apps/ocsp: Add -proxy and -no_proxy options

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15245)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2021-05-12 13:58:52 +0200
committer: Dr. David von Oheimb <dev@ddvo.net> 2021-05-18 11:08:10 +0200
commit: 88d96983d881254d0bcb36d79b32aac08339e0d3 (patch)
tree: 5a6eb427697f5802e8017feab1c832edf5d33593 /apps/ocsp.c
parent: 7d72dc78ee54cc3b9163ef9b23cf22bb85015552 (diff)
1 files changed, 26 insertions, 11 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c
index dd816c4221..9b26af8655 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -87,6 +87,7 @@ static int index_changed(CA_DB *);
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+    OPT_PROXY, OPT_NO_PROXY,
     OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
     OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
     OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
@@ -158,6 +159,13 @@ const OPTIONS ocsp_options[] = {
     {"url", OPT_URL, 's', "Responder URL"},
     {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
     {"port", OPT_PORT, 'p', "Port to run responder on"},
+    {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+    {"proxy", OPT_PROXY, 's',
+     "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+    {"no_proxy", OPT_NO_PROXY, 's',
+     "List of addresses of servers not to use HTTP(S) proxy for"},
+    {OPT_MORE_STR, 0, 0,
+     "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
     {"out", OPT_OUTFILE, '>', "Output filename"},
     {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
     {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
@@ -184,7 +192,6 @@ const OPTIONS ocsp_options[] = {
     {"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
     {"verify_other", OPT_VERIFY_OTHER, '<',
      "Additional certificates to search for signer"},
-    {"path", OPT_PATH, 's', "Path to use in OCSP request"},
     {"cert", OPT_CERT, '<', "Certificate to check"},
     {"serial", OPT_SERIAL, 's', "Serial number to check"},
     {"validity_period", OPT_VALIDITY_PERIOD, 'u',
@@ -225,6 +232,8 @@ int ocsp_main(int argc, char **argv)
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
     char *header, *value, *respdigname = NULL;
     char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+    char *opt_proxy = NULL;
+    char *opt_no_proxy = NULL;
     char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
     char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
     char *rsignfile = NULL, *rkeyfile = NULL;
@@ -287,6 +296,15 @@ int ocsp_main(int argc, char **argv)
         case OPT_PORT:
             port = opt_arg();
             break;
+        case OPT_PATH:
+            path = opt_arg();
+            break;
+        case OPT_PROXY:
+            opt_proxy = opt_arg();
+            break;
+        case OPT_NO_PROXY:
+            opt_no_proxy = opt_arg();
+            break;
         case OPT_IGNORE_ERR:
             ignore_err = 1;
             break;
@@ -398,9 +416,6 @@ int ocsp_main(int argc, char **argv)
         case OPT_RESPOUT:
             respout = opt_arg();
             break;
-        case OPT_PATH:
-            path = opt_arg();
-            break;
         case OPT_ISSUER:
             issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
             if (issuer == NULL)
@@ -702,8 +717,8 @@ redo_accept:
             send_ocsp_response(cbio, resp);
     } else if (host != NULL) {
 #ifndef OPENSSL_NO_SOCK
-        resp = process_responder(req, host, path,
-                                 port, use_ssl, headers, req_timeout);
+        resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
+                                 use_ssl, headers, req_timeout);
         if (resp == NULL)
             goto end;
 #else
@@ -1193,10 +1208,10 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
 }
 
 #ifndef OPENSSL_NO_SOCK
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
-                                 const char *host, const char *path,
-                                 const char *port, int use_ssl,
-                                 STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+                                 const char *port, const char *path,
+                                 const char *proxy, const char *no_proxy,
+                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout)
 {
     SSL_CTX *ctx = NULL;
@@ -1211,7 +1226,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
     }
 
     resp = (OCSP_RESPONSE *)
-        app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
+        app_http_post_asn1(host, port, path, proxy, no_proxy,
                            ctx, headers, "application/ocsp-request",
                            (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
                            "application/ocsp-response",
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2021-05-12 13:58:52 +0200
committer	Dr. David von Oheimb <dev@ddvo.net>	2021-05-18 11:08:10 +0200
commit	88d96983d881254d0bcb36d79b32aac08339e0d3 (patch)
tree	5a6eb427697f5802e8017feab1c832edf5d33593 /apps/ocsp.c
parent	7d72dc78ee54cc3b9163ef9b23cf22bb85015552 (diff)