apps/cmp.c: must not try acting as server if -reqout_only option is given

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28891)

diff --git a/apps/cmp.c b/apps/cmp.c
index 185210b1271ddd428de1ccd43952daedff01b5b1..404afe232636855d2ffc1de70f7dbb6f640bebad 100644 (file)
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -3607,7 +3607,6 @@ int cmp_main(int argc, char **argv)
     int i;
     X509 *newcert = NULL;
     ENGINE *engine = NULL;
-    OSSL_CMP_CTX *srv_cmp_ctx = NULL;
     int ret = 0; /* default: failure */
 
     if (!handle_opts_upfront(argc, argv))
@@ -3715,10 +3714,16 @@ int cmp_main(int argc, char **argv)
             goto err;
         }
     }
+
     if (opt_server != NULL && opt_use_mock_srv) {
         CMP_err("cannot use both -server and -use_mock_srv options");
         goto err;
     }
+    if ((opt_server == NULL || opt_use_mock_srv) && opt_tls_used) {
+        CMP_warn("ignoring -tls_used option since -server is not given or -use_mock_srv is given");
+        opt_tls_used = 0;
+    }
+
 #endif
 
     if (opt_ignore_keyusage)
@@ -3733,6 +3738,7 @@ int cmp_main(int argc, char **argv)
 #endif
                                     )) {
         OSSL_CMP_SRV_CTX *srv_ctx;
+        OSSL_CMP_CTX *srv_cmp_ctx;
 
         if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
             goto err;
@@ -3744,17 +3750,13 @@ int cmp_main(int argc, char **argv)
             goto err;
         }
         OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);
-    }
 
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
-    if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
-        CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
-        opt_tls_used = 0;
-    }
-
-    if (opt_port != NULL) { /* act as very basic CMP HTTP server */
-        ret = cmp_server(srv_cmp_ctx);
-        goto err;
+        if (opt_port != NULL) { /* act as very basic CMP HTTP server only */
+            ret = cmp_server(srv_cmp_ctx);
+            goto err;
+        }
+#endif
     }
 
     /* act as CMP client, possibly using internal mock server */
@@ -3762,10 +3764,14 @@ int cmp_main(int argc, char **argv)
     if (opt_reqout_only != NULL) {
         const char *msg = "option is ignored since -reqout_only option is given";
 
-# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+        if (opt_port != NULL) {
+            CMP_err("the -reqout_only client option does not combine with -port implying server behavior");
+            goto err;
+        }
         if (opt_server != NULL)
             CMP_warn1("-server %s", msg);
-# endif
+#endif
         if (opt_use_mock_srv)
             CMP_warn1("-use_mock_srv %s", msg);
         if (opt_reqout != NULL)
@@ -3777,12 +3783,13 @@ int cmp_main(int argc, char **argv)
         opt_reqout = opt_reqout_only;
     }
     if (opt_rspin != NULL) {
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (opt_server != NULL)
             CMP_warn("-server option is not used if enough filenames given for -rspin");
+#endif
         if (opt_use_mock_srv)
             CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
     }
-#endif
 
     if (!setup_client_ctx(cmp_ctx, engine)) {
         CMP_err("cannot set up CMP context");

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 9d5af2f42338b4d2d4e48a4094022fd89c56ceac..e7bc672544f1bc4bef3d182bcffa089947bf9044 100644 (file)
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -1113,6 +1113,7 @@ If the transaction contains more requests, the remaining ones are not saved.
 
 Save the first CMP requests created by the client to the given file and exit.
 Any options related to CMP servers and their responses are ignored.
+This option does not combine with the B<-port> option.
 
 This option is useful for supporting offline scenarios where the certificate
 request (or any other CMP request) is produced beforehand and sent out later.

diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index cbb806a9c6c884ff2cb7326f1751aea68b49d01d..c6c54239b1d735d995184d93ad3379cc8bec32f8 100644 (file)
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -132,6 +132,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK
 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET
 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
+0,reqout_only ir with -port, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir1.der,,BLANK,,BLANK, -server,"""", -port,0
 1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET