From: Dr. David von Oheimb Date: Fri, 27 Sep 2024 05:49:22 +0000 (+0200) Subject: APPS/ocsp: fix case where reqin and outfile are the same X-Git-Tag: openssl-3.5.0-alpha1~1057 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=421e8d7af8bad6a7d11c219fa48cb51fc1b6ffe9;p=thirdparty%2Fopenssl.git APPS/ocsp: fix case where reqin and outfile are the same Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25552) --- diff --git a/apps/ocsp.c b/apps/ocsp.c index 97454a4b81d..bd01cf127df 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -553,10 +553,6 @@ int ocsp_main(int argc, char **argv) && respin == NULL && !(port != NULL && ridx_filename != NULL)) goto opthelp; - out = bio_open_default(outfile, 'w', FORMAT_TEXT); - if (out == NULL) - goto end; - if (req == NULL && (add_nonce != 2)) add_nonce = 0; @@ -709,6 +705,10 @@ redo_accept: } } + out = bio_open_default(outfile, 'w', FORMAT_TEXT); + if (out == NULL) + goto end; + if (req_text && req != NULL) OCSP_REQUEST_print(out, req, 0); diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index b497424ef9b..1d43bc985b7 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -24,10 +24,10 @@ B B [B<-req_text>] [B<-resp_text>] [B<-text>] -[B<-reqout> I] -[B<-respout> I] -[B<-reqin> I] -[B<-respin> I] +[B<-reqout> I] +[B<-respout> I] +[B<-reqin> I] +[B<-respin> I] [B<-url> I] [B<-host> I:I] [B<-path> I] 
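Review bot: In the second apps/ocsp.c hunk the `bio_open_default(outfile, 'w', FORMAT_TEXT)` call now sits below the `redo_accept:` label that the hunk header shows as its enclosing context, so it may run more than once per process. If the responder loop jumps back to that label after serving a request (the jump is outside the hunk, so this is inferred), each pass would overwrite `out` without freeing the previous BIO and truncate `outfile` again, discarding earlier output. Guarding the open, e.g. `if (out == NULL && (out = bio_open_default(outfile, 'w', FORMAT_TEXT)) == NULL) goto end;`, keeps a single handle, assuming `out` starts as NULL. ocsp_main begins and ends outside both hunks.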
@@ -155,11 +155,14 @@ a nonce is automatically added specifying B<-no_nonce> overrides this. Print out the text form of the OCSP request, response or both respectively. -=item B<-reqout> I, B<-respout> I +=item B<-reqout> I, B<-respout> I -Write out the DER encoded certificate request or response to I. +Write out the DER-encoded OCSP request or response to I. +The output filename can be the same as the input filename, +which leads to replacing the file contents. +Note that file I/O is not atomic. The output file is truncated and then written. -=item B<-reqin> I, B<-respin> I +=item B<-reqin> I, B<-respin> I Read OCSP request or response file from I. These option are ignored if OCSP request or response creation is implied by other options (for example diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t index c2299962523..0539c79d561 100644 --- a/test/recipes/80-test_ocsp.t +++ b/test/recipes/80-test_ocsp.t @@ -14,6 +14,7 @@ use POSIX; use File::Spec::Functions qw/devnull catfile/; use File::Basename; use File::Copy; +use File::Compare qw/compare/; use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/; use OpenSSL::Test::Utils; @@ -51,7 +52,7 @@ sub test_ocsp { $title); }); } -plan tests => 11; +plan tests => 12; subtest "=== VALID OCSP RESPONSES ===" => sub { plan tests => 7; 
@@ -220,9 +221,29 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0); }; +my $cert = data_file("cert.pem"); +my $key = data_file("key.pem"); subtest "=== OCSP API TESTS===" => sub { plan tests => 1; - ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])), + ok(run(test(["ocspapitest", $cert, $key])), "running ocspapitest"); -} +}; + +subtest "=== OCSP handling of identical input and output files ===" => sub { + plan tests => 5; + + my $inout1 = "req.der"; + my $backup1 = "backup.der"; + ok(run(app(['openssl', 'ocsp', '-issuer', $cert, '-cert', $cert, + '-reqout', $inout1])), "produce dummy request input"); + copy($inout1, $backup1); + ok(run(app(['openssl', 'ocsp', '-reqin', $inout1, '-reqout', $inout1]))); + ok(!compare($inout1, $backup1), "copied request $inout1 did not change"); + + my $inout2 = "ND1.dat"; + my $backup2 = "backup.dat"; + copy($inout2, $backup2); + ok(run(app(['openssl', 'ocsp', '-respin', $inout2, '-respout', $inout2, '-noverify']))); + ok(!compare($inout2, $backup2), "copied response $inout2 did not change"); +};
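Review bot: The new subtest never passes `-out`, yet the C change in this commit moves the open of `outfile`, the file named by `-out`; all five checks use `-reqin`/`-reqout` or `-respin`/`-respout` on the same path. A check such as `ok(run(app(['openssl', 'ocsp', '-reqin', $inout1, '-req_text', '-out', $inout1])), "reqin and out are the same file");` placed after the `compare` on `$inout1` (with `plan tests => 6`) would exercise the case the subject line names. The two `ok(run(app(...)))` calls that rewrite `$inout1` and `$inout2` also lack a test name, unlike the other checks; a short description on each would make a failure easier to locate in the test output.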