-rw-r--r--apps/include/apps.h4
-rw-r--r--apps/lib/apps.c10
-rw-r--r--crypto/cmp/build.info2
-rw-r--r--crypto/cmp/cmp_client.c2
-rw-r--r--crypto/cmp/cmp_ctx.c182
-rw-r--r--crypto/cmp/cmp_http.c66
-rw-r--r--crypto/cmp/cmp_local.h4
-rw-r--r--crypto/err/openssl.txt6
-rw-r--r--crypto/http/http_client.c67
-rw-r--r--crypto/http/http_err.c12
-rw-r--r--crypto/http/http_lib.c38
-rw-r--r--crypto/http/http_local.h5
-rw-r--r--crypto/x509/x_all.c2
-rw-r--r--doc/man3/OSSL_CMP_CTX_new.pod20
-rw-r--r--doc/man3/OSSL_CMP_MSG_http_perform.pod49
-rw-r--r--doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod3
-rw-r--r--doc/man3/OSSL_HTTP_transfer.pod20
-rw-r--r--include/openssl/cmp.h8
-rw-r--r--include/openssl/cmp_util.h1
-rw-r--r--include/openssl/http.h8
-rw-r--r--include/openssl/httperr.h6
-rw-r--r--test/build.info30
-rw-r--r--test/cmp_ctx_test.c8
-rw-r--r--test/http_test.c4
-rw-r--r--util/libcrypto.num7
-rw-r--r--util/missingcrypto.txt1
26 files changed, 321 insertions, 244 deletions
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 2d22192925..90f9c2bbe6 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -233,13 +233,13 @@ BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
int connect, int detail);
# ifndef OPENSSL_NO_SOCK
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
- const char *proxy_port, SSL_CTX *ctx,
+ const char *no_proxy, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 7c2a5ea5e7..7b400a413d 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1990,7 +1990,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
} else if (!connect && !detail) { /* disconnecting after error */
const char *hint = tls_error_hint();
if (hint != NULL)
- ERR_add_error_data(1, hint);
+ ERR_add_error_data(2, " : ", hint);
/*
* If we pop sbio and BIO_free() it this may lead to libssl double free.
* Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
@@ -2000,7 +2000,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
}
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it)
@@ -2029,7 +2029,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
info.use_proxy = proxy != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
- resp = OSSL_HTTP_get_asn1(url, proxy, proxy_port,
+ resp = OSSL_HTTP_get_asn1(url, proxy, no_proxy,
NULL, NULL, app_http_tls_cb, &info,
headers, 0 /* maxline */, 0 /* max_resp_len */,
timeout, expected_content_type, it);
@@ -2042,7 +2042,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
- const char *proxy_port, SSL_CTX *ssl_ctx,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
@@ -2056,7 +2056,7 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
return OSSL_HTTP_post_asn1(host, port, path, ssl_ctx != NULL,
- proxy, proxy_port,
+ proxy, no_proxy,
NULL, NULL, app_http_tls_cb, &info,
headers, content_type, req, req_it,
0 /* maxline */,
diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info
index d3fbae2452..a2a57c14ec 100644
--- a/crypto/cmp/build.info
+++ b/crypto/cmp/build.info
@@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c \
cmp_status.c cmp_hdr.c cmp_protect.c cmp_msg.c cmp_vfy.c \
- cmp_server.c cmp_client.c
+ cmp_server.c cmp_client.c cmp_http.c
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index eedabc59d2..604b4ce9a1 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -140,7 +140,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
if (transfer_cb == NULL)
- transfer_cb = NULL; /* TODO: will be OSSL_CMP_MSG_http_perform of chunk 10 */
+ transfer_cb = OSSL_CMP_MSG_http_perform;
*rep = NULL;
msg_timeout = ctx->msg_timeout; /* backup original value */
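Review bot: The new default at `transfer_cb = OSSL_CMP_MSG_http_perform;` binds the client to the HTTP transport whenever no callback is set, and nothing in this hunk guards that against sockets being compiled out; the apps-level wrappers around OSSL_HTTP_post_asn1 are declared under `# ifndef OPENSSL_NO_SOCK` in apps/include/apps.h in this same commit, so presumably the same guard is needed here unless cmp.h provides a stub. If it is not already handled elsewhere in the commit, wrap the assignment in `#ifndef OPENSSL_NO_SOCK` and, in the `#else` branch, raise a CMP error and fail when transfer_cb is still NULL, so send_receive_check fails cleanly instead of at link time in a no-sock build. send_receive_check starts and ends outside this hunk.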
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 873d69320e..eb799b103c 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -20,9 +20,7 @@
#include <openssl/crmf.h>
#include <openssl/err.h>
-/*
- * Get current certificate store containing trusted root CA certs
- */
+/* Get current certificate store containing trusted root CA certs */
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -36,7 +34,6 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
* Set certificate store containing trusted (root) CA certs and possibly CRLs
* and a cert verification callback function used for CMP server authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
- * returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
{
@@ -49,9 +46,7 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
return 1;
}
-/*
- * Get current list of non-trusted intermediate certs
- */
+/* Get current list of non-trusted intermediate certs */
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -64,7 +59,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
- * returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
@@ -102,7 +96,6 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
ctx->failInfoCode = -1;
ctx->serverPort = OSSL_CMP_DEFAULT_PORT;
- ctx->proxyPort = OSSL_CMP_DEFAULT_PORT;
ctx->msg_timeout = 2 * 60;
if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
@@ -125,9 +118,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
return NULL;
}
-/*
- * Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX
- */
+/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -148,9 +139,7 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
-/*
- * Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new()
- */
+/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL)
@@ -158,7 +147,8 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
OPENSSL_free(ctx->serverPath);
OPENSSL_free(ctx->serverName);
- OPENSSL_free(ctx->proxyName);
+ OPENSSL_free(ctx->proxy);
+ OPENSSL_free(ctx->no_proxy);
X509_free(ctx->srvCert);
X509_free(ctx->validatedSrvCert);
@@ -252,11 +242,7 @@ int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
return 1;
}
-/*
- * Set callback function for checking if the cert is ok or should
- * it be rejected.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for checking if the cert is ok or should be rejected */
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
{
if (ctx == NULL) {
@@ -270,7 +256,6 @@ int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
/*
* Set argument, respectively a pointer to a structure containing arguments,
* optionally to be used by the certConf callback.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
@@ -380,10 +365,7 @@ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
return res;
}
-/*
- * Set a callback function for error reporting and logging messages.
- * Returns 1 on success, 0 on error
- */
+/* Set a callback function for error reporting and logging messages */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
{
if (ctx == NULL) {
@@ -411,7 +393,6 @@ void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx)
/*
* Set or clear the reference value to be used for identification
* (i.e., the user name) when using PBMAC.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len)
@@ -424,10 +405,7 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
len);
}
-/*
- * Set or clear the password to be used for protecting messages with PBMAC.
- * Returns 1 on success, 0 on error
- */
+/* Set or clear the password to be used for protecting messages with PBMAC */
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len)
{
@@ -465,7 +443,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
/*
* Copies any given stack of inbound X509 certificates to extraCertsIn
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error.
*/
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn)
@@ -483,7 +460,6 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
/*
* Duplicate and set the given stack as the new stack of X509
* certificates to send out in the extraCerts field.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut)
@@ -503,7 +479,6 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
/*
* Add the given policy info object
* to the X509_EXTENSIONS of the requested certificate template.
- * Returns 1 on success, 0 on error.
*/
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
{
@@ -519,9 +494,7 @@ int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
return sk_POLICYINFO_push(ctx->policies, pinfo);
}
-/*
- * Add an ITAV for geninfo of the PKI message header
- */
+/* Add an ITAV for geninfo of the PKI message header */
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
@@ -531,9 +504,7 @@ int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
}
-/*
- * Add an itav for the body of outgoing general messages
- */
+/* Add an itav for the body of outgoing general messages */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
@@ -562,7 +533,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
/*
* Duplicate and copy the given stack of certificates to the given
* OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error
*/
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
{
@@ -614,39 +584,25 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
* Pins the server certificate to be directly trusted (even if it is expired)
* for verifying response messages.
* Cert pointer is not consumed. It may be NULL to clear the entry.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
-/*
- * Set the X509 name of the recipient. Set in the PKIHeader.
- * returns 1 on success, 0 on error
- */
+/* Set the X509 name of the recipient. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
-/*
- * Store the X509 name of the expected sender in the PKIHeader of responses.
- * Returns 1 on success, 0 on error
- */
+/* Store the X509 name of the expected sender in the PKIHeader of responses */
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
-/*
- * Set the X509 name of the issuer. Set in the PKIHeader.
- * Returns 1 on success, 0 on error
- */
+/* Set the X509 name of the issuer. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
/*
* Set the subject name that will be placed in the certificate
* request. This will be the subject name on the received certificate.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
-/*
- * Set the X.509v3 certificate request extensions to be used in IR/CR/KUR.
- * Returns 1 on success, 0 on error
- */
+/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
{
if (ctx == NULL) {
@@ -680,7 +636,6 @@ int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
/*
* Add a GENERAL_NAME structure that will be added to the CRMF
* request's extensions field to request subject alternative names.
- * Returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
const GENERAL_NAME *name)
@@ -712,7 +667,6 @@ int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
/*
* Set our own client certificate, used for example in KUR and when
* doing the IR with existing certificate.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
@@ -721,19 +675,14 @@ DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
* or the certificate to be revoked in RR, respectively.
* Also used as reference cert (defaulting to clCert) for deriving subject DN
* and SANs. Its issuer is used as default recipient in the CMP message header.
- * Returns 1 on success, 0 on error
*/
DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
-/*
- * Set the PKCS#10 CSR to be sent in P10CR.
- * Returns 1 on success, 0 on error
- */
+/* Set the PKCS#10 CSR to be sent in P10CR */
DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
/*
- * Sets the (newly received in IP/KUP/CP) certificate in the context.
- * Returns 1 on success, 0 on error
+ * Set the (newly received in IP/KUP/CP) certificate in the context.
* TODO: this only permits for one cert to be enrolled at a time.
*/
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
@@ -759,16 +708,10 @@ X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
return ctx->newCert;
}
-/*
- * Set the client's current private key.
- * Returns 1 on success, 0 on error
- */
+/* Set the client's current private key */
DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
-/*
- * Set new key pair. Used e.g. when doing Key Update.
- * Returns 1 on success, 0 on error
- */
+/* Set new key pair. Used e.g. when doing Key Update */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
{
if (ctx == NULL) {
@@ -782,9 +725,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
return 1;
}
-/*
- * gets the private/public key to use for certificate enrollment, NULL on error
- */
+/* Get the private/public key to use for cert enrollment, or NULL on error */
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
@@ -799,10 +740,7 @@ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
return ctx->pkey; /* may be NULL */
}
-/*
- * Sets the given transactionID to the context.
- * Returns 1 on success, 0 on error
- */
+/* Set the given transactionID to the context */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id)
{
@@ -813,11 +751,7 @@ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
}
-/*
- * sets the given nonce to be used for the recipNonce in the next message to be
- * created.
- * returns 1 on success, 0 on error
- */
+/* Set the nonce to be used for the recipNonce in the message created next */
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
@@ -826,10 +760,7 @@ int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
}
-/*
- * Stores the given nonce as the last senderNonce sent out.
- * Returns 1 on success, 0 on error
- */
+/* Stores the given nonce as the last senderNonce sent out */
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce)
{
@@ -840,36 +771,16 @@ int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
}
-/*
- * Set the host name of the (HTTP) proxy server to use for all connections
- * returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(proxyName, char)
+/* Set the proxy server to use for HTTP(S) connections */
+DEFINE_OSSL_CMP_CTX_set1(proxy, char)
-/*
- * Set the (HTTP) host name of the CA server.
- * Returns 1 on success, 0 on error
- */
+/* Set the (HTTP) host name of the CMP server */
DEFINE_OSSL_CMP_CTX_set1(serverName, char)
-/*
- * Sets the (HTTP) proxy port to be used.
- * Returns 1 on success, 0 on error
- */
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->proxyPort = port;
- return 1;
-}
+/* Set the server exclusion list of the HTTP proxy server */
+DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
-/*
- * sets the http connect/disconnect callback function to be used for HTTP(S)
- * returns 1 on success, 0 on error
- */
+/* Set the http connect/disconnect callback function to be used for HTTP(S) */
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
{
if (ctx == NULL) {
@@ -880,10 +791,7 @@ int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
return 1;
}
-/*
- * Set argument optionally to be used by the http connect/disconnect callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the http connect/disconnect callback */
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
@@ -907,10 +815,7 @@ void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
return ctx->http_cb_arg;
}
-/*
- * Set callback function for sending CMP request and receiving response.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for sending CMP request and receiving response */
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
{
if (ctx == NULL) {
@@ -921,10 +826,7 @@ int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
return 1;
}
-/*
- * Set argument optionally to be used by the transfer callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the transfer callback */
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
{
if (ctx == NULL) {
@@ -948,10 +850,7 @@ void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
return ctx->transfer_cb_arg;
}
-/*
- * Sets the (HTTP) server port to be used.
- * Returns 1 on success, 0 on error
- */
+/** Set the HTTP server port to be used */
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
{
if (ctx == NULL) {
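Review bot: The rewritten header comment above OSSL_CMP_CTX_set_serverPort uses the Doxygen opener `/** Set the HTTP server port to be used */` while every other comment this commit rewrites in cmp_ctx.c uses a plain `/*`; change it to `/* Set the HTTP server port to be used */` so the file stays uniform. Separately, this commit strips the "Returns 1 on success, 0 on error" line from many of these comments; that is fine provided the man page OSSL_CMP_CTX_new.pod, which the diffstat shows is touched, still states the return-value contract for each setter.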
@@ -962,16 +861,10 @@ int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
return 1;
}
-/*
- * Sets the HTTP path to be used on the server (e.g "pkix/").
- * Returns 1 on success, 0 on error
- */
+/* Set the HTTP path to be used on the server (e.g "pkix/") */
DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
-/*
- * Set the failInfo error code as bit encoding in OSSL_CMP_CTX.
- * Returns 1 on success, 0 on error
- */
+/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
{
if (!ossl_assert(ctx != NULL))
@@ -993,10 +886,7 @@ int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
return ctx->failInfoCode;
}
-/*
- * Sets a Boolean or integer option of the context to the "val" arg.
- * Returns 1 on success, 0 on error
- */
+/* Set a Boolean or integer option of the context to the "val" arg */
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
{
int min_val;
diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c
new file mode 100644
index 0000000000..be78d95577
--- /dev/null
+++ b/crypto/cmp/cmp_http.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/http.h>
+#include "internal/sockets.h"
+
+#include "openssl/cmp.h"
+#include "cmp_local.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/cmp.h>
+#include <openssl/err.h>
+
+/*
+ * Send the PKIMessage req and on success return the response, else NULL.
+ * Any previous error queue entries will likely be removed by ERR_clear_error().
+ */
+OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req)
+{
+ char server_port[32];
+ STACK_OF(CONF_VALUE) *headers = NULL;
+ OSSL_CMP_MSG *res = NULL;
+ const char *const content_type_pkix = "application/pkixcmp";
+
+ if (ctx == NULL || req == NULL
+ || ctx->serverName == NULL || ctx->serverPort == 0) {
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+
+ if (!X509V3_add_value("Pragma", "no-cache", &headers))
+ return NULL;
+
+ BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort);
+
+ res = (OSSL_CMP_MSG *)
+ OSSL_HTTP_post_asn1(ctx->serverName, server_port, ctx->serverPath,
+ OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL,
+ ctx->proxy, ctx->no_proxy, NULL, NULL,
+ ctx->http_cb, OSSL_CMP_CTX_get_http_cb_arg(ctx),
+ headers, content_type_pkix,
+ (ASN1_VALUE *)req, ASN1_ITEM_rptr(OSSL_CMP_MSG),
+ 0, 0, ctx->msg_timeout, content_type_pkix,
+ ASN1_ITEM_rptr(OSSL_CMP_MSG));
+
+ sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
+ return res;
+}
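Review bot: OSSL_CMP_MSG_http_perform returns a pointer, but the argument-check branch ends with `return 0;` while the X509V3_add_value failure path a few lines later uses `return NULL;`; both are null pointer constants, but the first should read `return NULL;` for consistency. The fourth argument to OSSL_HTTP_post_asn1, `OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL`, appears to be the use_ssl flag inferred from whether an HTTP callback argument was set, which is a non-obvious coupling; a trailing `/* use_ssl */` comment on that line, or a sentence in the header comment saying that TLS is used if and only if an http_cb_arg is set, would make that contract visible to callers. The file also includes cmp.h twice, once as `"openssl/cmp.h"` and once as `<openssl/cmp.h>`; the quoted form should go.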
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 220e93e2ce..3017d1910b 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -38,8 +38,8 @@ struct ossl_cmp_ctx_st {
char *serverPath;
char *serverName;
int serverPort;
- char *proxyName;
- int proxyPort;
+ char *proxy;
+ char *no_proxy;
int msg_timeout; /* max seconds to wait for each CMP message round trip */
int total_timeout; /* max number of seconds an enrollment may take, incl. */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
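Review bot: The two new fields `proxy` and `no_proxy` carry no comment, unlike msg_timeout and total_timeout directly below them, and their format is not obvious from the names: the http_client.c hunk in this commit documents the proxy string as optionally including ":port", and the cmp_ctx.c comment calls no_proxy a server exclusion list. Suggest `char *proxy; /* HTTP(S) proxy, optionally with ":port" */` and `char *no_proxy; /* servers for which the proxy is not used */`, with the exact list syntax added once OSSL_HTTP_transfer.pod fixes it. struct ossl_cmp_ctx_st starts before and ends after this hunk.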
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 1a21faa1e1..3ee5c31d99 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2600,12 +2600,12 @@ HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded
HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding
HTTP_R_MISSING_CONTENT_TYPE:121:missing content type
HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location
+HTTP_R_RECEIVED_ERROR:105:received error
+HTTP_R_RECEIVED_WRONG_HTTP_VERSION:106:received wrong http version
HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http
HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
-HTTP_R_SERVER_RESPONSE_PARSE_ERROR:104:server response parse error
-HTTP_R_SERVER_SENT_ERROR:105:server sent error
-HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION:106:server sent wrong http version
+HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
HTTP_R_TLS_NOT_ENABLED:107:tls not enabled
HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 124fed0c9d..0fa1939a02 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -330,7 +330,7 @@ static int parse_http_line1(char *line)
for (code = line; *code != '\0' && !ossl_isspace(*code); code++)
continue;
if (*code == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -339,7 +339,7 @@ static int parse_http_line1(char *line)
code++;
if (*code == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -348,7 +348,7 @@ static int parse_http_line1(char *line)
continue;
if (*reason == '\0') {
- HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+ HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
return 0;
}
@@ -385,7 +385,7 @@ static int parse_http_line1(char *line)
if (retcode < 400)
HTTPerr(0, HTTP_R_STATUS_CODE_UNSUPPORTED);
else
- HTTPerr(0, HTTP_R_SERVER_SENT_ERROR);
+ HTTPerr(0, HTTP_R_RECEIVED_ERROR);
if (*reason == '\0')
ERR_add_error_data(2, "Code=", code);
else
@@ -577,12 +577,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
*line_end = '\0';
}
if (value != NULL && line_end != NULL) {
- if (rctx->state == OHS_REDIRECT && strcmp(key, "Location") == 0) {
+ if (rctx->state == OHS_REDIRECT
+ && strcasecmp(key, "Location") == 0) {
rctx->redirection_url = value;
return 0;
}
- if (rctx->expected_ct != NULL && strcmp(key, "Content-Type") == 0) {
- if (strcmp(rctx->expected_ct, value) != 0) {
+ if (rctx->expected_ct != NULL
+ && strcasecmp(key, "Content-Type") == 0) {
+ if (strcasecmp(rctx->expected_ct, value) != 0) {
HTTPerr(0, HTTP_R_UNEXPECTED_CONTENT_TYPE);
ERR_add_error_data(4, "expected=", rctx->expected_ct,
",actual=", value);
@@ -590,7 +592,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
rctx->expected_ct = NULL; /* content-type has been found */
}
- if (strcmp(key, "Content-Length") == 0) {
+ if (strcasecmp(key, "Content-Length") == 0) {
resp_len = strtoul(value, &line_end, 10);
if (line_end == value || *line_end != '\0') {
HTTPerr(0, HTTP_R_ERROR_PARSING_CONTENT_LENGTH);
@@ -603,7 +605,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
}
/* Look for blank line: end of headers */
- for (p = rctx->iobuf; *p != '\0' ; p++) {
+ for (p = rctx->iobuf; *p != '\0'; p++) {
if (*p != '\r' && *p != '\n')
break;
}
@@ -690,10 +692,12 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
#ifndef OPENSSL_NO_SOCK
/* set up a new connection BIO, to HTTP server or to HTTP(S) proxy if given */
-static BIO *HTTP_new_bio(const char *server, const char *server_port,
- const char *proxy, const char *proxy_port)
+static BIO *HTTP_new_bio(const char *server /* optionally includes ":port" */,
+ const char *server_port /* explicit server port */,
+ const char *proxy /* optionally includes ":port" */)
{
- const char *host = server;
+ const char *host = server, *host_end;
+ char host_name[100];
const char *port = server_port;
BIO *cbio;
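Review bot: The new local `char host_name[100];` introduces a magic buffer size into HTTP_new_bio; the check in the following hunk compares `host_end - host` against `sizeof(host_name)`, so the bound is enforced, but a named constant would make the limit visible where it is chosen. Suggest a file-scope `enum { HOST_NAME_MAX_LEN = 100 };` (constructed name) and `char host_name[HOST_NAME_MAX_LEN];`. The parameter comments embedded in the signature, such as `const char *server /* optionally includes ":port" */`, read awkwardly; a short block comment above the function describing server, server_port and proxy, including that proxy overrides the server port, would be the conventional place. HTTP_new_bio continues past the end of this hunk.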
@@ -704,9 +708,17 @@ static BIO *HTTP_new_bio(const char *server, const char *server_port,
if (proxy != NULL) {
host = proxy;
- port = proxy_port;
+ port = NULL;
}
- cbio = BIO_new_connect(host);
+
+ host_end = strchr(host, '/');
+ if (host_end != NULL && (size_t)(host_end - host) < sizeof(host_name)) {
+ /* chop trailing string starting with '/'