From: Dr. David von Oheimb
Date: Fri, 10 Oct 2025 17:42:23 +0000 (+0200)
Subject: apps/cmp.c: must not try acting as server if -reqout_only option is given
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=82fb46debc1b059fb876d0ba3f5594e8135f6ccb;p=thirdparty%2Fopenssl.git

apps/cmp.c: must not try acting as server if -reqout_only option is given

Reviewed-by: Tomas Mraz
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28891)
---

diff --git a/apps/cmp.c b/apps/cmp.c
index 185210b1271..404afe23263 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -3607,7 +3607,6 @@ int cmp_main(int argc, char **argv)
 int i;
 X509 *newcert = NULL;
 ENGINE *engine = NULL;
- OSSL_CMP_CTX *srv_cmp_ctx = NULL;
 int ret = 0; /* default: failure */
 
 if (!handle_opts_upfront(argc, argv))
@@ -3715,10 +3714,16 @@ int cmp_main(int argc, char **argv)
 goto err;
 }
 }
+
 if (opt_server != NULL && opt_use_mock_srv) {
 CMP_err("cannot use both -server and -use_mock_srv options");
 goto err;
 }
+ if ((opt_server == NULL || opt_use_mock_srv) && opt_tls_used) {
+ CMP_warn("ignoring -tls_used option since -server is not given or -use_mock_srv is given");
+ opt_tls_used = 0;
+ }
+
 #endif
 
 if (opt_ignore_keyusage)
@@ -3733,6 +3738,7 @@ int cmp_main(int argc, char **argv)
 #endif
 )) {
 OSSL_CMP_SRV_CTX *srv_ctx;
+ OSSL_CMP_CTX *srv_cmp_ctx;
 
 if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
 goto err;
@@ -3744,17 +3750,13 @@ int cmp_main(int argc, char **argv)
 goto err;
 }
 OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);
- }
 
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
- if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
- CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
- opt_tls_used = 0;
- }
-
- if (opt_port != NULL) { /* act as very basic CMP HTTP server */
- ret = cmp_server(srv_cmp_ctx);
- goto err;
+ if (opt_port != NULL) { /* act as very basic CMP HTTP server only */
+ ret = cmp_server(srv_cmp_ctx);
+ goto err;
+ }
+#endif
 }
 
 /* act as CMP client, possibly using internal mock server */
@@ -3762,10 +3764,14 @@ int cmp_main(int argc, char **argv)
 if (opt_reqout_only != NULL) {
 const char *msg = "option is ignored since -reqout_only option is given";
 
-# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+ if (opt_port != NULL) {
+ CMP_err("the -reqout_only client option does not combine with -port implying server behavior");
+ goto err;
+ }
 if (opt_server != NULL)
 CMP_warn1("-server %s", msg);
-# endif
+#endif
 if (opt_use_mock_srv)
 CMP_warn1("-use_mock_srv %s", msg);
 if (opt_reqout != NULL)
@@ -3777,12 +3783,13 @@ int cmp_main(int argc, char **argv)
 opt_reqout = opt_reqout_only;
 }
 if (opt_rspin != NULL) {
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 if (opt_server != NULL)
 CMP_warn("-server option is not used if enough filenames given for -rspin");
+#endif
 if (opt_use_mock_srv)
 CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
 }
-#endif
 
 if (!setup_client_ctx(cmp_ctx, engine)) {
 CMP_err("cannot set up CMP context");
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 9d5af2f4233..e7bc672544f 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
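Review bot: The -reqout_only/-port rejection added inside the `if (opt_reqout_only != NULL)` block cannot fire when -port is given, because the hunk just before it on this line still runs `ret = cmp_server(srv_cmp_ctx); goto err;` whenever `opt_port != NULL`, and only one unshown line separates the two hunks, so the server path (listening socket included) is taken before the client-side check is ever reached. The check has to precede the `if ((opt_use_mock_srv || opt_port != NULL))` server-setup block, for example right after the `-server`/`-use_mock_srv` conflict check in the earlier hunk, which judging by its trailing `#endif` already sits inside the SOCK/HTTP conditional, so no extra guard would be needed there. As written, the new `reqout_only ir with -port` test row presumably fails for whatever reason server setup fails on in that environment rather than because of the new message, so it does not demonstrate the intended behaviour; the same consideration applies to that CSV hunk. cmp_main continues outside these hunks.
```c
    }  /* end of the -server/-use_mock_srv conflict check */
    /* must come before the server-setup block: once -port is seen there,
     * cmp_server() is entered and the -reqout_only checks below are never reached */
    if (opt_reqout_only != NULL && opt_port != NULL) {
        CMP_err("the -reqout_only client option does not combine with -port implying server behavior");
        goto err;
    }
    /* … unchanged: -tls_used warning, #endif … */
```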
@@ -1113,6 +1113,7 @@ If the transaction contains more requests, the remaining ones are not saved.
 
 Save the first CMP requests created by the client to the given file and exit.
 Any options related to CMP servers and their responses are ignored.
+This option does not combine with the B<-port> option.
 This option is useful for supporting offline scenarios where the certificate
 request (or any other CMP request) is produced beforehand and sent out later.
 
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index cbb806a9c6c..c6c54239b1d 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -132,6 +132,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK
 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET
 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
+0,reqout_only ir with -port, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir1.der,,BLANK,,BLANK, -server,"""", -port,0
 1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET