Streamline the approach to set CMP message recipient and expected sender

Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11998)
2024-11-27 05:21:51 +08:00 · 2020-05-19 12:30:11 +02:00 · 2020-05-19 12:30:11 +02:00 · b27ff9b87c
commit b27ff9b87c
parent ce0465edc7
3 changed files with 16 additions and 13 deletions
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@ -309,23 +309,22 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
        return 0;

    /* determine recipient entry in PKIHeader */
-    if (ctx->srvCert != NULL) {
-        rcp = X509_get_subject_name(ctx->srvCert);
-        /* set also as expected_sender of responses unless set explicitly */
-        if (ctx->expected_sender == NULL && rcp != NULL
-                && !OSSL_CMP_CTX_set1_expected_sender(ctx, rcp))
-            return 0;
-    } else if (ctx->recipient != NULL) {
+    if (ctx->recipient != NULL)
        rcp = ctx->recipient;
-    } else if (ctx->issuer != NULL) {
+    else if (ctx->srvCert != NULL)
+        rcp = X509_get_subject_name(ctx->srvCert);
+    else if (ctx->issuer != NULL)
        rcp = ctx->issuer;
-    } else if (ctx->oldCert != NULL) {
+    else if (ctx->oldCert != NULL)
        rcp = X509_get_issuer_name(ctx->oldCert);
-    } else if (ctx->cert != NULL) {
+    else if (ctx->cert != NULL)
        rcp = X509_get_issuer_name(ctx->cert);
-    }
    if (!ossl_cmp_hdr_set1_recipient(hdr, rcp))
        return 0;
+    /* set also as expected_sender of responses unless set explicitly */
+    if (ctx->expected_sender == NULL && rcp != NULL
+        && !OSSL_CMP_CTX_set1_expected_sender(ctx, rcp))
+        return 0;

    /* set current time as message time */
    if (!ossl_cmp_hdr_update_messageTime(hdr))
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@ -228,7 +228,7 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
    X509_EXTENSIONS *exts = NULL;

    if (rkey == NULL)
-        rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
+        rkey = ctx->pkey; /* default is independent of ctx->oldCert */
    if (rkey == NULL) {
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
        CMPerr(0, CMP_R_NULL_ARGUMENT);
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@ -559,6 +559,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
    int nid = NID_undef, pk_nid = NID_undef;
    const ASN1_OBJECT *algorOID = NULL;
    X509 *scrt;
+    const X509_NAME *expected_sender;

    if (ctx == NULL || msg == NULL
            || msg->header == NULL || msg->body == NULL) {
@ -642,9 +643,12 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
         * Mitigates risk to accept misused certificate of an unauthorized
         * entity of a trusted hierarchy.
         */
+        expected_sender = ctx->expected_sender;
+        if (expected_sender == NULL && ctx->srvCert != NULL)
+            expected_sender = X509_get_subject_name(ctx->srvCert);
        if (!check_name(ctx, "sender DN field",
                        msg->header->sender->d.directoryName,
-                        "expected sender", ctx->expected_sender))
+                        "expected sender", expected_sender))
            break;
        /* Note: if recipient was NULL-DN it could be learned here if needed */