OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs

Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19216) (cherry picked from commit 1c04866c67)
2022-09-14 17:37:27 +02:00 · 2022-09-14 17:37:27 +02:00 · b3d29175f7
parent f494a5c2fe
commit b3d29175f7
4 changed files with 29 additions and 5 deletions
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@ -301,7 +301,7 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
        return 0;
    }
-    if (ctx->sendError) {
+    if (sk_OSSL_CMP_ITAV_num(in) > 1 || ctx->sendError) {
        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
        return 0;
    }
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@ -142,6 +142,13 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
    return NULL;
 }

+#define OSSL_CMP_ITAVs_free(itavs) \
+    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+    sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
 /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 {
@ -158,6 +165,9 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
    ctx->status = OSSL_CMP_PKISTATUS_unspecified;
    ctx->failInfoCode = -1;

+    OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
+    ctx->genm_ITAVs = NULL;
+
    return ossl_cmp_ctx_set0_statusString(ctx, NULL)
        && ossl_cmp_ctx_set0_newCert(ctx, NULL)
        && ossl_cmp_ctx_set1_newChain(ctx, NULL)
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@ -179,6 +179,7 @@ OSSL_CMP_CTX_reinit() prepares the given I<ctx> for a further transaction by
 clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
 and any previous results (newCert, newChain, caPubs, and extraCertsIn)
 from the last executed transaction.
+It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV().
 All other field values (i.e., CMP options) are retained for potential re-use.

 OSSL_CMP_CTX_set_option() sets the given value for the given option
@ -702,7 +703,8 @@ OSSL_CMP_certConf_cb() returns I<fail_info> if it is not equal to 0,
 else 0 on successful validation,
 or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set.

-All other functions return 1 on success, 0 on error.
+All other functions, including OSSL_CMP_CTX_reinit(),
+return 1 on success, 0 on error.

 =head1 EXAMPLES

@ -758,7 +760,7 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents:
    OSSL_CMP_CTX_reinit(cmp_ctx);

    ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
-    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL);
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
    OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);

    STACK_OF(OSSL_CMP_ITAV) *itavs;
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@ -95,15 +95,27 @@ static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
                       OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
 }

-static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+static int execute_exec_GENM_ses_test_single(CMP_SES_TEST_FIXTURE *fixture)
 {
-    STACK_OF(OSSL_CMP_ITAV) *itavs = NULL;
+    ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, NULL);
+    STACK_OF(OSSL_CMP_ITAV) *itavs;
+
+    OSSL_CMP_CTX_push0_genm_ITAV(fixture->cmp_ctx, itav);
+
    if (!TEST_ptr(itavs = OSSL_CMP_exec_GENM_ses(fixture->cmp_ctx)))
        return 0;
    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
    return 1;
 }

+static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
+{
+    return execute_exec_GENM_ses_test_single(fixture)
+        && OSSL_CMP_CTX_reinit(fixture->cmp_ctx)
+        && execute_exec_GENM_ses_test_single(fixture);
+}
+
 static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 {
    X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx,