APPS/ocsp: fix case where reqin and outfile are the same

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25552)

apps/ocsp.c

@@ -553,10 +553,6 @@ int ocsp_main(int argc, char **argv)
         && respin == NULL && !(port != NULL && ridx_filename != NULL))
         goto opthelp;
 
-    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
-    if (out == NULL)
-        goto end;
-
     if (req == NULL && (add_nonce != 2))
         add_nonce = 0;
 
@@ -709,6 +705,10 @@ redo_accept:
         }
     }
 
+    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
+    if (out == NULL)
+        goto end;
+
     if (req_text && req != NULL)
         OCSP_REQUEST_print(out, req, 0);
 

doc/man1/openssl-ocsp.pod.in

@@ -24,10 +24,10 @@ B<openssl> B<ocsp>
 [B<-req_text>]
 [B<-resp_text>]
 [B<-text>]
-[B<-reqout> I<file>]
+[B<-reqout> I<filename>]
-[B<-respout> I<file>]
+[B<-respout> I<filename>]
-[B<-reqin> I<file>]
+[B<-reqin> I<filename>]
-[B<-respin> I<file>]
+[B<-respin> I<filename>]
 [B<-url> I<URL>]
 [B<-host> I<host>:I<port>]
 [B<-path> I<pathname>]
@@ -155,11 +155,14 @@ a nonce is automatically added specifying B<-no_nonce> overrides this.
 
 Print out the text form of the OCSP request, response or both respectively.
 
-=item B<-reqout> I<file>, B<-respout> I<file>
+=item B<-reqout> I<file>, B<-respout> I<filename>
 
-Write out the DER encoded certificate request or response to I<file>.
+Write out the DER-encoded OCSP request or response to I<filename>.
+The output filename can be the same as the input filename,
+which leads to replacing the file contents.
+Note that file I/O is not atomic. The output file is truncated and then written.
 
-=item B<-reqin> I<file>, B<-respin> I<file>
+=item B<-reqin> I<file>, B<-respin> I<filename>
 
 Read OCSP request or response file from I<file>. These option are ignored
 if OCSP request or response creation is implied by other options (for example

test/recipes/80-test_ocsp.t

@@ -14,6 +14,7 @@ use POSIX;
 use File::Spec::Functions qw/devnull catfile/;
 use File::Basename;
 use File::Copy;
+use File::Compare qw/compare/;
 use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
 use OpenSSL::Test::Utils;
 
@@ -51,7 +52,7 @@ sub test_ocsp {
                   $title); });
 }
 
-plan tests => 11;
+plan tests => 12;
 
 subtest "=== VALID OCSP RESPONSES ===" => sub {
     plan tests => 7;
@@ -220,9 +221,29 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
               "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
 };
 
+my $cert = data_file("cert.pem");
+my $key = data_file("key.pem");
 subtest "=== OCSP API TESTS===" => sub {
     plan tests => 1;
 
-    ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
+    ok(run(test(["ocspapitest", $cert, $key])),
                  "running ocspapitest");
-}
+};
+
+subtest "=== OCSP handling of identical input and output files ===" => sub {
+    plan tests => 5;
+
+    my $inout1 = "req.der";
+    my $backup1 = "backup.der";
+    ok(run(app(['openssl', 'ocsp', '-issuer', $cert, '-cert', $cert,
+                '-reqout', $inout1])), "produce dummy request input");
+    copy($inout1, $backup1);
+    ok(run(app(['openssl', 'ocsp', '-reqin', $inout1, '-reqout', $inout1])));
+    ok(!compare($inout1, $backup1), "copied request $inout1 did not change");
+
+    my $inout2 = "ND1.dat";
+    my $backup2 = "backup.dat";
+    copy($inout2, $backup2);
+    ok(run(app(['openssl', 'ocsp', '-respin', $inout2, '-respout', $inout2, '-noverify'])));
+    ok(!compare($inout2, $backup2), "copied response $inout2 did not change");
+};