Fix misleading error msg for PBM check w/o secret in OSSL_CMP_validate_msg()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11448)

diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index d64d60bf1d6677819f5f338513f9861bdc51b796..0f06fb3b42d81f957ec9eb186fb4739cebe504d9 100644 (file)
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -33,6 +33,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "cert and key do not match"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_CHECKAFTER_OUT_OF_RANGE),
     "checkafter out of range"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE),
+    "checking pbm no secret available"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ENCOUNTERED_KEYUPDATEWARNING),
     "encountered keyupdatewarning"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ENCOUNTERED_WAITING),
@@ -64,8 +66,6 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_RR), "error creating rr"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PARSING_PKISTATUS),
     "error parsing pkistatus"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PARSING_PKISTATUS),
-    "error parsing pkistatus"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PROCESSING_MESSAGE),
     "error processing message"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PROTECTING_MESSAGE),
@@ -110,8 +110,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_POLLING_FAILED), "polling failed"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE),
     "potentially invalid certificate"},
-    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECEIVED_ERROR),
-    "received error"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECEIVED_ERROR), "received error"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECIPNONCE_UNMATCHED),
     "recipnonce unmatched"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_REQUEST_NOT_ACCEPTED),

diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 8980d72fd4003ad42b047c8c06006635b4023807..11688059da210b7fa960c44886a5926b7c871b5c 100644 (file)
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -577,6 +577,11 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
     switch (nid) {
         /* 5.1.3.1.  Shared Secret Information */
     case NID_id_PasswordBasedMAC:
+        if (ctx->secretValue == 0) {
+            CMPerr(0, CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE);
+            break;
+        }
+
         if (verify_PBMAC(msg, ctx->secretValue)) {
             /*
              * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index f467ea909f4dd3646b1a46a7c493a45f5d75e327..80b92f84762a979801413ddc7d868dab28841c5e 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2088,6 +2088,7 @@ CMP_R_CERTREQMSG_NOT_FOUND:157:certreqmsg not found
 CMP_R_CERTRESPONSE_NOT_FOUND:113:certresponse not found
 CMP_R_CERT_AND_KEY_DO_NOT_MATCH:114:cert and key do not match
 CMP_R_CHECKAFTER_OUT_OF_RANGE:181:checkafter out of range
+CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE:166:checking pbm no secret available
 CMP_R_ENCOUNTERED_KEYUPDATEWARNING:176:encountered keyupdatewarning
 CMP_R_ENCOUNTERED_WAITING:162:encountered waiting
 CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection

diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index c11f372ab5003525f54537cd3bd8bb8ac5448813..312fa5293210550084b0969b7abdeeaca6cab32e 100644 (file)
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -44,6 +44,7 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_CERTRESPONSE_NOT_FOUND                     113
 #  define CMP_R_CERT_AND_KEY_DO_NOT_MATCH                  114
 #  define CMP_R_CHECKAFTER_OUT_OF_RANGE                    181
+#  define CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE           166
 #  define CMP_R_ENCOUNTERED_KEYUPDATEWARNING               176
 #  define CMP_R_ENCOUNTERED_WAITING                        162
 #  define CMP_R_ERROR_CALCULATING_PROTECTION               115