[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Jan 4 14:05:49 UTC 2022
The branch master has been updated
via 068549f8db6d792a88bb888118001c4582f79074 (commit)
from a8251a32a0dc449fc39f44a1768e091fcc077227 (commit)
- Log -----------------------------------------------------------------
commit 068549f8db6d792a88bb888118001c4582f79074
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Nov 26 16:46:13 2021 +0100
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0.
This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17310)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 5 ++++-
apps/lib/apps.c | 14 ++++++++++----
crypto/http/http_client.c | 1 +
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 9d0b113998..5167446cde 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1926,15 +1926,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
goto err;
}
}
+
if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
/* info will be freed along with CMP ctx */
info->server = opt_server;
info->port = server_port;
- info->use_proxy = opt_proxy != NULL;
+ /* workaround for callback design flaw, see #17088: */
+ info->use_proxy = proxy_host != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
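Review bot: `info->use_proxy = proxy_host != NULL;` now ties the TLS callback's CONNECT decision to `proxy_host`, whose derivation lies outside this hunk (setup_client_ctx starts and ends outside it), so a reader cannot see that it was computed with the same proxy/no_proxy/host/use_ssl inputs the CMP library presumably uses for its own proxy decision. If the two disagree, the callback will issue a CONNECT to a host that is not a proxy, or skip it when one is needed, and the failure shows up only as an opaque TLS/HTTP error. The comment should pin the invariant rather than just cite the issue: `/* workaround for callback design flaw, see #17088: proxy_host must be derived from the same proxy/no_proxy/host/use_ssl inputs the library uses, as the apps.c sites do via OSSL_HTTP_adapt_proxy() */`.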
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 034fd45c4b..328b0addb4 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2470,6 +2470,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
SSL *ssl;
BIO *sbio = NULL;
+ /* adapt after fixing callback design flaw, see #17088 */
if ((info->use_proxy
&& !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
@@ -2482,7 +2483,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
return NULL;
}
- SSL_set_tlsext_host_name(ssl, info->server);
+ /* adapt after fixing callback design flaw, see #17088 */
+ SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
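Review bot: The new trailing comment `/* not critical to do */` on the `SSL_set_tlsext_host_name(ssl, info->server)` line is ambiguous: it could mean the call is optional, or that its ignored return value is deliberate. SNI is not optional in practice (name-based virtual hosts and some proxies return a wrong certificate or a handshake failure without it), and per RFC 6066 an IP literal must not be sent as the SNI host name, which this line does not check; app_http_tls_cb's body starts and ends outside the hunk, so I cannot tell whether info->server is guaranteed to be a DNS name. Suggest `/* best effort: return value deliberately ignored; server is assumed to be a DNS name, see #17088 */` so the intent is explicit.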
@@ -2545,7 +2547,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
info.server = server;
info.port = port;
- info.use_proxy = proxy != NULL;
+ info.use_proxy = /* workaround for callback design flaw, see #17088 */
+ OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
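Review bot: `use_ssl` is used in the new `OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl)` call but neither declared nor assigned in this hunk, so its value must come from earlier in app_http_get_asn1 (outside the hunk); if it is not derived from `ssl_ctx != NULL` the way the app_http_post_asn1 hunk below does it, the callback's proxy decision and the one OSSL_HTTP_get makes internally from the same proxy/no_proxy inputs can diverge. The same duplicated decision appears in app_http_post_asn1 and in the apps/cmp.c hunk; since the expression is identical, a small static helper, e.g. `static int app_http_use_proxy(const char *proxy, const char *no_proxy, const char *server, int use_ssl)` wrapping the adapt_proxy call with the `#17088` comment, would keep the three sites from drifting. The function starts and ends outside the hunk.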
@@ -2571,18 +2574,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it)
{
+ int use_ssl = ssl_ctx != NULL;
APP_HTTP_TLS_INFO info;
BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
ASN1_VALUE *res;
if (req_mem == NULL)
return NULL;
+
info.server = host;
info.port = port;
- info.use_proxy = proxy != NULL;
+ info.use_proxy = /* workaround for callback design flaw, see #17088 */
+ OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
- rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+ rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
app_http_tls_cb, &info,
0 /* buf_size */, headers, content_type, req_mem,
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index f786f831bf..14c2cbf2b5 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -946,6 +946,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port,
}
/* now overall_timeout is guaranteed to be >= 0 */
+ /* adapt in order to fix callback design flaw, see #17088 */
/* callback can be used to wrap or prepend TLS session */
if (bio_update_fn != NULL) {
BIO *orig_bio = cbio;
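Review bot: The added comment `/* adapt in order to fix callback design flaw, see #17088 */` names the issue but not what the flaw is, so the next maintainer of OSSL_HTTP_open has to read the external discussion to know what must change here. From the commit message the flaw appears to be that bio_update_fn is not told whether a proxy is in use, forcing callers to recompute it; if that is right, say so: `/* TODO(#17088): bio_update_fn is not told whether a proxy is in use, so callers must recompute it; pass that information to the callback instead (API change, postponed to 4.0) */`. OSSL_HTTP_open's body starts and ends outside the hunk.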