diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-01-04 13:45:57 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2024-01-17 15:03:41 +0100 |
commit | f21409fadf0e50130023656acc3ab72f8f72ff64 (patch) | |
tree | c52bec20ee9adb904a7957082d26c51c400db90d /crypto | |
parent | 657109aceabd941bd4862712a5379112f7802839 (diff) | |
download | openssl-f21409fadf0e50130023656acc3ab72f8f72ff64.tar.gz |
ossl_cmp_msg_check_update(): improve diagnostics of checking expected sender name
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19948)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/cmp/cmp_err.c | 1 | ||||
-rw-r--r-- | crypto/cmp/cmp_vfy.c | 41 | ||||
-rw-r--r-- | crypto/err/openssl.txt | 1 |
3 files changed, 28 insertions, 15 deletions
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c index 6c2588d4d4..30095aa7c5 100644 --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -152,6 +152,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { "unexpected pkistatus"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_POLLREQ), "unexpected pollreq"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PVNO), "unexpected pvno"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_SENDER), "unexpected sender"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_ALGORITHM_ID), "unknown algorithm id"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_CERT_TYPE), "unknown cert type"}, diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 39fca416ee..5c5cd456dd 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -175,8 +175,8 @@ static int check_name(const OSSL_CMP_CTX *ctx, int log_success, str = X509_NAME_oneline(actual_name, NULL, 0); if (X509_NAME_cmp(actual_name, expect_name) == 0) { if (log_success && str != NULL) - ossl_cmp_log2(INFO, ctx, " subject matches %s: %s", expect_desc, - str); + ossl_cmp_log3(INFO, ctx, " %s matches %s: %s", + actual_desc, expect_desc, str); OPENSSL_free(str); return 1; } @@ -711,22 +711,33 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, return 0; hdr = OSSL_CMP_MSG_get0_header(msg); - /* validate sender name of received msg */ - if (hdr->sender->type != GEN_DIRNAME) { - ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); - return 0; - } - /* - * Compare actual sender name of response with expected sender name. - * Mitigates risk to accept misused PBM secret - * or misused certificate of an unauthorized entity of a trusted hierarchy. - */ + /* If expected_sender is given, validate sender name of received msg */ expected_sender = ctx->expected_sender; if (expected_sender == NULL && ctx->srvCert != NULL) expected_sender = X509_get_subject_name(ctx->srvCert); - if (!check_name(ctx, 0, "sender DN field", hdr->sender->d.directoryName, - "expected sender", expected_sender)) - return 0; + if (expected_sender != NULL) { + const X509_NAME *actual_sender; + char *str; + + if (hdr->sender->type != GEN_DIRNAME) { + ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); + return 0; + } + actual_sender = hdr->sender->d.directoryName; + /* + * Compare actual sender name of response with expected sender name. + * Mitigates risk of accepting misused PBM secret or + * misused certificate of an unauthorized entity of a trusted hierarchy. + */ + if (!check_name(ctx, 0, "sender DN field", actual_sender, + "expected sender", expected_sender)) { + str = X509_NAME_oneline(actual_sender, NULL, 0); + ERR_raise_data(ERR_LIB_CMP, CMP_R_UNEXPECTED_SENDER, + str != NULL ? str : "<unknown>"); + OPENSSL_free(str); + return 0; + } + } /* Note: if recipient was NULL-DN it could be learned here if needed */ num_added = sk_X509_num(msg->extraCerts); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index fd6b128a2a..b999ec3363 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -278,6 +278,7 @@ CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody CMP_R_UNEXPECTED_PKISTATUS:185:unexpected pkistatus CMP_R_UNEXPECTED_POLLREQ:105:unexpected pollreq CMP_R_UNEXPECTED_PVNO:153:unexpected pvno +CMP_R_UNEXPECTED_SENDER:104:unexpected sender CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type CMP_R_UNKNOWN_PKISTATUS:186:unknown pkistatus |