OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs

Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19216)
2025-01-18 13:44:20 +08:00 · 2022-09-14 17:37:27 +02:00 · 2022-09-14 17:37:27 +02:00 · 1c04866c67
commit 1c04866c67
parent 7e3034939b
4 changed files with 28 additions and 12 deletions
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@ -324,7 +324,7 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
        return 0;
    }
-    if (ctx->sendError) {
+    if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) {
        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
        return 0;
    }
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@ -148,6 +148,13 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
    return NULL;
 }

+#define OSSL_CMP_ITAVs_free(itavs) \
+    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+    sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
 /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 {
@ -164,6 +171,9 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
    ctx->status = OSSL_CMP_PKISTATUS_unspecified;
    ctx->failInfoCode = -1;

+    OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
+    ctx->genm_ITAVs = NULL;
+
    return ossl_cmp_ctx_set0_statusString(ctx, NULL)
        && ossl_cmp_ctx_set0_newCert(ctx, NULL)
        && ossl_cmp_ctx_set1_newChain(ctx, NULL)
@ -175,13 +185,6 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
        && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
 }

-#define OSSL_CMP_ITAVs_free(itavs) \
-    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-#define X509_EXTENSIONS_free(exts) \
-    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
-#define OSSL_CMP_PKIFREETEXT_free(text) \
-    sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
-
 /* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
 void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 {
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@ -188,6 +188,7 @@ OSSL_CMP_CTX_reinit() prepares the given I<ctx> for a further transaction by
 clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
 and any previous results (newCert, newChain, caPubs, and extraCertsIn)
 from the last executed transaction.
+It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV().
 All other field values (i.e., CMP options) are retained for potential re-use.

 OSSL_CMP_CTX_get0_libctx() returns the I<libctx> argument that was used
@ -731,7 +732,8 @@ OSSL_CMP_certConf_cb() returns I<fail_info> if it is not equal to 0,
 else 0 on successful validation,
 or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set.

-All other functions return 1 on success, 0 on error.
+All other functions, including OSSL_CMP_CTX_reinit(),
+return 1 on success, 0 on error.

 =head1 EXAMPLES

@ -787,7 +789,7 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents:
    OSSL_CMP_CTX_reinit(cmp_ctx);

    ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
-    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL);
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
    OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);

    STACK_OF(OSSL_CMP_ITAV) *itavs;
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@ -94,9 +94,13 @@ static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
                       OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
 }

-static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+static int execute_exec_GENM_ses_test_single(CMP_SES_TEST_FIXTURE *fixture)
 {
-    STACK_OF(OSSL_CMP_ITAV) *itavs = NULL;
+    ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
+    STACK_OF(OSSL_CMP_ITAV) *itavs;
+
+    OSSL_CMP_CTX_push0_genm_ITAV(fixture->cmp_ctx, itav);

    if (!TEST_ptr(itavs = OSSL_CMP_exec_GENM_ses(fixture->cmp_ctx)))
        return 0;
@ -104,6 +108,13 @@ static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
    return 1;
 }

+static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+{
+    return execute_exec_GENM_ses_test_single(fixture)
+        && OSSL_CMP_CTX_reinit(fixture->cmp_ctx)
+        && execute_exec_GENM_ses_test_single(fixture);
+}
+
 static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 {
    X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx,