Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)

3 files changed, 21 insertions, 6 deletions

diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index a931d3caf2..7c5e10baa7 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod
@@ -15,9 +15,9 @@ ossl_cmp_msg_add_extraCerts
 
 =head1 DESCRIPTION
 
-ossl_cmp_msg_protect() protects the given message B<msg> using an algorithm
+ossl_cmp_msg_protect() (re-)protects the given message B<msg> using an algorithm
 depending on the available context information given in the B<ctx>.
-If there is a secretValue it selects PBMAC. Else if there is a clCert
+If there is a secretValue it selects PBMAC, else if there is a clCert
 it selects Signature and uses B<ossl_cmp_msg_add_extraCerts()>.
 It also sets the protectionAlg field in the message header accordingly.
 
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index a99391ac6d..cf7f6aa418 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -85,6 +85,7 @@ B<openssl> B<cmp>
 [B<-batch>]
 [B<-repeat> I<number>]
 [B<-reqin>] I<filenames>
+[B<-reqin_new_tid>]
 [B<-reqout>] I<filenames>
 [B<-rspin>] I<filenames>
 [B<-rspout>] I<filenames>
@@ -798,6 +799,13 @@ Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").
 As many files are read as needed for a complete transaction.
 
+=item B<-reqin_new_tid>
+
+Use a fresh transactionID for CMP request messages read using B<-reqin>,
+which requires re-protecting them as far as they were protected before.
+This may be needed in case the sequence of requests is reused
+and the CMP server complains that the transaction ID has already been used.
+
 =item B<-reqout> I<filenames>
 
 Save sequence of CMP requests to file(s).
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index bd51eb5598..3ab76c14df 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -3,6 +3,7 @@
 =head1 NAME
 
 OSSL_CMP_MSG_get0_header,
+OSSL_CMP_MSG_update_transactionID,
 d2i_OSSL_CMP_MSG_bio,
 i2d_OSSL_CMP_MSG_bio
 - function(s) manipulating CMP messages
@@ -12,17 +13,22 @@ i2d_OSSL_CMP_MSG_bio
   #include <openssl/cmp.h>
 
   OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
+  int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
   OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
   int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
 
 =head1 DESCRIPTION
 
-OSSL_CMP_MSG_get0_header returns the header of the given CMP message.
+OSSL_CMP_MSG_get0_header() returns the header of the given CMP message.
 
-d2i_OSSL_CMP_MSG_bio parses an ASN.1-encoded OSSL_CMP_MSG from the BIO I<bio>.
+OSSL_CMP_MSG_update_transactionID() updates the transactionID field
+in the header of the given message according to the CMP_CTX.
+This requires re-protecting the message (if it was protected).
+
+d2i_OSSL_CMP_MSG_bio() parses an ASN.1-encoded OSSL_CMP_MSG from the BIO I<bio>.
 It assigns a pointer to the new structure to I<*msg> if I<msg> is not NULL.
 
-i2d_OSSL_CMP_MSG_bio writes the OSSL_CMP_MSG I<msg> in ASN.1 encoding
+i2d_OSSL_CMP_MSG_bio() writes the OSSL_CMP_MSG I<msg> in ASN.1 encoding
 to BIO I<bio>.
 
 =head1 NOTES
@@ -36,7 +42,8 @@ or NULL if the respective entry does not exist and on error.
 
 d2i_OSSL_CMP_MSG_bio() returns the parsed message or NULL on error.
 
-i2d_OSSL_CMP_MSG_bio() returns 1 on success or 0 on error.
+i2d_OSSL_CMP_MSG_bio() and OSSL_CMP_MSG_update_transactionID()
+return 1 on success, 0 on error.
 
 =head1 HISTORY