_bodytype(req)) {
  200. case OSSL_CMP_PKIBODY_P10CR:
  201. case OSSL_CMP_PKIBODY_CR:
  202. bodytype = OSSL_CMP_PKIBODY_CP;
  203. break;
  204. case OSSL_CMP_PKIBODY_IR:
  205. bodytype = OSSL_CMP_PKIBODY_IP;
  206. break;
  207. case OSSL_CMP_PKIBODY_KUR:
  208. bodytype = OSSL_CMP_PKIBODY_KUP;
  209. break;
  210. default:
  211. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  212. return NULL;
  213. }
  214. if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) {
  215. certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */
  216. p10cr = req->body->value.p10cr;
  217. } else {
  218. OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */
  219. if (sk_OSSL_CRMF_MSG_num(reqs) != 1) {
  220. ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
  221. return NULL;
  222. }
  223. if ((crm = sk_OSSL_CRMF_MSG_value(reqs, 0)) == NULL) {
  224. ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND);
  225. return NULL;
  226. }
  227. certReqId = OSSL_CRMF_MSG_get_certReqId(crm);
  228. if (certReqId != OSSL_CMP_CERTREQID) { /* so far, only possible value */
  229. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  230. return NULL;
  231. }
  232. }
  233. srv_ctx->certReqId = certReqId;
  234. if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) {
  235. /* Proof of possession could not be verified */
  236. si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
  237. 1 << OSSL_CMP_PKIFAILUREINFO_badPOP,
  238. ERR_reason_error_string(ERR_peek_error()));
  239. if (si == NULL)
  240. return NULL;
  241. } else {
  242. OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req);
  243. si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr,
  244. &certOut, &chainOut, &caPubs);
  245. if (si == NULL)
  246. goto err;
  247. if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting)
  248. srv_ctx->polling = 1;
  249. /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */
  250. if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx,
  251. OSSL_CMP_OPT_IMPLICIT_CONFIRM,
  252. ossl_cmp_hdr_has_implicitConfirm(hdr)
  253. && srv_ctx->grantImplicitConfirm
  254. /* do not set if polling starts: */
  255. && certOut != NULL))
  256. goto err;
  257. }
  258. msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
  259. certOut, NULL /* enc */, chainOut, caPubs,
  260. srv_ctx->sendUnprotectedErrors);
  261. /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */
  262. if (msg == NULL)
  263. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
  264. err:
  265. OSSL_CMP_PKISI_free(si);
  266. X509_free(certOut);
  267. OSSL_STACK_OF_X509_free(chainOut);
  268. OSSL_STACK_OF_X509_free(caPubs);
  269. return msg;
  270. }
  271. static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
  272. const OSSL_CMP_MSG *req)
  273. {
  274. OSSL_CMP_MSG *msg = NULL;
  275. OSSL_CMP_REVDETAILS *details;
  276. OSSL_CRMF_CERTID *certId = NULL;
  277. OSSL_CRMF_CERTTEMPLATE *tmpl;
  278. const X509_NAME *issuer;
  279. const ASN1_INTEGER *serial;
  280. OSSL_CMP_PKISI *si;
  281. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  282. return NULL;
  283. if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) {
  284. ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
  285. return NULL;
  286. }
  287. details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr, 0);
  288. if (details == NULL) {
  289. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  290. return NULL;
  291. }
  292. tmpl = details->certDetails;
  293. issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
  294. serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
  295. if (issuer != NULL && serial != NULL
  296. && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
  297. return NULL;
  298. if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
  299. goto err;
  300. if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId,
  301. srv_ctx->sendUnprotectedErrors)) == NULL)
  302. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
  303. err:
  304. OSSL_CRMF_CERTID_free(certId);
  305. OSSL_CMP_PKISI_free(si);
  306. return msg;
  307. }
  308. /*
  309. * Processes genm and creates a genp message mirroring the contents of the
  310. * incoming message
  311. */
  312. static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
  313. const OSSL_CMP_MSG *req)
  314. {
  315. OSSL_CMP_GENMSGCONTENT *itavs;
  316. OSSL_CMP_MSG *msg;
  317. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  318. return NULL;
  319. if (!srv_ctx->process_genm(srv_ctx, req, req->body->value.genm, &itavs))
  320. return NULL;
  321. msg = ossl_cmp_genp_new(srv_ctx->ctx, itavs);
  322. sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
  323. return msg;
  324. }
  325. static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx,
  326. const OSSL_CMP_MSG *req)
  327. {
  328. OSSL_CMP_ERRORMSGCONTENT *errorContent;
  329. OSSL_CMP_MSG *msg;
  330. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  331. return NULL;
  332. errorContent = req->body->value.error;
  333. srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo,
  334. errorContent->errorCode, errorContent->errorDetails);
  335. if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL)
  336. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  337. return msg;
  338. }
  339. static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
  340. const OSSL_CMP_MSG *req)
  341. {
  342. OSSL_CMP_CTX *ctx;
  343. OSSL_CMP_CERTCONFIRMCONTENT *ccc;
  344. int num;
  345. OSSL_CMP_MSG *msg = NULL;
  346. OSSL_CMP_CERTSTATUS *status = NULL;
  347. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  348. return NULL;
  349. ctx = srv_ctx->ctx;
  350. ccc = req->body->value.certConf;
  351. num = sk_OSSL_CMP_CERTSTATUS_num(ccc);
  352. if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1
  353. || ctx->status != OSSL_CMP_PKISTATUS_trans) {
  354. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF);
  355. return NULL;
  356. }
  357. if (num == 0) {
  358. ossl_cmp_err(ctx, "certificate rejected by client");
  359. } else {
  360. if (num > 1)
  361. ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored");
  362. status = sk_OSSL_CMP_CERTSTATUS_value(ccc, 0);
  363. }
  364. if (status != NULL) {
  365. int certReqId = ossl_cmp_asn1_get_int(status->certReqId);
  366. ASN1_OCTET_STRING *certHash = status->certHash;
  367. OSSL_CMP_PKISI *si = status->statusInfo;
  368. if (certReqId != srv_ctx->certReqId) {
  369. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  370. return NULL;
  371. }
  372. if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si))
  373. return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */
  374. if (si != NULL
  375. && ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_accepted) {
  376. int pki_status = ossl_cmp_pkisi_get_status(si);
  377. const char *str = ossl_cmp_PKIStatus_to_string(pki_status);
  378. ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s",
  379. str == NULL ? "without" : "with",
  380. str == NULL ? "PKIStatus" : str);
  381. }
  382. }
  383. if ((msg = ossl_cmp_pkiconf_new(ctx)) == NULL)
  384. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  385. return msg;
  386. }
  387. /* pollReq is handled separately, to avoid recursive call */
  388. static OSSL_CMP_MSG *process_non_polling_request(OSSL_CMP_SRV_CTX *srv_ctx,
  389. const OSSL_CMP_MSG *req)
  390. {
  391. OSSL_CMP_MSG *rsp = NULL;
  392. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL
  393. && req->body != NULL))
  394. return NULL;
  395. switch (OSSL_CMP_MSG_get_bodytype(req)) {
  396. case OSSL_CMP_PKIBODY_IR:
  397. case OSSL_CMP_PKIBODY_CR:
  398. case OSSL_CMP_PKIBODY_P10CR:
  399. case OSSL_CMP_PKIBODY_KUR:
  400. if (srv_ctx->process_cert_request == NULL)
  401. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  402. else
  403. rsp = process_cert_request(srv_ctx, req);
  404. break;
  405. case OSSL_CMP_PKIBODY_RR:
  406. if (srv_ctx->process_rr == NULL)
  407. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  408. else
  409. rsp = process_rr(srv_ctx, req);
  410. break;
  411. case OSSL_CMP_PKIBODY_GENM:
  412. if (srv_ctx->process_genm == NULL)
  413. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  414. else
  415. rsp = process_genm(srv_ctx, req);
  416. break;
  417. case OSSL_CMP_PKIBODY_ERROR:
  418. if (srv_ctx->process_error == NULL)
  419. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  420. else
  421. rsp = process_error(srv_ctx, req);
  422. break;
  423. case OSSL_CMP_PKIBODY_CERTCONF:
  424. if (srv_ctx->process_certConf == NULL)
  425. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  426. else
  427. rsp = process_certConf(srv_ctx, req);
  428. break;
  429. case OSSL_CMP_PKIBODY_POLLREQ:
  430. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  431. break;
  432. default:
  433. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  434. break;
  435. }
  436. return rsp;
  437. }
  438. static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
  439. const OSSL_CMP_MSG *req)
  440. {
  441. OSSL_CMP_POLLREQCONTENT *prc;
  442. OSSL_CMP_POLLREQ *pr;
  443. int certReqId;
  444. OSSL_CMP_MSG *orig_req;
  445. int64_t check_after = 0;
  446. OSSL_CMP_MSG *msg = NULL;
  447. if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
  448. return NULL;
  449. if (!srv_ctx->polling) {
  450. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  451. return NULL;
  452. }
  453. prc = req->body->value.pollReq;
  454. if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) {
  455. ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
  456. return NULL;
  457. }
  458. pr = sk_OSSL_CMP_POLLREQ_value(prc, 0);
  459. certReqId = ossl_cmp_asn1_get_int(pr->certReqId);
  460. if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
  461. &orig_req, &check_after))
  462. return NULL;
  463. if (orig_req != NULL) {
  464. srv_ctx->polling = 0;
  465. msg = process_non_polling_request(srv_ctx, orig_req);
  466. OSSL_CMP_MSG_free(orig_req);
  467. } else {
  468. if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId,
  469. check_after)) == NULL)
  470. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
  471. }
  472. return msg;
  473. }
  474. /*
  475. * Determine whether missing/invalid protection of request message is allowed.
  476. * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error.
  477. */
  478. static int unprotected_exception(const OSSL_CMP_CTX *ctx,
  479. const OSSL_CMP_MSG *req,
  480. int invalid_protection,
  481. int accept_unprotected_requests)
  482. {
  483. if (!ossl_assert(ctx != NULL && req != NULL))
  484. return -1;
  485. if (accept_unprotected_requests) {
  486. ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message",
  487. invalid_protection ? "invalid" : "missing");
  488. return 1;
  489. }
  490. if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR
  491. && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) {
  492. ossl_cmp_warn(ctx, "ignoring missing protection of error message");
  493. return 1;
  494. }
  495. return 0;
  496. }
  497. /*
  498. * returns created message and NULL on internal error
  499. */
  500. OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
  501. const OSSL_CMP_MSG *req)
  502. {
  503. OSSL_CMP_CTX *ctx;
  504. ASN1_OCTET_STRING *backup_secret;
  505. OSSL_CMP_PKIHEADER *hdr;
  506. int req_type, rsp_type;
  507. int req_verified = 0;
  508. OSSL_CMP_MSG *rsp = NULL;
  509. if (srv_ctx == NULL || srv_ctx->ctx == NULL
  510. || req == NULL || req->body == NULL
  511. || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) {
  512. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  513. return 0;
  514. }
  515. ctx = srv_ctx->ctx;
  516. backup_secret = ctx->secretValue;
  517. req_type = OSSL_CMP_MSG_get_bodytype(req);
  518. ossl_cmp_log1(DEBUG, ctx,
  519. "received %s", ossl_cmp_bodytype_to_string(req_type));
  520. /*
  521. * Some things need to be done already before validating the message in
  522. * order to be able to send an error message as far as needed and possible.
  523. */
  524. if (hdr->sender->type != GEN_DIRNAME) {
  525. ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
  526. goto err;
  527. }
  528. if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName))
  529. goto err;
  530. if (srv_ctx->polling && req_type != OSSL_CMP_PKIBODY_POLLREQ
  531. && req_type != OSSL_CMP_PKIBODY_ERROR) {
  532. ERR_raise(ERR_LIB_CMP, CMP_R_EXPECTED_POLLREQ);
  533. goto err;
  534. }
  535. switch (req_type) {
  536. case OSSL_CMP_PKIBODY_IR:
  537. case OSSL_CMP_PKIBODY_CR:
  538. case OSSL_CMP_PKIBODY_P10CR:
  539. case OSSL_CMP_PKIBODY_KUR:
  540. case OSSL_CMP_PKIBODY_RR:
  541. case OSSL_CMP_PKIBODY_GENM:
  542. case OSSL_CMP_PKIBODY_ERROR:
  543. if (ctx->transactionID != NULL) {
  544. char *tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID);
  545. if (tid != NULL)
  546. ossl_cmp_log1(WARN, ctx,
  547. "Assuming that last transaction with ID=%s got aborted",
  548. tid);
  549. OPENSSL_free(tid);
  550. }
  551. /* start of a new transaction, reset transactionID and senderNonce */
  552. if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
  553. || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
  554. goto err;
  555. if (srv_ctx->clean_transaction != NULL
  556. && !srv_ctx->clean_transaction(srv_ctx, NULL)) {
  557. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  558. goto err;
  559. }
  560. break;
  561. default:
  562. /* transactionID should be already initialized */
  563. if (ctx->transactionID == NULL) {
  564. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  565. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  566. goto err;
  567. #endif
  568. }
  569. }
  570. req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception,
  571. srv_ctx->acceptUnprotected);
  572. if (ctx->secretValue != NULL && ctx->pkey != NULL
  573. && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC)
  574. ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */
  575. if (!req_verified)
  576. goto err;
  577. if (req_type == OSSL_CMP_PKIBODY_POLLREQ) {
  578. if (srv_ctx->process_pollReq == NULL)
  579. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY);
  580. else
  581. rsp = process_pollReq(srv_ctx, req);
  582. } else {
  583. if (srv_ctx->delayed_delivery != NULL
  584. && (rsp = delayed_delivery(srv_ctx, req)) != NULL) {
  585. goto err;
  586. }
  587. rsp = process_non_polling_request(srv_ctx, req);
  588. }
  589. err:
  590. if (rsp == NULL) {
  591. /* on error, try to respond with CMP error message to client */
  592. const char *data = NULL, *reason = NULL;
  593. int flags = 0;
  594. unsigned long err = ERR_peek_error_data(&data, &flags);
  595. int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
  596. /* fail_info is not very specific */
  597. OSSL_CMP_PKISI *si = NULL;
  598. if (!req_verified) {
  599. /*
  600. * Above ossl_cmp_msg_check_update() was not successfully executed,
  601. * which normally would set ctx->transactionID and ctx->recipNonce.
  602. * So anyway try to provide the right transactionID and recipNonce,
  603. * while ignoring any (extra) error in next two function calls.
  604. */
  605. if (ctx->transactionID == NULL)
  606. (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID);
  607. (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce);
  608. }
  609. if ((flags & ERR_TXT_STRING) == 0 || *data == '\0')
  610. data = NULL;
  611. reason = ERR_reason_error_string(err);
  612. if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
  613. fail_info, reason)) != NULL) {
  614. rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err,
  615. data, srv_ctx->sendUnprotectedErrors);
  616. OSSL_CMP_PKISI_free(si);
  617. }
  618. }
  619. OSSL_CMP_CTX_print_errors(ctx);
  620. ctx->secretValue = backup_secret;
  621. rsp_type =
  622. rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
  623. if (rsp != NULL)
  624. ossl_cmp_log1(DEBUG, ctx,
  625. "sending %s", ossl_cmp_bodytype_to_string(rsp_type));
  626. else
  627. ossl_cmp_log(ERR, ctx, "cannot send proper CMP response");
  628. /* determine whether to keep the transaction open or not */
  629. ctx->status = OSSL_CMP_PKISTATUS_trans;
  630. switch (rsp_type) {
  631. case OSSL_CMP_PKIBODY_IP:
  632. case OSSL_CMP_PKIBODY_CP:
  633. case OSSL_CMP_PKIBODY_KUP:
  634. if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 0)
  635. break;
  636. /* fall through */
  637. case OSSL_CMP_PKIBODY_ERROR:
  638. if (rsp != NULL && ossl_cmp_is_error_with_waiting(rsp))
  639. break;
  640. /* fall through */
  641. case OSSL_CMP_PKIBODY_RP:
  642. case OSSL_CMP_PKIBODY_PKICONF:
  643. case OSSL_CMP_PKIBODY_GENP:
  644. /* Other terminating response message types are not supported */
  645. srv_ctx->certReqId = OSSL_CMP_CERTREQID_INVALID;
  646. /* Prepare for next transaction, ignoring any errors here: */
  647. if (srv_ctx->clean_transaction != NULL)
  648. (void)srv_ctx->clean_transaction(srv_ctx, ctx->transactionID);
  649. (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
  650. (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
  651. ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */
  652. default: /* not closing transaction in other cases */
  653. break;
  654. }
  655. return rsp;
  656. }
  657. /*
  658. * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client.
  659. * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg.
  660. * returns received message on success, else NULL and pushes an element on the
  661. * error stack.
  662. */
  663. OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx,
  664. const OSSL_CMP_MSG *req)
  665. {
  666. OSSL_CMP_SRV_CTX *srv_ctx = NULL;
  667. if (client_ctx == NULL || req == NULL) {
  668. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  669. return NULL;
  670. }
  671. if ((srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx)) == NULL) {
  672. ERR_raise(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR);
  673. return NULL;
  674. }
  675. return OSSL_CMP_SRV_process_request(srv_ctx, req);
  676. }