CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204) (cherry picked from commit b75d56dee09ac6f1fdb75169da891668cf181066)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2023-02-03 10:31:19 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2023-03-25 10:23:29 +0100
commit: 92a8c9d86f9d5bb5587711d8b9239aabbaddf89c (patch)
tree: 9034312622cc59dc915d5f48c01ad9a12ed0aee5 /apps
parent: bf1f609e5f763ce34e53b0c482322e0bfe38b7a6 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 50f87d97db..c8394cbb6e 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -810,6 +810,13 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
         if (opt_reqin_new_tid
                 && !OSSL_CMP_MSG_update_transactionID(ctx, req_new))
             goto err;
+
+        /*
+         * Except for first request, need to satisfy recipNonce check by server.
+         * Unfortunately requires re-protection if protection is required.
+         */
+        if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new))
+            goto err;
     }
 
     if (opt_rspin != NULL) {
@@ -825,7 +832,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
         goto err;
 
     if (req_new != NULL || prev_opt_rspin != NULL) {
-        /* need to satisfy nonce and transactionID checks */
+        /* need to satisfy nonce and transactionID checks by client */
         ASN1_OCTET_STRING *nonce;
         ASN1_OCTET_STRING *tid;
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2023-02-03 10:31:19 +0100
committer	Dr. David von Oheimb <dev@ddvo.net>	2023-03-25 10:23:29 +0100
commit	92a8c9d86f9d5bb5587711d8b9239aabbaddf89c (patch)
tree	9034312622cc59dc915d5f48c01ad9a12ed0aee5 /apps
parent	bf1f609e5f763ce34e53b0c482322e0bfe38b7a6 (diff)