ossl_cmp_msg_check_update(): improve diagnostics of checking expected sender name
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19948)
parent
657109acea
commit
f21409fadf
@ -152,6 +152,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
|
||||
"unexpected pkistatus"},
|
||||
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_POLLREQ), "unexpected pollreq"},
|
||||
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PVNO), "unexpected pvno"},
|
||||
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_SENDER), "unexpected sender"},
|
||||
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_ALGORITHM_ID),
|
||||
"unknown algorithm id"},
|
||||
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_CERT_TYPE), "unknown cert type"},
|
||||
|
@ -175,8 +175,8 @@ static int check_name(const OSSL_CMP_CTX *ctx, int log_success,
|
||||
str = X509_NAME_oneline(actual_name, NULL, 0);
|
||||
if (X509_NAME_cmp(actual_name, expect_name) == 0) {
|
||||
if (log_success && str != NULL)
|
||||
ossl_cmp_log2(INFO, ctx, " subject matches %s: %s", expect_desc,
|
||||
str);
|
||||
ossl_cmp_log3(INFO, ctx, " %s matches %s: %s",
|
||||
actual_desc, expect_desc, str);
|
||||
OPENSSL_free(str);
|
||||
return 1;
|
||||
}
|
||||
@ -711,22 +711,33 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
|
||||
return 0;
|
||||
hdr = OSSL_CMP_MSG_get0_header(msg);
|
||||
|
||||
/* validate sender name of received msg */
|
||||
if (hdr->sender->type != GEN_DIRNAME) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
|
||||
return 0;
|
||||
}
|
||||
/*
|
||||
* Compare actual sender name of response with expected sender name.
|
||||
* Mitigates risk to accept misused PBM secret
|
||||
* or misused certificate of an unauthorized entity of a trusted hierarchy.
|
||||
*/
|
||||
/* If expected_sender is given, validate sender name of received msg */
|
||||
expected_sender = ctx->expected_sender;
|
||||
if (expected_sender == NULL && ctx->srvCert != NULL)
|
||||
expected_sender = X509_get_subject_name(ctx->srvCert);
|
||||
if (!check_name(ctx, 0, "sender DN field", hdr->sender->d.directoryName,
|
||||
"expected sender", expected_sender))
|
||||
return 0;
|
||||
if (expected_sender != NULL) {
|
||||
const X509_NAME *actual_sender;
|
||||
char *str;
|
||||
|
||||
if (hdr->sender->type != GEN_DIRNAME) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
|
||||
return 0;
|
||||
}
|
||||
actual_sender = hdr->sender->d.directoryName;
|
||||
/*
|
||||
* Compare actual sender name of response with expected sender name.
|
||||
* Mitigates risk of accepting misused PBM secret or
|
||||
* misused certificate of an unauthorized entity of a trusted hierarchy.
|
||||
*/
|
||||
if (!check_name(ctx, 0, "sender DN field", actual_sender,
|
||||
"expected sender", expected_sender)) {
|
||||
str = X509_NAME_oneline(actual_sender, NULL, 0);
|
||||
ERR_raise_data(ERR_LIB_CMP, CMP_R_UNEXPECTED_SENDER,
|
||||
str != NULL ? str : "<unknown>");
|
||||
OPENSSL_free(str);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
/* Note: if recipient was NULL-DN it could be learned here if needed */
|
||||
|
||||
num_added = sk_X509_num(msg->extraCerts);
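Review bot: In the mismatch branch, `ERR_raise_data(ERR_LIB_CMP, CMP_R_UNEXPECTED_SENDER, str != NULL ? str : "<unknown>")` passes the one-line form of the received sender DN in the format-string position, so a `%` in a peer-supplied name would be read as a conversion directive with no matching argument. Nothing visible here escapes `%`, and the name comes from a message whose sender has just failed the check, so it should be passed as data: `ERR_raise_data(ERR_LIB_CMP, CMP_R_UNEXPECTED_SENDER, "%s", str != NULL ? str : "<unknown>");`. The rendered page has lost its +/- markers, so this reading takes the `if (expected_sender != NULL)` block as the new side. On that reading, the `GEN_DIRNAME` type check now runs only when an expected sender or `srvCert` is configured, which deserves a short comment if it is intended. The body of ossl_cmp_msg_check_update() starts and ends outside the hunk.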
|
||||
|
@ -278,6 +278,7 @@ CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody
|
||||
CMP_R_UNEXPECTED_PKISTATUS:185:unexpected pkistatus
|
||||
CMP_R_UNEXPECTED_POLLREQ:105:unexpected pollreq
|
||||
CMP_R_UNEXPECTED_PVNO:153:unexpected pvno
|
||||
CMP_R_UNEXPECTED_SENDER:104:unexpected sender
|
||||
CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id
|
||||
CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type
|
||||
CMP_R_UNKNOWN_PKISTATUS:186:unknown pkistatus
|
||||
|
@ -104,6 +104,7 @@
|
||||
# define CMP_R_UNEXPECTED_PKISTATUS 185
|
||||
# define CMP_R_UNEXPECTED_POLLREQ 105
|
||||
# define CMP_R_UNEXPECTED_PVNO 153
|
||||
# define CMP_R_UNEXPECTED_SENDER 104
|
||||
# define CMP_R_UNKNOWN_ALGORITHM_ID 134
|
||||
# define CMP_R_UNKNOWN_CERT_TYPE 135
|
||||
# define CMP_R_UNKNOWN_PKISTATUS 186
|
||||
|