From 84c526862104eac3ed8f715d212070b00bf0cc6d Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Mon, 2 Jun 2025 20:58:01 +0200 Subject: [PATCH] crmf_lib.c create_popo_signature(): add error queue entry on signature failure Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28482) --- crypto/cmp/cmp_protect.c | 2 +- crypto/crmf/crmf_err.c | 2 ++ crypto/crmf/crmf_lib.c | 11 +++++++---- crypto/err/openssl.txt | 1 + include/openssl/crmferr.h | 1 + 5 files changed, 12 insertions(+), 5 deletions(-) diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index 173b9ac55a..6078a61b24 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -116,7 +116,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), msg->header->protectionAlg, /* sets X509_ALGOR */ NULL, prot, &prot_part, NULL, ctx->pkey, md, - ctx->libctx, ctx->propq)) + ctx->libctx, ctx->propq) != 0) return prot; ASN1_BIT_STRING_free(prot); return NULL; diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c index 4727c83353..55c543d563 100644 --- a/crypto/crmf/crmf_err.c +++ b/crypto/crmf/crmf_err.c @@ -36,6 +36,8 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = { "error decrypting symmetric key"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SETTING_PURPOSE), "error setting purpose"}, + {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SIGNING_POPO), + "error signing popo"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY), "error verifying encryptedkey"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_FAILURE_OBTAINING_RANDOM), diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 68432e5300..ecdd3526e3 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -379,10 +379,13 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps, && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */ digest = NULL; - return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST), - ps->algorithmIdentifier, /* sets this X509_ALGOR */ - NULL, ps->signature, /* sets the ASN1_BIT_STRING */ - cr, NULL, pkey, digest, libctx, propq); + if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST), + ps->algorithmIdentifier, /* sets this X509_ALGOR */ + NULL, ps->signature, /* sets the ASN1_BIT_STRING */ + cr, NULL, pkey, digest, libctx, propq) != 0) + return 1; + ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_SIGNING_POPO); + return 0; } int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e819a808ca..f47bc5ae75 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -464,6 +464,7 @@ CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY:124:error decrypting encryptedkey CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE:125:error decrypting encryptedvalue CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key CRMF_R_ERROR_SETTING_PURPOSE:126:error setting purpose +CRMF_R_ERROR_SIGNING_POPO:129:error signing popo CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY:127:error verifying encryptedkey CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100 diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h index a9b04e0ebb..9269006c46 100644 --- a/include/openssl/crmferr.h +++ b/include/openssl/crmferr.h @@ -34,6 +34,7 @@ # define CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE 125 # define CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY 106 # define CRMF_R_ERROR_SETTING_PURPOSE 126 +# define CRMF_R_ERROR_SIGNING_POPO 129 # define CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY 127 # define CRMF_R_FAILURE_OBTAINING_RANDOM 107 # define CRMF_R_ITERATIONCOUNT_BELOW_100 108