[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue May 18 09:08:54 UTC 2021
The branch master has been updated
via 80a4ac5783b1cea66983330c65df11611236869e (commit)
via 88d96983d881254d0bcb36d79b32aac08339e0d3 (commit)
from 7d72dc78ee54cc3b9163ef9b23cf22bb85015552 (commit)
- Log -----------------------------------------------------------------
commit 80a4ac5783b1cea66983330c65df11611236869e
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed May 12 14:15:31 2021 +0200
apps/s_server: Add -proxy and -no_proxy options
Strongly related to feature request #6965
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15245)
commit 88d96983d881254d0bcb36d79b32aac08339e0d3
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed May 12 13:58:52 2021 +0200
apps/ocsp: Add -proxy and -no_proxy options
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15245)
-----------------------------------------------------------------------
Summary of changes:
apps/include/apps.h | 8 ++++----
apps/ocsp.c | 37 ++++++++++++++++++++++++++-----------
apps/s_server.c | 27 ++++++++++++++++++++++++---
doc/man1/openssl-ocsp.pod.in | 21 ++++++++++++++++++++-
doc/man1/openssl-s_server.pod.in | 19 +++++++++++++++++++
5 files changed, 93 insertions(+), 19 deletions(-)
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 41178a6e22..829c49e34e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -175,10 +175,10 @@ const EVP_MD *get_digest_from_engine(const char *name);
const EVP_CIPHER *get_cipher_from_engine(const char *name);
# ifndef OPENSSL_NO_OCSP
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
- const char *host, const char *path,
- const char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
# endif
diff --git a/apps/ocsp.c b/apps/ocsp.c
index dd816c4221..9b26af8655 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -87,6 +87,7 @@ static int index_changed(CA_DB *);
typedef enum OPTION_choice {
OPT_COMMON,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+ OPT_PROXY, OPT_NO_PROXY,
OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
@@ -158,6 +159,13 @@ const OPTIONS ocsp_options[] = {
{"url", OPT_URL, 's', "Responder URL"},
{"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
{"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"proxy", OPT_PROXY, 's',
+ "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+ {"no_proxy", OPT_NO_PROXY, 's',
+ "List of addresses of servers not to use HTTP(S) proxy for"},
+ {OPT_MORE_STR, 0, 0,
+ "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{"out", OPT_OUTFILE, '>', "Output filename"},
{"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
{"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
@@ -184,7 +192,6 @@ const OPTIONS ocsp_options[] = {
{"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
{"verify_other", OPT_VERIFY_OTHER, '<',
"Additional certificates to search for signer"},
- {"path", OPT_PATH, 's', "Path to use in OCSP request"},
{"cert", OPT_CERT, '<', "Certificate to check"},
{"serial", OPT_SERIAL, 's', "Serial number to check"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
@@ -225,6 +232,8 @@ int ocsp_main(int argc, char **argv)
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
char *header, *value, *respdigname = NULL;
char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+ char *opt_proxy = NULL;
+ char *opt_no_proxy = NULL;
char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
char *rsignfile = NULL, *rkeyfile = NULL;
@@ -287,6 +296,15 @@ int ocsp_main(int argc, char **argv)
case OPT_PORT:
port = opt_arg();
break;
+ case OPT_PATH:
+ path = opt_arg();
+ break;
+ case OPT_PROXY:
+ opt_proxy = opt_arg();
+ break;
+ case OPT_NO_PROXY:
+ opt_no_proxy = opt_arg();
+ break;
case OPT_IGNORE_ERR:
ignore_err = 1;
break;
@@ -398,9 +416,6 @@ int ocsp_main(int argc, char **argv)
case OPT_RESPOUT:
respout = opt_arg();
break;
- case OPT_PATH:
- path = opt_arg();
- break;
case OPT_ISSUER:
issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
if (issuer == NULL)
@@ -702,8 +717,8 @@ redo_accept:
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
#ifndef OPENSSL_NO_SOCK
- resp = process_responder(req, host, path,
- port, use_ssl, headers, req_timeout);
+ resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
+ use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
#else
@@ -1193,10 +1208,10 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
}
#ifndef OPENSSL_NO_SOCK
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
- const char *host, const char *path,
- const char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
SSL_CTX *ctx = NULL;
@@ -1211,7 +1226,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
}
resp = (OCSP_RESPONSE *)
- app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
+ app_http_post_asn1(host, port, path, proxy, no_proxy,
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
"application/ocsp-response",
diff --git a/apps/s_server.c b/apps/s_server.c
index 51b5c9d381..80c8a08c01 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -439,6 +439,7 @@ typedef struct tlsextstatusctx_st {
char *respin;
/* Default responder to use */
char *host, *path, *port;
+ char *proxy, *no_proxy;
int use_ssl;
int verbose;
} tlsextstatusctx;
@@ -458,6 +459,7 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
OCSP_RESPONSE **resp)
{
char *host = NULL, *port = NULL, *path = NULL;
+ char *proxy = NULL, *no_proxy = NULL;
int use_ssl;
STACK_OF(OPENSSL_STRING) *aia = NULL;
X509 *x = NULL;
@@ -492,6 +494,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
port = srctx->port;
use_ssl = srctx->use_ssl;
}
+ proxy = srctx->proxy;
+ no_proxy = srctx->no_proxy;
inctx = X509_STORE_CTX_new();
if (inctx == NULL)
@@ -523,8 +527,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
if (!OCSP_REQUEST_add_ext(req, ext, -1))
goto err;
}
- *resp = process_responder(req, host, path, port, use_ssl, NULL,
- srctx->timeout);
+ *resp = process_responder(req, host, port, path, proxy, no_proxy,
+ use_ssl, NULL /* headers */, srctx->timeout);
if (*resp == NULL) {
BIO_puts(bio_err, "cert_status: error querying responder\n");
goto done;
@@ -687,7 +691,8 @@ typedef enum OPTION_choice {
OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
- OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
+ OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
+ OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
@@ -834,6 +839,12 @@ const OPTIONS s_server_options[] = {
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
"Status request responder timeout"},
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+ {"proxy", OPT_PROXY, 's',
+ "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+ {"no_proxy", OPT_NO_PROXY, 's',
+ "List of addresses of servers not to use HTTP(S) proxy for"},
+ {OPT_MORE_STR, 0, 0,
+ "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{"status_file", OPT_STATUS_FILE, '<',
"File containing DER encoded OCSP Response"},
#endif
@@ -1337,6 +1348,16 @@ int s_server_main(int argc, char *argv[])
#ifndef OPENSSL_NO_OCSP
s_tlsextstatus = 1;
tlscstatp.timeout = atoi(opt_arg());
+#endif
+ break;
+ case OPT_PROXY:
+#ifndef OPENSSL_NO_OCSP
+ tlscstatp.proxy = opt_arg();
+#endif
+ break;
+ case OPT_NO_PROXY:
+#ifndef OPENSSL_NO_OCSP
+ tlscstatp.no_proxy = opt_arg();
#endif
break;
case OPT_STATUS_URL:
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 9fdb25ba5a..168817f608 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,9 +30,11 @@ B<openssl> B<ocsp>
[B<-respin> I<file>]
[B<-url> I<URL>]
[B<-host> I<host>:I<port>]
+[B<-path>]
+[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
+[B<-no_proxy> I<addresses>]
[B<-header>]
[B<-timeout> I<seconds>]
-[B<-path>]
[B<-VAfile> I<file>]
[B<-validity_period> I<n>]
[B<-status_age> I<n>]
@@ -167,6 +169,23 @@ I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
to use or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
+=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
+
+The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
+the optional C<http://> or C<https://> prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
+in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
+
+=item B<-no_proxy> I<addresses>
+
+List of IP addresses and/or DNS names of servers
+not to use an HTTP(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
+Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
+
=item B<-header> I<name>=I<value>
Adds the header I<name> with the specified I<value> to the OCSP request
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index f07e2ae3b4..b7c3f10336 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -73,6 +73,8 @@ B<openssl> B<s_server>
[B<-status>]
[B<-status_verbose>]
[B<-status_timeout> I<int>]
+[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
+[B<-no_proxy> I<addresses>]
[B<-status_url> I<val>]
[B<-status_file> I<infile>]
[B<-trace>]
@@ -462,6 +464,23 @@ a verbose printout of the OCSP response.
Sets the timeout for OCSP response to I<int> seconds.
+=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
+
+The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
+the optional C<http://> or C<https://> prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
+in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
+
+=item B<-no_proxy> I<addresses>
+
+List of IP addresses and/or DNS names of servers
+not to use an HTTP(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
+Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
+
=item B<-status_url> I<val>
Sets a fallback responder URL to use if no responder URL is present in the
More information about the openssl-commits
mailing list