[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri Nov 20 11:37:50 UTC 2020
The branch master has been updated
via 9498dac4dbda1a4f2eb5e6573df05bc295dc272c (commit)
from 276d6c687a89f90c096faf8918681d04a0cea7cf (commit)
- Log -----------------------------------------------------------------
commit 9498dac4dbda1a4f2eb5e6573df05bc295dc272c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Nov 13 18:47:03 2020 +0100
apps.c: re-enable loading single certs and CRLs over HTTP
Fixes #13403
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13404)
-----------------------------------------------------------------------
Summary of changes:
apps/lib/apps.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index ab76ed8e7a..766002b6b0 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -28,6 +28,7 @@
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include <openssl/http.h>
#include <openssl/pem.h>
#include <openssl/store.h>
#include <openssl/pkcs12.h>
@@ -468,6 +469,11 @@ CONF *app_load_config_modules(const char *configfile)
return conf;
}
+#define IS_HTTP(uri) \
+ (strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0)
+#define IS_HTTPS(uri) \
+ (strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
+
X509 *load_cert_pass(const char *uri, int maybe_stdin,
const char *pass, const char *desc)
{
@@ -475,8 +481,13 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
if (desc == NULL)
desc = "certificate";
- (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
- NULL, NULL, NULL, &cert, NULL, NULL, NULL);
+ if (IS_HTTPS(uri))
+ BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
+ else if (IS_HTTP(uri))
+ cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */);
+ else
+ (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+ NULL, NULL, NULL, &cert, NULL, NULL, NULL);
if (cert == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
@@ -484,15 +495,19 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
return cert;
}
-/* the format parameter is meanwhile not needed anymore and thus ignored */
X509_CRL *load_crl(const char *uri, const char *desc)
{
X509_CRL *crl = NULL;
if (desc == NULL)
desc = "CRL";
- (void)load_key_certs_crls(uri, 0, NULL, desc,
- NULL, NULL, NULL, NULL, NULL, &crl, NULL);
+ if (IS_HTTPS(uri))
+ BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
+ else if (IS_HTTP(uri))
+ crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
+ else
+ (void)load_key_certs_crls(uri, 0, NULL, desc,
+ NULL, NULL, NULL, NULL, NULL, &crl, NULL);
if (crl == NULL) {
BIO_printf(bio_err, "Unable to load %s\n", desc);
ERR_print_errors(bio_err);
@@ -1894,7 +1909,8 @@ static const char *get_dp_url(DIST_POINT *dp)
uri = GENERAL_NAME_get0_value(gen, >ype);
if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
const char *uptr = (const char *)ASN1_STRING_get0_data(uri);
- if (strncmp(uptr, "http://", 7) == 0)
+
+ if (IS_HTTP(uptr)) /* can/should not use HTTPS here */
return uptr;
}
}
More information about the openssl-commits
mailing list