[openssl] openssl-3.0 update

dev at ddvo.net dev at ddvo.net
Tue Jan 4 14:06:30 UTC 2022 

The branch openssl-3.0 has been updated
       via  46ee414f64a846a6a7606b1fba47a084dea172eb (commit)
      from  d65b3db98022257cbf83d7d164bc0a8a9b92c101 (commit)


- Log -----------------------------------------------------------------
commit 46ee414f64a846a6a7606b1fba47a084dea172eb
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Nov 26 16:46:13 2021 +0100

    HTTP client: Work around HTTPS proxy use bug due to callback design flaw
    
    See discussion in #17088, where the real solution was postponed to 4.0.
    
    This preliminarily fixes the issue that the HTTP(S) proxy environment vars
    were neglected when determining whether a proxy should be used for HTTPS.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17310)
    
    (cherry picked from commit 068549f8db6d792a88bb888118001c4582f79074)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c                |  5 ++++-
 apps/lib/apps.c           | 14 ++++++++++----
 crypto/http/http_client.c |  1 +
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 985d7339a0..6f7e51e9ee 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1919,15 +1919,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
                 goto err;
             }
         }
+
         if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
         /* info will be freed along with CMP ctx */
         info->server = opt_server;
         info->port = server_port;
-        info->use_proxy = opt_proxy != NULL;
+        /* workaround for callback design flaw, see #17088: */
+        info->use_proxy = proxy_host != NULL;
         info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
         info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
         if (info->ssl_ctx == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6a762b7668..2d3641ea8e 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2450,6 +2450,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
         SSL *ssl;
         BIO *sbio = NULL;
 
+        /* adapt after fixing callback design flaw, see #17088 */
         if ((info->use_proxy
              && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
                                          NULL, NULL, /* no proxy credentials */
@@ -2462,7 +2463,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
             return NULL;
         }
 
-        SSL_set_tlsext_host_name(ssl, info->server);
+        /* adapt after fixing callback design flaw, see #17088 */
+        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
 
         SSL_set_connect_state(ssl);
         BIO_set_ssl(sbio, ssl, BIO_CLOSE);
@@ -2525,7 +2527,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
 
     info.server = server;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
     mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
@@ -2551,18 +2554,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
                                const char *expected_content_type,
                                long timeout, const ASN1_ITEM *rsp_it)
 {
+    int use_ssl = ssl_ctx != NULL;
     APP_HTTP_TLS_INFO info;
     BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
     ASN1_VALUE *res;
 
     if (req_mem == NULL)
         return NULL;
+
     info.server = host;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
-    rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+    rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
                              proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
                              app_http_tls_cb, &info,
                              0 /* buf_size */, headers, content_type, req_mem,
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index c80d4fe519..4e34d0d3d1 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -947,6 +947,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port,
     }
     /* now overall_timeout is guaranteed to be >= 0 */
 
+    /* adapt in order to fix callback design flaw, see #17088 */
     /* callback can be used to wrap or prepend TLS session */
     if (bio_update_fn != NULL) {
         BIO *orig_bio = cbio;

More information about the openssl-commits mailing list