CMP: fix handling of unset or missing failInfo PKI status information

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19205)
Dr. David von Oheimb 2022-09-13 22:22:48 +02:00 committed by Dr. David von Oheimb
parent 19ddcc4cbb
commit cba0e2afd6
3 changed files with 8 additions and 12 deletions


@ -97,13 +97,7 @@ static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si)
if (ctx->status < OSSL_CMP_PKISTATUS_accepted)
return 0;
ctx->failInfoCode = 0;
if (si->failInfo != NULL) {
for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) {
if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
ctx->failInfoCode |= (1 << i);
}
}
ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si);
if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null())
|| (ctx->statusString == NULL))
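Review bot: The new assignment `ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si);` also stores the helper's -1, which it returns when `si` is NULL after the `ossl_assert` fails, and the POD change in this commit defines -1 on `OSSL_CMP_CTX_get_failInfoCode()` as "no such response was received", so an internal error and "no response yet" would become indistinguishable to callers if `si` could ever be NULL here. The earlier part of save_statusInfo is outside the hunk; if it already guarantees `si != NULL`, a one-line comment on the new line saying so, e.g. `/* si != NULL here, so the helper's -1 (internal error) cannot reach callers */`, would make that reachable by inspection, otherwise a `si != NULL` check before the call is worth adding. Whether a present response with no failInfo yields 0 or -1 now depends on the helper's initial `res`, which the hunk in cmp_status.c does not show, so that contract would also be worth stating on this line.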


@ -73,6 +73,7 @@ int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
if (!ossl_assert(si != NULL))
return -1;
if (si->failInfo != NULL)
for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
res |= 1 << i;
@ -193,7 +194,7 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
* failInfo is optional and may be empty;
* if present, print failInfo before statusString because it is more concise
*/
if (fail_info != 0) {
if (fail_info != -1 && fail_info != 0) {
printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
ADVANCE_BUFFER;
for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
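Review bot: The new condition `if (fail_info != -1 && fail_info != 0) {` introduces -1 as a sentinel whose meaning appears only in the POD change of this commit, so a comment beside it would keep that next to the code, e.g. `/* -1: failInfo unset (no response received / reinit); 0: no failure bit set */`; without the -1 check the loop below would otherwise treat every bit of -1 as a set failure flag and print them all. In the first hunk of this file the added `if (si->failInfo != NULL)` wraps an unbraced `for` that wraps an unbraced `if`, three nesting levels with no braces, whereas the copy deleted from save_statusInfo in this commit braced the `for` body, so bracing here would keep the two consistent and avoid the dangling-statement hazard. The value that hunk returns for a present response with no failInfo depends on the initializer of `res`, which is outside the hunk; since that distinction is what this commit is about, a comment on the `if (si->failInfo != NULL)` line stating the result for the absent case would help the next reader.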


@ -660,7 +660,8 @@ OSSL_CMP_CTX_get0_statusString() returns the statusString from the last received
CertRepMessage or Revocation Response or error message, or NULL if unset.
OSSL_CMP_CTX_get_failInfoCode() returns the error code from the failInfo field
of the last received CertRepMessage or Revocation Response or error message.
of the last received CertRepMessage or Revocation Response or error message,
or -1 if no such response was received or OSSL_CMP_CTX_reinit() has been called.
This is a bit field and the flags for it are specified in the header file
F<< <openssl/cmp.h> >>.
The flags start with OSSL_CMP_CTX_FAILINFO, for example: