Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID()

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-04-29 18:06:43 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-05-13 19:42:00 +0200
commit: 143be4748e49ff0181964affcbf422a895c48e85 (patch)
tree: 5da63b523b5cafbe7a84c26b2edd14e95743622d /apps
parent: 6b326fc396d203d84f5461a0025495dfef88e1e8 (diff)
1 files changed, 24 insertions, 22 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 1e4642d466..cf36d67fef 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -314,6 +314,7 @@ static char *opt_tls_host = NULL;
 static int opt_batch = 0;
 static int opt_repeat = 1;
 static char *opt_reqin = NULL;
+static int opt_reqin_new_tid = 0;
 static char *opt_reqout = NULL;
 static char *opt_rspin = NULL;
 static char *opt_rspout = NULL;
@@ -391,7 +392,7 @@ typedef enum OPTION_choice {
     OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
 
     OPT_BATCH, OPT_REPEAT,
-    OPT_REQIN, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
+    OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
 
     OPT_USE_MOCK_SRV, OPT_PORT, OPT_MAX_MSGS,
     OPT_SRV_REF, OPT_SRV_SECRET,
@@ -594,6 +595,8 @@ const OPTIONS cmp_options[] = {
     {"repeat", OPT_REPEAT, 'n',
      "Invoke the transaction the given number of times. Default 1"},
     {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"},
+    {"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
+     "Use fresh transactionID for CMP requests read from -reqin"},
     {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"},
     {"rspin", OPT_RSPIN, 's',
      "Process sequence of CMP responses provided in file(s), skipping server"},
@@ -706,7 +709,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host},
 
     {(char **)&opt_batch}, {(char **)&opt_repeat},
-    {&opt_reqin}, {&opt_reqout}, {&opt_rspin}, {&opt_rspout},
+    {&opt_reqin}, {(char **)&opt_reqin_new_tid},
+    {&opt_reqout}, {&opt_rspin}, {&opt_rspout},
 
     {(char **)&opt_use_mock_srv}, {&opt_port}, {(char **)&opt_max_msgs},
     {&opt_srv_ref}, {&opt_srv_secret},
@@ -1161,26 +1165,17 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
     if (req != NULL && opt_reqout != NULL
             && !write_PKIMESSAGE(req, &opt_reqout))
         goto err;
-    if (opt_reqin != NULL) {
-        if (opt_rspin != NULL) {
-            CMP_warn("-reqin is ignored since -rspin is present");
-        } else {
-            if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL)
-                goto err;
-            /*-
-             * The transaction ID in req_new may not be fresh.
-             * In this case the Insta Demo CA correctly complains:
-             * "Transaction id already in use."
-             * The following workaround unfortunately requires re-protection.
-             * See also https://github.com/mpeylo/cmpossl/issues/8
-             */
-#if defined(USE_TRANSACTIONID_WORKAROUND)
-            hdr = OSSL_CMP_MSG_get0_header(req_new);
-            if (!OSSL_CMP_CTX_set1_transactionID(hdr, NULL)
-                    || !ossl_cmp_msg_protect(ctx, req_new))
-                goto err;
-#endif
-        }
+    if (opt_reqin != NULL && opt_rspin == NULL) {
+        if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL)
+            goto err;
+        /*-
+         * The transaction ID in req_new read from opt_reqin may not be fresh.
+         * In this case the server may complain "Transaction id already in use."
+         * The following workaround unfortunately requires re-protection.
+         */
+        if (opt_reqin_new_tid
+                && !OSSL_CMP_MSG_update_transactionID(ctx, req_new))
+            goto err;
     }
 
     if (opt_rspin != NULL) {
@@ -2325,6 +2320,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *e)
         (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT,
                                       opt_total_timeout);
 
+    if (opt_reqin != NULL && opt_rspin != NULL)
+        CMP_warn("-reqin is ignored since -rspin is present");
+    if (opt_reqin_new_tid && opt_reqin == NULL)
+        CMP_warn("-reqin_new_tid is ignored since -reqin is not present");
     if (opt_reqin != NULL || opt_reqout != NULL
             || opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv)
         (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp);
@@ -2899,6 +2898,9 @@ static int get_opts(int argc, char **argv)
         case OPT_REQIN:
             opt_reqin = opt_str("reqin");
             break;
+        case OPT_REQIN_NEW_TID:
+            opt_reqin_new_tid = 1;
+            break;
         case OPT_REQOUT:
             opt_reqout = opt_str("reqout");
             break;
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-04-29 18:06:43 +0200
committer	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-05-13 19:42:00 +0200
commit	143be4748e49ff0181964affcbf422a895c48e85 (patch)
tree	5da63b523b5cafbe7a84c26b2edd14e95743622d /apps
parent	6b326fc396d203d84f5461a0025495dfef88e1e8 (diff)