[openssl] master update

dev at ddvo.net dev at ddvo.net
Tue Jan 4 14:05:49 UTC 2022


The branch master has been updated
       via  068549f8db6d792a88bb888118001c4582f79074 (commit)
      from  a8251a32a0dc449fc39f44a1768e091fcc077227 (commit)


- Log -----------------------------------------------------------------
commit 068549f8db6d792a88bb888118001c4582f79074
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Nov 26 16:46:13 2021 +0100

    HTTP client: Work around HTTPS proxy use bug due to callback design flaw
    
    See discussion in #17088, where the real solution was postponed to 4.0.
    
    This preliminarily fixes the issue that the HTTP(S) proxy environment vars
    were neglected when determining whether a proxy should be used for HTTPS.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17310)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c                |  5 ++++-
 apps/lib/apps.c           | 14 ++++++++++----
 crypto/http/http_client.c |  1 +
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 9d0b113998..5167446cde 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1926,15 +1926,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
                 goto err;
             }
         }
+
         if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
         /* info will be freed along with CMP ctx */
         info->server = opt_server;
         info->port = server_port;
-        info->use_proxy = opt_proxy != NULL;
+        /* workaround for callback design flaw, see #17088: */
+        info->use_proxy = proxy_host != NULL;
         info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
         info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
         if (info->ssl_ctx == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 034fd45c4b..328b0addb4 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2470,6 +2470,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
         SSL *ssl;
         BIO *sbio = NULL;
 
+        /* adapt after fixing callback design flaw, see #17088 */
         if ((info->use_proxy
              && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
                                          NULL, NULL, /* no proxy credentials */
@@ -2482,7 +2483,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
             return NULL;
         }
 
-        SSL_set_tlsext_host_name(ssl, info->server);
+        /* adapt after fixing callback design flaw, see #17088 */
+        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
 
         SSL_set_connect_state(ssl);
         BIO_set_ssl(sbio, ssl, BIO_CLOSE);
@@ -2545,7 +2547,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
 
     info.server = server;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
     mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
@@ -2571,18 +2574,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
                                const char *expected_content_type,
                                long timeout, const ASN1_ITEM *rsp_it)
 {
+    int use_ssl = ssl_ctx != NULL;
     APP_HTTP_TLS_INFO info;
     BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
     ASN1_VALUE *res;
 
     if (req_mem == NULL)
         return NULL;
+
     info.server = host;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
-    rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+    rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
                              proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
                              app_http_tls_cb, &info,
                              0 /* buf_size */, headers, content_type, req_mem,
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index f786f831bf..14c2cbf2b5 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -946,6 +946,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port,
     }
     /* now overall_timeout is guaranteed to be >= 0 */
 
+    /* adapt in order to fix callback design flaw, see #17088 */
     /* callback can be used to wrap or prepend TLS session */
     if (bio_update_fn != NULL) {
         BIO *orig_bio = cbio;


More information about the openssl-commits mailing list