fixup: update error

crypto/cmp/cmp_asn.c

@@ -384,9 +384,6 @@ OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
                                             const GENERAL_NAMES *issuer,
                                             const ASN1_TIME *thisUpdate)
 {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    return dpn == NULL && issuer == NULL && thisUpdate == NULL ? NULL : NULL;
-#else
     OSSL_CMP_CRLSOURCE *crlsource;
     OSSL_CMP_CRLSTATUS *crlstatus;
 
@@ -423,7 +420,6 @@ OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
  err:
     OSSL_CMP_CRLSTATUS_free(crlstatus);
     return NULL;
-#endif
 }
 
 static GENERAL_NAMES *gennames_new(const X509_NAME *nm)

crypto/cmp/cmp_err.c

@@ -85,7 +85,10 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "failure obtaining random"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_FAIL_INFO_OUT_OF_RANGE),
     "fail info out of range"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_GENERATE_CRLSTATUS),
+    "error creating crlstatus"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_GETTING_GENP), "getting genp"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_GET_ITAV), "get itav"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_GENP), "invalid genp"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_OPTION), "invalid option"},

crypto/cmp/cmp_genm.c

@@ -344,3 +344,65 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
     X509_free(oldWithOld_copy);
     return res;
 }
+
+int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl,
+                            X509_CRL **crl)
+{
+    OSSL_CMP_CRLSTATUS *status = NULL;
+    STACK_OF(OSSL_CMP_CRLSTATUS) *list = NULL;
+    OSSL_CMP_ITAV *req = NULL, *itav = NULL;
+    STACK_OF(X509_CRL) *crls;
+    int res = 0;
+
+    if (crl == NULL) {
+        ERR_raise_data(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT,
+                       "No crl output parameter given");
+        return 0;
+    }
+    *crl = NULL;
+
+    if ((status = OSSL_CMP_CRLSTATUS_create(last_crl, ctx->oldCert, 1)) == NULL) {
+        ERR_raise_data(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS,
+                       "Cannot set up CRLStatus structure");
+        goto end;
+    }
+    if ((list = sk_OSSL_CMP_CRLSTATUS_new_reserve(NULL, 1)) == NULL) {
+        ERR_raise_data(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS,
+                       "Cannot set up CRLStatus list");
+        goto end;
+    }
+    (void)sk_OSSL_CMP_CRLSTATUS_push(list, status); /* cannot fail */
+
+    if ((req = OSSL_CMP_ITAV_new0_crlStatusList(list)) == NULL)
+        goto end;
+
+    status = NULL;
+    list = NULL;
+
+    itav = get_genm_itav(ctx, req, NID_id_it_crls, "crl");
+    if (itav == NULL)
+        goto end;
+
+    if (!OSSL_CMP_ITAV_get0_crls(itav, &crls))
+        goto end;
+
+    if (crls == NULL) /* no CRL update available */
+        goto end;
+    if (sk_X509_CRL_num(crls) != 1) {
+        ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP,
+                       "Unexpected number of CRLs in genp: %d",
+                       sk_X509_CRL_num(crls));
+        goto end;
+    }
+
+    if ((*crl = sk_X509_CRL_value(crls, 0)) == NULL || !X509_CRL_up_ref(*crl)) {
+        *crl = NULL;
+        goto end;
+    }
+    res = 1;
+ end:
+    OSSL_CMP_CRLSTATUS_free(status);
+    sk_OSSL_CMP_CRLSTATUS_free(list);
+    OSSL_CMP_ITAV_free(itav);
+    return res;
+}

crypto/err/openssl.txt

@@ -232,7 +232,9 @@ CMP_R_FAILED_BUILDING_OWN_CHAIN:164:failed building own chain
 CMP_R_FAILED_EXTRACTING_PUBKEY:141:failed extracting pubkey
 CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random
 CMP_R_FAIL_INFO_OUT_OF_RANGE:129:fail info out of range
+CMP_R_GENERATE_CRLSTATUS:198:error creating crlstatus
 CMP_R_GETTING_GENP:192:getting genp
+CMP_R_GET_ITAV:199:get itav
 CMP_R_INVALID_ARGS:100:invalid args
 CMP_R_INVALID_GENP:193:invalid genp
 CMP_R_INVALID_OPTION:174:invalid option

include/openssl/cmp.h.in

@@ -592,6 +592,8 @@ int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out);
 int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
                                   const X509 *oldWithOld, X509 **newWithNew,
                                   X509 **newWithOld, X509 **oldWithNew);
+int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl,
+                            X509_CRL **crl);
 
 #  ifdef  __cplusplus
 }

include/openssl/cmperr.h

@@ -60,7 +60,9 @@
 #  define CMP_R_FAILED_EXTRACTING_PUBKEY                   141
 #  define CMP_R_FAILURE_OBTAINING_RANDOM                   110
 #  define CMP_R_FAIL_INFO_OUT_OF_RANGE                     129
+#  define CMP_R_GENERATE_CRLSTATUS                         198
 #  define CMP_R_GETTING_GENP                               192
+#  define CMP_R_GET_ITAV                                   199
 #  define CMP_R_INVALID_ARGS                               100
 #  define CMP_R_INVALID_GENP                               193
 #  define CMP_R_INVALID_OPTION                             174

util/libcrypto.num

@@ -5546,3 +5546,13 @@ ERR_pop                                 ?	3_3_0	EXIST::FUNCTION:
 X509_STORE_get1_objects                 ?	3_3_0	EXIST::FUNCTION:
 OPENSSL_LH_set_thunks                   ?	3_3_0	EXIST::FUNCTION:
 OPENSSL_LH_doall_arg_thunk              ?	3_3_0	EXIST::FUNCTION:
+GENERAL_NAME_create                     ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_create               ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_new1                 ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_get0                 ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_free                 ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new0_crlStatusList        ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crlStatusList        ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new0_crls                 ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crls                 ?	3_3_0	EXIST::FUNCTION:CMP
+OSSL_CMP_get1_crlUpdate                 ?	3_3_0	EXIST::FUNCTION:CMP