Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL

    Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

    CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
        Adds extensive man pages and tests.  Integration into build scripts.

    Incremental pull request based on OpenSSL commit 8869ad4a of 2019-04-02

    4th chunk: CMP context/parameters and utilities
    in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)

crypto/cmp/build.info

 LIBS=../../libcrypto
-SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c
+SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c

crypto/cmp/cmp_asn.c

@@ -7,8 +7,6 @@
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
- *
- * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
  */
 
 #include <openssl/asn1t.h>
@@ -166,8 +164,10 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
 {
     int created = 0;
 
-    if (itav_sk_p == NULL)
+    if (itav_sk_p == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
         goto err;
+    }
 
     if (*itav_sk_p == NULL) {
         if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
@@ -187,6 +187,26 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
     return 0;
 }
 
+/* get ASN.1 encoded integer, return -1 on error */
+int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
+{
+    int64_t res;
+
+    if (!ASN1_INTEGER_get_int64(&res, a)) {
+        CMPerr(0, ASN1_R_INVALID_NUMBER);
+        return -1;
+    }
+    if (res < INT_MIN) {
+        CMPerr(0, ASN1_R_TOO_SMALL);
+        return -1;
+    }
+    if (res > INT_MAX) {
+        CMPerr(0, ASN1_R_TOO_LARGE);
+        return -1;
+    }
+    return (int)res;
+}
+
 ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
     /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
     ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),

crypto/cmp/cmp_err.c

 /*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -14,6 +15,11 @@
 #ifndef OPENSSL_NO_ERR
 
 static const ERR_STRING_DATA CMP_str_reasons[] = {
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MULTIPLE_SAN_SOURCES),
+    "multiple san sources"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NO_STDIO), "no stdio"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NULL_ARGUMENT), "null argument"},
     {0, NULL}
 };
 

crypto/cmp/cmp_int.h

@@ -7,8 +7,6 @@
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
- *
- * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
  */
 
 #ifndef OSSL_HEADER_CMP_INT_H
@@ -26,6 +24,100 @@
 # include <openssl/x509.h>
 # include <openssl/x509v3.h>
 
+/*
+ * this structure is used to store the context for CMP sessions
+ */
+struct ossl_cmp_ctx_st {
+    OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */
+    OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
+
+    /* message transfer */
+    OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
+    void *transfer_cb_arg; /* allows to store optional argument to cb */
+    /* HTTP-based transfer */
+    char *serverPath;
+    char *serverName;
+    int serverPort;
+    char *proxyName;
+    int proxyPort;
+    int msgtimeout; /* max seconds to wait for each CMP message round trip */
+    int totaltimeout; /* maximum number seconds an enrollment may take, incl. */
+      /* attempts polling for a response if a 'waiting' PKIStatus is received */
+    time_t end_time; /* session start time + totaltimeout */
+    OSSL_cmp_http_cb_t http_cb;
+    void *http_cb_arg; /* allows to store optional argument to cb */
+
+    /* server authentication */
+    int unprotectedErrors; /* accept neg. response with no/invalid protection */
+                           /* to cope with broken server */
+    X509 *srvCert; /* certificate used to identify the server */
+    X509 *validatedSrvCert; /* caches any already validated server cert */
+    X509_NAME *expected_sender; /* expected sender in pkiheader of response */
+    X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
+    STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
+    int ignore_keyusage; /* ignore key usage entry when validating certs */
+    int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */
+             /* when validating message protection; used for 3GPP-style E.7 */
+
+    /* client authentication */
+    int unprotectedSend; /* send unprotected PKI messages */
+    X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */
+    EVP_PKEY *pkey; /* the key pair corresponding to clCert */
+    ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
+    ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
+    /* PBMParameters for MSG_MAC_ALG */
+    size_t pbm_slen; /* currently fixed to 16 */
+    int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
+    int pbm_itercnt; /* currently fixed to 500 */
+    int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
+
+    /* CMP message header and extra certificates */
+    X509_NAME *recipient; /* to set in recipient in pkiheader */
+    int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */
+    ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
+    ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
+    ASN1_OCTET_STRING *recipNonce; /* last nonce received */
+    STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
+    int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
+    int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
+    STACK_OF(X509) *extraCertsOut; /* to be included in request messages */
+
+    /* certificate template */
+    EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
+    int newPkey_priv; /* flag indicating if newPkey contains private key */
+    X509_NAME *issuer; /* issuer name to used in cert template */
+    int days; /* Number of days new certificates are asked to be valid for */
+    X509_NAME *subjectName; /* subject name to be used in the cert template */
+    STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
+    int SubjectAltName_nodefault;
+    int setSubjectAltNameCritical;
+    X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
+    CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
+    int setPoliciesCritical;
+    int popoMethod; /* Proof-of-possession mechanism; default: signature */
+    X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
+    X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */
+
+    /* misc body contents */
+    int revocationReason; /* revocation reason code to be included in RR */
+    STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
+
+    /* result returned in responses */
+    int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
+    /* TODO: this should be a stack since there could be more than one */
+    OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
+    int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
+    /* TODO: this should be a stack since there could be more than one */
+    X509 *newCert; /* newly enrolled cert received from the CA */
+    /* TODO: this should be a stack since there could be more than one */
+    STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
+    STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
+
+    /* certificate confirmation */
+    OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */
+    void *certConf_cb_arg; /* allows to store an argument individual to cb */
+} /* OSSL_CMP_CTX */;
+
 /*
  * ##########################################################################
  * ASN.1 DECLARATIONS
@@ -42,7 +134,7 @@
  *       -- extra CRL details (e.g., crl number, reason, location, etc.)
  *   }
  */
-typedef struct OSSL_cmp_revanncontent_st {
+typedef struct ossl_cmp_revanncontent_st {
     ASN1_INTEGER *status;
     OSSL_CRMF_CERTID *certId;
     ASN1_GENERALIZEDTIME *willBeRevokedAt;
@@ -75,7 +167,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
  *       --   }
  *   }
  */
-typedef struct OSSL_cmp_challenge_st {
+typedef struct ossl_cmp_challenge_st {
     X509_ALGOR *owf;
     ASN1_OCTET_STRING *witness;
     ASN1_OCTET_STRING *challenge;
@@ -89,7 +181,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
  *     newWithNew         Certificate
  *  }
  */
-typedef struct OSSL_cmp_cakeyupdanncontent_st {
+typedef struct ossl_cmp_cakeyupdanncontent_st {
     X509 *oldWithNew;
     X509 *newWithOld;
     X509 *newWithNew;
@@ -109,7 +201,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
  *       infoValue              ANY DEFINED BY infoType  OPTIONAL
  *   }
  */
-struct OSSL_cmp_itav_st {
+struct ossl_cmp_itav_st {
     ASN1_OBJECT *infoType;
     union {
         char *ptr;
@@ -148,8 +240,7 @@ struct OSSL_cmp_itav_st {
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
 
-
-typedef struct OSSL_cmp_certorenccert_st {
+typedef struct ossl_cmp_certorenccert_st {
     int type;
     union {
         X509 *certificate;
@@ -166,7 +257,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
  *       publicationInfo [1] PKIPublicationInfo  OPTIONAL
  *   }
  */
-typedef struct OSSL_cmp_certifiedkeypair_st {
+typedef struct ossl_cmp_certifiedkeypair_st {
     OSSL_CMP_CERTORENCCERT *certOrEncCert;
     OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
     OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
@@ -180,7 +271,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
  *       failInfo      PKIFailureInfo  OPTIONAL
  *   }
  */
-struct OSSL_cmp_pkisi_st {
+struct ossl_cmp_pkisi_st {
     OSSL_CMP_PKISTATUS *status;
     OSSL_CMP_PKIFREETEXT *statusString;
     OSSL_CMP_PKIFAILUREINFO *failInfo;
@@ -196,7 +287,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
  *      crlEntryDetails     Extensions       OPTIONAL
  *  }
  */
-typedef struct OSSL_cmp_revdetails_st {
+typedef struct ossl_cmp_revdetails_st {
     OSSL_CRMF_CERTTEMPLATE *certDetails;
     X509_EXTENSIONS *crlEntryDetails;
 } OSSL_CMP_REVDETAILS;
@@ -216,7 +307,7 @@ DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
  *       -- the resulting CRLs (there may be more than one)
  *   }
  */
-struct OSSL_cmp_revrepcontent_st {
+struct ossl_cmp_revrepcontent_st {
     STACK_OF(OSSL_CMP_PKISI) *status;
     STACK_OF(OSSL_CRMF_CERTID) *revCerts;
     STACK_OF(X509_CRL) *crls;
@@ -233,7 +324,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
  *                                   CertifiedKeyPair OPTIONAL
  *   }
  */
-typedef struct OSSL_cmp_keyrecrepcontent_st {
+typedef struct ossl_cmp_keyrecrepcontent_st {
     OSSL_CMP_PKISI *status;
     X509 *newSigCert;
     STACK_OF(X509) *caCerts;
@@ -250,7 +341,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
  *       -- implementation-specific error details
  *   }
  */
-typedef struct OSSL_cmp_errormsgcontent_st {
+typedef struct ossl_cmp_errormsgcontent_st {
     OSSL_CMP_PKISI *pKIStatusInfo;
     ASN1_INTEGER *errorCode;
     OSSL_CMP_PKIFREETEXT *errorDetails;
@@ -269,7 +360,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
  *      statusInfo  PKIStatusInfo OPTIONAL
  *   }
  */
-struct OSSL_cmp_certstatus_st {
+struct ossl_cmp_certstatus_st {
     ASN1_OCTET_STRING *certHash;
     ASN1_INTEGER *certReqId;
     OSSL_CMP_PKISI *statusInfo;
@@ -292,7 +383,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
  *       -- for regInfo in CertReqMsg [CRMF]
  *   }
  */
-struct OSSL_cmp_certresponse_st {
+struct ossl_cmp_certresponse_st {
     ASN1_INTEGER *certReqId;
     OSSL_CMP_PKISI *status;
     OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
@@ -307,7 +398,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
  *       response         SEQUENCE OF CertResponse
  *   }
  */
-struct OSSL_cmp_certrepmessage_st {
+struct ossl_cmp_certrepmessage_st {
     STACK_OF(X509) *caPubs;
     STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
 } /* OSSL_CMP_CERTREPMESSAGE */;
@@ -318,7 +409,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
  *         certReqId                              INTEGER
  *   }
  */
-typedef struct OSSL_cmp_pollreq_st {
+typedef struct ossl_cmp_pollreq_st {
     ASN1_INTEGER *certReqId;
 } OSSL_CMP_POLLREQ;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
@@ -333,7 +424,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
  *         reason                                 PKIFreeText OPTIONAL
  * }
  */
-struct OSSL_cmp_pollrep_st {
+struct ossl_cmp_pollrep_st {
     ASN1_INTEGER *certReqId;
     ASN1_INTEGER *checkAfter;
     OSSL_CMP_PKIFREETEXT *reason;
@@ -377,7 +468,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
  *     -- (this field not primarily intended for human consumption)
  *   }
  */
-struct OSSL_cmp_pkiheader_st {
+struct ossl_cmp_pkiheader_st {
     ASN1_INTEGER *pvno;
     GENERAL_NAME *sender;
     GENERAL_NAME *recipient;
@@ -435,7 +526,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
  *           pollReq  [25] PollReqContent,             --Polling request
  *           pollRep  [26] PollRepContent              --Polling response
  */
-typedef struct OSSL_cmp_pkibody_st {
+typedef struct ossl_cmp_pkibody_st {
     int type;
     union {
         OSSL_CRMF_MSGS *ir; /* 0 */
@@ -521,7 +612,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
  *                                            OPTIONAL
  *   }
  */
-struct OSSL_cmp_msg_st {
+struct ossl_cmp_msg_st {
     OSSL_CMP_PKIHEADER *header;
     OSSL_CMP_PKIBODY *body;
     ASN1_BIT_STRING *protection; /* 0 */
@@ -529,6 +620,7 @@ struct OSSL_cmp_msg_st {
     STACK_OF(X509) *extraCerts; /* 1 */
 } /* OSSL_CMP_MSG */;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
 
 /*-
  * ProtectedPart ::= SEQUENCE {
@@ -586,4 +678,48 @@ DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
  *   }
  */
 
+/*
+ * functions
+ */
+
+/* from cmp_asn.c */
+int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
+
+/* from cmp_util.c */
+const char *ossl_cmp_log_parse_metadata(const char *buf,
+                                        OSSL_CMP_severity *level, char **func,
+                                        char **file, int *line);
+/* workaround for 4096 bytes limitation of ERR_print_errors_cb() */
+void ossl_cmp_add_error_txt(const char *separator, const char *txt);
+# define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt)
+# define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt)
+/* functions manipulating lists of certificates etc could be generally useful */
+int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert,
+                                int no_dup, int prepend);
+int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
+                                int no_self_signed, int no_dups, int prepend);
+int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
+                                   int only_self_signed);
+STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
+int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
+                                    const ASN1_OCTET_STRING *src);
+int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
+                                          const unsigned char *bytes, int len);
+STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
+
+/* from cmp_ctx.c */
+int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
+int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
+                                   OSSL_CMP_PKIFREETEXT *text);
+int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
+int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
+int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
+                                   STACK_OF(X509) *extraCertsIn);
+int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
+                                 const ASN1_OCTET_STRING *nonce);
+
+#  define OSSL_CMP_TRANSACTIONID_LENGTH 16
+
 #endif /* !defined OSSL_HEADER_CMP_INT_H */

crypto/cmp/cmp_util.c

+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/cmp_util.h>
+#include "cmp_int.h" /* just for decls of internal functions defined here */
+#include <openssl/cmperr.h>
+#include <openssl/err.h> /* should be implied by cmperr.h */
+#include <openssl/x509v3.h>
+
+/*
+ * use trace API for CMP-specific logging, prefixed by "CMP " and severity
+ */
+
+int OSSL_CMP_log_open(void) /* is designed to be idempotent */
+{
+#ifndef OPENSSL_NO_STDIO
+    BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+    if (bio != NULL && OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, bio))
+        return 1;
+    BIO_free(bio);
+#endif
+    CMPerr(0, CMP_R_NO_STDIO);
+    return 0;
+}
+
+void OSSL_CMP_log_close(void) /* is designed to be idempotent */
+{
+    (void)OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, NULL);
+}
+
+/* return >= 0 if level contains logging level, possibly preceded by "CMP " */
+#define max_level_len 5 /* = max length of the below strings, e.g., "EMERG" */
+static OSSL_CMP_severity parse_level(const char *level)
+{
+    const char *end_level = strchr(level, ':');
+    int len;
+    char level_copy[max_level_len + 1];
+
+    if (end_level == NULL)
+        return -1;
+
+    if (strncmp(level, OSSL_CMP_LOG_PREFIX,
+                strlen(OSSL_CMP_LOG_PREFIX)) == 0)
+        level += strlen(OSSL_CMP_LOG_PREFIX);
+    len = end_level - level;
+    if (len > max_level_len)
+        return -1;
+    OPENSSL_strlcpy(level_copy, level, len + 1);
+    return
+        strcmp(level_copy, "EMERG") == 0 ? OSSL_CMP_LOG_EMERG :
+        strcmp(level_copy, "ALERT") == 0 ? OSSL_CMP_LOG_ALERT :
+        strcmp(level_copy, "CRIT") == 0 ? OSSL_CMP_LOG_CRIT :
+        strcmp(level_copy, "ERROR") == 0 ? OSSL_CMP_LOG_ERR :
+        strcmp(level_copy, "WARN") == 0 ? OSSL_CMP_LOG_WARNING :
+        strcmp(level_copy, "NOTE") == 0 ? OSSL_CMP_LOG_NOTICE :
+        strcmp(level_copy, "INFO") == 0 ? OSSL_CMP_LOG_INFO :
+        strcmp(level_copy, "DEBUG") == 0 ? OSSL_CMP_LOG_DEBUG :
+        -1;
+}
+
+const char *ossl_cmp_log_parse_metadata(const char *buf,
+                 OSSL_CMP_severity *level, char **func, char **file, int *line)
+{
+    const char *p_func = buf;
+    const char *p_file = buf == NULL ? NULL : strchr(buf, ':');
+    const char *p_level = buf;
+    const char *msg = buf;
+
+    *level = -1;
+    *func = NULL;
+    *file = NULL;
+    *line = 0;
+
+    if (p_file != NULL) {
+        const char *p_line = strchr(++p_file, ':');
+
+        if ((*level = parse_level(buf)) < 0 && p_line != NULL) {
+            /* check if buf contains location info and logging level */
+            char *p_level_tmp = (char *)p_level;
+            const long line_number = strtol(++p_line, &p_level_tmp, 10);
+
+            p_level = p_level_tmp;
+            if (p_level > p_line && *(p_level++) == ':') {
+                if ((*level = parse_level(p_level)) >= 0) {
+                    *func = OPENSSL_strndup(p_func, p_file - 1 - p_func);
+                    *file = OPENSSL_strndup(p_file, p_line - 1 - p_file);
+                    /* no real problem if OPENSSL_strndup() returns NULL */
+                    *line = (int)line_number;
+                    msg = strchr(p_level, ':') + 1;
+                    if (*msg == ' ')
+                        msg++;
+                }
+            }
+        }
+    }
+    return msg;
+}
+
+
+/*
+ * auxiliary function for incrementally reporting texts via the error queue
+ */
+static void put_error(int lib, const char *func, int reason,
+                      const char *file, int line)
+{
+    ERR_new();
+    ERR_set_debug(file, line, func);
+    ERR_set_error(lib, reason, NULL /* no data here, so fmt is NULL */);
+}
+
+#define ERR_print_errors_cb_LIMIT 4096 /* size of char buf[] variable there */
+#define TYPICAL_MAX_OUTPUT_BEFORE_DATA 100
+#define MAX_DATA_LEN (ERR_print_errors_cb_LIMIT-TYPICAL_MAX_OUTPUT_BEFORE_DATA)
+void ossl_cmp_add_error_txt(const char *separator, const char *txt)
+{
+    const char *file = NULL;
+    int line;
+    const char *func = NULL;
+    const char *data = NULL;
+    int flags;
+    unsigned long err = ERR_peek_last_error();
+
+    if (separator == NULL)
+        separator = "";
+    if (err == 0)
+        put_error(ERR_LIB_CMP, NULL, 0, "", 0);
+
+    do {
+        size_t available_len, data_len;
+        const char *curr = txt, *next = txt;
+        char *tmp;
+
+        ERR_peek_last_error_all(&file, &line, &func, &data, &flags);
+        if ((flags & ERR_TXT_STRING) == 0) {
+            data = "";
+            separator = "";
+        }
+        data_len = strlen(data);
+
+        /* workaround for limit of ERR_print_errors_cb() */
+        if (data_len >= MAX_DATA_LEN
+                || strlen(separator) >= (size_t)(MAX_DATA_LEN - data_len))
+            available_len = 0;
+        else
+            available_len = MAX_DATA_LEN - data_len - strlen(separator) - 1;
+        /* MAX_DATA_LEN > available_len >= 0 */
+
+        if (separator[0] == '\0') {
+            const size_t len_next = strlen(next);
+
+            if (len_next <= available_len) {
+                next += len_next;
+                curr = NULL; /* no need to split */
+            }
+            else {
+                next += available_len;
+                curr = next; /* will split at this point */
+            }
+        } else {
+            while (*next != '\0' && (size_t)(next - txt) <= available_len) {
+                curr = next;
+                next = strstr(curr, separator);
+                if (next != NULL)
+                    next += strlen(separator);
+                else
+                    next = curr + strlen(curr);
+            }
+            if ((size_t)(next - txt) <= available_len)
+                curr = NULL; /* the above loop implies *next == '\0' */
+        }
+        if (curr != NULL) {
+            /* split error msg at curr since error data would get too long */
+            if (curr != txt) {
+                tmp = OPENSSL_strndup(txt, curr - txt);
+                if (tmp == NULL)
+                    return;
+                ERR_add_error_data(2, separator, tmp);
+                OPENSSL_free(tmp);
+            }
+            put_error(ERR_LIB_CMP, func, err, file, line);
+            txt = curr;
+        } else {
+            ERR_add_error_data(2, separator, txt);
+            txt = next; /* finished */
+        }
+    } while (*txt != '\0');
+}
+
+/* this is similar to ERR_print_errors_cb, but uses the CMP-specific cb type */
+void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn)
+{
+    unsigned long err;
+    char msg[ERR_print_errors_cb_LIMIT];
+    const char *file = NULL, *func = NULL, *data = NULL;
+    int line, flags;
+
+    if (log_fn == NULL) {
+#ifndef OPENSSL_NO_STDIO
+        ERR_print_errors_fp(stderr);
+#else
+        /* CMPerr(0, CMP_R_NO_STDIO) makes no sense during error printing */
+#endif
+        return;
+    }
+
+    while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) {
+        char component[128];
+        const char *func_ = func != NULL && *func != '\0' ? func : "<unknown>";
+
+        if (!(flags & ERR_TXT_STRING))
+            data = NULL;
+#ifdef OSSL_CMP_PRINT_LIBINFO
+        BIO_snprintf(component, sizeof(component), "OpenSSL:%s:%s",
+                     ERR_lib_error_string(err), func_);
+#else
+        BIO_snprintf(component, sizeof(component), "%s",func_);
+#endif
+        BIO_snprintf(msg, sizeof(msg), "%s%s%s", ERR_reason_error_string(err),
+                     data == NULL ? "" : " : ", data == NULL ? "" : data);
+        if (log_fn(component, file, line, OSSL_CMP_LOG_ERR, msg) <= 0)
+            break;              /* abort outputting the error report */
+    }
+}
+
+/*
+ * functions manipulating lists of certificates etc.
+ * these functions could be generally useful.
+ */
+
+int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
+                               int no_dup, int prepend)
+{
+    if (sk == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (no_dup) {
+        /*
+         * not using sk_X509_set_cmp_func() and sk_X509_find()
+         * because this re-orders the certs on the stack
+         */
+        int i;
+
+        for (i = 0; i < sk_X509_num(sk); i++) {
+            if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
+                return 1;
+        }
+    }
+    if (!X509_up_ref(cert))
+        return 0;
+    if (!sk_X509_insert(sk, cert, prepend ? 0 : -1)) {
+        X509_free(cert);
+        return 0;
+    }
+    return 1;
+}
+
+int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
+                                int no_self_signed, int no_dups, int prepend)
+/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
+{
+    int i;
+
+    if (sk == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
+        X509 *cert = sk_X509_value(certs, i);
+
+        if (!no_self_signed || X509_check_issued(cert, cert) != X509_V_OK) {
+            if (!ossl_cmp_sk_X509_add1_cert(sk, cert, no_dups, prepend))
+                return 0;
+        }
+    }
+    return 1;
+}
+
+int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
+                                   int only_self_signed)
+{
+    int i;
+
+    if (store == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (certs == NULL)
+        return 1;
+    for (i = 0; i < sk_X509_num(certs); i++) {
+        X509 *cert = sk_X509_value(certs, i);
+
+        if (!only_self_signed || X509_check_issued(cert, cert) == X509_V_OK)
+            if (!X509_STORE_add_cert(store, cert)) /* ups cert ref counter */
+                return 0;
+    }
+    return 1;
+}
+
+STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store)
+{
+    int i;
+    STACK_OF(X509) *sk;
+    STACK_OF(X509_OBJECT) *objs;
+
+    if (store == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if ((sk = sk_X509_new_null()) == NULL)
+        return NULL;
+    objs = X509_STORE_get0_objects(store);
+    for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+        X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
+
+        if (cert != NULL) {
+            if (!sk_X509_push(sk, cert))
+                goto err;
+            if (!X509_up_ref(cert)) {
+                (void)sk_X509_pop(sk);
+                goto err;
+            }
+        }
+    }
+    return sk;
+
+ err:
+    sk_X509_pop_free(sk, X509_free);
+    return NULL;
+}
+
+/*-
+ * Builds up the certificate chain of certs as high up as possible using
+ * the given list of certs containing all possible intermediate certificates and
+ * optionally the (possible) trust anchor(s). See also ssl_add_cert_chain().
+ *
+ * Intended use of this function is to find all the certificates above the trust
+ * anchor needed to verify an EE's own certificate.  Those are supposed to be
+ * included in the ExtraCerts field of every first sent message of a transaction
+ * when MSG_SIG_ALG is utilized.
+ *
+ * NOTE: This allocates a stack and increments the reference count of each cert,
+ * so when not needed any more the stack and all its elements should be freed.
+ * NOTE: in case there is more than one possibility for the chain,
+ * OpenSSL seems to take the first one, check X509_verify_cert() for details.
+ *
+ * returns a pointer to a stack of (up_ref'ed) X509 certificates containing:
+ *      - the EE certificate given in the function arguments (cert)
+ *      - all intermediate certificates up the chain toward the trust anchor
+ *        whereas the (self-signed) trust anchor is not included
+ * returns NULL on error
+ */
+STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
+{
+    STACK_OF(X509) *chain = NULL, *result = NULL;
+    X509_STORE *store = X509_STORE_new();
+    X509_STORE_CTX *csc = NULL;
+
+    if (certs == NULL || cert == NULL || store == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        goto err;
+    }
+
+    csc = X509_STORE_CTX_new();
+    if (csc == NULL)
+        goto err;
+
+    if (!ossl_cmp_X509_STORE_add1_certs(store, certs, 0)
+            || !X509_STORE_CTX_init(csc, store, cert, NULL))
+        goto err;
+
+    (void)ERR_set_mark();
+    /*
+     * ignore return value as it would fail without trust anchor given in store
+     */
+    (void)X509_verify_cert(csc);
+
+    /* don't leave any new errors in the queue */
+    (void)ERR_pop_to_mark();
+
+    chain = X509_STORE_CTX_get0_chain(csc);
+
+    /* result list to store the up_ref'ed not self-signed certificates */
+    if ((result = sk_X509_new_null()) == NULL)
+        goto err;
+    if (!ossl_cmp_sk_X509_add1_certs(result, chain, 1 /* no self-signed */,
+                                     1 /* no duplicates */, 0)) {
+        sk_X509_free(result);
+        result = NULL;
+    }
+
+ err:
+    X509_STORE_free(store);
+    X509_STORE_CTX_free(csc);
+    return result;
+}
+
+int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
+                                    const ASN1_OCTET_STRING *src)
+{
+    if (tgt == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (*tgt == src) /* self-assignment */
+        return 1;
+    ASN1_OCTET_STRING_free(*tgt);
+
+    if (src != NULL) {
+        if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL)
+            return 0;
+    } else {
+        *tgt = NULL;
+    }
+
+    return 1;
+}
+
+int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
+                                          const unsigned char *bytes, int len)
+{
+    ASN1_OCTET_STRING *new = NULL;
+
+    if (tgt == NULL) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (bytes != NULL) {
+        if ((new =  ASN1_OCTET_STRING_new()) == NULL
+                || !(ASN1_OCTET_STRING_set(new, bytes, len))) {
+            ASN1_OCTET_STRING_free(new);
+            return 0;
+        }
+    }
+
+    ASN1_OCTET_STRING_free(*tgt);
+    *tgt = new;
+    return 1;
+}

crypto/crmf/crmf_int.h

@@ -42,7 +42,7 @@
  *                  -- the encrypted value itself
  * }
  */
-struct OSSL_crmf_encryptedvalue_st {
+struct ossl_crmf_encryptedvalue_st {
     X509_ALGOR *intendedAlg;      /* 0 */
     X509_ALGOR *symmAlg;          /* 1 */
     ASN1_BIT_STRING *encSymmKey;  /* 2 */
@@ -62,7 +62,7 @@ struct OSSL_crmf_encryptedvalue_st {
  *     attributes                    [0] IMPLICIT Attributes OPTIONAL
  *  }
  */
-typedef struct OSSL_crmf_privatekeyinfo_st {
+typedef struct ossl_crmf_privatekeyinfo_st {
     ASN1_INTEGER *version;
     X509_ALGOR *privateKeyAlgorithm;
     ASN1_OCTET_STRING *privateKey;
@@ -82,7 +82,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
  *                } OPTIONAL
  * }
  */
-typedef struct OSSL_crmf_enckeywithid_identifier_st {
+typedef struct ossl_crmf_enckeywithid_identifier_st {
     int type;
     union {
         ASN1_UTF8STRING *string;
@@ -91,7 +91,7 @@ typedef struct OSSL_crmf_enckeywithid_identifier_st {
 } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
 
-typedef struct OSSL_crmf_enckeywithid_st {
+typedef struct ossl_crmf_enckeywithid_st {
     OSSL_CRMF_PRIVATEKEYINFO *privateKey;
     /* [0] */
     OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
@@ -104,7 +104,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
  *      serialNumber     INTEGER
  * }
  */
-struct OSSL_crmf_certid_st {
+struct ossl_crmf_certid_st {
     GENERAL_NAME *issuer;
     ASN1_INTEGER *serialNumber;
 } /* OSSL_CRMF_CERTID */;
@@ -120,7 +120,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
  *  pubLocation  GeneralName OPTIONAL
  * }
  */
-struct OSSL_crmf_singlepubinfo_st {
+struct ossl_crmf_singlepubinfo_st {
     ASN1_INTEGER *pubMethod;
     GENERAL_NAME *pubLocation;
 } /* OSSL_CRMF_SINGLEPUBINFO */;
@@ -139,7 +139,7 @@ typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
  *      -- "dontCare" is assumed)
  * }
  */
-struct OSSL_crmf_pkipublicationinfo_st {
+struct ossl_crmf_pkipublicationinfo_st {
     ASN1_INTEGER *action;
     OSSL_CRMF_PUBINFOS *pubInfos;
 } /* OSSL_CRMF_PKIPUBLICATIONINFO */;
@@ -153,7 +153,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
  * value  BIT STRING
  * }
  */
-typedef struct OSSL_crmf_pkmacvalue_st {
+typedef struct ossl_crmf_pkmacvalue_st {
     X509_ALGOR *algId;
     ASN1_BIT_STRING *value;
 } OSSL_CRMF_PKMACVALUE;
@@ -182,7 +182,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
  * }
  */
 
-typedef struct OSSL_crmf_popoprivkey_st {
+typedef struct ossl_crmf_popoprivkey_st {
     int type;
     union {
         ASN1_BIT_STRING *thisMessage; /* 0 */     /* Deprecated */
@@ -211,7 +211,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
  *    -- or HMAC [HMAC, RFC2202])
  * }
  */
-struct OSSL_crmf_pbmparameter_st {
+struct ossl_crmf_pbmparameter_st {
     ASN1_OCTET_STRING *salt;
     X509_ALGOR *owf;
     ASN1_INTEGER *iterationCount;
@@ -233,7 +233,7 @@ struct OSSL_crmf_pbmparameter_st {
  * publicKey      SubjectPublicKeyInfo  -- from CertTemplate
  * }
 */
-typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
+typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
     int type;
     union {
         /* 0 */ GENERAL_NAME *sender;
@@ -242,7 +242,7 @@ typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
 } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
 
-typedef struct OSSL_crmf_poposigningkeyinput_st {
+typedef struct ossl_crmf_poposigningkeyinput_st {
     OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
     X509_PUBKEY *publicKey;
 } OSSL_CRMF_POPOSIGNINGKEYINPUT;
@@ -255,7 +255,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
  *  signature             BIT STRING
  * }
  */
-struct OSSL_crmf_poposigningkey_st {
+struct ossl_crmf_poposigningkey_st {
     OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
     X509_ALGOR *algorithmIdentifier;
     ASN1_BIT_STRING *signature;
@@ -272,7 +272,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
  *  keyAgreement      [3] POPOPrivKey
  * }
  */
-typedef struct OSSL_crmf_popo_st {
+typedef struct ossl_crmf_popo_st {
     int type;
     union {
         ASN1_NULL *raVerified; /* 0 */
@@ -289,7 +289,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
  *  notAfter       [1] Time OPTIONAL  -- at least one MUST be present
  * }
  */
-struct OSSL_crmf_optionalvalidity_st {
+struct ossl_crmf_optionalvalidity_st {
     /* 0 */ ASN1_TIME *notBefore;
     /* 1 */ ASN1_TIME *notAfter;
 } /* OSSL_CRMF_OPTIONALVALIDITY */;
@@ -309,7 +309,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
  * extensions       [9] Extensions                OPTIONAL
  * }
  */
-struct OSSL_crmf_certtemplate_st {
+struct ossl_crmf_certtemplate_st {
     ASN1_INTEGER *version;           /* 0 */
     ASN1_INTEGER *serialNumber;      /* 1 */ /* serialNumber MUST be omitted  */
              /* This field is assigned by the CA during certificate creation  */
@@ -333,7 +333,7 @@ struct OSSL_crmf_certtemplate_st {
  *  controls         Controls OPTIONAL -- Attributes affecting issuance
  * }
  */
-struct OSSL_crmf_certrequest_st {
+struct ossl_crmf_certrequest_st {
     ASN1_INTEGER *certReqId;
     OSSL_CRMF_CERTTEMPLATE *certTemplate;
     /* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
@@ -343,7 +343,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
 
 /* TODO: isn't there a better way to have this for ANY type? */
-struct OSSL_crmf_attributetypeandvalue_st {
+struct ossl_crmf_attributetypeandvalue_st {
     ASN1_OBJECT *type;
     union {
         /* NID_id_regCtrl_regToken */
@@ -383,7 +383,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
  *  regInfo   SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
  * }
  */
-struct OSSL_crmf_msg_st {
+struct ossl_crmf_msg_st {
     OSSL_CRMF_CERTREQUEST *certReq;
     /* 0 */
     OSSL_CRMF_POPO *popo;

crypto/crmf/crmf_lib.c

@@ -82,16 +82,14 @@ static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
     if (crm->certReq->controls == NULL) {
         crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
         if (crm->certReq->controls == NULL)
-            goto oom;
+            goto err;
         new = 1;
     }
     if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
-        goto oom;
+        goto err;
 
     return 1;
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL, ERR_R_MALLOC_FAILURE);
-
+ err:
     if (new != 0) {
         sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
         crm->certReq->controls = NULL;
@@ -136,16 +134,9 @@ int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(
     if (pi->pubInfos == NULL)
         pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
     if (pi->pubInfos == NULL)
-        goto oom;
-
-    if (!sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi))
-        goto oom;
-    return 1;
-
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO,
-            ERR_R_MALLOC_FAILURE);
         return 0;
+
+    return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
 }
 
 int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(
@@ -180,20 +171,19 @@ OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
     }
 
     if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
-        goto oom;
+        goto err;
 
     if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
-        goto oom;
+        goto err;
     cid->issuer->type = GEN_DIRNAME;
 
     ASN1_INTEGER_free(cid->serialNumber);
     if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
-        goto oom;
+        goto err;
 
     return cid;
 
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_CERTID_GEN, ERR_R_MALLOC_FAILURE);
+ err:
     OSSL_CRMF_CERTID_free(cid);
     return NULL;
 }
@@ -222,13 +212,12 @@ static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
     if (crm->regInfo == NULL)
         crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
     if (crm->regInfo == NULL)
-        goto oom;
+        goto err;
     if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
-        goto oom;
+        goto err;
     return 1;
 
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO, ERR_R_MALLOC_FAILURE);
+ err:
     if (info != NULL)
         crm->regInfo = NULL;
     sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
@@ -266,11 +255,11 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
     }
 
     if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL))
-        goto oom;
+        goto err;
     if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL))
-        goto oom;
+        goto err;
     if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
-        goto oom;
+        goto err;
 
     vld->notBefore = from_asn;
     vld->notAfter = to_asn;
@@ -278,8 +267,7 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
     tmpl->validity = vld;
 
     return 1;
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, ERR_R_MALLOC_FAILURE);
+ err:
     ASN1_TIME_free(from_asn);
     ASN1_TIME_free(to_asn);
     return 0;
@@ -348,7 +336,7 @@ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
 
 
 int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
-                                  const X509_EXTENSION *ext)
+                                  X509_EXTENSION *ext)
 {
     int new = 0;
     OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
@@ -360,16 +348,14 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
 
     if (tmpl->extensions == NULL) {
         if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
-            goto oom;
+            goto err;
         new = 1;
     }
 
-    if (!sk_X509_EXTENSION_push(tmpl->extensions, (X509_EXTENSION *)ext))
-        goto oom;
+    if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
+        goto err;
     return 1;
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION, ERR_R_MALLOC_FAILURE);
-
+ err:
     if (new != 0) {
         sk_X509_EXTENSION_free(tmpl->extensions);
         tmpl->extensions = NULL;
@@ -428,10 +414,8 @@ static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps,
         CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
         goto err;
     }
-    if ((sig = OPENSSL_malloc(siglen)) == NULL) {
-        CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, ERR_R_MALLOC_FAILURE);
+    if ((sig = OPENSSL_malloc(siglen)) == NULL)
         goto err;
-    }
     if (EVP_DigestSignFinal(ctx, sig, &siglen) <= 0
             || !ASN1_BIT_STRING_set(ps->signature, sig, siglen)) {
         CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
@@ -461,13 +445,13 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
     if (ppmtd == OSSL_CRMF_POPO_NONE)
         goto end;
     if ((pp = OSSL_CRMF_POPO_new()) == NULL)
-        goto oom;
+        goto err;
     pp->type = ppmtd;
 
     switch (ppmtd) {
     case OSSL_CRMF_POPO_RAVERIFIED:
         if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
-            goto oom;
+            goto err;
         break;
 
     case OSSL_CRMF_POPO_SIGNATURE:
@@ -484,14 +468,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
 
     case OSSL_CRMF_POPO_KEYENC:
         if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
-            goto oom;
+            goto err;
         tag = ASN1_INTEGER_new();
         pp->value.keyEncipherment->type =
             OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
         pp->value.keyEncipherment->value.subsequentMessage = tag;
         if (tag == NULL
                 || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
-            goto oom;
+            goto err;
         break;
 
     default:
@@ -505,8 +489,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
     crm->popo = pp;
 
     return 1;
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ERR_R_MALLOC_FAILURE);
  err:
     OSSL_CRMF_POPO_free(pp);
     return 0;
@@ -609,7 +591,20 @@ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl)
     return tmpl != NULL ? tmpl->issuer : NULL;
 }
 
-/*
+/* retrieves the issuer name of the given CertId or NULL on error */
+X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
+{
+    return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
+        cid->issuer->d.directoryName : NULL;
+}
+
+/* retrieves the serialNumber of the given CertId or NULL on error */
+ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
+{
+    return cid != NULL ? cid->serialNumber : NULL;
+}
+
+/*-
  * fill in certificate template.
  * Any value argument that is NULL will leave the respective field unchanged.
  */
@@ -624,27 +619,23 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
         return 0;
     }
     if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject))
-        goto oom;
+        return 0;
     if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer))
-        goto oom;
+        return 0;
     if (serial != NULL) {
         ASN1_INTEGER_free(tmpl->serialNumber);
         if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
-            goto oom;
+            return 0;
     }
     if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
-        goto oom;
-    return 1;
-
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, ERR_R_MALLOC_FAILURE);
         return 0;
+    return 1;
 }
 
 
 /*-
- * Decrypts the certificate in the given encryptedValue
- * this is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2
+ * Decrypts the certificate in the given encryptedValue using private key pkey.
+ * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
  *
  * returns a pointer to the decrypted certificate
  * returns NULL on error or if no certificate available
@@ -693,7 +684,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
         if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
                              encKey->data, encKey->length) <= 0
                 || (ek = OPENSSL_malloc(eksize)) == NULL)
-            goto oom;
+            goto end;
         retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
                                   encKey->data, encKey->length);
         ERR_clear_error(); /* error state may have sensitive information */
@@ -706,10 +697,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
             goto end;
         }
     } else {
-        goto oom;
+        goto end;
     }
     if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL)
-        goto oom;
+        goto end;
     if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
                                    EVP_CIPHER_iv_length(cipher))
         != EVP_CIPHER_iv_length(cipher)) {
@@ -725,7 +716,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
     if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
                                      EVP_CIPHER_block_size(cipher))) == NULL
             || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
-        goto oom;
+        goto end;
     EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
 
     if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
@@ -744,10 +735,6 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
         CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
                 CRMF_R_ERROR_DECODING_CERTIFICATE);
     }
-    goto end;
-
- oom:
-    CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, ERR_R_MALLOC_FAILURE);
  end:
     EVP_PKEY_CTX_free(pkctx);
     OPENSSL_free(outbuf);

crypto/crmf/crmf_pbm.c

@@ -41,20 +41,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
     OSSL_CRMF_PBMPARAMETER *pbm = NULL;
     unsigned char *salt = NULL;
 
-    if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) {
-        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
+    if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
         goto err;
-    }
 
     /*
      * salt contains a randomly generated value used in computing the key
      * of the MAC process.  The salt SHOULD be at least 8 octets (64
      * bits) long.
      */
-    if ((salt = OPENSSL_malloc(slen)) == NULL) {
-        CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
+    if ((salt = OPENSSL_malloc(slen)) == NULL)
         goto err;
-    }
     if (RAND_bytes(salt, (int)slen) <= 0) {
         CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
         goto err;
@@ -145,10 +141,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
         CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
         goto err;
     }
-    if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) {
-        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
+    if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
         goto err;
-    }
 
     /*
      * owf identifies the hash algorithm and associated parameters used to
@@ -160,10 +154,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
         goto err;
     }
 
-    if ((ctx = EVP_MD_CTX_new()) == NULL) {
-        CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
+    if ((ctx = EVP_MD_CTX_new()) == NULL)
         goto err;
-    }
 
     /* compute the basekey of the salted secret */
     if (!EVP_DigestInit_ex(ctx, m, NULL))

crypto/err/openssl.txt

@@ -2063,6 +2063,10 @@ BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large
 BN_R_P_IS_NOT_PRIME:112:p is not prime
 BN_R_TOO_MANY_ITERATIONS:113:too many iterations
 BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables
+CMP_R_INVALID_ARGS:100:invalid args
+CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources
+CMP_R_NO_STDIO:194:no stdio
+CMP_R_NULL_ARGUMENT:103:null argument
 CMS_R_ADD_SIGNER_ERROR:99:add signer error
 CMS_R_ATTRIBUTE_ERROR:161:attribute error
 CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present

crypto/init.c

@@ -27,6 +27,7 @@
 #include "internal/dso_conf.h"
 #include "internal/dso.h"
 #include "internal/store.h"
+#include <openssl/cmp_util.h> /* for OSSL_CMP_log_close() */
 #include <openssl/trace.h>
 
 static int stopped = 0;
@@ -431,6 +432,11 @@ void OPENSSL_cleanup(void)
     OSSL_TRACE(INIT, "OPENSSL_cleanup: CRYPTO_secure_malloc_done()\n");
     CRYPTO_secure_malloc_done();
 
+#ifndef OPENSSL_NO_CMP
+    OSSL_TRACE(INIT, "OPENSSL_cleanup: OSSL_CMP_log_close()\n");
+    OSSL_CMP_log_close();
+#endif
+
     OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n");
     ossl_trace_cleanup();
 

doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod

+=pod
+
+=head1 NAME
+
+ossl_cmp_log_parse_metadata,
+ossl_cmp_add_error_txt,
+ossl_cmp_add_error_data,
+ossl_cmp_add_error_line,
+ossl_cmp_asn1_octet_string_set1,
+ossl_cmp_asn1_octet_string_set1_bytes,
+ossl_cmp_build_cert_chain
+- misc internal utility functions
+
+=head1 SYNOPSIS
+
+ #include "cmp_int.h"
+
+ const char *ossl_cmp_log_parse_metadata(const char *buf,
+                                         OSSL_CMP_severity *level, char **func,
+                                         char **file, int *line);
+
+ void ossl_cmp_add_error_txt(const char *separator, const char *txt);
+ #define ossl_cmp_add_error_data(txt)
+ #define ossl_cmp_add_error_line(txt)
+
+ int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
+                                     const ASN1_OCTET_STRING *src);
+ int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
+                                           const unsigned char *bytes, int len);
+
+ STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
+
+=head1 DESCRIPTION
+
+ossl_cmp_log_parse_metadata() parses the given message buffer C<buf> populated
+by L<OSSL_CMP_log()> etc.
+according to the pattern OSSL_CMP_LOG_START#level ": %s\n", filling in
+the variable pointed to by C<level> with the severity level or -1,
+the variable pointed to by C<func> with the function name string or NULL,
+the variable pointed to by C<file> with the file name string or NULL, and
+the variable pointed to by C<line> with the line number or -1.
+Any string returned via C<*func> and C<*file> must be freeed by the caller.
+
+ossl_cmp_add_error_txt() appends text to the extra data field of the last
+error message in the OpenSSL error queue, after adding the optional separator
+unless data has been empty so far. The text can be of arbitrary length,
+which is not possible when using L<ERR_add_error_data(3)> in conjunction with
+L<ERR_print_errors_cb(3)>.
+
+ossl_cmp_add_error_data() is a macro calling
+B<ossl_cmp_add_error_txt()> with the separator being ":".
+
+ossl_cmp_add_error_line() is a macro calling
+B<ossl_cmp_add_error_txt()> with the separator being "\n".
+
+ossl_cmp_asn1_octet_string_set1() frees any previous value of the variable
+referenced via the C<tgt> argument and assigns either a copy of
+the ASN1_OCTET_STRING given as the C<src> argument or C<NULL>.
+It returns 1 on success, 0 on error.
+
+ossl_cmp_asn1_octet_string_set1_bytes() frees any previous value of the variable
+referenced via the C<tgt> argument and assigns either a copy of the given byte
+string (with the given length) or NULL. It returns 1 on success, 0 on error.
+
+ossl_cmp_build_cert_chain() builds up the certificate chain of cert as high up
+as possible using the given X509_STORE containing all possible intermediate
+certificates and optionally the (possible) trust anchor(s).
+
+=head1 RETURN VALUES
+
+ossl_cmp_log_parse_metadata() returns the pointer to the actual message text
+after the OSSL_CMP_LOG_PREFIX and level and ':' if found in the buffer,
+else the beginning of the buffer.
+
+ossl_cmp_add_error_txt()
+ossl_cmp_add_error_data(), and
+ossl_cmp_add_error_line()
+do not return anything.
+
+ossl_cmp_build_cert_chain()
+returns NULL on error, else a pointer to a stack of (up_ref'ed) certificates
+containing the EE certificate given in the function arguments (cert)
+and all intermediate certificates up the chain toward the trust anchor.
+The (self-signed) trust anchor is not included.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod

+=pod
+
+=head1 NAME
+
+ossl_cmp_ctx_set1_caPubs,
+ossl_cmp_ctx_set0_validatedSrvCert,
+ossl_cmp_ctx_set_status,
+ossl_cmp_ctx_set0_statusString,
+ossl_cmp_ctx_set_failInfoCode,
+ossl_cmp_ctx_set0_newCert,
+ossl_cmp_ctx_set1_extraCertsIn,
+ossl_cmp_ctx_set1_recipNonce
+- internal functions for managing the CMP client context datastructure
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
+ int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
+ int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
+ int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
+                                    OSSL_CMP_PKIFREETEXT *text);
+ int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
+ int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
+ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
+                                    STACK_OF(X509) *extraCertsIn);
+ int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
+                                  const ASN1_OCTET_STRING *nonce);
+
+=head1 DESCRIPTION
+
+ossl_cmp_ctx_set1_caPubs() copies the given stack of CA certificates
+to the caPubs field of the context.
+The reference counts of those certificates handled successfully are increased.
+
+ossl_cmp_ctx_set0_validatedSrvCert() sets the validatedSrvCert of the context,
+which caches any already validated server cert, or NULL if not available.
+
+ossl_cmp_ctx_set_status() sets the status field of the context.
+
+ossl_cmp_ctx_set0_statusString() sets the statusString field of the context.
+
+ossl_cmp_ctx_set_failInfoCode() sets the error code bits in the failInfoCode
+field of the context based on the given OSSL_CMP_PKIFAILUREINFO structure.
+
+ossl_cmp_ctx_set0_newCert() sets the given (newly enrolled) certificate
+in the context.
+
+ossl_cmp_ctx_set1_extraCertsIn() sets the extraCertsIn field of the context.
+The reference counts of those certificates handled successfully are increased.
+
+ossl_cmp_ctx_set1_recipNonce() sets the given recipient nonce in the context.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+All functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod

+=pod
+
+=head1 NAME
+
+ossl_cmp_sk_X509_add1_cert,
+ossl_cmp_sk_X509_add1_certs,
+ossl_cmp_X509_STORE_add1_certs,
+ossl_cmp_X509_STORE_get1_certs
+- functions manipulating lists of certificates
+
+=head1 SYNOPSIS
+
+  #include <openssl/cmp_util.h>
+
+  int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
+                                 int no_dup, int prepend);
+  int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
+                                  int no_self_signed, int no_dups, int prepend);
+  int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
+                                     int only_self_signed);
+  STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
+
+=head1 DESCRIPTION
+
+ossl_cmp_sk_X509_add1_cert() appends or prepends (depending on the B<prepend>
+argument) a certificate to the given list,
+optionally only if it is not already contained.
+On success the reference count of the certificate is increased.
+
+ossl_cmp_sk_X509_add1_certs() appends or prepends (depending on the B<prepend>
+argument) a list of certificates to the given list,
+optionally only if not self-signed and optionally only if not already contained.
+The reference counts of those certificates appended successfully are increased.
+
+ossl_cmp_X509_STORE_add1_certs() adds all or only self-signed certificates from
+the given stack to given store. The C<certs> parameter may be NULL.
+
+ossl_cmp_X509_STORE_get1_certs() retrieves a copy of all certificates in the
+given store.
+
+=head1 RETURN VALUES
+
+ossl_cmp_X509_STORE_get1_certs() returns a list of certificates, NULL on error.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man3/OSSL_CMP_ITAV_set0.pod

@@ -23,6 +23,8 @@ OSSL_CMP_ITAV_push0_stack_item
 
 =head1 DESCRIPTION
 
+Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
+
 ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
 section 5.3.19 and Appendix F. It is used at various places in CMP messages,
 e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
@@ -93,6 +95,10 @@ included in the requests' PKIHeader's genInfo field.
 
 L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>, L<ASN1_TYPE_set(3)>
 
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OSSL_CMP_log_open.pod

+=pod
+
+=head1 NAME
+
+OSSL_CMP_log_open,
+OSSL_CMP_log_close,
+OSSL_CMP_alert,
+OSSL_CMP_err,
+OSSL_CMP_warn,
+OSSL_CMP_info,
+OSSL_CMP_debug,
+OSSL_CMP_log,
+OSSL_CMP_log1,
+OSSL_CMP_log2,
+OSSL_CMP_log3,
+OSSL_CMP_log4,
+OSSL_CMP_severity,
+OSSL_CMP_LOG_EMERG,
+OSSL_CMP_LOG_ALERT,
+OSSL_CMP_LOG_CRIT,
+OSSL_CMP_LOG_ERR,
+OSSL_CMP_LOG_WARNING,
+OSSL_CMP_LOG_NOTICE,
+OSSL_CMP_LOG_INFO,
+OSSL_CMP_LOG_DEBUG,
+OSSL_CMP_print_errors_cb
+- functions for logging and error reporting
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp_util.h>
+
+ int  OSSL_CMP_log_open(void);
+ void OSSL_CMP_log_close(void);
+ #define OSSL_CMP_alert(msg)
+ #define OSSL_CMP_err(msg)
+ #define OSSL_CMP_warn(msg)
+ #define OSSL_CMP_info(msg)
+ #define OSSL_CMP_debug(msg)
+ #define OSSL_CMP_log(level, msg)
+ #define OSSL_CMP_log1(level, fmt, arg1)
+ #define OSSL_CMP_log2(level, fmt, arg1, arg2)
+ #define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3)
+ #define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4)
+
+ /* severity level declarations resemble those from syslog.h */
+ typedef int OSSL_CMP_severity;
+ #define OSSL_CMP_LOG_EMERG   0
+ #define OSSL_CMP_LOG_ALERT   1
+ #define OSSL_CMP_LOG_CRIT    2
+ #define OSSL_CMP_LOG_ERR     3
+ #define OSSL_CMP_LOG_WARNING 4
+ #define OSSL_CMP_LOG_NOTICE  5
+ #define OSSL_CMP_LOG_INFO    6
+ #define OSSL_CMP_LOG_DEBUG   7
+ typedef int (*OSSL_cmp_log_cb_t) (const char *component,
+                                   const char *file, int line,
+                                   OSSL_CMP_severity level, const char *msg);
+
+ void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn);
+
+=head1 DESCRIPTION
+
+The logging and error reporting facility described here contains
+convenience functions for CMP-specific logging via the trace API,
+including a string prefix mirroring the severity levels of syslog.h,
+and enhancements of the error queue mechanism needed for large diagnostic
+messages produced by the CMP library in case of certificate validation failures.
+
+When an interesting activity is performed or an error occurs, some detail
+should be provided for user information, debugging, and auditing purposes.
+A CMP application can obtain this information by providing a callback function
+with the following type:
+
+ typedef void (*OSSL_cmp_log_cb_t)(const char *component,
+                                   const char *file, int line,
+                                   OSSL_CMP_severity level, const char *msg);
+
+The parameters may provide
+a component identifier (which may be a library name or function name) or NULL,
+a file path name or NULL,
+a line number or 0 indicating the source code location,
+a severity level, and
+a message string describing the nature of the event, terminated by '\n'.
+
+Even when an activity is successful some warnings may be useful and some degree
+of auditing may be required. Therefore the logging facility supports a severity
+level and the callback function has a B<level> parameter indicating such a
+level, such that error, warning, info, debug, etc. can be treated differently.
+The callback is activated only when the severity level is sufficient according
+to the current level of verbosity, which by default is OSSL_CMP_LOG_INFO.
+
+The callback function may itself do non-trivial tasks like writing to
+a log file or remote stream, which in turn may fail.
+Therefore the function should return 1 on success and 0 on failure.
+
+OSSL_CMP_log_open() initializes the CMP-specific logging facility to output
+everything to STDOUT. It fails if the integrated tracing is disabled or STDIO
+is not available. It may be called during application startup.
+Alternatively, L<OSSL_CMP_CTX_set_log_cb(3)> can be used for more flexibility.
+As long as neither if the two is used any logging output is ignored.
+
+OSSL_CMP_log_close() may be called when all activities are finished to flush
+any pending CMP-specific log output and deallocate related resources.
+It may be called multiple times. It does get called at OpenSSL stutdown.
+
+OSSL_CMP_alert() outputs a simple alert message via the trace API.
+OSSL_CMP_err() outputs a simple error message via the trace API.
+OSSL_CMP_warn() outputs a simple warning message via the trace API.
+OSSL_CMP_info() outputs a simple info message via the trace API.
+OSSL_CMP_debug() outputs a simple debug message via the trace API.
+
+Note that due to the design of the trace API used, the log functions have no
+effect unless the B<enable-trace> option is used during build configuration.
+
+OSSL_CMP_print_errors_cb() outputs any entries in the OpenSSL error queue.
+It is similar to B<ERR_print_errors_cb()> but uses the CMP log callback function
+C<log_fn> for uniformity with CMP logging if not B<NULL>. Otherwise it uses
+B<ERR_print_errors(3)> to print to STDERR (unless OPENSSL_NO_STDIO is defined).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_log_close() and OSSL_CMP_print_errors_cb() do not return anything.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod

@@ -5,6 +5,8 @@
 OSSL_CRMF_MSG_get0_tmpl,
 OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
 OSSL_CRMF_CERTTEMPLATE_get0_issuer,
+OSSL_CRMF_CERTID_get0_serialNumber,
+OSSL_CRMF_CERTID_get0_issuer,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
 OSSL_CRMF_MSG_get_certReqId
 - functions reading from CRMF CertReqMsg structures
@@ -18,6 +20,9 @@ OSSL_CRMF_MSG_get_certReqId
      *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
  X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
 
+ ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
+ X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
+
  X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
                                              EVP_PKEY *pkey);
 
@@ -34,6 +39,12 @@ given certificate template B<tmpl>.
 OSSL_CRMF_CERTTEMPLATE_get0_issuer() retrieves the issuer name of the
 given certificate template B<tmpl>.
 
+OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber
+of the given CertId B<cid>.
+
+OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name
+of the given CertId B<cid>, which must be of ASN.1 type GEN_DIRNAME.
+
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given
 encryptedValue B<ecert>, using the private key B<pkey>.
 This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
@@ -54,6 +65,10 @@ All other functions return a pointer with the intended result or NULL on error.
 
 B<RFC 4211>
 
+=head1 HISTORY
+
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod

@@ -69,7 +69,7 @@ control in the given B<msg> copying the given B<tok> as value. See RFC 4211,
 section 6.3.
 
 OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey() sets the protocolEncrKey control in
-the given B<msg> copying the given B<pubkey> as value. See RFC 4211, section 6.6.
+the given B<msg> copying the given B<pubkey> as value. See RFC 4211 section 6.6.
 
 OSSL_CRMF_MSG_set1_regCtrl_oldCertID() sets the oldCertID control in the given
 B<msg> copying the given B<cid> as value. See RFC 4211, section 6.5.
@@ -94,6 +94,10 @@ create the needed OSSL_CRMF_PKIARCHIVEOPTINS content.
 
 RFC 4211
 
+=head1 HISTORY
+
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod

@@ -37,6 +37,10 @@ multiple utf8Pairs in one regInfo structure, it does not allow multiple certReq.
 
 RFC 4211
 
+=head1 HISTORY
+
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OSSL_CRMF_MSG_set_validity.pod

@@ -25,11 +25,9 @@ OSSL_CRMF_MSGS_verify_popo
                                  const X509_NAME *issuer,
                                  const ASN1_INTEGER *serial);
 
- int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
-                                   X509_EXTENSIONS *exts);
+ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
 
- int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
-                                   const X509_EXTENSION *ext);
+ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
 
  int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
                                int dgst, int ppmtd);
@@ -56,9 +54,10 @@ certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.
 OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
 extensions in the certTemplate of B<crm>.  Consumes B<ext>.
 
-OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP)
-according to the method B<ppmtd> for B<pkey> to B<crm>. In case the method is
-OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B<dgst>.
+OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
+according to the method B<ppmtd> in B<crm>.
+In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
+using the private B<pkey> and the digest algorithm NID B<dgst>.
 
 B<ppmtd> can be one of the following:
 
@@ -93,6 +92,10 @@ All functions return 1 on success, 0 on error.
 
 RFC 4211
 
+=head1 HISTORY
+
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OSSL_CRMF_pbmp_new.pod

@@ -66,6 +66,10 @@ structure, or NULL on error.
 
 RFC 4211 section 4.4
 
+=head1 HISTORY
+
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/X509_dup.pod

@@ -123,13 +123,13 @@ OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
 OSSL_CMP_ITAV_free,
-OSSL_CMP_MSG_dup,
-OSSL_CMP_MSG_free,
 OSSL_CMP_MSG_it,
+OSSL_CMP_MSG_free,
 OSSL_CMP_PKIHEADER_free,
 OSSL_CMP_PKIHEADER_it,
 OSSL_CMP_PKIHEADER_new,
 OSSL_CMP_PKISI_free,
+OSSL_CMP_PKISI_new,
 OSSL_CMP_PKISTATUS_it,
 OSSL_CRMF_CERTID_free,
 OSSL_CRMF_CERTID_it,
@@ -252,13 +252,10 @@ X509_ALGOR_new,
 X509_ATTRIBUTE_dup,
 X509_ATTRIBUTE_free,
 X509_ATTRIBUTE_new,
-X509_CERT_AUX_dup,
 X509_CERT_AUX_free,
 X509_CERT_AUX_new,
-X509_CINF_dup,
 X509_CINF_free,
 X509_CINF_new,
-X509_CRL_INFO_dup,
 X509_CRL_INFO_free,
 X509_CRL_INFO_new,
 X509_CRL_dup,
@@ -273,7 +270,6 @@ X509_NAME_ENTRY_new,
 X509_NAME_dup,
 X509_NAME_free,
 X509_NAME_new,
-X509_REQ_INFO_dup,
 X509_REQ_INFO_free,
 X509_REQ_INFO_new,
 X509_REQ_dup,
@@ -282,7 +278,6 @@ X509_REQ_new,
 X509_REVOKED_dup,
 X509_REVOKED_free,
 X509_REVOKED_new,
-X509_SIG_dup,
 X509_SIG_free,
 X509_SIG_new,
 X509_VAL_free,

include/openssl/cmp.h

-/*-
+/*
  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
@@ -7,8 +7,6 @@
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
- *
- * CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
  */
 
 #ifndef OSSL_HEADER_CMP_H
@@ -19,6 +17,7 @@
 
 #  include <openssl/crmf.h>
 #  include <openssl/cmperr.h>
+#  include <openssl/cmp_util.h>
 
 /* explicit #includes not strictly needed since implied by the above: */
 #  include <openssl/ossl_typ.h>
@@ -203,26 +202,30 @@ DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
 #  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
 
 /* data type declarations */
-typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX;
-typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
+typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
+typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
-typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG;
+typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
 DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
-typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
+typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
 DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
-typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV;
+typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
 DEFINE_STACK_OF(OSSL_CMP_ITAV)
-typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
-typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI;
+typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
+typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
 DEFINE_STACK_OF(OSSL_CMP_PKISI)
-typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
+typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
 DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
-typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP;
+typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
 typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
-typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
+typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
 DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
 typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
 
+/*
+ * function DECLARATIONS
+ */
+
 /* from cmp_asn.c */
 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
@@ -233,8 +236,106 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
                                    OSSL_CMP_ITAV *itav);
 void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
-void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si);
-DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+/* from cmp_ctx.c */
+OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
+void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
+/* various CMP options: */
+#  define OSSL_CMP_OPT_LOG_VERBOSITY 0
+#  define OSSL_CMP_OPT_MSGTIMEOUT 1
+#  define OSSL_CMP_OPT_TOTALTIMEOUT 2
+#  define OSSL_CMP_OPT_VALIDITYDAYS 3
+#  define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
+#  define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
+#  define OSSL_CMP_OPT_POLICIES_CRITICAL 6
+#  define OSSL_CMP_OPT_POPOMETHOD 7
+#  define OSSL_CMP_OPT_DIGEST_ALGNID 8
+#  define OSSL_CMP_OPT_OWF_ALGNID 9
+#  define OSSL_CMP_OPT_MAC_ALGNID 10
+#  define OSSL_CMP_OPT_REVOCATION_REASON 11
+#  define OSSL_CMP_OPT_IMPLICITCONFIRM 12
+#  define OSSL_CMP_OPT_DISABLECONFIRM 13
+#  define OSSL_CMP_OPT_UNPROTECTED_SEND 14
+#  define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
+#  define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
+#  define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
+int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
+int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
+/* CMP-specific callback for logging and outputting the error queue: */
+int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
+#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
+    OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
+void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
+/* message transfer: */
+int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
+int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
+int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+#  define OSSL_CMP_DEFAULT_PORT 80
+typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
+                                    unsigned long detail);
+int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
+int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
+typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
+                                       const OSSL_CMP_MSG *req,
+                                       OSSL_CMP_MSG **res);
+int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
+int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
+/* server authentication: */
+int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
+/* client authentication: */
+int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
+int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
+                                     const unsigned char *ref, int len);
+int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
+                                  const int len);
+/* CMP message header and extra certificates: */
+int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
+                                    STACK_OF(X509) *extraCertsOut);
+/* certificate template: */
+int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
+EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
+int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
+int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
+int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
+int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
+/* misc body contents: */
+int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+/* certificate confirmation: */
+typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
+                                       int fail_info, const char **txt);
+int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
+int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
+/* result fetching: */
+int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
+OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
+#  define OSSL_CMP_PKISI_BUFLEN 1024
+X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
+STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
+STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
+/* support application-level CMP debugging in cmp.c: */
+int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
+                                    const ASN1_OCTET_STRING *id);
+int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
+                                  const ASN1_OCTET_STRING *nonce);
 
 #   ifdef  __cplusplus
 }

include/openssl/cmp_util.h

+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_HEADER_CMP_UTIL_H
+# define OSSL_HEADER_CMP_UTIL_H
+
+# include <openssl/opensslconf.h>
+# ifndef OPENSSL_NO_CMP
+
+#  include <openssl/macros.h>
+#  include <openssl/trace.h>
+#  include <openssl/x509.h>
+
+#  ifdef  __cplusplus
+extern "C" {
+#  endif
+
+/*
+ * convenience functions for CMP-specific logging via the trace API
+ */
+
+int  OSSL_CMP_log_open(void);
+void OSSL_CMP_log_close(void);
+#  define OSSL_CMP_LOG_PREFIX "CMP "
+/* in OSSL_CMP_LOG_START, cannot use OPENSSL_FUNC when expands to __func__ */
+#  define OSSL_CMP_LOG_START "%s:" OPENSSL_FILE ":" \
+                             OPENSSL_MSTR(OPENSSL_LINE) ":" OSSL_CMP_LOG_PREFIX
+#  define OSSL_CMP_alert(msg) OSSL_CMP_log(ALERT, msg)
+#  define OSSL_CMP_err(msg)   OSSL_CMP_log(ERROR, msg)
+#  define OSSL_CMP_warn(msg)  OSSL_CMP_log(WARN, msg)
+#  define OSSL_CMP_info(msg)  OSSL_CMP_log(INFO, msg)
+#  define OSSL_CMP_debug(msg) OSSL_CMP_log(DEBUG, msg)
+#  define OSSL_CMP_log(level, msg) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": %s\n", \
+                      OPENSSL_FUNC, msg))
+#  define OSSL_CMP_log1(level, fmt, arg1) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1))
+#  define OSSL_CMP_log2(level, fmt, arg1, arg2) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2))
+#  define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2, arg3))
+#  define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2, arg3, arg4))
+
+/*
+ * generalized logging/error callback mirroring the severity levels of syslog.h
+ */
+typedef int OSSL_CMP_severity;
+#  define OSSL_CMP_LOG_EMERG   0
+#  define OSSL_CMP_LOG_ALERT   1
+#  define OSSL_CMP_LOG_CRIT    2
+#  define OSSL_CMP_LOG_ERR     3
+#  define OSSL_CMP_LOG_WARNING 4
+#  define OSSL_CMP_LOG_NOTICE  5
+#  define OSSL_CMP_LOG_INFO    6
+#  define OSSL_CMP_LOG_DEBUG   7
+typedef int (*OSSL_cmp_log_cb_t)(const char *func, const char *file, int line,
+                                 OSSL_CMP_severity level, const char *msg);
+
+/* use of the logging callback for outputting error queue */
+void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn);
+
+#   ifdef  __cplusplus
+}
+#   endif
+# endif /* !defined OPENSSL_NO_CMP */
+#endif /* !defined OSSL_HEADER_CMP_UTIL_H */

include/openssl/cmperr.h

@@ -33,6 +33,10 @@ int ERR_load_CMP_strings(void);
 /*
  * CMP reason codes.
  */
+#  define CMP_R_INVALID_ARGS                               100
+#  define CMP_R_MULTIPLE_SAN_SOURCES                       102
+#  define CMP_R_NO_STDIO                                   194
+#  define CMP_R_NULL_ARGUMENT                              103
 
 # endif
 #endif

include/openssl/crmf.h

@@ -39,30 +39,30 @@ extern "C" {
 #  define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT       0
 #  define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP  1
 
-typedef struct OSSL_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
+typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
-typedef struct OSSL_crmf_msg_st OSSL_CRMF_MSG;
+typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
 DEFINE_STACK_OF(OSSL_CRMF_MSG)
-typedef struct OSSL_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
-typedef struct OSSL_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
+typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
+typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)
-typedef struct OSSL_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
-typedef struct OSSL_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
-typedef struct OSSL_crmf_certid_st OSSL_CRMF_CERTID;
+typedef struct ossl_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
+typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
+typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
 DEFINE_STACK_OF(OSSL_CRMF_CERTID)
 
-typedef struct OSSL_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
+typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
-typedef struct OSSL_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
+typedef struct ossl_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO)
-typedef struct OSSL_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
+typedef struct ossl_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE)
 typedef STACK_OF(OSSL_CRMF_MSG) OSSL_CRMF_MSGS;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)
 
-typedef struct OSSL_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
+typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
 
 /* crmf_pbm.c */
 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
@@ -109,7 +109,7 @@ int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
 int OSSL_CRMF_MSG_get_certReqId(OSSL_CRMF_MSG *crm);
 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
 
-int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, const X509_EXTENSION *ext);
+int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
 #  define OSSL_CRMF_POPO_NONE      -1
 #  define OSSL_CRMF_POPO_RAVERIFIED 0
 #  define OSSL_CRMF_POPO_SIGNATURE  1
@@ -122,6 +122,8 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 ASN1_INTEGER *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *t);
 X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
+ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                 EVP_PKEY *pubkey,
                                 const X509_NAME *subject,

include/openssl/ocsp.h

@@ -26,7 +26,10 @@
  *        superseded              (4),
  *        cessationOfOperation    (5),
  *        certificateHold         (6),
- *        removeFromCRL           (8) }
+ *        -- value 7 is not used
+ *        removeFromCRL           (8),
+ *        privilegeWithdrawn      (9),
+ *        aACompromise           (10) }
  */
 #  define OCSP_REVOKED_STATUS_NOSTATUS               -1
 #  define OCSP_REVOKED_STATUS_UNSPECIFIED             0
@@ -37,6 +40,8 @@
 #  define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
 #  define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
 #  define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+#  define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN      9
+#  define OCSP_REVOKED_STATUS_AACOMPROMISE           10
 
 
 # ifndef OPENSSL_NO_OCSP

include/openssl/trace.h

@@ -49,7 +49,8 @@ extern "C" {
 # define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT     10
 # define OSSL_TRACE_CATEGORY_X509V3_POLICY      11
 # define OSSL_TRACE_CATEGORY_BN_CTX             12
-# define OSSL_TRACE_CATEGORY_NUM                13
+# define OSSL_TRACE_CATEGORY_CMP                13
+# define OSSL_TRACE_CATEGORY_NUM                14
 
 /* Returns the trace category number for the given |name| */
 int OSSL_trace_get_category_num(const char *name);

test/build.info

@@ -302,6 +302,7 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[ssl_test_ctx.o]=../include
   INCLUDE[handshake_helper.o]=.. ../include
   INCLUDE[ssltestlib.o]=.. ../include
+  INCLUDE[cmp_testlib.o]=.. ../include ../apps/include
 
   SOURCE[x509aux]=x509aux.c
   INCLUDE[x509aux]=../include ../apps/include
@@ -468,6 +469,18 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[conf_include_test]=../include ../apps/include
   DEPEND[conf_include_test]=../libcrypto libtestutil.a
 
+  IF[{- !$disabled{cmp} -}]
+    PROGRAMS{noinst}=cmp_asn_test cmp_ctx_test
+  ENDIF
+
+  SOURCE[cmp_asn_test]=cmp_asn_test.c cmp_testlib.c
+  INCLUDE[cmp_asn_test]=.. ../include ../apps/include
+  DEPEND[cmp_asn_test]=../libcrypto.a libtestutil.a
+
+  SOURCE[cmp_ctx_test]=cmp_ctx_test.c cmp_testlib.c
+  INCLUDE[cmp_ctx_test]=.. ../include ../apps/include
+  DEPEND[cmp_ctx_test]=../libcrypto.a libtestutil.a
+
   # Internal test programs.  These are essentially a collection of internal
   # test routines.  Some of them need to reach internal symbols that aren't
   # available through the shared library (at least on Linux, Solaris, Windows

test/cmp_asn_test.c

+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "cmp_testlib.h"
+
+static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
+
+typedef struct test_fixture {
+    const char *test_case_name;
+    int expected;
+    ASN1_OCTET_STRING *src_string;
+    ASN1_OCTET_STRING *tgt_string;
+
+} CMP_ASN_TEST_FIXTURE;
+
+static CMP_ASN_TEST_FIXTURE *set_up(const char *const test_case_name)
+{
+    CMP_ASN_TEST_FIXTURE *fixture;
+    int setup_ok = 0;
+
+    /* Allocate memory owned by the fixture, exit on error */
+    if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
+        goto err;
+    fixture->test_case_name = test_case_name;
+    setup_ok = 1;
+
+ err:
+    if (!setup_ok) {
+#ifndef OPENSSL_NO_STDIO
+        ERR_print_errors_fp(stderr);
+#endif
+        exit(EXIT_FAILURE);
+    }
+    return fixture;
+}
+
+static void tear_down(CMP_ASN_TEST_FIXTURE *fixture)
+{
+    ASN1_OCTET_STRING_free(fixture->src_string);
+    if (fixture->tgt_string != fixture->src_string)
+        ASN1_OCTET_STRING_free(fixture->tgt_string);
+
+    OPENSSL_free(fixture);
+}
+
+static int execute_cmp_asn1_get_int_test(CMP_ASN_TEST_FIXTURE *
+                                                   fixture)
+{
+    ASN1_INTEGER *asn1integer = ASN1_INTEGER_new();
+    ASN1_INTEGER_set(asn1integer, 77);
+    if (!TEST_int_eq(77, ossl_cmp_asn1_get_int(asn1integer)))
+        return 0;
+    ASN1_INTEGER_free(asn1integer);
+    return 1;
+}
+
+static int test_cmp_asn1_get_int(void)
+{
+    SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    EXECUTE_TEST(execute_cmp_asn1_get_int_test, tear_down);
+    return result;
+}
+
+static int execute_CMP_ASN1_OCTET_STRING_set1_test(CMP_ASN_TEST_FIXTURE *
+                                                   fixture)
+{
+    if (!TEST_int_eq(fixture->expected,
+                     ossl_cmp_asn1_octet_string_set1(&fixture->tgt_string,
+                                                     fixture->src_string)))
+        return 0;
+    if (fixture->expected != 0)
+        return TEST_int_eq(0, ASN1_OCTET_STRING_cmp(fixture->tgt_string,
+                                                    fixture->src_string));
+    return 1;
+}
+
+static int test_ASN1_OCTET_STRING_set(void)
+{
+    SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    if (!TEST_ptr(fixture->tgt_string = ASN1_OCTET_STRING_new())
+            || !TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new())
+            || !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data,
+                                                sizeof(rand_data)))) {
+        tear_down(fixture);
+        fixture = NULL;
+    }
+    EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down);
+    return result;
+}
+
+static int test_ASN1_OCTET_STRING_set_tgt_is_src(void)
+{
+    SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    if (!TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new())
+            || !(fixture->tgt_string = fixture->src_string)
+            || !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data,
+                                                sizeof(rand_data)))) {
+        tear_down(fixture);
+        fixture = NULL;
+    }
+    EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down);
+    return result;
+}
+
+
+void cleanup_tests(void)
+{
+    return;
+}
+
+int setup_tests(void)
+{
+    /* ASN.1 related tests */
+    ADD_TEST(test_cmp_asn1_get_int);
+    ADD_TEST(test_ASN1_OCTET_STRING_set);
+    ADD_TEST(test_ASN1_OCTET_STRING_set_tgt_is_src);
+    /* TODO make sure that total number of tests (here currently 24) is shown,
+     also for other cmp_*text.c. Currently the test drivers always show 1. */
+
+    return 1;
+}