authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-11-26 16:46:13 +0100
committerDr. David von Oheimb <dev@ddvo.net>2022-01-04 15:06:18 +0100
commit46ee414f64a846a6a7606b1fba47a084dea172eb (patch)
tree8836f7516eb3f39476002b821f47056a49a3c920 /apps/lib/apps.c
parentd65b3db98022257cbf83d7d164bc0a8a9b92c101 (diff)
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0. This is a preliminary fix for the issue that the HTTP(S) proxy environment variables were neglected when determining whether a proxy should be used for HTTPS. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17310) (cherry picked from commit 068549f8db6d792a88bb888118001c4582f79074)
Diffstat (limited to 'apps/lib/apps.c')
-rw-r--r--apps/lib/apps.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 6a762b7668..2d3641ea8e 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2450,6 +2450,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
SSL *ssl;
BIO *sbio = NULL;
+ /* adapt after fixing callback design flaw, see #17088 */
if ((info->use_proxy
&& !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
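Review bot: The added comment `/* adapt after fixing callback design flaw, see #17088 */` says when to revisit this code but not what is provisional about it; someone reading app_http_tls_cb on its own cannot see that `info->use_proxy` is now precomputed by the callers via OSSL_HTTP_adapt_proxy, presumably because the callback receives no proxy information of its own. I would make the comment carry that fact: `/* info->use_proxy is precomputed by the caller: the callback cannot tell from bio whether it talks to a proxy (#17088) */`. app_http_tls_cb starts before this hunk and continues after it.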
@@ -2462,7 +2463,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
return NULL;
}
- SSL_set_tlsext_host_name(ssl, info->server);
+ /* adapt after fixing callback design flaw, see #17088 */
+ SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
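Review bot: The return value of `SSL_set_tlsext_host_name(ssl, info->server)` is still discarded, and the new `/* not critical to do */` comment understates what SNI does: a server that hosts several names behind one address selects its certificate by SNI, so an omitted or failed SNI can yield a certificate that does not match `info->server`. Whether this callback also enables peer-name verification against `info->server` (e.g. SSL_set1_host) lies outside the hunk, so I cannot tell here whether such a mismatch would be caught. I would check the result and fail like the preceding check does, `if (!SSL_set_tlsext_host_name(ssl, info->server)) return NULL;`, and reword the comment to `/* SNI names the origin host, also when tunnelling through a proxy */`. app_http_tls_cb starts and ends outside this hunk.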
@@ -2525,7 +2527,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
info.server = server;
info.port = port;
- info.use_proxy = proxy != NULL;
+ info.use_proxy = /* workaround for callback design flaw, see #17088 */
+ OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
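Review bot: `info.use_proxy` is now derived from `OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl)`, while `OSSL_HTTP_get` on the last line is handed `proxy` and `no_proxy` again and presumably repeats that decision internally; the two evaluations must see the same `server` and `use_ssl`, or the callback will issue a CONNECT the client did not set up (or skip one it needs). `use_ssl` is neither declared nor assigned within this hunk, so how it is derived from `url` is not visible here. I would state the invariant where the value is computed, on its own line above the assignment rather than wedged between `info.use_proxy =` and its operand: `/* must agree with the proxy decision OSSL_HTTP_get() makes from the same proxy/no_proxy/server/use_ssl */`. app_http_get_asn1 starts and ends outside this hunk.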
@@ -2551,18 +2554,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *expected_content_type,
long timeout, const ASN1_ITEM *rsp_it)
{
+ int use_ssl = ssl_ctx != NULL;
APP_HTTP_TLS_INFO info;
BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
ASN1_VALUE *res;
if (req_mem == NULL)
return NULL;
+
info.server = host;
info.port = port;
- info.use_proxy = proxy != NULL;
+ info.use_proxy = /* workaround for callback design flaw, see #17088 */
+ OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
- rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+ rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
app_http_tls_cb, &info,
0 /* buf_size */, headers, content_type, req_mem,
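Review bot: The callback's `info.use_proxy` and the transfer's own proxy handling are computed independently here: the first from `OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl)`, the second inside `OSSL_HTTP_transfer`, which receives `host`, `use_ssl`, `proxy` and `no_proxy` separately. If they ever diverge, app_http_tls_cb would either tunnel through a proxy the transfer did not connect to or, worse, complete a TLS handshake directly with the proxy as if it were `host`; nothing the callback receives lets it detect that at runtime. Deriving `use_ssl = ssl_ctx != NULL` once and passing it to both calls is the right move; I would pin it with `/* keep in sync with OSSL_HTTP_transfer(): same host/use_ssl/proxy/no_proxy, see #17088 */` placed on the line above `info.use_proxy =` instead of inside the assignment. app_http_post_asn1's body continues past the end of this hunk.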