Browse Source

Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c

The new client has become an independent libcrpyto module in crypto/http/ and
* can handle any types of requests and responses (ASN.1-encoded and plain)
* does not include potentially busy loops when waiting for responses but
* makes use of a new timeout mechanism integrated with socket-based BIO
* supports the use of HTTP proxies and TLS, including HTTPS over proxies
* supports HTTP redirection via codes 301 and 302 for GET requests
* returns more useful diagnostics in various error situations
Also adapts - and strongly simplifies - hitherto uses of HTTP in crypto/ocsp/,
crypto/x509/x_all.c, apps/lib/apps.c, and apps/{ocsp,s_client,s_server}.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10667)
master
Dr. David von Oheimb 3 years ago
parent
commit
29f178bddf
45 changed files with 2495 additions and 1016 deletions
  1. +26
    -0
      apps/include/apps.h
  2. +135
    -52
      apps/lib/apps.c
  3. +9
    -114
      apps/ocsp.c
  4. +16
    -114
      apps/s_client.c
  5. +6
    -7
      apps/s_server.c
  6. +1
    -1
      crypto/build.info
  7. +1
    -1
      crypto/cmp/cmp_ctx.c
  8. +2
    -0
      crypto/cmp/cmp_err.c
  9. +1
    -1
      crypto/cmp/cmp_local.h
  10. +1
    -0
      crypto/err/err.c
  11. +2
    -0
      crypto/err/err_all.c
  12. +1
    -0
      crypto/err/openssl.ec
  13. +23
    -5
      crypto/err/openssl.txt
  14. +2
    -0
      crypto/http/build.info
  15. +1238
    -0
      crypto/http/http_client.c
  16. +67
    -0
      crypto/http/http_err.c
  17. +116
    -0
      crypto/http/http_lib.c
  18. +51
    -0
      crypto/http/http_local.h
  19. +1
    -1
      crypto/ocsp/build.info
  20. +0
    -5
      crypto/ocsp/ocsp_err.c
  21. +0
    -502
      crypto/ocsp/ocsp_ht.c
  22. +65
    -0
      crypto/ocsp/ocsp_http.c
  23. +0
    -107
      crypto/ocsp/ocsp_lib.c
  24. +19
    -10
      crypto/x509/x_all.c
  25. +21
    -28
      doc/man3/OCSP_sendreq_new.pod
  26. +21
    -26
      doc/man3/OSSL_CMP_CTX_new.pod
  27. +210
    -0
      doc/man3/OSSL_HTTP_transfer.pod
  28. +63
    -0
      doc/man3/X509_load_http.pod
  29. +4
    -6
      include/openssl/cmp.h
  30. +1
    -0
      include/openssl/cmperr.h
  31. +2
    -0
      include/openssl/err.h
  32. +72
    -0
      include/openssl/http.h
  33. +55
    -0
      include/openssl/httperr.h
  34. +23
    -12
      include/openssl/ocsp.h
  35. +0
    -5
      include/openssl/ocsperr.h
  36. +1
    -1
      include/openssl/types.h
  37. +7
    -6
      include/openssl/x509.h
  38. +8
    -0
      test/build.info
  39. +5
    -4
      test/cmp_ctx_test.c
  40. +181
    -0
      test/http_test.c
  41. +21
    -0
      test/recipes/80-test_http.t
  42. +1
    -0
      util/err-to-raise
  43. +11
    -5
      util/libcrypto.num
  44. +1
    -2
      util/missingcrypto.txt
  45. +4
    -1
      util/other.syms

+ 26
- 0
apps/include/apps.h View File

@ -28,12 +28,14 @@
# include <openssl/txt_db.h>
# include <openssl/engine.h>
# include <openssl/ocsp.h>
# include <openssl/http.h>
# include <signal.h>
# include "apps_ui.h"
# include "opt.h"
# include "fmt.h"
# include "platform.h"
/* also in include/internal/sockets.h */
# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
# else
@ -215,6 +217,30 @@ void print_cert_checks(BIO *bio, X509 *x,
void store_setup_crl_download(X509_STORE *st);
typedef struct app_http_tls_info_st {
const char *server;
const char *port;
int use_proxy;
long timeout;
SSL_CTX *ssl_ctx;
} APP_HTTP_TLS_INFO;
BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
int connect, int detail);
# ifndef OPENSSL_NO_SOCK
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
const char *proxy_port, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it);
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
const char *proxy_port, SSL_CTX *ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
long timeout, const ASN1_ITEM *rsp_it);
# endif
# define EXT_COPY_NONE 0
# define EXT_COPY_ADD 1
# define EXT_COPY_ALL 2


+ 135
- 52
apps/lib/apps.c View File

@ -441,62 +441,14 @@ static int load_pkcs12(BIO *in, const char *desc,
return ret;
}
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
{
char *host = NULL, *port = NULL, *path = NULL;
BIO *bio = NULL;
OCSP_REQ_CTX *rctx = NULL;
int use_ssl, rv = 0;
if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
goto err;
if (use_ssl) {
BIO_puts(bio_err, "https not supported\n");
goto err;
}
bio = BIO_new_connect(host);
if (!bio || !BIO_set_conn_port(bio, port))
goto err;
rctx = OCSP_REQ_CTX_new(bio, 1024);
if (rctx == NULL)
goto err;
if (!OCSP_REQ_CTX_http(rctx, "GET", path))
goto err;
if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
goto err;
if (pcert) {
do {
rv = X509_http_nbio(rctx, pcert);
} while (rv == -1);
} else {
do {
rv = X509_CRL_http_nbio(rctx, pcrl);
} while (rv == -1);
}
err:
OPENSSL_free(host);
OPENSSL_free(path);
OPENSSL_free(port);
BIO_free_all(bio);
OCSP_REQ_CTX_free(rctx);
if (rv != 1) {
BIO_printf(bio_err, "Error loading %s from %s\n",
pcert ? "certificate" : "CRL", url);
ERR_print_errors(bio_err);
}
return rv;
}
#endif
X509 *load_cert(const char *file, int format, const char *cert_descrip)
{
X509 *x = NULL;
BIO *cert;
if (format == FORMAT_HTTP) {
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
load_cert_crl_http(file, &x, NULL);
#if !defined(OPENSSL_NO_SOCK)
x = X509_load_http(file, NULL, NULL, 0 /* timeout */);
#endif
return x;
}
@ -537,8 +489,8 @@ X509_CRL *load_crl(const char *infile, int format)
BIO *in = NULL;
if (format == FORMAT_HTTP) {
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
load_cert_crl_http(infile, NULL, &x);
#if !defined(OPENSSL_NO_SOCK)
x = X509_CRL_load_http(infile, NULL, NULL, 0 /* timeout */);
#endif
return x;
}
@ -1981,6 +1933,137 @@ void store_setup_crl_download(X509_STORE *st)
X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
}
#ifndef OPENSSL_NO_SOCK
static const char *tls_error_hint(void)
{
unsigned long err = ERR_peek_error();
if (ERR_GET_LIB(err) != ERR_LIB_SSL)
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) != ERR_LIB_SSL)
return NULL;
switch (ERR_GET_REASON(err)) {
case SSL_R_WRONG_VERSION_NUMBER:
return "The server does not support (a suitable version of) TLS";
case SSL_R_UNKNOWN_PROTOCOL:
return "The server does not support HTTPS";
case SSL_R_CERTIFICATE_VERIFY_FAILED:
return "Cannot authenticate server via its TLS certificate, likely due to mismatch with our trusted TLS certs or missing revocation status";
case SSL_AD_REASON_OFFSET + TLS1_AD_UNKNOWN_CA:
return "Server did not accept our TLS certificate, likely due to mismatch with server's trust anchor or missing revocation status";
case SSL_AD_REASON_OFFSET + SSL3_AD_HANDSHAKE_FAILURE:
return "TLS handshake failure. Possibly the server requires our TLS certificate but did not receive it";
default: /* no error or no hint available for error */
return NULL;
}
}
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
{
APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
SSL_CTX *ssl_ctx = info->ssl_ctx;
SSL *ssl;
BIO *sbio = NULL;
if (connect && detail) { /* connecting with TLS */
if ((info->use_proxy
&& !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
info->timeout, bio_err, opt_getprog()))
|| (sbio = BIO_new(BIO_f_ssl())) == NULL) {
return NULL;
}
if (ssl_ctx == NULL || (ssl = SSL_new(ssl_ctx)) == NULL) {
BIO_free(sbio);
return NULL;
}
SSL_set_tlsext_host_name(ssl, info->server);
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
hbio = BIO_push(sbio, hbio);
} else if (!connect && !detail) { /* disconnecting after error */
const char *hint = tls_error_hint();
if (hint != NULL)
ERR_add_error_data(1, hint);
/*
* If we pop sbio and BIO_free() it this may lead to libssl double free.
* Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
*/
}
return hbio;
}
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
const char *proxy_port, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
long timeout, const char *expected_content_type,
const ASN1_ITEM *it)
{
APP_HTTP_TLS_INFO info;
char *server;
char *port;
int use_ssl;
ASN1_VALUE *resp = NULL;
if (url == NULL || it == NULL) {
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if (!OSSL_HTTP_parse_url(url, &server, &port, NULL /* ppath */, &use_ssl))
return NULL;
if (use_ssl && ssl_ctx == NULL) {
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
ERR_add_error_data(1, "missing SSL_CTX");
goto end;
}
info.server = server;
info.port = port;
info.use_proxy = proxy != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
resp = OSSL_HTTP_get_asn1(url, proxy, proxy_port,
NULL, NULL, app_http_tls_cb, &info,
headers, 0 /* maxline */, 0 /* max_resp_len */,
timeout, expected_content_type, it);
end:
OPENSSL_free(server);
OPENSSL_free(port);
return resp;
}
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
const char *path, const char *proxy,
const char *proxy_port, SSL_CTX *ssl_ctx,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
long timeout, const ASN1_ITEM *rsp_it)
{
APP_HTTP_TLS_INFO info;
info.server = host;
info.port = port;
info.use_proxy = proxy != NULL;
info.timeout = timeout;
info.ssl_ctx = ssl_ctx;
return OSSL_HTTP_post_asn1(host, port, path, ssl_ctx != NULL,
proxy, proxy_port,
NULL, NULL, app_http_tls_cb, &info,
headers, content_type, req, req_it,
0 /* maxline */,
0 /* max_resp_len */, timeout, NULL, rsp_it);
}
#endif
/*
* Platform-specific sections
*/


+ 9
- 114
apps/ocsp.c View File

@ -118,13 +118,6 @@ static int print_syslog(const char *str, size_t len, void *levPtr);
static void socket_timeout(int signum);
# endif
# ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
# endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
@ -315,7 +308,8 @@ int ocsp_main(int argc, char **argv)
OPENSSL_free(tport);
OPENSSL_free(tpath);
thost = tport = tpath = NULL;
if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
if (!OSSL_HTTP_parse_url(opt_arg(),
&host, &port, &path, &use_ssl)) {
BIO_printf(bio_err, "%s Error parsing URL\n", prog);
goto end;
}
@ -1541,133 +1535,34 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
}
# ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
int fd;
int rv;
int i;
int add_host = 1;
OCSP_REQ_CTX *ctx = NULL;
OCSP_RESPONSE *rsp = NULL;
fd_set confds;
struct timeval tv;
if (req_timeout != -1)
BIO_set_nbio(cbio, 1);
rv = BIO_do_connect(cbio);
if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
BIO_puts(bio_err, "Error connecting BIO\n");
return NULL;
}
if (BIO_get_fd(cbio, &fd) < 0) {
BIO_puts(bio_err, "Can't get connection fd\n");
goto err;
}
if (req_timeout != -1 && rv <= 0) {
FD_ZERO(&confds);
openssl_fdset(fd, &confds);
tv.tv_usec = 0;
tv.tv_sec = req_timeout;
rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
if (rv == 0) {
BIO_puts(bio_err, "Timeout on connect\n");
return NULL;
}
}
ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
if (ctx == NULL)
return NULL;
for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
if (add_host == 1 && strcasecmp("host", hdr->name) == 0)
add_host = 0;
if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
goto err;
}
if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0)
goto err;
if (!OCSP_REQ_CTX_set1_req(ctx, req))
goto err;
for (;;) {
rv = OCSP_sendreq_nbio(&rsp, ctx);
if (rv != -1)
break;
if (req_timeout == -1)
continue;
FD_ZERO(&confds);
openssl_fdset(fd, &confds);
tv.tv_usec = 0;
tv.tv_sec = req_timeout;
if (BIO_should_read(cbio)) {
rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
} else if (BIO_should_write(cbio)) {
rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
} else {
BIO_puts(bio_err, "Unexpected retry condition\n");
goto err;
}
if (rv == 0) {
BIO_puts(bio_err, "Timeout on request\n");
break;
}
if (rv == -1) {
BIO_puts(bio_err, "Select error\n");
break;
}
}
err:
OCSP_REQ_CTX_free(ctx);
return rsp;
}
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
const char *host, const char *path,
const char *port, int use_ssl,
STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
BIO *cbio = NULL;
SSL_CTX *ctx = NULL;
OCSP_RESPONSE *resp = NULL;
cbio = BIO_new_connect(host);
if (cbio == NULL) {
BIO_printf(bio_err, "Error creating connect BIO\n");
goto end;
}
if (port != NULL)
BIO_set_conn_port(cbio, port);
if (use_ssl == 1) {
BIO *sbio;
ctx = SSL_CTX_new(TLS_client_method());
if (ctx == NULL) {
BIO_printf(bio_err, "Error creating SSL context.\n");
goto end;
}
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
resp = query_responder(cbio, host, path, headers, req, req_timeout);
resp = (OCSP_RESPONSE *)
app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
ctx, headers, "application/ocsp-request",
(ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
if (resp == NULL)
BIO_printf(bio_err, "Error querying OCSP responder\n");
end:
BIO_free_all(cbio);
SSL_CTX_free(ctx);
return resp;
}


+ 16
- 114
apps/s_client.c View File

@ -75,7 +75,6 @@ static void print_stuff(BIO *berr, SSL *con, int full);
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
static char *base64encode (const void *buf, size_t len);
static int is_dNS_name(const char *host);
static int saved_errno;
@ -949,7 +948,7 @@ int s_client_main(int argc, char **argv)
int prexit = 0;
int sdebug = 0;
int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0;
int sbuf_len, sbuf_off, cmdletters = 1;
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
@ -2095,16 +2094,16 @@ int s_client_main(int argc, char **argv)
}
re_start:
if (init_client(&s, host, port, bindhost, bindport, socket_family,
if (init_client(&sock, host, port, bindhost, bindport, socket_family,
socket_type, protocol) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
BIO_closesocket(s);
BIO_closesocket(sock);
goto end;
}
BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
BIO_printf(bio_c_out, "CONNECTED(%08X)\n", sock);
if (c_nbio) {
if (!BIO_socket_nbio(s, 1)) {
if (!BIO_socket_nbio(sock, 1)) {
ERR_print_errors(bio_err);
goto end;
}
@ -2116,21 +2115,21 @@ int s_client_main(int argc, char **argv)
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP)
sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE);
sbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE);
else
#endif
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
sbio = BIO_new_dgram(sock, BIO_NOCLOSE);
if ((peer_info.addr = BIO_ADDR_new()) == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
BIO_closesocket(s);
BIO_closesocket(sock);
goto end;
}
if (!BIO_sock_info(s, BIO_SOCK_INFO_ADDRESS, &peer_info)) {
if (!BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &peer_info)) {
BIO_printf(bio_err, "getsockname:errno=%d\n",
get_last_socket_error());
BIO_ADDR_free(peer_info.addr);
BIO_closesocket(s);
BIO_closesocket(sock);
goto end;
}
@ -2167,7 +2166,7 @@ int s_client_main(int argc, char **argv)
}
} else
#endif /* OPENSSL_NO_DTLS */
sbio = BIO_new_socket(s, BIO_NOCLOSE);
sbio = BIO_new_socket(sock, BIO_NOCLOSE);
if (nbio_test) {
BIO *test;
@ -2398,83 +2397,9 @@ int s_client_main(int argc, char **argv)
}
break;
case PROTO_CONNECT:
{
enum {
error_proto, /* Wrong protocol, not even HTTP */
error_connect, /* CONNECT failed */
success
} foundit = error_connect;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n", connectstr);
/*
* Workaround for broken proxies which would otherwise close
* the connection when entering tunnel mode (eg Squid 2.6)
*/
BIO_printf(fbio, "Proxy-Connection: Keep-Alive\r\n");
/* Support for basic (base64) proxy authentication */
if (proxyuser != NULL) {
size_t l;
char *proxyauth, *proxyauthenc;
l = strlen(proxyuser);
if (proxypass != NULL)
l += strlen(proxypass);
proxyauth = app_malloc(l + 2, "Proxy auth string");
BIO_snprintf(proxyauth, l + 2, "%s:%s", proxyuser,
(proxypass != NULL) ? proxypass : "");
proxyauthenc = base64encode(proxyauth, strlen(proxyauth));
BIO_printf(fbio, "Proxy-Authorization: Basic %s\r\n",
proxyauthenc);
OPENSSL_clear_free(proxyauth, strlen(proxyauth));
OPENSSL_clear_free(proxyauthenc, strlen(proxyauthenc));
}
/* Terminate the HTTP CONNECT request */
BIO_printf(fbio, "\r\n");
(void)BIO_flush(fbio);
/*
* The first line is the HTTP response. According to RFC 7230,
* it's formatted exactly like this:
*
* HTTP/d.d ddd Reason text\r\n
*/
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (mbuf_len < (int)strlen("HTTP/1.0 200")) {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, insufficient response "
"from proxy (got %d octets)\n", prog, mbuf_len);
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
goto shut;
}
if (mbuf[8] != ' ') {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, incorrect response "
"from proxy\n", prog);
foundit = error_proto;
} else if (mbuf[9] != '2') {
BIO_printf(bio_err, "%s: HTTP CONNECT failed: %s ", prog,
&mbuf[9]);
} else {
foundit = success;
}
if (foundit != error_proto) {
/* Read past all following headers */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
} while (mbuf_len > 2);
}
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (foundit != success) {
goto shut;
}
}
if (!OSSL_HTTP_proxy_connect(sbio, host, port, proxyuser, proxypass,
0 /* no timeout */, bio_err, prog))
goto shut;
break;
case PROTO_IRC:
{
@ -3192,8 +3117,8 @@ int s_client_main(int argc, char **argv)
timeout.tv_usec = 500000; /* some extreme round-trip */
do {
FD_ZERO(&readfds);
openssl_fdset(s, &readfds);
} while (select(s + 1, &readfds, NULL, NULL, &timeout) > 0
openssl_fdset(sock, &readfds);
} while (select(sock + 1, &readfds, NULL, NULL, &timeout) > 0
&& BIO_read(sbio, sbuf, BUFSIZZ) > 0);
BIO_closesocket(SSL_get_fd(con));
@ -3570,29 +3495,6 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)
return ret;
}
/*
* BASE64 encoder: used only for encoding basic proxy authentication credentials
*/
static char *base64encode (const void *buf, size_t len)
{
int i;
size_t outl;
char *out;
/* Calculate size of encoded data */
outl = (len / 3);
if (len % 3 > 0)
outl++;
outl <<= 2;
out = app_malloc(outl + 1, "base64 encode buffer");
i = EVP_EncodeBlock((unsigned char *)out, buf, len);
assert(i <= (int)outl);
if (i < 0)
*out = '\0';
return out;
}
/*
* Host dNS Name verifier: used for checking that the hostname is in dNS format
* before setting it as SNI


+ 6
- 7
apps/s_server.c View File

@ -526,8 +526,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
x = SSL_get_certificate(s);
aia = X509_get1_ocsp(x);
if (aia != NULL) {
if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
&host, &port, &path, &use_ssl)) {
if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
&host, &port, &path, &use_ssl)) {
BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
goto err;
}
@ -1387,10 +1387,9 @@ int s_server_main(int argc, char *argv[])
case OPT_STATUS_URL:
#ifndef OPENSSL_NO_OCSP
s_tlsextstatus = 1;
if (!OCSP_parse_url(opt_arg(),
&tlscstatp.host,
&tlscstatp.port,
&tlscstatp.path, &tlscstatp.use_ssl)) {
if (!OSSL_HTTP_parse_url(opt_arg(),
&tlscstatp.host, &tlscstatp.port,
&tlscstatp.path, &tlscstatp.use_ssl)) {
BIO_printf(bio_err, "Error parsing URL\n");
goto end;
}
@ -3545,7 +3544,7 @@ static int generate_session_id(SSL *ssl, unsigned char *id,
{
unsigned int count = 0;
unsigned int session_id_prefix_len = strlen(session_id_prefix);
do {
if (RAND_bytes(id, *id_len) <= 0)
return 0;


+ 1
- 1
crypto/build.info View File

@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 conf \
md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
err comp ocsp cms ts srp cmac ct async ess crmf cmp serializer \
err comp http ocsp cms ts srp cmac ct async ess crmf cmp serializer \
ffc
LIBS=../libcrypto


+ 1
- 1
crypto/cmp/cmp_ctx.c View File

@ -819,7 +819,7 @@ int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port)
* sets the http connect/disconnect callback function to be used for HTTP(S)
* returns 1 on success, 0 on error
*/
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb)
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
{
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);


+ 2
- 0
crypto/cmp/cmp_err.c View File

@ -67,6 +67,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NULL_ARGUMENT), "null argument"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_PKISTATUSINFO_NOT_FOUND),
"pkistatusinfo not found"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_POTENTIALLY_INVALID_CERTIFICATE),
"potentially invalid certificate"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PKIBODY), "unexpected pkibody"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_ALGORITHM_ID),
"unknown algorithm id"},


+ 1
- 1
crypto/cmp/cmp_local.h View File

@ -44,7 +44,7 @@ struct ossl_cmp_ctx_st {
int totaltimeout; /* maximum number seconds an enrollment may take, incl. */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
time_t end_time; /* session start time + totaltimeout */
OSSL_cmp_http_cb_t http_cb;
OSSL_HTTP_bio_cb_t http_cb;
void *http_cb_arg; /* allows to store optional argument to cb */
/* server authentication */


+ 1
- 0
crypto/err/err.c View File

@ -76,6 +76,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
{ERR_PACK(ERR_LIB_ESS, 0, 0), "ESS routines"},
{ERR_PACK(ERR_LIB_PROV, 0, 0), "Provider routines"},
{ERR_PACK(ERR_LIB_OSSL_SERIALIZER, 0, 0), "SERIALIZER routines"},
{ERR_PACK(ERR_LIB_HTTP, 0, 0), "HTTP routines"},
{0, NULL},
};


+ 2
- 0
crypto/err/err_all.c View File

@ -30,6 +30,7 @@
#include "internal/dso.h"
#include <openssl/engineerr.h>
#include <openssl/uierr.h>
#include <openssl/httperr.h>
#include <openssl/ocsperr.h>
#include <openssl/err.h>
#include <openssl/tserr.h>
@ -85,6 +86,7 @@ int err_load_crypto_strings_int(void)
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings() == 0 ||
# endif
ERR_load_HTTP_strings() == 0 ||
# ifndef OPENSSL_NO_OCSP
ERR_load_OCSP_strings() == 0 ||
# endif


+ 1
- 0
crypto/err/openssl.ec View File

@ -41,6 +41,7 @@ L ESS include/openssl/ess.h crypto/ess/ess_err.c
L PROP include/internal/property.h crypto/property/property_err.c
L PROV providers/common/include/prov/providercommon.h providers/common/provider_err.c
L OSSL_SERIALIZER include/openssl/serializer.h crypto/serializer/serializer_err.c
L HTTP include/openssl/http.h crypto/http/http_err.c
# additional header files to be scanned for function names
L NONE include/openssl/x509_vfy.h NONE


+ 23
- 5
crypto/err/openssl.txt View File

@ -940,11 +940,9 @@ OCSP_F_OCSP_CHECK_IDS:107:ocsp_check_ids
OCSP_F_OCSP_CHECK_ISSUER:108:ocsp_check_issuer
OCSP_F_OCSP_CHECK_VALIDITY:115:OCSP_check_validity
OCSP_F_OCSP_MATCH_ISSUERID:109:ocsp_match_issuerid
OCSP_F_OCSP_PARSE_URL:114:OCSP_parse_url
OCSP_F_OCSP_REQUEST_SIGN:110:OCSP_request_sign
OCSP_F_OCSP_REQUEST_VERIFY:116:OCSP_request_verify
OCSP_F_OCSP_RESPONSE_GET1_BASIC:111:OCSP_response_get1_basic
OCSP_F_PARSE_HTTP_LINE1:118:parse_http_line1
OSSL_STORE_F_FILE_CTRL:129:file_ctrl
OSSL_STORE_F_FILE_FIND:138:file_find
OSSL_STORE_F_FILE_GET_PASS:118:file_get_pass
@ -2100,6 +2098,7 @@ CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources
CMP_R_NO_STDIO:194:no stdio
CMP_R_NULL_ARGUMENT:103:null argument
CMP_R_PKISTATUSINFO_NOT_FOUND:132:pkistatusinfo not found
CMP_R_POTENTIALLY_INVALID_CERTIFICATE:139:potentially invalid certificate
CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody
CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id
CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type
@ -2527,6 +2526,28 @@ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE:191:xts data unit is too large
EVP_R_XTS_DUPLICATED_KEYS:192:xts duplicated keys
HTTP_R_ASN1_LEN_EXCEEDS_MAX_RESP_LEN:108:asn1 len exceeds max resp len
HTTP_R_CONNECT_FAILURE:100:connect failure
HTTP_R_ERROR_PARSING_ASN1_LENGTH:109:error parsing asn1 length
HTTP_R_ERROR_PARSING_CONTENT_LENGTH:119:error parsing content length
HTTP_R_ERROR_PARSING_URL:101:error parsing url
HTTP_R_ERROR_RECEIVING:103:error receiving
HTTP_R_ERROR_SENDING:102:error sending
HTTP_R_INCONSISTENT_CONTENT_LENGTH:120:inconsistent content length
HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded
HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding
HTTP_R_MISSING_CONTENT_TYPE:121:missing content type
HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location
HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http
HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
HTTP_R_SERVER_RESPONSE_PARSE_ERROR:104:server response parse error
HTTP_R_SERVER_SENT_ERROR:105:server sent error
HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION:106:server sent wrong http version
HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
HTTP_R_TLS_NOT_ENABLED:107:tls not enabled
HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections
HTTP_R_UNEXPECTED_CONTENT_TYPE:118:unexpected content type
KDF_R_BAD_ENCODING:122:bad encoding
KDF_R_BAD_LENGTH:123:bad length
KDF_R_BOTH_MODE_AND_MODE_INT:127:both mode and mode int
@ -2561,7 +2582,6 @@ OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
OCSP_R_DIGEST_ERR:102:digest err
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field
OCSP_R_ERROR_IN_THISUPDATE_FIELD:123:error in thisupdate field
OCSP_R_ERROR_PARSING_URL:121:error parsing url
OCSP_R_MISSING_OCSPSIGNING_USAGE:103:missing ocspsigning usage
OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE:124:nextupdate before thisupdate
OCSP_R_NOT_BASIC_RESPONSE:104:not basic response
@ -2575,8 +2595,6 @@ OCSP_R_REQUEST_NOT_SIGNED:128:request not signed
OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA:111:\
response contains no revocation data
OCSP_R_ROOT_CA_NOT_TRUSTED:112:root ca not trusted
OCSP_R_SERVER_RESPONSE_ERROR:114:server response error
OCSP_R_SERVER_RESPONSE_PARSE_ERROR:115:server response parse error
OCSP_R_SIGNATURE_FAILURE:117:signature failure
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND:118:signer certificate not found
OCSP_R_STATUS_EXPIRED:125:status expired


+ 2
- 0
crypto/http/build.info View File

@ -0,0 +1,2 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=http_client.c http_err.c http_lib.c

+ 1238
- 0
crypto/http/http_client.c
File diff suppressed because it is too large
View File


+ 67
- 0
crypto/http/http_err.c View File

@ -0,0 +1,67 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/err.h>
#include <openssl/httperr.h>
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA HTTP_str_reasons[] = {
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ASN1_LEN_EXCEEDS_MAX_RESP_LEN),
"asn1 len exceeds max resp len"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_CONNECT_FAILURE), "connect failure"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_PARSING_ASN1_LENGTH),
"error parsing asn1 length"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_PARSING_CONTENT_LENGTH),
"error parsing content length"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_PARSING_URL), "error parsing url"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_RECEIVING), "error receiving"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_ERROR_SENDING), "error sending"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_INCONSISTENT_CONTENT_LENGTH),
"inconsistent content length"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MAX_RESP_LEN_EXCEEDED),
"max resp len exceeded"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MISSING_ASN1_ENCODING),
"missing asn1 encoding"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MISSING_CONTENT_TYPE),
"missing content type"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MISSING_REDIRECT_LOCATION),
"missing redirect location"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP),
"redirection from https to http"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_NOT_ENABLED),
"redirection not enabled"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_LINE_TOO_LONG),
"response line too long"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR),
"server response parse error"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_ERROR), "server sent error"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION),
"server sent wrong http version"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_STATUS_CODE_UNSUPPORTED),
"status code unsupported"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_TLS_NOT_ENABLED), "tls not enabled"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_TOO_MANY_REDIRECTIONS),
"too many redirections"},
{ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_UNEXPECTED_CONTENT_TYPE),
"unexpected content type"},
{0, NULL}
};
#endif
int ERR_load_HTTP_strings(void)
{
#ifndef OPENSSL_NO_ERR
if (ERR_reason_error_string(HTTP_str_reasons[0].error) == NULL)
ERR_load_strings_const(HTTP_str_reasons);
#endif
return 1;
}

+ 116
- 0
crypto/http/http_lib.c View File

@ -0,0 +1,116 @@
/*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/http.h>
#include <openssl/httperr.h>
#include <openssl/err.h>
#include <string.h>
/*
* Parse a URL and split it up into host, port and path components and
* whether it indicates SSL/TLS. Return 1 on success, 0 on error.
*/
int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
char **ppath, int *pssl)
{
char *p, *buf;
char *host;
char *port = "80";
if (url == NULL) {
HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (phost != NULL)
*phost = NULL;
if (pport != NULL)
*pport = NULL;
if (ppath != NULL)
*ppath = NULL;
if (pssl != NULL)
*pssl = 0;
/* dup the buffer since we are going to mess with it */
if ((buf = OPENSSL_strdup(url)) == NULL)
goto err;
/* Check for initial colon */
p = strchr(buf, ':');
if (p == NULL || p - buf > 5 /* strlen("https") */) {
p = buf;
} else {
*(p++) = '\0';
if (strcmp(buf, "https") == 0) {
if (pssl != NULL)
*pssl = 1;
port = "443";
} else if (strcmp(buf, "http") != 0) {
goto parse_err;
}
/* Check for double slash */
if ((p[0] != '/') || (p[1] != '/'))
goto parse_err;
p += 2;
}
host = p;
/* Check for trailing part of path */
p = strchr(p, '/');
if (ppath != NULL && (*ppath = OPENSSL_strdup(p == NULL ? "/" : p)) == NULL)
goto err;
if (p != NULL)
*p = '\0'; /* Set start of path to 0 so hostname[:port] is valid */
p = host;
if (host[0] == '[') {
/* ipv6 literal */
host++;
p = strchr(host, ']');
if (p == NULL)
goto parse_err;
*p = '\0';
p++;
}
/* Look for optional ':' for port number */
if ((p = strchr(p, ':'))) {
*p = '\0';
port = p + 1;
}
if (phost != NULL && (*phost = OPENSSL_strdup(host)) == NULL)
goto err;
if (pport != NULL && (*pport = OPENSSL_strdup(port)) == NULL)
goto err;
OPENSSL_free(buf);
return 1;
parse_err:
HTTPerr(0, HTTP_R_ERROR_PARSING_URL);
err:
if (ppath != NULL) {
OPENSSL_free(*ppath);
*ppath = NULL;
}
if (pport != NULL) {
OPENSSL_free(*pport);
*pport = NULL;
}
if (phost != NULL) {
OPENSSL_free(*phost);
*phost = NULL;
}
OPENSSL_free(buf);
return 0;
}

+ 51
- 0
crypto/http/http_local.h View File

@ -0,0 +1,51 @@
/*
* Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2018-2020
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OSSL_CRYPTO_HTTP_LOCAL_H
# define OSSL_CRYPTO_HTTP_LOCAL_H
# include <openssl/ocsp.h>
/* name aliases for legacy names with name prefix "OCSP_" */
typedef OCSP_REQ_CTX OSSL_HTTP_REQ_CTX;
/* functions meanwhile only used internally */
# define OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_new
# define OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_free
# define OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_http
# define OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_add1_header
# define OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_i2d
# define OSSL_HTTP_REQ_CTX_nbio OCSP_REQ_CTX_nbio
# ifndef OPENSSL_NO_SOCK
# define OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio_d2i
# endif
/* functions that are meanwhile unused */
# define OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_REQ_CTX_get0_mem_bio /* undoc'd */
# define OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_set_max_response_length
BIO *HTTP_asn1_item2bio(const ASN1_ITEM *it, ASN1_VALUE *val);
OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy,
const char *server, const char *port,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type, BIO *req_mem,
int maxline, unsigned long max_resp_len,
int timeout,
const char *expected_content_type,
int expect_asn1);
ASN1_VALUE *HTTP_sendreq_bio(BIO *bio, OSSL_HTTP_bio_cb_t bio_update_fn,
void *arg, const char *server, const char *port,
const char *path, int use_ssl, int use_proxy,
const STACK_OF(CONF_VALUE) *headers,
const char *content_type,
ASN1_VALUE *req, const ASN1_ITEM *req_it,
int maxline, unsigned long max_resp_len,
int timeout, const ASN1_ITEM *rsp_it);
#endif /* !defined OSSL_CRYPTO_HTTP_LOCAL_H */

+ 1
- 1
crypto/ocsp/build.info View File

@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
ocsp_asn.c ocsp_ext.c ocsp_http.c ocsp_lib.c ocsp_cl.c \
ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c v3_ocsp.c

+ 0
- 5
crypto/ocsp/ocsp_err.c View File

@ -21,7 +21,6 @@ static const ERR_STRING_DATA OCSP_str_reasons[] = {
"error in nextupdate field"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_IN_THISUPDATE_FIELD),
"error in thisupdate field"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ERROR_PARSING_URL), "error parsing url"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_MISSING_OCSPSIGNING_USAGE),
"missing ocspsigning usage"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),
@ -41,10 +40,6 @@ static const ERR_STRING_DATA OCSP_str_reasons[] = {
"response contains no revocation data"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_ROOT_CA_NOT_TRUSTED),
"root ca not trusted"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_SERVER_RESPONSE_ERROR),
"server response error"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_SERVER_RESPONSE_PARSE_ERROR),
"server response parse error"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_SIGNATURE_FAILURE), "signature failure"},
{ERR_PACK(ERR_LIB_OCSP, 0, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),
"signer certificate not found"},


+ 0
- 502
crypto/ocsp/ocsp_ht.c View File

@ -1,502 +0,0 @@
/*
* Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "e_os.h"
#include <stdio.h>
#include <stdlib.h>
#include "crypto/ctype.h"
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/ocsp.h>
#include <openssl/err.h>
#include <openssl/buffer.h>
/* Stateful OCSP request code, supporting non-blocking I/O */
/* Opaque OCSP request status structure */
struct ocsp_req_ctx_st {
int state; /* Current I/O state */
unsigned char *iobuf; /* Line buffer */
int iobuflen; /* Line buffer length */
BIO *io; /* BIO to perform I/O with */
BIO *mem; /* Memory BIO response is built into */
unsigned long asn1_len; /* ASN1 length of response */
unsigned long max_resp_len; /* Maximum length of response */
};
#define OCSP_MAX_RESP_LENGTH (100 * 1024)
#define OCSP_MAX_LINE_LEN 4096;
/* OCSP states */
/* If set no reading should be performed */
#define OHS_NOREAD 0x1000
/* Error condition */
#define OHS_ERROR (0 | OHS_NOREAD)
/* First line being read */
#define OHS_FIRSTLINE 1
/* MIME headers being read */
#define OHS_HEADERS 2
/* OCSP initial header (tag + length) being read */
#define OHS_ASN1_HEADER 3
/* OCSP content octets being read */
#define OHS_ASN1_CONTENT 4
/* First call: ready to start I/O */
#define OHS_ASN1_WRITE_INIT (5 | OHS_NOREAD)
/* Request being sent */
#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
/* Request being flushed */
#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
/* Completed */
#define OHS_DONE (8 | OHS_NOREAD)
/* Headers set, no final \r\n included */
#define OHS_HTTP_HEADER (9 | OHS_NOREAD)
static int parse_http_line1(char *line);
OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
{
OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
if (rctx == NULL)
return NULL;
rctx->state = OHS_ERROR;
rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
rctx->mem = BIO_new(BIO_s_mem());
rctx->io = io;
if (maxline > 0)
rctx->iobuflen = maxline;
else
rctx->iobuflen = OCSP_MAX_LINE_LEN;
rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
if (rctx->iobuf == NULL || rctx->mem == NULL) {
OCSP_REQ_CTX_free(rctx);
return NULL;
}
return rctx;
}
void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
{
if (!rctx)
return;
BIO_free(rctx->mem);
OPENSSL_free(rctx->iobuf);
OPENSSL_free(rctx);
}
BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx)
{
return rctx->mem;
}
void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len)
{
if (len == 0)
rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
else
rctx->max_resp_len = len;
}
int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val)
{
static const char req_hdr[] =
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n\r\n";
int reqlen = ASN1_item_i2d(val, NULL, it);
if (BIO_printf(rctx->mem, req_hdr, reqlen) <= 0)
return 0;
if (ASN1_item_i2d_bio(it, rctx->mem, val) <= 0)
return 0;
rctx->state = OHS_ASN1_WRITE_INIT;
return 1;
}
int OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx,
ASN1_VALUE **pval, const ASN1_ITEM *it)
{
int rv, len;
const unsigned char *p;
rv = OCSP_REQ_CTX_nbio(rctx);
if (rv != 1)
return rv;
len = BIO_get_mem_data(rctx->mem, &p);
*pval = ASN1_item_d2i(NULL, &p, len, it);
if (*pval == NULL) {
rctx->state = OHS_ERROR;
return 0;
}
return 1;
}
int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, const char *op, const char *path)
{
static const char http_hdr[] = "%s %s HTTP/1.0\r\n";
if (path == NULL)
path = "/";
if (BIO_printf(rctx->mem, http_hdr, op, path) <= 0)
return 0;
rctx->state = OHS_HTTP_HEADER;
return 1;
}
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
{
return OCSP_REQ_CTX_i2d(rctx, ASN1_ITEM_rptr(OCSP_REQUEST),
(ASN1_VALUE *)req);
}
int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
const char *name, const char *value)
{
if (!name)
return 0;
if (BIO_puts(rctx->mem, name) <= 0)
return 0;
if (value) {
if (BIO_write(rctx->mem, ": ", 2) != 2)
return 0;
if (BIO_puts(rctx->mem, value) <= 0)
return 0;
}
if (BIO_write(rctx->mem, "\r\n", 2) != 2)
return 0;
rctx->state = OHS_HTTP_HEADER;
return 1;
}
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
int maxline)
{
OCSP_REQ_CTX *rctx = NULL;
rctx = OCSP_REQ_CTX_new(io, maxline);
if (rctx == NULL)
return NULL;
if (!OCSP_REQ_CTX_http(rctx, "POST", path))
goto err;
if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
goto err;
return rctx;
err:
OCSP_REQ_CTX_free(rctx);
return NULL;
}
/*
* Parse the HTTP response. This will look like this: "HTTP/1.0 200 OK". We
* need to obtain the numeric code and (optional) informational message.
*/
static int parse_http_line1(char *line)
{
int retcode;
char *p, *q, *r;
/* Skip to first white space (passed protocol info) */
for (p = line; *p && !ossl_isspace(*p); p++)
continue;
if (*p == '\0') {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
}
/* Skip past white space to start of response code */
while (*p && ossl_isspace(*p))
p++;
if (*p == '\0') {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
}
/* Find end of response code: first whitespace after start of code */
for (q = p; *q && !ossl_isspace(*q); q++)
continue;
if (*q == '\0') {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
return 0;
}
/* Set end of response code and start of message */
*q++ = 0;
/* Attempt to parse numeric code */
retcode = strtoul(p, &r, 10);
if (*r)
return 0;
/* Skip over any leading white space in message */
while (*q && ossl_isspace(*q))
q++;
if (*q) {
/*
* Finally zap any trailing white space in message (include CRLF)
*/
/* We know q has a non white space character so this is OK */
for (r = q + strlen(q) - 1; ossl_isspace(*r); r--)
*r = 0;
}
if (retcode != 200) {
OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
if (*q == '\0')
ERR_add_error_data(2, "Code=", p);
else
ERR_add_error_data(4, "Code=", p, ",Reason=", q);
return 0;
}
return 1;
}
int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx)
{
int i, n;
const unsigned char *p;
next_io:
if (!(rctx->state & OHS_NOREAD)) {
n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
if (n <= 0) {
if (BIO_should_retry(rctx->io))
return -1;
return 0;
}
/* Write data to memory BIO */
if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
return 0;
}
switch (rctx->state) {
case OHS_HTTP_HEADER:
/* Last operation was adding headers: need a final \r\n */
if (BIO_write(rctx->mem, "\r\n", 2) != 2) {
rctx->state = OHS_ERROR;
return 0;
}
rctx->state = OHS_ASN1_WRITE_INIT;
/* fall thru */
case OHS_ASN1_WRITE_INIT:
rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
rctx->state = OHS_ASN1_WRITE;
/* fall thru */
case OHS_ASN1_WRITE:
n = BIO_get_mem_data(rctx->mem, &p);
i = BIO_write(rctx->io, p + (n - rctx->asn1_len), rctx->asn1_len);
if (i <= 0) {
if (BIO_should_retry(rctx->io))
return -1;
rctx->state = OHS_ERROR;
return 0;
}
rctx->asn1_len -= i;
if (rctx->asn1_len > 0)
goto next_io;
rctx->state = OHS_ASN1_FLUSH;
(void)BIO_reset(rctx->mem);
/* fall thru */
case OHS_ASN1_FLUSH:
i = BIO_flush(rctx->io);
if (i > 0) {
rctx->state = OHS_FIRSTLINE;
goto next_io;
}
if (BIO_should_retry(rctx->io))
return -1;
rctx->state = OHS_ERROR;
return 0;
case OHS_ERROR:
return 0;
case OHS_FIRSTLINE:
case OHS_HEADERS:
/* Attempt to read a line in */
next_line:
/*
* Due to &%^*$" memory BIO behaviour with BIO_gets we have to check
* there's a complete line in there before calling BIO_gets or we'll
* just get a partial read.
*/
n = BIO_get_mem_data(rctx->mem, &p);
if ((n <= 0) || !memchr(p, '\n', n)) {
if (n >= rctx->iobuflen) {
rctx->state = OHS_ERROR;
return 0;
}
goto next_io;
}
n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
if (n <= 0) {
if (BIO_should_retry(rctx->mem))
goto next_io;
rctx->state = OHS_ERROR;
return 0;
}
/* Don't allow excessive lines */
if (n == rctx->iobuflen) {
rctx->state = OHS_ERROR;
return 0;
}
/* First line */
if (rctx->state == OHS_FIRSTLINE) {
if (parse_http_line1((char *)rctx->iobuf)) {
rctx->state = OHS_HEADERS;
goto next_line;
} else {