From d803930448476c3a6c50904b1cfb5ef20433652f Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Tue, 31 Mar 2020 16:04:55 +0200
Subject: [PATCH] Fix misleading error msg for PBM check w/o secret in OSSL_CMP_validate_msg()
Reviewed-by: Matt Caswell
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/11448)
---
 crypto/cmp/cmp_err.c | 7 +++----
 crypto/cmp/cmp_vfy.c | 5 +++++
 crypto/err/openssl.txt | 1 +
 include/openssl/cmperr.h | 1 +
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index d64d60bf1d..0f06fb3b42 100644
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -33,6 +33,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
 "cert and key do not match"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_CHECKAFTER_OUT_OF_RANGE),
 "checkafter out of range"},
+ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE),
+ "checking pbm no secret available"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ENCOUNTERED_KEYUPDATEWARNING),
 "encountered keyupdatewarning"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ENCOUNTERED_WAITING),
@@ -64,8 +66,6 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_RR), "error creating rr"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PARSING_PKISTATUS),
 "error parsing pkistatus"},
- {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PARSING_PKISTATUS),
- "error parsing pkistatus"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PROCESSING_MESSAGE),
 "error processing message"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_PROTECTING_MESSAGE),
@@ -110,8 +110,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_POLLING_FAILED), "polling failed"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE),
 "potentially invalid certificate"},
- {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECEIVED_ERROR),
- "received error"},
+ {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECEIVED_ERROR), "received error"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_RECIPNONCE_UNMATCHED),
 "recipnonce unmatched"},
 {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_REQUEST_NOT_ACCEPTED),
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 8980d72fd4..11688059da 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -577,6 +577,11 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
 switch (nid) {
 /* 5.1.3.1. Shared Secret Information */
 case NID_id_PasswordBasedMAC:
+ if (ctx->secretValue == 0) {
+ CMPerr(0, CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE);
+ break;
+ }
+
 if (verify_PBMAC(msg, ctx->secretValue)) {
 /*
 * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index f467ea909f..80b92f8476 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2088,6 +2088,7 @@ CMP_R_CERTREQMSG_NOT_FOUND:157:certreqmsg not found
 CMP_R_CERTRESPONSE_NOT_FOUND:113:certresponse not found
 CMP_R_CERT_AND_KEY_DO_NOT_MATCH:114:cert and key do not match
 CMP_R_CHECKAFTER_OUT_OF_RANGE:181:checkafter out of range
+CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE:166:checking pbm no secret available
 CMP_R_ENCOUNTERED_KEYUPDATEWARNING:176:encountered keyupdatewarning
 CMP_R_ENCOUNTERED_WAITING:162:encountered waiting
 CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection
diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index c11f372ab5..312fa52932 100644
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
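Review bot: In the crypto/cmp/cmp_vfy.c hunk, the new guard in OSSL_CMP_validate_msg() compares `ctx->secretValue` with `0`; the value is handed to verify_PBMAC() as the shared secret and is presumably a pointer, so `if (ctx->secretValue == NULL) {` would state the intent more clearly. The `break` leaves the switch with only an error queued, so rejection of the message depends on the failure return after the switch, which lies outside the hunk and should be confirmed to return 0. A short comment above the check, such as `/* no shared secret configured: validation must fail, never fall through to acceptance */`, would make that fail-closed intent explicit. The diffstat lists no test file, so a regression test that validates a PBM-protected message on a context without a secret and expects failure with CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE would pin this behaviour.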
@@ -44,6 +44,7 @@ int ERR_load_CMP_strings(void);
 # define CMP_R_CERTRESPONSE_NOT_FOUND 113
 # define CMP_R_CERT_AND_KEY_DO_NOT_MATCH 114
 # define CMP_R_CHECKAFTER_OUT_OF_RANGE 181
+# define CMP_R_CHECKING_PBM_NO_SECRET_AVAILABLE 166
 # define CMP_R_ENCOUNTERED_KEYUPDATEWARNING 176
 # define CMP_R_ENCOUNTERED_WAITING 162
 # define CMP_R_ERROR_CALCULATING_PROTECTION 115
--
2.25.1