diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-06-11 17:41:03 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-10-10 20:36:06 +0200 |
commit | ac0677bd2394c04632f7ad526879a866b6ed149f (patch) | |
tree | f39848852a495281b10e6ac0f4e2932e23aa9390 | |
parent | 2f768882e06eb460895ec4836e405e203ed90663 (diff) |
CMP: fix OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS
Fixes #21120
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)
-rw-r--r-- | apps/cmp.c | 2 | ||||
-rw-r--r-- | crypto/cmp/cmp_ctx.c | 6 | ||||
-rw-r--r-- | crypto/cmp/cmp_http.c | 3 | ||||
-rw-r--r-- | crypto/cmp/cmp_local.h | 1 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 12 | ||||
-rw-r--r-- | include/openssl/cmp.h.in | 5 |
6 files changed, 26 insertions, 3 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index 911d94c198..dd5a69af7c 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1945,6 +1945,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("assuming -tls_used since -server URL indicates HTTPS"); opt_tls_used = 1; } + if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_USE_TLS, opt_tls_used)) + goto err; BIO_snprintf(server_port, sizeof(server_port), "%s", port); if (opt_path == NULL) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index b95c540133..947d2ceb8f 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -123,6 +123,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) ctx->keep_alive = 1; ctx->msg_timeout = -1; + ctx->tls_used = -1; /* default for backward compatibility */ if ((ctx->untrusted = sk_X509_new_null()) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB); @@ -949,6 +950,9 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val) case OSSL_CMP_OPT_TOTAL_TIMEOUT: ctx->total_timeout = val; break; + case OSSL_CMP_OPT_USE_TLS: + ctx->tls_used = val; + break; case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: ctx->permitTAInExtraCertsForIR = val; break; @@ -1013,6 +1017,8 @@ int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt) return ctx->msg_timeout; case OSSL_CMP_OPT_TOTAL_TIMEOUT: return ctx->total_timeout; + case OSSL_CMP_OPT_USE_TLS: + return ctx->tls_used; case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: return ctx->permitTAInExtraCertsForIR; case OSSL_CMP_OPT_REVOCATION_REASON: diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c index ef77d251ef..d08c362a70 100644 --- a/crypto/cmp/cmp_http.c +++ b/crypto/cmp/cmp_http.c @@ -68,7 +68,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx, if (ctx->serverPort != 0) BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort); - tls_used = OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL; + tls_used = ctx->tls_used >= 0 ? ctx->tls_used != 0 + : OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL; /* backward compat */ if (ctx->http_ctx == NULL) ossl_cmp_log3(DEBUG, ctx, "connecting to CMP server %s:%s%s", ctx->server, server_port, tls_used ? " using TLS" : ""); diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 3fb479ca39..29aa84cd2a 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -49,6 +49,7 @@ struct ossl_cmp_ctx_st { int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ int msg_timeout; /* max seconds to wait for each CMP message round trip */ int total_timeout; /* max number of seconds an enrollment may take, incl. */ + int tls_used; /* whether to use TLS for client-side HTTP connections */ /* attempts polling for a response if a 'waiting' PKIStatus is received */ time_t end_time; /* session start time + totaltimeout */ # ifndef OPENSSL_NO_HTTP diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 488b22de9b..8109970171 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -237,6 +237,17 @@ The following options can be set: A value <= 0 means no limitation (waiting indefinitely). Default is 0. +=item B<OSSL_CMP_OPT_USE_TLS> + + Use this option to indicate to the HTTP implementation + whether TLS is going to be used for the connection (resulting in HTTPS). + The value 1 indicates that TLS is used for client-side HTTP connections, + which needs to be implemented via a callback function set by + OSSL_CMP_CTX_set_http_cb(). + The value 0 indicates that TLS is not used. + Default is -1 for backward compatibility: TLS is used by the client side + if and only if OSSL_CMP_CTX_set_http_cb_arg() sets a non-NULL I<arg>. + =item B<OSSL_CMP_OPT_VALIDITY_DAYS> Number of days new certificates are asked to be valid for. @@ -384,6 +395,7 @@ as described for the I<bio_update_fn> parameter of L<OSSL_HTTP_open(3)>. The callback may make use of a custom defined argument I<arg>, as described for the I<arg> parameter of L<OSSL_HTTP_open(3)>. The argument is stored in the OSSL_CMP_CTX using OSSL_CMP_CTX_set_http_cb_arg(). +See also the B<OSSL_CMP_OPT_USE_TLS> option described above. OSSL_CMP_CTX_set_http_cb_arg() sets the argument, respectively a pointer to a structure containing arguments such as an B<SSL_CTX> structure, diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index e6af016c7f..5bd8beb57a 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -285,9 +285,10 @@ const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx); /* CMP general options: */ # define OSSL_CMP_OPT_LOG_VERBOSITY 0 /* CMP transfer options: */ -# define OSSL_CMP_OPT_KEEP_ALIVE 10 -# define OSSL_CMP_OPT_MSG_TIMEOUT 11 +# define OSSL_CMP_OPT_KEEP_ALIVE 10 +# define OSSL_CMP_OPT_MSG_TIMEOUT 11 # define OSSL_CMP_OPT_TOTAL_TIMEOUT 12 +# define OSSL_CMP_OPT_USE_TLS 13 /* CMP request options: */ # define OSSL_CMP_OPT_VALIDITY_DAYS 20 # define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21 |