The branch master has been updated via 068549f8db6d792a88bb888118001c4582f79074 (commit) from a8251a32a0dc449fc39f44a1768e091fcc077227 (commit)
- Log ----------------------------------------------------------------- commit 068549f8db6d792a88bb888118001c4582f79074 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Fri Nov 26 16:46:13 2021 +0100 HTTP client: Work around HTTPS proxy use bug due to callback design flaw See discussion in #17088, where the real solution was postponed to 4.0. This preliminarily fixes the issue that the HTTP(S) proxy environment vars were neglected when determining whether a proxy should be used for HTTPS. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17310) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 5 ++++- apps/lib/apps.c | 14 ++++++++++---- crypto/http/http_client.c | 1 + 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 9d0b113998..5167446cde 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1926,15 +1926,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) goto err; } } + if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info); /* info will be freed along with CMP ctx */ info->server = opt_server; info->port = server_port; - info->use_proxy = opt_proxy != NULL; + /* workaround for callback design flaw, see #17088: */ + info->use_proxy = proxy_host != NULL; info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); + if (info->ssl_ctx == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 034fd45c4b..328b0addb4 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2470,6 +2470,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) SSL *ssl; BIO *sbio = NULL; + /* adapt after fixing callback design flaw, see #17088 */ if ((info->use_proxy && !OSSL_HTTP_proxy_connect(bio, info->server, info->port, NULL, NULL, /* no proxy credentials */ @@ -2482,7 +2483,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) return NULL; } - SSL_set_tlsext_host_name(ssl, info->server); + /* adapt after fixing callback design flaw, see #17088 */ + SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */ SSL_set_connect_state(ssl); BIO_set_ssl(sbio, ssl, BIO_CLOSE); @@ -2545,7 +2547,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy, info.server = server; info.port = port; - info.use_proxy = proxy != NULL; + info.use_proxy = /* workaround for callback design flaw, see #17088 */ + OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL; info.timeout = timeout; info.ssl_ctx = ssl_ctx; mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */, @@ -2571,18 +2574,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port, const char *expected_content_type, long timeout, const ASN1_ITEM *rsp_it) { + int use_ssl = ssl_ctx != NULL; APP_HTTP_TLS_INFO info; BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req); ASN1_VALUE *res; if (req_mem == NULL) return NULL; + info.server = host; info.port = port; - info.use_proxy = proxy != NULL; + info.use_proxy = /* workaround for callback design flaw, see #17088 */ + OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL; info.timeout = timeout; info.ssl_ctx = ssl_ctx; - rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL, + rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl, proxy, no_proxy, NULL /* bio */, NULL /* rbio */, app_http_tls_cb, &info, 0 /* buf_size */, headers, content_type, req_mem, diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index f786f831bf..14c2cbf2b5 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -946,6 +946,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port, } /* now overall_timeout is guaranteed to be >= 0 */ + /* adapt in order to fix callback design flaw, see #17088 */ /* callback can be used to wrap or prepend TLS session */ if (bio_update_fn != NULL) { BIO *orig_bio = cbio;