[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu Apr 2 16:32:57 UTC 2020
The branch master has been updated
via 4b1fe471ac99b9f8692be85dcbcbf6977eb35c78 (commit)
via afe554c2d244b4e7fc8c1b14acef806a2a581a8d (commit)
from 98278b963171ece10a42d18594045b875103115b (commit)
- Log -----------------------------------------------------------------
commit 4b1fe471ac99b9f8692be85dcbcbf6977eb35c78
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Mar 25 13:46:02 2020 +0100
HTTP client: make server/proxy and port params more consistent; minor other improvements
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)
commit afe554c2d244b4e7fc8c1b14acef806a2a581a8d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Feb 19 18:00:26 2020 +0100
Chunk 10 of CMP contribution to OpenSSL: CMP http client and related tests
Also improve the generic HTTP client w.r.t. proxy and no_proxy options.
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)
-----------------------------------------------------------------------
Summary of changes:
apps/include/apps.h | 4 +-
apps/lib/apps.c | 10 +-
crypto/cmp/build.info | 2 +-
crypto/cmp/cmp_client.c | 2 +-
crypto/cmp/cmp_ctx.c | 187 +++++++--------------------------
crypto/cmp/cmp_http.c | 66 ++++++++++++
crypto/cmp/cmp_local.h | 6 +-
crypto/err/openssl.txt | 7 +-
crypto/http/http_client.c | 113 ++++++++++++--------
crypto/http/http_err.c | 14 +--
crypto/http/http_lib.c | 71 ++++++++++++-
crypto/http/http_local.h | 3 +
crypto/x509/x_all.c | 2 +-
doc/man3/OSSL_CMP_CTX_new.pod | 53 ++++++----
doc/man3/OSSL_CMP_MSG_http_perform.pod | 60 +++++++++++
doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 3 +-
doc/man3/OSSL_HTTP_transfer.pod | 65 ++++++++----
include/openssl/cmp.h | 11 +-
include/openssl/cmp_util.h | 1 -
include/openssl/http.h | 18 +++-
include/openssl/httperr.h | 9 +-
test/build.info | 36 ++++---
test/cmp_ctx_test.c | 19 ++--
test/http_test.c | 4 +-
util/libcrypto.num | 7 +-
util/missingcrypto.txt | 1 -
util/other.syms | 1 -
27 files changed, 463 insertions(+), 312 deletions(-)
create mode 100644 crypto/cmp/cmp_http.c
create mode 100644 doc/man3/OSSL_CMP_MSG_http_perform.pod
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 2d22192925..90f9c2bbe6 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -233,13 +233,13 @@ BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
int connect, int detail);
# ifndef OPENSSL_NO_SOCK
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
- const char *proxy_port, SSL_CTX *ctx,
+ const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 7c2a5ea5e7..7b400a413d 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1990,7 +1990,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
} else if (!connect && !detail) { /* disconnecting after error */
const char *hint = tls_error_hint();
if (hint != NULL)
- ERR_add_error_data(1, hint);
+ ERR_add_error_data(2, " : ", hint);
/*
* If we pop sbio and BIO_free() it this may lead to libssl double free.
* Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
@@ -2000,7 +2000,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
}
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it)
@@ -2029,7 +2029,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
info.use_proxy = proxy != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
- resp = OSSL_HTTP_get_asn1(url, proxy, proxy_port,
+ resp = OSSL_HTTP_get_asn1(url, proxy, no_proxy,
NULL, NULL, app_http_tls_cb, &info,
headers, 0 /* maxline */, 0 /* max_resp_len */,
timeout, expected_content_type, it);
@@ -2042,7 +2042,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
@@ -2056,7 +2056,7 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
return OSSL_HTTP_post_asn1(host, port, path, ssl_ctx != NULL,
- proxy, proxy_port,
+ proxy, no_proxy,
NULL, NULL, app_http_tls_cb, &info,
headers, content_type, req, req_it,
0 /* maxline */,
diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info
index d3fbae2452..a2a57c14ec 100644
--- a/crypto/cmp/build.info
+++ b/crypto/cmp/build.info
@@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c \
cmp_status.c cmp_hdr.c cmp_protect.c cmp_msg.c cmp_vfy.c \
- cmp_server.c cmp_client.c
+ cmp_server.c cmp_client.c cmp_http.c
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index eedabc59d2..604b4ce9a1 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -140,7 +140,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
if (transfer_cb == NULL)
- transfer_cb = NULL; /* TODO: will be OSSL_CMP_MSG_http_perform of chunk 10 */
+ transfer_cb = OSSL_CMP_MSG_http_perform;
*rep = NULL;
msg_timeout = ctx->msg_timeout; /* backup original value */
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 873d69320e..9a252cca79 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -20,9 +20,7 @@
#include <openssl/crmf.h>
#include <openssl/err.h>
-/*
- * Get current certificate store containing trusted root CA certs
- */
+/* Get current certificate store containing trusted root CA certs */
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -36,7 +34,6 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
* Set certificate store containing trusted (root) CA certs and possibly CRLs
* and a cert verification callback function used for CMP server authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
- * returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
{
@@ -49,9 +46,7 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
return 1;
}
-/*
- * Get current list of non-trusted intermediate certs
- */
+/* Get current list of non-trusted intermediate certs */
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -64,7 +59,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
- * returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
@@ -101,8 +95,6 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
ctx->status = -1;
ctx->failInfoCode = -1;
- ctx->serverPort = OSSL_CMP_DEFAULT_PORT;
- ctx->proxyPort = OSSL_CMP_DEFAULT_PORT;
ctx->msg_timeout = 2 * 60;
if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
@@ -125,9 +117,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
return NULL;
}
-/*
- * Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX
- */
+/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -148,17 +138,16 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
-/*
- * Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new()
- */
+/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL)
return;
OPENSSL_free(ctx->serverPath);
- OPENSSL_free(ctx->serverName);
- OPENSSL_free(ctx->proxyName);
+ OPENSSL_free(ctx->server);
+ OPENSSL_free(ctx->proxy);
+ OPENSSL_free(ctx->no_proxy);
X509_free(ctx->srvCert);
X509_free(ctx->validatedSrvCert);
@@ -252,11 +241,7 @@ int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
return 1;
}
-/*
- * Set callback function for checking if the cert is ok or should
- * it be rejected.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for checking if the cert is ok or should be rejected */
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
{
if (ctx == NULL) {
@@ -270,7 +255,6 @@ int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
/*
* Set argument, respectively a pointer to a structure containing arguments,
* optionally to be used by the certConf callback.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
@@ -380,10 +364,7 @@ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
return res;
}
-/*
- * Set a callback function for error reporting and logging messages.
- * Returns 1 on success, 0 on error
- */
+/* Set a callback function for error reporting and logging messages */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
{
if (ctx == NULL) {
@@ -411,7 +392,6 @@ void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx)
/*
* Set or clear the reference value to be used for identification
* (i.e., the user name) when using PBMAC.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len)
@@ -424,10 +404,7 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
len);
}
-/*
- * Set or clear the password to be used for protecting messages with PBMAC.
- * Returns 1 on success, 0 on error
- */
+/* Set or clear the password to be used for protecting messages with PBMAC */
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len)
{
@@ -465,7 +442,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
/*
* Copies any given stack of inbound X509 certificates to extraCertsIn
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error.
*/
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn)
@@ -483,7 +459,6 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
/*
* Duplicate and set the given stack as the new stack of X509
* certificates to send out in the extraCerts field.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut)
@@ -503,7 +478,6 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
/*
* Add the given policy info object
* to the X509_EXTENSIONS of the requested certificate template.
- * Returns 1 on success, 0 on error.
*/
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
{
@@ -519,9 +493,7 @@ int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
return sk_POLICYINFO_push(ctx->policies, pinfo);
}
-/*
- * Add an ITAV for geninfo of the PKI message header
- */
+/* Add an ITAV for geninfo of the PKI message header */
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
@@ -531,9 +503,7 @@ int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
}
-/*
- * Add an itav for the body of outgoing general messages
- */
+/* Add an itav for the body of outgoing general messages */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
@@ -562,7 +532,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
/*
* Duplicate and copy the given stack of certificates to the given
* OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error
*/
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
{
@@ -614,39 +583,25 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
* Pins the server certificate to be directly trusted (even if it is expired)
* for verifying response messages.
* Cert pointer is not consumed. It may be NULL to clear the entry.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
-/*
- * Set the X509 name of the recipient. Set in the PKIHeader.
- * returns 1 on success, 0 on error
- */
+/* Set the X509 name of the recipient. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
-/*
- * Store the X509 name of the expected sender in the PKIHeader of responses.
- * Returns 1 on success, 0 on error
- */
+/* Store the X509 name of the expected sender in the PKIHeader of responses */
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
-/*
- * Set the X509 name of the issuer. Set in the PKIHeader.
- * Returns 1 on success, 0 on error
- */
+/* Set the X509 name of the issuer. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
/*
* Set the subject name that will be placed in the certificate
* request. This will be the subject name on the received certificate.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
-/*
- * Set the X.509v3 certificate request extensions to be used in IR/CR/KUR.
- * Returns 1 on success, 0 on error
- */
+/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
{
if (ctx == NULL) {
@@ -680,7 +635,6 @@ int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
/*
* Add a GENERAL_NAME structure that will be added to the CRMF
* request's extensions field to request subject alternative names.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
const GENERAL_NAME *name)
@@ -712,7 +666,6 @@ int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
/*
* Set our own client certificate, used for example in KUR and when
* doing the IR with existing certificate.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
@@ -721,19 +674,14 @@ DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
* or the certificate to be revoked in RR, respectively.
* Also used as reference cert (defaulting to clCert) for deriving subject DN
* and SANs. Its issuer is used as default recipient in the CMP message header.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
-/*
- * Set the PKCS#10 CSR to be sent in P10CR.
- * Returns 1 on success, 0 on error
- */
+/* Set the PKCS#10 CSR to be sent in P10CR */
DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
/*
- * Sets the (newly received in IP/KUP/CP) certificate in the context.
- * Returns 1 on success, 0 on error
+ * Set the (newly received in IP/KUP/CP) certificate in the context.
* TODO: this only permits for one cert to be enrolled at a time.
*/
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
@@ -759,16 +707,10 @@ X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
return ctx->newCert;
}
-/*
- * Set the client's current private key.
- * Returns 1 on success, 0 on error
- */
+/* Set the client's current private key */
DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
-/*
- * Set new key pair. Used e.g. when doing Key Update.
- * Returns 1 on success, 0 on error
- */
+/* Set new key pair. Used e.g. when doing Key Update */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
{
if (ctx == NULL) {
@@ -782,9 +724,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
return 1;
}
-/*
- * gets the private/public key to use for certificate enrollment, NULL on error
- */
+/* Get the private/public key to use for cert enrollment, or NULL on error */
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
@@ -799,10 +739,7 @@ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
return ctx->pkey; /* may be NULL */
}
-/*
- * Sets the given transactionID to the context.
- * Returns 1 on success, 0 on error
- */
+/* Set the given transactionID to the context */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id)
{
@@ -813,11 +750,7 @@ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
}
-/*
- * sets the given nonce to be used for the recipNonce in the next message to be
- * created.
- * returns 1 on success, 0 on error
- */
+/* Set the nonce to be used for the recipNonce in the message created next */
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
@@ -826,10 +759,7 @@ int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
}
-/*
- * Stores the given nonce as the last senderNonce sent out.
- * Returns 1 on success, 0 on error
- */
+/* Stores the given nonce as the last senderNonce sent out */
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
@@ -840,36 +770,16 @@ int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
}
-/*
- * Set the host name of the (HTTP) proxy server to use for all connections
- * returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(proxyName, char)
+/* Set the proxy server to use for HTTP(S) connections */
+DEFINE_OSSL_CMP_CTX_set1(proxy, char)
-/*
- * Set the (HTTP) host name of the CA server.
- * Returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(serverName, char)
+/* Set the (HTTP) host name of the CMP server */
+DEFINE_OSSL_CMP_CTX_set1(server, char)
-/*
- * Sets the (HTTP) proxy port to be used.
- * Returns 1 on success, 0 on error
- */
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->proxyPort = port;
- return 1;
-}
+/* Set the server exclusion list of the HTTP proxy server */
+DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
-/*
- * sets the http connect/disconnect callback function to be used for HTTP(S)
- * returns 1 on success, 0 on error
- */
+/* Set the http connect/disconnect callback function to be used for HTTP(S) */
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
{
if (ctx == NULL) {
@@ -880,10 +790,7 @@ int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
return 1;
}
-/*
- * Set argument optionally to be used by the http connect/disconnect callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the http connect/disconnect callback */
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
@@ -907,10 +814,7 @@ void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
return ctx->http_cb_arg;
}
-/*
- * Set callback function for sending CMP request and receiving response.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for sending CMP request and receiving response */
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
{
if (ctx == NULL) {
@@ -921,10 +825,7 @@ int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
return 1;
}
-/*
- * Set argument optionally to be used by the transfer callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the transfer callback */
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
@@ -948,10 +849,7 @@ void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
return ctx->transfer_cb_arg;
}
-/*
- * Sets the (HTTP) server port to be used.
- * Returns 1 on success, 0 on error
- */
+/** Set the HTTP server port to be used */
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
{
if (ctx == NULL) {
@@ -962,16 +860,10 @@ int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
return 1;
}
-/*
- * Sets the HTTP path to be used on the server (e.g "pkix/").
- * Returns 1 on success, 0 on error
- */
+/* Set the HTTP path to be used on the server (e.g "pkix/") */
DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
-/*
- * Set the failInfo error code as bit encoding in OSSL_CMP_CTX.
- * Returns 1 on success, 0 on error
- */
+/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
{
if (!ossl_assert(ctx != NULL))
@@ -993,10 +885,7 @@ int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
return ctx->failInfoCode;
}
-/*
- * Sets a Boolean or integer option of the context to the "val" arg.
- * Returns 1 on success, 0 on error
- */
+/* Set a Boolean or integer option of the context to the "val" arg */
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
{
int min_val;
diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c
new file mode 100644
index 0000000000..20164944e2
--- /dev/null
+++ b/crypto/cmp/cmp_http.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/http.h>
+#include "internal/sockets.h"
+
+#include "openssl/cmp.h"
+#include "cmp_local.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/cmp.h>
+#include <openssl/err.h>
+
+/*
+ * Send the PKIMessage req and on success return the response, else NULL.
+ * Any previous error queue entries will likely be removed by ERR_clear_error().
+ */
+OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req)
+{
+ char server_port[32] = { '\0' };
+ STACK_OF(CONF_VALUE) *headers = NULL;
+ const char *const content_type_pkix = "application/pkixcmp";
+ OSSL_CMP_MSG *res;
+
+ if (ctx == NULL || req == NULL) {
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return NULL;
+ }
+
+ if (!X509V3_add_value("Pragma", "no-cache", &headers))
+ return NULL;
+
+ if (ctx->serverPort != 0)
+ BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort);
+
+ res = (OSSL_CMP_MSG *)
+ OSSL_HTTP_post_asn1(ctx->server, server_port, ctx->serverPath,
+ OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL,
+ ctx->proxy, ctx->no_proxy, NULL, NULL,
+ ctx->http_cb, OSSL_CMP_CTX_get_http_cb_arg(ctx),
+ headers, content_type_pkix,
+ (ASN1_VALUE *)req, ASN1_ITEM_rptr(OSSL_CMP_MSG),
+ 0, 0, ctx->msg_timeout, content_type_pkix,
+ ASN1_ITEM_rptr(OSSL_CMP_MSG));
+
+ sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
+ return res;
+}
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 220e93e2ce..c3a080f2bd 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -36,10 +36,10 @@ struct ossl_cmp_ctx_st {
void *transfer_cb_arg; /* allows to store optional argument to cb */
/* HTTP-based transfer */
char *serverPath;
- char *serverName;
+ char *server;
int serverPort;
- char *proxyName;
- int proxyPort;
+ char *proxy;
+ char *no_proxy;
int msg_timeout; /* max seconds to wait for each CMP message round trip */
int total_timeout; /* max number of seconds an enrollment may take, incl. */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 1a21faa1e1..f467ea909f 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2600,12 +2600,13 @@ HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded
HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding
HTTP_R_MISSING_CONTENT_TYPE:121:missing content type
HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location
+HTTP_R_RECEIVED_ERROR:105:received error
+HTTP_R_RECEIVED_WRONG_HTTP_VERSION:106:received wrong http version
HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http
HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
-HTTP_R_SERVER_RESPONSE_PARSE_ERROR:104:server response parse error
-HTTP_R_SERVER_SENT_ERROR:105:server sent error
-HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION:106:server sent wrong http version
+HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
+HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
HTTP_R_TLS_NOT_ENABLED:107:tls not enabled
HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 124fed0c9d..4c123f81d3 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -21,7 +21,7 @@
#include <openssl/buffer.h>
#include <openssl/http.h>
#include "internal/sockets.h"
-#include "internal/cryptlib.h"
+#include "internal/cryptlib.h" /* for ossl_assert() */
#include "http_local.h"
@@ -157,7 +157,7 @@ int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, const char *server,
* Section 5.1.2 of RFC 1945 states that the absoluteURI form is only
* allowed when using a proxy
*/
- if (BIO_printf(rctx->mem, "http://%s", server) <= 0)
+ if (BIO_printf(rctx->mem, OSSL_HTTP_PREFIX"%s", server) <= 0)
return 0;
if (port != NULL && BIO_printf(rctx->mem, ":%s", port) <= 0)
return 0;
@@ -330,7 +330,7 @@ static int parse_http_line1(char *line)
for (code = line; *code != '\0' && !ossl_isspace(*code); code++)
continue;
if (*code == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -339,7 +339,7 @@ static int parse_http_line1(char *line)
code++;
if (*code == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -348,7 +348,7 @@ static int parse_http_line1(char *line)
continue;
if (*reason == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -385,7 +385,7 @@ static int parse_http_line1(char *line)
if (retcode < 400)
HTTPerr(0, HTTP_R_STATUS_CODE_UNSUPPORTED);
else
- HTTPerr(0, HTTP_R_SERVER_SENT_ERROR);
+ HTTPerr(0, HTTP_R_RECEIVED_ERROR);
if (*reason == '\0')
ERR_add_error_data(2, "Code=", code);
else
@@ -577,12 +577,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
*line_end = '\0';
}
if (value != NULL && line_end != NULL) {
- if (rctx->state == OHS_REDIRECT && strcmp(key, "Location") == 0) {
+ if (rctx->state == OHS_REDIRECT
+ && strcasecmp(key, "Location") == 0) {
rctx->redirection_url = value;
return 0;
}
- if (rctx->expected_ct != NULL && strcmp(key, "Content-Type") == 0) {
- if (strcmp(rctx->expected_ct, value) != 0) {
+ if (rctx->expected_ct != NULL
+ && strcasecmp(key, "Content-Type") == 0) {
+ if (strcasecmp(rctx->expected_ct, value) != 0) {
HTTPerr(0, HTTP_R_UNEXPECTED_CONTENT_TYPE);
ERR_add_error_data(4, "expected=", rctx->expected_ct,
",actual=", value);
@@ -590,7 +592,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
rctx->expected_ct = NULL; /* content-type has been found */
}
- if (strcmp(key, "Content-Length") == 0) {
+ if (strcasecmp(key, "Content-Length") == 0) {
resp_len = strtoul(value, &line_end, 10);
if (line_end == value || *line_end != '\0') {
HTTPerr(0, HTTP_R_ERROR_PARSING_CONTENT_LENGTH);
@@ -603,7 +605,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
/* Look for blank line: end of headers */
- for (p = rctx->iobuf; *p != '\0' ; p++) {
+ for (p = rctx->iobuf; *p != '\0'; p++) {
if (*p != '\r' && *p != '\n')
break;
}
@@ -690,23 +692,31 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
#ifndef OPENSSL_NO_SOCK
/* set up a new connection BIO, to HTTP server or to HTTP(S) proxy if given */
-static BIO *HTTP_new_bio(const char *server, const char *server_port,
- const char *proxy, const char *proxy_port)
+static BIO *HTTP_new_bio(const char *server /* optionally includes ":port" */,
+ const char *server_port /* explicit server port */,
+ const char *proxy /* optionally includes ":port" */)
{
- const char *host = server;
+ const char *host = server, *host_end;
+ char host_name[100];
const char *port = server_port;
BIO *cbio;
- if (server == NULL) {
- HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
+ if (!ossl_assert(server != NULL))
return NULL;
- }
if (proxy != NULL) {
host = proxy;
- port = proxy_port;
+ port = NULL;
+ }
+
+ host_end = strchr(host, '/');
+ if (host_end != NULL && (size_t)(host_end - host) < sizeof(host_name)) {
+ /* chop trailing string starting with '/' */
+ strncpy(host_name, host, host_end - host + 1);
+ host = host_name;
}
- cbio = BIO_new_connect(host);
+
+ cbio = BIO_new_connect(host /* optionally includes ":port" */);
if (cbio == NULL)
goto end;
if (port != NULL)
@@ -724,7 +734,7 @@ static ASN1_VALUE *BIO_mem_d2i(BIO *mem, const ASN1_ITEM *it)
ASN1_VALUE *resp = ASN1_item_d2i(NULL, &p, len, it);
if (resp == NULL)
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return resp;
}
@@ -812,7 +822,7 @@ static int update_timeout(int timeout, time_t start_time)
* After disconnect the modified BIO will be deallocated using BIO_free_all().
*/
BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
- int use_ssl, const char *proxy, const char *proxy_port,
+ int use_ssl, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -837,17 +847,28 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
HTTPerr(0, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
- /* remaining parameters are checked indirectly by the functions called */
- if (bio != NULL)
+ if (bio != NULL) {
cbio = bio;
- else
+ } else {
#ifndef OPENSSL_NO_SOCK
- if ((cbio = HTTP_new_bio(server, port, proxy, proxy_port)) == NULL)
+ if (server == NULL) {
+ HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ if (*port == '\0')
+ port = NULL;
+ if (port == NULL && strchr(server, ':') == NULL)
+ port = use_ssl ? OSSL_HTTPS_PORT : OSSL_HTTP_PORT;
+ proxy = http_adapt_proxy(proxy, no_proxy, server, use_ssl);
+ if ((cbio = HTTP_new_bio(server, port, proxy)) == NULL)
return NULL;
#else
+ HTTPerr(0, HTTP_R_SOCK_NOT_SUPPORTED);
return NULL;
#endif
+ }
+ /* remaining parameters are checked indirectly by the functions called */
(void)ERR_set_mark(); /* prepare removing any spurious libssl errors */
if (rbio == NULL && BIO_connect_retry(cbio, timeout) <= 0)
@@ -889,15 +910,17 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
if (lib == ERR_LIB_SSL || lib == ERR_LIB_HTTP
|| (lib == ERR_LIB_BIO && reason == BIO_R_CONNECT_TIMEOUT)
|| (lib == ERR_LIB_BIO && reason == BIO_R_CONNECT_ERROR)
-# ifndef OPENSSL_NO_CMP
+#ifndef OPENSSL_NO_CMP
|| (lib == ERR_LIB_CMP
&& reason == CMP_R_POTENTIALLY_INVALID_CERTIFICATE)
-# endif
+#endif
) {
BIO_snprintf(buf, 200, "server=%s:%s", server, port);
ERR_add_error_data(1, buf);
+ if (proxy != NULL)
+ ERR_add_error_data(2, " proxy=", proxy);
if (err == 0) {
- BIO_snprintf(buf, 200, "server has disconnected%s",
+ BIO_snprintf(buf, 200, " peer has disconnected%s",
use_ssl ? " violating the protocol" :
", likely because it requires the use of TLS");
ERR_add_error_data(1, buf);
@@ -934,8 +957,7 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
static int redirection_ok(int n_redir, const char *old_url, const char *new_url)
{
- static const char https[] = "https:";
- int https_len = 6; /* strlen(https) */
+ size_t https_len = strlen(OSSL_HTTPS_NAME":");
if (n_redir >= HTTP_VERSION_MAX_REDIRECTIONS) {
HTTPerr(0, HTTP_R_TOO_MANY_REDIRECTIONS);
@@ -943,8 +965,8 @@ static int redirection_ok(int n_redir, const char *old_url, const char *new_url)
}
if (*new_url == '/') /* redirection to same server => same protocol */
return 1;
- if (strncmp(old_url, https, https_len) == 0 &&
- strncmp(new_url, https, https_len) != 0) {
+ if (strncmp(old_url, OSSL_HTTPS_NAME":", https_len) == 0 &&
+ strncmp(new_url, OSSL_HTTPS_NAME":", https_len) != 0) {
HTTPerr(0, HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP);
return 0;
}
@@ -952,7 +974,7 @@ static int redirection_ok(int n_redir, const char *old_url, const char *new_url)
}
/* Get data via HTTP from server at given URL, potentially with redirection */
-BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -980,7 +1002,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
break;
new_rpath:
- resp = OSSL_HTTP_transfer(host, port, path, use_ssl, proxy, proxy_port,
+ resp = OSSL_HTTP_transfer(host, port, path, use_ssl, proxy, no_proxy,
bio, rbio,
bio_update_fn, arg, headers, NULL, NULL,
maxline, max_resp_len,
@@ -1013,7 +1035,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
/* Get ASN.1-encoded data via HTTP from server at given URL */
ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -1028,7 +1050,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
- if ((mem = OSSL_HTTP_get(url, proxy, proxy_port, bio, rbio, bio_update_fn,
+ if ((mem = OSSL_HTTP_get(url, proxy, no_proxy, bio, rbio, bio_update_fn,
arg, headers, maxline, max_resp_len, timeout,
expected_content_type, 1 /* expect_asn1 */))
!= NULL)
@@ -1040,7 +1062,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
/* Post ASN.1-encoded request via HTTP to server return ASN.1 response */
ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
const char *path, int use_ssl,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -1061,7 +1083,7 @@ ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
/* remaining parameters are checked indirectly */
req_mem = HTTP_asn1_item2bio(req_it, req);
- res_mem = OSSL_HTTP_transfer(server, port, path, use_ssl, proxy, proxy_port,
+ res_mem = OSSL_HTTP_transfer(server, port, path, use_ssl, proxy, no_proxy,
bio, rbio,
bio_update_fn, arg, headers, content_type,
req_mem /* may be NULL */, maxline,
@@ -1107,8 +1129,8 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
const char *proxyuser, const char *proxypass,
int timeout, BIO *bio_err, const char *prog)
{
-# undef BUF_SIZE
-# define BUF_SIZE (8 * 1024)
+#undef BUF_SIZE
+#define BUF_SIZE (8 * 1024)
char *mbuf = OPENSSL_malloc(BUF_SIZE);
char *mbufp;
int read_len = 0;
@@ -1117,11 +1139,13 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
int rv;
time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
- if (bio == NULL || server == NULL || port == NULL
+ if (bio == NULL || server == NULL
|| (bio_err != NULL && prog == NULL)) {
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
goto end;
}
+ if (port == NULL || *port == '\0')
+ port = OSSL_HTTPS_PORT;
if (mbuf == NULL || fbio == NULL) {
BIO_printf(bio_err /* may be NULL */, "%s: out of memory", prog);
@@ -1193,7 +1217,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
/* RFC 7231 4.3.6: any 2xx status code is valid */
if (strncmp(mbuf, HTTP_PREFIX, strlen(HTTP_PREFIX)) != 0) {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
BIO_printf(bio_err, "%s: HTTP CONNECT failed, non-HTTP response\n",
prog);
/* Wrong protocol, not even HTTP, so stop reading headers */
@@ -1201,7 +1225,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
}
mbufp = mbuf + strlen(HTTP_PREFIX);
if (strncmp(mbufp, HTTP_VERSION_PATT, strlen(HTTP_VERSION_PATT)) != 0) {
- HTTPerr(0, HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION);
+ HTTPerr(0, HTTP_R_RECEIVED_WRONG_HTTP_VERSION);
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, bad HTTP version %.*s\n",
prog, HTTP_VERSION_STR_LEN, mbufp);
@@ -1241,6 +1265,5 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
}
OPENSSL_free(mbuf);
return ret;
-# undef BUF_SIZE
+#undef BUF_SIZE
}
-
diff --git a/crypto/http/http_err.c b/crypto/http/http_err.c
index 8618539365..7b6f295170 100644
--- a/crypto/http/http_err.c
+++ b/crypto/http/http_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -34,17 +34,19 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
"missing content type"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MISSING_REDIRECT_LOCATION),
"missing redirect location"},
+ {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RECEIVED_ERROR), "received error"},
+ {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RECEIVED_WRONG_HTTP_VERSION),
+ "received wrong http version"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP),
"redirection from https to http"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_NOT_ENABLED),
"redirection not enabled"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_LINE_TOO_LONG),
"response line too long"},
- {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR),
- "server response parse error"},
- {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_ERROR), "server sent error"},
- {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION),
- "server sent wrong http version"},
+ {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
+ "response parse error"},
+ {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SOCK_NOT_SUPPORTED),
+ "sock not supported"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_STATUS_CODE_UNSUPPORTED),
"status code unsupported"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_TLS_NOT_ENABLED), "tls not enabled"},
diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index 1d7ad0422a..5da5b1e724 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -11,6 +11,9 @@
#include <openssl/httperr.h>
#include <openssl/err.h>
#include <string.h>
+#include "internal/cryptlib.h" /* for ossl_assert() */
+
+#include "http_local.h"
/*
* Parse a URL and split it up into host, port and path components and
@@ -22,8 +25,11 @@ int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
{
char *p, *buf;
char *host;
- char *port = "80";
+ const char *port = OSSL_HTTP_PORT;
+ size_t https_len = strlen(OSSL_HTTPS_NAME);
+ if (!ossl_assert(https_len >= strlen(OSSL_HTTP_NAME)))
+ return 0;
if (url == NULL) {
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
return 0;
@@ -44,16 +50,16 @@ int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
/* Check for initial colon */
p = strchr(buf, ':');
- if (p == NULL || p - buf > 5 /* strlen("https") */) {
+ if (p == NULL || (size_t)(p - buf) > https_len) {
p = buf;
} else {
*(p++) = '\0';
- if (strcmp(buf, "https") == 0) {
+ if (strcmp(buf, OSSL_HTTPS_NAME) == 0) {
if (pssl != NULL)
*pssl = 1;
- port = "443";
- } else if (strcmp(buf, "http") != 0) {
+ port = OSSL_HTTPS_PORT;
+ } else if (strcmp(buf, OSSL_HTTP_NAME) != 0) {
goto parse_err;
}
@@ -114,3 +120,58 @@ int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
OPENSSL_free(buf);
return 0;
}
+
+int http_use_proxy(const char *no_proxy, const char *server)
+{
+ size_t sl;
+ const char *found = NULL;
+
+ if (!ossl_assert(server != NULL))
+ return 0;
+ sl = strlen(server);
+
+ /*
+ * using environment variable names, both lowercase and uppercase variants,
+ * compatible with other HTTP client implementations like wget, curl and git
+ */
+ if (no_proxy == NULL)
+ no_proxy = getenv("no_proxy");
+ if (no_proxy == NULL)
+ no_proxy = getenv(OPENSSL_NO_PROXY);
+ if (no_proxy != NULL)
+ found = strstr(no_proxy, server);
+ while (found != NULL
+ && ((found != no_proxy && found[-1] != ' ' && found[-1] != ',')
+ || (found[sl] != '\0' && found[sl] != ' ' && found[sl] != ',')))
+ found = strstr(found + 1, server);
+ return found == NULL;
+}
+
+const char *http_adapt_proxy(const char *proxy, const char *no_proxy,
+ const char *server, int use_ssl)
+{
+ const int http_len = strlen(OSSL_HTTP_PREFIX);
+ const int https_len = strlen(OSSL_HTTPS_PREFIX);
+
+ /*
+ * using environment variable names, both lowercase and uppercase variants,
+ * compatible with other HTTP client implementations like wget, curl and git
+ */
+ if (proxy == NULL)
+ proxy = getenv(use_ssl ? "https_proxy" : "http_proxy");
+ if (proxy == NULL)
+ proxy = getenv(use_ssl ? OPENSSL_HTTP_PROXY :
+ OPENSSL_HTTPS_PROXY);
+ if (proxy == NULL)
+ return NULL;
+
+ /* skip any leading "http://" or "https://" */
+ if (strncmp(proxy, OSSL_HTTP_PREFIX, http_len) == 0)
+ proxy += http_len;
+ else if (strncmp(proxy, OSSL_HTTPS_PREFIX, https_len) == 0)
+ proxy += https_len;
+
+ if (*proxy == '\0' || !http_use_proxy(no_proxy, server))
+ return NULL;
+ return proxy;
+}
diff --git a/crypto/http/http_local.h b/crypto/http/http_local.h
index 4722750018..64b475b818 100644
--- a/crypto/http/http_local.h
+++ b/crypto/http/http_local.h
@@ -45,5 +45,8 @@ ASN1_VALUE *HTTP_sendreq_bio(BIO *bio, OSSL_HTTP_bio_cb_t bio_update_fn,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
int maxline, unsigned long max_resp_len,
int timeout, const ASN1_ITEM *rsp_it);
+int http_use_proxy(const char *no_proxy, const char *server);
+const char *http_adapt_proxy(const char *proxy, const char *no_proxy,
+ const char *server, int use_ssl);
#endif /* !defined(OSSL_CRYPTO_HTTP_LOCAL_H) */
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 00b45ffdd8..ce8c23b654 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -121,7 +121,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
int timeout, const ASN1_ITEM *it)
{
- return OSSL_HTTP_get_asn1(url, NULL, NULL /* no proxy and port */, bio,
+ return OSSL_HTTP_get_asn1(url, NULL, NULL /* no proxy used */, bio,
rbio, NULL /* no callback for SSL/TLS */, NULL,
NULL /* headers */, 1024 /* maxline */,
0 /* max_resp_len */, timeout,
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 016d851ddc..d070a59b0b 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -11,11 +11,10 @@ OSSL_CMP_CTX_set_log_cb,
OSSL_CMP_CTX_set_log_verbosity,
OSSL_CMP_CTX_print_errors,
OSSL_CMP_CTX_set1_serverPath,
-OSSL_CMP_CTX_set1_serverName,
+OSSL_CMP_CTX_set1_server,
OSSL_CMP_CTX_set_serverPort,
-OSSL_CMP_CTX_set1_proxyName,
-OSSL_CMP_CTX_set_proxyPort,
-OSSL_CMP_DEFAULT_PORT,
+OSSL_CMP_CTX_set1_proxy,
+OSSL_CMP_CTX_set1_no_proxy,
OSSL_CMP_CTX_set_http_cb,
OSSL_CMP_CTX_set_http_cb_arg,
OSSL_CMP_CTX_get_http_cb_arg,
@@ -78,11 +77,10 @@ OSSL_CMP_CTX_set1_senderNonce
/* message transfer: */
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
- int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
+ int OSSL_CMP_CTX_set1_server(OSSL_CMP_CTX *ctx, const char *address);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
- int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
- int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
- #define OSSL_CMP_DEFAULT_PORT 80
+ int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
+ int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, HTTP_bio_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
@@ -306,19 +304,30 @@ It is similar to B<ERR_print_errors_cb()> but uses the CMP log callback function
if set in the C<ctx> for uniformity with CMP logging if given. Otherwise it uses
B<ERR_print_errors(3)> to print to STDERR (unless OPENSSL_NO_STDIO is defined).
-OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host.
+OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host,
+also known as "CMP alias".
+The default is "/".
-OSSL_CMP_CTX_set1_serverName() sets the given server Address (as IP or name)
-in the given OSSL_CMP_CTX structure.
+OSSL_CMP_CTX_set1_server() sets the given server B<address>
+(which may be a hostname or IP address or NULL) in the given B<ctx>.
OSSL_CMP_CTX_set_serverPort() sets the port of the CMP server to connect to.
-Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
-
-OSSL_CMP_CTX_set1_proxyName() sets the hostname of the HTTP proxy to be used
-for connecting to the CA server.
-
-OSSL_CMP_CTX_set_proxyPort() sets the port of the HTTP proxy.
-Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
+If not used or the B<port> argument is 0
+the default port applies, which is 80 for HTTP and 443 for HTTPS.
+
+OSSL_CMP_CTX_set1_proxy() sets the HTTP proxy to be used for connecting to
+the given CMP server unless overruled by any "no_proxy" settings (see below).
+If TLS is not used this defaults to the value of
+the environment variable B<http_proxy> if set, else B<HTTP_PROXY>.
+Otherwise defaults to the value of B<https_proxy> if set, else B<HTTPS_PROXY>.
+An empty proxy string specifies not to use a proxy.
+Else the format is I<[http[s]://]address[:port][/path]>,
+where any path given is ignored.
+The default port number is 80, or 443 in case "https:" is given.
+
+OSSL_CMP_CTX_set1_no_proxy() sets the list of server hostnames not to use
+an HTTP proxy for. The names may be separated by commas and/or whitespace.
+Defaults to the environment variable B<no_proxy> if set, else B<NO_PROXY>.
OSSL_CMP_CTX_set_http_cb() sets the optional BIO connect/disconnect callback
function, which has the prototype
@@ -602,7 +611,7 @@ All other functions return 1 on success, 0 on error.
The following code does an Initialization Request:
cmp_ctx = OSSL_CMP_CTX_new();
- OSSL_CMP_CTX_set1_serverName(cmp_ctx, opt_serverName);
+ OSSL_CMP_CTX_set1_server(cmp_ctx, address);
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
@@ -614,7 +623,7 @@ The following code does an Initialization Request using an
external identity certificate (RFC 4210, Appendix E.7):
cmp_ctx = OSSL_CMP_CTX_new();
- OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
+ OSSL_CMP_CTX_set1_server(cmp_ctx, sname);
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
@@ -629,7 +638,7 @@ which is trusted by the current CA the code will connect to.
The following code does a Key Update Request:
cmp_ctx = OSSL_CMP_CTX_new();
- OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
+ OSSL_CMP_CTX_set1_server(cmp_ctx, url);
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
@@ -642,7 +651,7 @@ including, as an example, the id-it-signKeyPairTypes OID and prints info on
the General Response contents.
cmp_ctx = OSSL_CMP_CTX_new();
- OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
+ OSSL_CMP_CTX_set1_server(cmp_ctx, sname);
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
diff --git a/doc/man3/OSSL_CMP_MSG_http_perform.pod b/doc/man3/OSSL_CMP_MSG_http_perform.pod
new file mode 100644
index 0000000000..6582d4413b
--- /dev/null
+++ b/doc/man3/OSSL_CMP_MSG_http_perform.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_MSG_http_perform
+- client-side HTTP(S) transfer of a CMP request-response pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req);
+
+=head1 DESCRIPTION
+
+OSSL_CMP_MSG_http_perform() sends the given PKIMessage B<req>
+to the CMP server specified in B<ctx> via L<OSSL_CMP_CTX_set1_server(3)>
+and optionally L<OSSL_CMP_CTX_set_serverPort(3)>, using
+any "CMP alias" optionally specified via L<OSSL_CMP_CTX_set1_serverPath(3)>.
+The default port is 80 for HTTP and 443 for HTTPS; the default path is "/".
+On success the function returns the server's response PKIMessage.
+
+The function makes use of any HTTP callback function
+set via L<OSSL_CMP_CTX_set_http_cb(3)>.
+It respects any timeout value set via L<OSSL_CMP_CTX_set_option(3)>
+with an B<OSSL_CMP_OPT_MSG_TIMEOUT> argument.
+It also respects any HTTP(S) proxy options set via L<OSSL_CMP_CTX_set1_proxy(3)>
+and L<OSSL_CMP_CTX_set1_no_proxy(3)> and the respective environment variables.
+Proxying plain HTTP is supported directly,
+while using a proxy for HTTPS connections requires a suitable callback function
+such as L<OSSL_HTTP_proxy_connect(3)>.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210.
+HTTP transfer for CMP is defined in RFC 6712.
+
+=head1 RETURN VALUES
+
+OSSL_CMP_MSG_http_perform() returns a CMP message on success, else NULL.
+
+=head1 SEE ALSO
+
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_HTTP_proxy_connect(3)>.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
index c9d6d95a1b..eaebce8864 100644
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -18,8 +18,7 @@ OSSL_CRMF_MSG_get_certReqId
OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
ASN1_INTEGER
*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
- const X509_NAME
- *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 68010cb6bd..632f48dbe8 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -17,14 +17,14 @@ OSSL_HTTP_parse_url
typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg,
int connect, int detail);
- BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
int maxline, unsigned long max_resp_len, int timeout,
const char *expected_content_type, int expect_asn1);
ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -33,7 +33,7 @@ OSSL_HTTP_parse_url
const ASN1_ITEM *it);
ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
const char *path, int use_ssl,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -43,7 +43,7 @@ OSSL_HTTP_parse_url
int timeout, const char *expected_ct,
const ASN1_ITEM *rsp_it);
BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
- int use_ssl, const char *proxy, const char *proxy_port,
+ int use_ssl, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -69,17 +69,18 @@ and returns it on success as a pointer to I<ASN1_VALUE>.
OSSL_HTTP_post_asn1() uses the HTTP POST method to send a request B<req>
with the ASN.1 structure defined in B<req_it> and the given B<content_type> to
-the given B<server> and optional B<port> and B<path>, which defaults to "/".
+the given B<server> and optional B<port> and B<path>.
If B<use_ssl> is nonzero a TLS connection is requested and the B<bio_update_fn>
parameter, described below, must be provided.
The optional list B<headers> may contain additional custom HTTP header lines.
The expected structure of the response is specified by B<rsp_it>.
On success it returns the response as a pointer to B<ASN1_VALUE>.
-OSSL_HTTP_transfer() exchanges an HTTP request and response with
-the given B<server> and optional B<port> and B<path>, which defaults to "/".
-If B<use_ssl> is nonzero a TLS connection is requested and the B<bio_update_fn>
-parameter, described below, must be provided.
+OSSL_HTTP_transfer() exchanges any form of HTTP request and response.
+It implements the core of the functions described above.
+If B<path> parameter is NULL it defaults to "/".
+If B<use_ssl> is nonzero a TLS connection is requested
+and the B<bio_update_fn> parameter, described below, must be provided.
If B<req_mem> is NULL it uses the HTTP GET method, else it uses HTTP POST to
send a request with the contents of the memory BIO and optional B<content_type>.
The optional list B<headers> may contain additional custom HTTP header lines.
@@ -91,22 +92,36 @@ L<OPENSSL_free(3)>.
The above functions have the following parameters in common.
-If the B<proxy> parameter is not NULL the HTTP client functions connect
-via the given proxy and the optionally given B<proxy_port>.
-Proxying plain HTTP is supported directly,
-while using a proxy for HTTPS connections requires a suitable callback function
-such as OSSL_HTTP_proxy_connect(), described below.
-
-Typically the B<bio> and B<rbio> parameters are NULL and the client creates a
-network BIO internally for connecting to the given server and port (optionally
-via a proxy and its port), and uses it for exchanging the request and response.
-If B<bio> is given and B<rbio> is NULL then the client uses this BIO instead.
+Typically the OpenSSL build supports sockets
+and the B<bio> and B<rbio> parameters are both NULL.
+In this case the client creates a network BIO internally
+for connecting to the given B<server>
+at the specified B<port> (if any, defaulting to 80 for HTTP or 443 for HTTPS),
+optionally via a B<proxy> (respecting B<no_proxy>) as described below.
+Then the client uses this internal BIO for exchanging the request and response.
+If B<bio> is given and B<rbio> is NULL then the client uses this B<bio> instead.
If both B<bio> and B<rbio> are given (which may be memory BIOs for instance)
then no explicit connection is attempted,
B<bio> is used for writing the request, and B<rbio> for reading the response.
As soon as the client has flushed B<bio> the server must be ready to provide
a response or indicate a waiting condition via B<rbio>.
+The optional B<proxy> parameter can be used to set the address of the an
+HTTP(S) proxy to use (unless overridden by "no_proxy" settings).
+If TLS is not used this defaults to the environment variable B<http_proxy>
+if set, else B<HTTP_PROXY>.
+If B<use_ssl> != 0 it defaults to B<https_proxy> if set, else B<HTTPS_PROXY>.
+An empty proxy string specifies not to use a proxy.
+Else the format is I<[http[s]://]address[:port][/path]>,
+where any path given is ignored.
+The default proxy port number is 80, or 443 in case "https:" is given.
+The HTTP client functions connect via the given proxy unless the B<server>
+is found in the optional list B<no_proxy> of proxy hostnames (if not NULL;
+default is the environment variable B<no_proxy> if set, else B<NO_PROXY>).
+Proxying plain HTTP is supported directly,
+while using a proxy for HTTPS connections requires a suitable callback function
+such as B<OSSL_HTTP_proxy_connect()>, described below.
+
The B<maxline> parameter specifies the response header maximum line length,
where 0 indicates the default value, which currently is 4k.
The B<max_resp_len> parameter specifies the maximum response length,
@@ -115,7 +130,7 @@ where 0 indicates the default value, which currently is 100k.
An ASN.1-encoded response is expected by OSSL_HTTP_get_asn1() and
OSSL_HTTP_post_asn1(), while for OSSL_HTTP_get() or OSSL_HTTP_transfer()
this is only the case if the B<expect_asn1> parameter is nonzero.
-If the response header contains one or more Content-Length header lines and/or
+If the response header contains one or more "Content-Length" header lines and/or
an ASN.1-encoded response is expected, which should include a total length,
the length indications received are checked for consistency
and for not exceeding the maximum response length.
@@ -164,11 +179,12 @@ Here is a simple example that supports TLS connections (but not via a proxy):
After disconnect the modified BIO will be deallocated using BIO_free_all().
OSSL_HTTP_proxy_connect() may be used by an above BIO connect callback function
-to set up an SSL/TLS connection via an HTTP proxy.
+to set up an SSL/TLS connection via an HTTPS proxy.
It promotes the given BIO B<bio> representing a connection
pre-established with a TLS proxy using the HTTP CONNECT method,
optionally using proxy client credentials B<proxyuser> and B<proxypass>,
to connect with TLS protection ultimately to B<server> and B<port>.
+If the B<port> argument is NULL or the empty string it defaults to "443".
The B<timeout> parameter is used as described above.
Since this function is typically called by appplications such as
L<openssl-s_client(1)> it uses the B<bio_err> and B<prog> parameters (unless
@@ -184,6 +200,13 @@ them copies of the respective string components.
The strings returned this way must be deallocated by the caller using
L<OPENSSL_free(3)> unless they are NULL, which is their default value on error.
+=head1 NOTES
+
+The names of the environment variables used by this implementation:
+B<http_proxy>, B<HTTP_PROXY>, B<https_proxy>, B<HTTPS_PROXY>, B<no_proxy>, and
+B<NO_PROXY>, have been chosen for maximal compatibility with
+other HTTP client implementations such as wget, curl, and git.
+
=head1 RETURN VALUES
OSSL_HTTP_get(), OSSL_HTTP_get_asn1(), OSSL_HTTP_post_asn1(), and
diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
index 21d16cc94d..b594296565 100644
--- a/include/openssl/cmp.h
+++ b/include/openssl/cmp.h
@@ -274,11 +274,10 @@ int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb);
void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
/* message transfer: */
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
-int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set1_server(OSSL_CMP_CTX *ctx, const char *address);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
-# define OSSL_CMP_DEFAULT_PORT 80
-int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
@@ -360,6 +359,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg);
int OSSL_CMP_validate_cert_path(OSSL_CMP_CTX *ctx,
X509_STORE *trusted_store, X509 *cert);
+/* from cmp_http.c */
+OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req);
+
/* from cmp_server.c */
typedef struct ossl_cmp_srv_ctx_st OSSL_CMP_SRV_CTX;
OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h
index 831b65ec1c..2bfe2ec2a0 100644
--- a/include/openssl/cmp_util.h
+++ b/include/openssl/cmp_util.h
@@ -17,7 +17,6 @@
# include <openssl/macros.h>
# include <openssl/trace.h>
-# include <openssl/x509.h>
# ifdef __cplusplus
extern "C" {
diff --git a/include/openssl/http.h b/include/openssl/http.h
index 950acf1408..4dff008801 100644
--- a/include/openssl/http.h
+++ b/include/openssl/http.h
@@ -25,14 +25,24 @@ extern "C" {
typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail);
-BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+# define OSSL_HTTP_NAME "http"
+# define OSSL_HTTPS_NAME "https"
+# define OSSL_HTTP_PREFIX OSSL_HTTP_NAME"://"
+# define OSSL_HTTPS_PREFIX OSSL_HTTPS_NAME"://"
+# define OSSL_HTTP_PORT "80"
+# define OSSL_HTTPS_PORT "443"
+# define OPENSSL_NO_PROXY "NO_PROXY"
+# define OPENSSL_HTTP_PROXY "HTTP_PROXY"
+# define OPENSSL_HTTPS_PROXY "HTTPS_PROXY"
+
+BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
int maxline, unsigned long max_resp_len, int timeout,
const char *expected_content_type, int expect_asn1);
ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -41,7 +51,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
const ASN1_ITEM *it);
ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
const char *path, int use_ssl,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -51,7 +61,7 @@ ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
int timeout, const char *expected_ct,
const ASN1_ITEM *rsp_it);
BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
- int use_ssl, const char *proxy, const char *proxy_port,
+ int use_ssl, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
diff --git a/include/openssl/httperr.h b/include/openssl/httperr.h
index 36dd7cb067..e4acb1df8c 100644
--- a/include/openssl/httperr.h
+++ b/include/openssl/httperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -41,12 +41,13 @@ int ERR_load_HTTP_strings(void);
# define HTTP_R_MISSING_ASN1_ENCODING 110
# define HTTP_R_MISSING_CONTENT_TYPE 121
# define HTTP_R_MISSING_REDIRECT_LOCATION 111
+# define HTTP_R_RECEIVED_ERROR 105
+# define HTTP_R_RECEIVED_WRONG_HTTP_VERSION 106
# define HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP 112
# define HTTP_R_REDIRECTION_NOT_ENABLED 116
# define HTTP_R_RESPONSE_LINE_TOO_LONG 113
-# define HTTP_R_SERVER_RESPONSE_PARSE_ERROR 104
-# define HTTP_R_SERVER_SENT_ERROR 105
-# define HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION 106
+# define HTTP_R_RESPONSE_PARSE_ERROR 104
+# define HTTP_R_SOCK_NOT_SUPPORTED 122
# define HTTP_R_STATUS_CODE_UNSUPPORTED 114
# define HTTP_R_TLS_NOT_ENABLED 107
# define HTTP_R_TOO_MANY_REDIRECTIONS 115
diff --git a/test/build.info b/test/build.info
index bc1f3f2f86..6d670ea175 100644
--- a/test/build.info
+++ b/test/build.info
@@ -51,7 +51,7 @@ IF[{- !$disabled{tests} -}]
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest drbg_cavs_test drbg_extra_test sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
- servername_test ocspapitest fatalerrtest tls13ccstest \
+ http_test servername_test ocspapitest fatalerrtest tls13ccstest \
sysdefaulttest errtest ssl_ctx_test gosttest \
context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
keymgmt_internal_test
@@ -131,11 +131,11 @@ IF[{- !$disabled{tests} -}]
ENDIF
SOURCE[evp_extra_test]=evp_extra_test.c
- INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
+ INCLUDE[evp_extra_test]=../include ../apps/include
DEPEND[evp_extra_test]=../libcrypto libtestutil.a
SOURCE[evp_fetch_prov_test]=evp_fetch_prov_test.c
- INCLUDE[evp_fetch_prov_test]=../include ../apps/include ../crypto/include
+ INCLUDE[evp_fetch_prov_test]=../include ../apps/include
DEPEND[evp_fetch_prov_test]=../libcrypto libtestutil.a
IF[{- $disabled{fips} || !$target{dso_scheme} -}]
DEFINE[evp_extra_test]=NO_FIPS_MODULE
@@ -347,13 +347,13 @@ IF[{- !$disabled{tests} -}]
DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
SOURCE[drbgtest]=drbgtest.c
- INCLUDE[drbgtest]=../include ../apps/include ../crypto/include
+ INCLUDE[drbgtest]=../include ../apps/include
DEPEND[drbgtest]=../libcrypto.a libtestutil.a
SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data_ctr.c \
drbg_cavs_data_hash.c drbg_cavs_data_hmac.c
- INCLUDE[drbg_cavs_test]=../include ../apps/include . .. ../crypto/include
+ INCLUDE[drbg_cavs_test]=../include ../apps/include . ..
DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a
SOURCE[drbg_extra_test]=drbg_extra_test.c
@@ -380,6 +380,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[ciphername_test]=../include ../apps/include
DEPEND[ciphername_test]=../libcrypto ../libssl libtestutil.a
+ SOURCE[http_test]=http_test.c
+ INCLUDE[http_test]=../include ../apps/include
+ DEPEND[http_test]=../libcrypto libtestutil.a
+
SOURCE[servername_test]=servername_test.c ssltestlib.c
INCLUDE[servername_test]=../include ../apps/include
DEPEND[servername_test]=../libcrypto ../libssl libtestutil.a
@@ -401,7 +405,7 @@ IF[{- !$disabled{tests} -}]
IF[{- !$disabled{shared} -}]
PROGRAMS{noinst}=shlibloadtest
SOURCE[shlibloadtest]=shlibloadtest.c
- INCLUDE[shlibloadtest]=../include ../apps/include ../crypto/include
+ INCLUDE[shlibloadtest]=../include ../apps/include
ENDIF
# cipher_overhead_test uses internal symbols, so it must be linked with
@@ -516,19 +520,19 @@ IF[{- !$disabled{tests} -}]
ENDIF
SOURCE[poly1305_internal_test]=poly1305_internal_test.c
- INCLUDE[poly1305_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[poly1305_internal_test]=.. ../include ../apps/include
DEPEND[poly1305_internal_test]=../libcrypto.a libtestutil.a
SOURCE[chacha_internal_test]=chacha_internal_test.c
- INCLUDE[chacha_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[chacha_internal_test]=.. ../include ../apps/include
DEPEND[chacha_internal_test]=../libcrypto.a libtestutil.a
SOURCE[asn1_internal_test]=asn1_internal_test.c
- INCLUDE[asn1_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[asn1_internal_test]=.. ../include ../apps/include
DEPEND[asn1_internal_test]=../libcrypto.a libtestutil.a
SOURCE[modes_internal_test]=modes_internal_test.c
- INCLUDE[modes_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[modes_internal_test]=.. ../include ../apps/include
DEPEND[modes_internal_test]=../libcrypto.a libtestutil.a
SOURCE[x509_internal_test]=x509_internal_test.c
@@ -576,7 +580,7 @@ IF[{- !$disabled{tests} -}]
DEPEND[ctype_internal_test]=../libcrypto.a libtestutil.a
SOURCE[sparse_array_test]=sparse_array_test.c
- INCLUDE[sparse_array_test]=../crypto/include ../include ../apps/include
+ INCLUDE[sparse_array_test]=../include ../apps/include
DEPEND[sparse_array_test]=../libcrypto.a libtestutil.a
SOURCE[dhtest]=dhtest.c
@@ -588,15 +592,15 @@ IF[{- !$disabled{tests} -}]
DEPEND[hmactest]=../libcrypto.a libtestutil.a
SOURCE[siphash_internal_test]=siphash_internal_test.c
- INCLUDE[siphash_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[siphash_internal_test]=.. ../include ../apps/include
DEPEND[siphash_internal_test]=../libcrypto.a libtestutil.a
SOURCE[sm2_internal_test]=sm2_internal_test.c
- INCLUDE[sm2_internal_test]=../include ../apps/include ../crypto/include
+ INCLUDE[sm2_internal_test]=../include ../apps/include
DEPEND[sm2_internal_test]=../libcrypto.a libtestutil.a
SOURCE[sm4_internal_test]=sm4_internal_test.c
- INCLUDE[sm4_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[sm4_internal_test]=.. ../include ../apps/include
DEPEND[sm4_internal_test]=../libcrypto.a libtestutil.a
SOURCE[destest]=destest.c
@@ -616,7 +620,7 @@ IF[{- !$disabled{tests} -}]
DEPEND[rc5test]=../libcrypto.a libtestutil.a
SOURCE[ec_internal_test]=ec_internal_test.c
- INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include ../crypto/include
+ INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include
DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
SOURCE[curve448_internal_test]=curve448_internal_test.c
@@ -640,7 +644,7 @@ IF[{- !$disabled{tests} -}]
DEPEND[bn_internal_test]=../libcrypto.a libtestutil.a
SOURCE[asn1_dsa_internal_test]=asn1_dsa_internal_test.c
- INCLUDE[asn1_dsa_internal_test]=.. ../include ../apps/include ../crypto/include
+ INCLUDE[asn1_dsa_internal_test]=.. ../include ../apps/include
DEPEND[asn1_dsa_internal_test]=../libcrypto.a libtestutil.a
SOURCE[keymgmt_internal_test]=keymgmt_internal_test.c
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index bbbd056ba5..e6b42db11b 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -492,7 +492,6 @@ static X509_STORE *X509_STORE_new_1(void)
#define IS_NEG(x) ((x) < 0)
#define IS_0(x) ((x) == 0) /* for any type */
-#define IS_DEFAULT_PORT(x) ((x) == OSSL_CMP_DEFAULT_PORT)
#define DROP(x) (void)(x) /* dummy free() for non-pointer and function types */
#define ERR(x) (CMPerr(0, CMP_R_NULL_ARGUMENT), x)
@@ -555,12 +554,12 @@ typedef OSSL_HTTP_bio_cb_t OSSL_CMP_http_cb_t;
DEFAULT, 1, DROP)
#define DEFINE_SET_GET_INT_TEST(OSSL_CMP, CTX, FIELD) \
DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_NEG)
-#define DEFINE_SET_PORT_TEST(FIELD) \
+#define DEFINE_SET_INT_TEST(FIELD) \
static int OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \
{ \
return ctx == NULL ? ERR(-1) : ctx->FIELD; \
} \
- DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_DEFAULT_PORT)
+ DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_0)
#define DEFINE_SET_GET_ARG_FN(SETN, GETN, FIELD, ARG, T) \
static int OSSL_CMP_CTX_##SETN##_##FIELD##_##ARG(CMP_CTX *ctx, T val) \
@@ -716,10 +715,10 @@ DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, option_16, int, -1, IS_0, \
DEFINE_SET_CB_TEST(log_cb)
DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, serverPath, char, IS_0)
-DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, serverName, char)
-DEFINE_SET_PORT_TEST(serverPort)
-DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxyName, char)
-DEFINE_SET_PORT_TEST(proxyPort)
+DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, server, char)
+DEFINE_SET_INT_TEST(serverPort)
+DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxy, char)
+DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, no_proxy, char)
DEFINE_SET_CB_TEST(http_cb)
DEFINE_SET_GET_P_VOID_TEST(http_cb_arg)
DEFINE_SET_CB_TEST(transfer_cb)
@@ -801,10 +800,10 @@ int setup_tests(void)
#endif
/* message transfer: */
ADD_TEST(test_CTX_set1_get0_serverPath);
- ADD_TEST(test_CTX_set1_get0_serverName);
+ ADD_TEST(test_CTX_set1_get0_server);
ADD_TEST(test_CTX_set_get_serverPort);
- ADD_TEST(test_CTX_set1_get0_proxyName);
- ADD_TEST(test_CTX_set_get_proxyPort);
+ ADD_TEST(test_CTX_set1_get0_proxy);
+ ADD_TEST(test_CTX_set1_get0_no_proxy);
ADD_TEST(test_CTX_set_get_http_cb);
ADD_TEST(test_CTX_set_get_http_cb_arg);
ADD_TEST(test_CTX_set_get_transfer_cb);
diff --git a/test/http_test.c b/test/http_test.c
index 80e26459c0..6449c6f61e 100644
--- a/test/http_test.c
+++ b/test/http_test.c
@@ -125,14 +125,14 @@ static int test_http_x509(int do_get)
rcert = (X509 *)
(do_get ?
OSSL_HTTP_get_asn1("http://"SERVER":"PORT"/"RPATH,
- NULL /* proxy */, NULL /* proxy_port */,
+ NULL /* proxy */, NULL /* no_proxy */,
wbio, rbio, NULL /* bio_update_fn */, NULL,
headers, 0 /* maxline */,
0 /* max_resp_len */, 0 /* timeout */,
"application/x-x509-ca-cert", x509_it)
:
OSSL_HTTP_post_asn1(SERVER, PORT, RPATH, 0 /* use_ssl */,
- NULL /* proxy */, NULL /* proxy_port */,
+ NULL /* proxy */, NULL /* no_proxy */,
wbio, rbio, NULL /* bio_update_fn */, NULL,
headers, "application/x-x509-ca-cert",
(ASN1_VALUE *)x509, x509_it, 0 /* maxline */,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index cd0a7d806e..12761e4adc 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4755,10 +4755,10 @@ OSSL_CMP_CTX_get_option ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_log_cb ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_print_errors ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_serverPath ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set1_serverName ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_server ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_serverPort ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set1_proxyName ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set_proxyPort ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_proxy ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_no_proxy ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_http_cb ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_http_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_http_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP
@@ -4993,6 +4993,7 @@ OSSL_CMP_try_certreq ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_certConf_cb ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_RR_ses ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_GENM_ses ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_http_perform ? 3_0_0 EXIST::FUNCTION:CMP
EVP_PKEY_gen ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_set_rsa_keygen_bits ? 3_0_0 EXIST::FUNCTION:RSA
EVP_PKEY_CTX_set_rsa_keygen_pubexp ? 3_0_0 EXIST::FUNCTION:RSA
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index e27adb6da1..dbe4ef55f9 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -909,7 +909,6 @@ OPENSSL_strnlen(3)
OPENSSL_uni2asc(3)
OPENSSL_uni2utf8(3)
OPENSSL_utf82uni(3)
-OSSL_CMP_MSG_http_perform(3)
OSSL_SERIALIZER-DH(7)
OSSL_SERIALIZER-DSA(7)
OSSL_SERIALIZER-EC(7)
diff --git a/util/other.syms b/util/other.syms
index 508653f86b..90fba73ca9 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -353,7 +353,6 @@ OpenSSL_add_all_digests define deprecated 1.1.0
OpenSSL_add_ssl_algorithms define
OSSL_CMP_CTX_set_log_verbosity define
OSSL_CMP_CR define
-OSSL_CMP_DEFAULT_PORT define
OSSL_CMP_IR define
OSSL_CMP_KUR define
OSSL_CMP_LOG_ALERT define
More information about the openssl-commits
mailing list