apps/cmp.c: must not try acting as server if -reqout_only option is given

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28891)

(cherry picked from commit 82fb46debc1b059fb876d0ba3f5594e8135f6ccb)

diff --git a/apps/cmp.c b/apps/cmp.c
index 837231a0abad4ebb207249eb128003238980c8d3..8ec937a4b770a2405835551f36ea6fcd5105e144 100644 (file)
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -3607,7 +3607,6 @@ int cmp_main(int argc, char **argv)
     int i;
     X509 *newcert = NULL;
     ENGINE *engine = NULL;
-    OSSL_CMP_CTX *srv_cmp_ctx = NULL;
     int ret = 0; /* default: failure */
 
     if (!handle_opts_upfront(argc, argv))
@@ -3715,10 +3714,16 @@ int cmp_main(int argc, char **argv)
             goto err;
         }
     }
+
     if (opt_server != NULL && opt_use_mock_srv) {
         CMP_err("cannot use both -server and -use_mock_srv options");
         goto err;
     }
+    if ((opt_server == NULL || opt_use_mock_srv) && opt_tls_used) {
+        CMP_warn("ignoring -tls_used option since -server is not given or -use_mock_srv is given");
+        opt_tls_used = 0;
+    }
+
 #endif
 
     if (opt_ignore_keyusage)
@@ -3733,6 +3738,7 @@ int cmp_main(int argc, char **argv)
 #endif
                                     )) {
         OSSL_CMP_SRV_CTX *srv_ctx;
+        OSSL_CMP_CTX *srv_cmp_ctx;
 
         if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
             goto err;
@@ -3744,17 +3750,13 @@ int cmp_main(int argc, char **argv)
             goto err;
         }
         OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);
-    }
 
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
-    if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
-        CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
-        opt_tls_used = 0;
-    }
-
-    if (opt_port != NULL) { /* act as very basic CMP HTTP server */
-        ret = cmp_server(srv_cmp_ctx);
-        goto err;
+        if (opt_port != NULL) { /* act as very basic CMP HTTP server only */
+            ret = cmp_server(srv_cmp_ctx);
+            goto err;
+        }
+#endif
     }
 
     /* act as CMP client, possibly using internal mock server */
@@ -3762,10 +3764,14 @@ int cmp_main(int argc, char **argv)
     if (opt_reqout_only != NULL) {
         const char *msg = "option is ignored since -reqout_only option is given";
 
-# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+        if (opt_port != NULL) {
+            CMP_err("the -reqout_only client option does not combine with -port implying server behavior");
+            goto err;
+        }
         if (opt_server != NULL)
             CMP_warn1("-server %s", msg);
-# endif
+#endif
         if (opt_use_mock_srv)
             CMP_warn1("-use_mock_srv %s", msg);
         if (opt_reqout != NULL)
@@ -3777,12 +3783,13 @@ int cmp_main(int argc, char **argv)
         opt_reqout = opt_reqout_only;
     }
     if (opt_rspin != NULL) {
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (opt_server != NULL)
             CMP_warn("-server option is not used if enough filenames given for -rspin");
+#endif
         if (opt_use_mock_srv)
             CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
     }
-#endif
 
     if (!setup_client_ctx(cmp_ctx, engine)) {
         CMP_err("cannot set up CMP context");

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index f44615d1fc186ce4a1b190b43ad9215ad032186b..7e69b5ccb82dca4fdb2ac1417fd7e1452fedfb36 100644 (file)
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -1113,6 +1113,7 @@ If the transaction contains more requests, the remaining ones are not saved.
 
 Save the first CMP requests created by the client to the given file and exit.
 Any options related to CMP servers and their responses are ignored.
+This option does not combine with the B<-port> option.
 
 This option is useful for supporting offline scenarios where the certificate
 request (or any other CMP request) is produced beforehand and sent out later.

diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index cbb806a9c6c884ff2cb7326f1751aea68b49d01d..c6c54239b1d735d995184d93ad3379cc8bec32f8 100644 (file)
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -132,6 +132,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK
 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET
 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
+0,reqout_only ir with -port, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir1.der,,BLANK,,BLANK, -server,"""", -port,0
 1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET