openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock 

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17226)
This commit is contained in:
Dr. David von Oheimb 2021-12-07 07:32:12 +01:00 committed by Dr. David von Oheimb
parent c50bf14450
commit 83b424c3f6
2 changed files with 102 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
apps/cmp.c
View File

@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
/* This app is disabled when OPENSSL_NO_CMP is defined. */
#include <string.h>
#include <ctype.h>
@ -66,12 +68,13 @@ typedef enum {
} cmp_cmd_t;
/* message transfer */
#ifndef OPENSSL_NO_SOCK
static char *opt_server = NULL;
static char server_port[32] = { '\0' };
static char *opt_path = NULL;
static char *opt_proxy = NULL;
static char *opt_no_proxy = NULL;
#endif
static char *opt_recipient = NULL;
static char *opt_path = NULL;
static int opt_keep_alive = 1;
static int opt_msg_timeout = -1;
static int opt_total_timeout = -1;
@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
static char *opt_otherpass = NULL;
static char *opt_engine = NULL;
#ifndef OPENSSL_NO_SOCK
/* TLS connection */
static int opt_tls_used = 0;
static char *opt_tls_cert = NULL;
@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
static char *opt_tls_extra = NULL;
static char *opt_tls_trusted = NULL;
static char *opt_tls_host = NULL;
#endif
/* client-side debugging */
static int opt_batch = 0;
@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
/* server-side debugging */
#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL;
static int opt_max_msgs = 0;
#endif
static char *opt_srv_ref = NULL;
static char *opt_srv_secret = NULL;
static char *opt_srv_cert = NULL;
@ -204,8 +210,10 @@ typedef enum OPTION_choice {
OPT_OLDCERT, OPT_REVREASON,
OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY,
OPT_RECIPIENT,
#ifndef OPENSSL_NO_SOCK
OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
#endif
OPT_RECIPIENT, OPT_PATH,
OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@ -225,15 +233,19 @@ typedef enum OPTION_choice {
OPT_PROV_ENUM,
OPT_R_ENUM,
#ifndef OPENSSL_NO_SOCK
OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
OPT_TLS_KEYPASS,
OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
#endif
OPT_BATCH, OPT_REPEAT,
OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
OPT_USE_MOCK_SRV,
#ifndef OPENSSL_NO_SOCK
OPT_PORT, OPT_MAX_MSGS,
#endif
OPT_SRV_REF, OPT_SRV_SECRET,
OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
"0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
OPT_SECTION("Message transfer"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
#else
{"server", OPT_SERVER, 's',
"[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
{OPT_MORE_STR, 0, 0,
"address may be a DNS name or an IP address; path can be overridden by -path"},
{"path", OPT_PATH, 's',
"HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
{"proxy", OPT_PROXY, 's',
"[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
#endif
{"recipient", OPT_RECIPIENT, 's',
"DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
{"path", OPT_PATH, 's',
"HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
{"keep_alive", OPT_KEEP_ALIVE, 'N',
"Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"},
{"msg_timeout", OPT_MSG_TIMEOUT, 'N',
@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
OPT_R_OPTIONS,
OPT_SECTION("TLS connection"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
#else
{"tls_used", OPT_TLS_USED, '-',
"Enable using TLS (also when other TLS options are not set)"},
{"tls_cert", OPT_TLS_CERT, 's',
@ -434,6 +455,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0, "this implies host name validation"},
{"tls_host", OPT_TLS_HOST, 's',
"Address to be checked (rather than -server) during TLS host name validation"},
#endif
OPT_SECTION("Client-side debugging"),
{"batch", OPT_BATCH, '-',
@ -451,9 +473,14 @@ const OPTIONS cmp_options[] = {
{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"},
OPT_SECTION("Mock server"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -port and -max_msgs not supported due to no-sock build"},
#else
{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"},
{"max_msgs", OPT_MAX_MSGS, 'N',
"max number of messages handled by HTTP mock server. Default: 0 = unlimited"},
#endif
{"srv_ref", OPT_SRV_REF, 's',
"Reference value to use as senderKID of server in case no -srv_cert is given"},
@ -532,8 +559,10 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
{&opt_oldcert}, {(char **)&opt_revreason},
{&opt_server}, {&opt_path}, {&opt_proxy}, {&opt_no_proxy},
{&opt_recipient}, {(char **)&opt_keep_alive},
#ifndef OPENSSL_NO_SOCK
{&opt_server}, {&opt_proxy}, {&opt_no_proxy},
#endif
{&opt_recipient}, {&opt_path}, {(char **)&opt_keep_alive},
{(char **)&opt_msg_timeout}, {(char **)&opt_total_timeout},
{&opt_trusted}, {&opt_untrusted}, {&opt_srvcert},
@ -552,15 +581,20 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
{&opt_engine},
#endif
#ifndef OPENSSL_NO_SOCK
{(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key},
{&opt_tls_keypass},
{&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host},
#endif
{(char **)&opt_batch}, {(char **)&opt_repeat},
{&opt_reqin}, {(char **)&opt_reqin_new_tid},
{&opt_reqout}, {&opt_rspin}, {&opt_rspout},
{(char **)&opt_use_mock_srv}, {&opt_port}, {(char **)&opt_max_msgs},
{(char **)&opt_use_mock_srv},
#ifndef OPENSSL_NO_SOCK
{&opt_port}, {(char **)&opt_max_msgs},
#endif
{&opt_srv_ref}, {&opt_srv_secret},
{&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
{&opt_srv_trusted}, {&opt_srv_untrusted},
@ -1326,7 +1360,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
SSL_CTX_free(ssl_ctx);
return NULL;
}
#endif
#endif /* OPENSSL_NO_SOCK */
/*
* set up protection aspects of OSSL_CMP_CTX based on options from config
@ -1765,12 +1799,16 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
int ret = 0;
char *host = NULL, *port = NULL, *path = NULL, *used_path;
char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
#ifndef OPENSSL_NO_SOCK
int portnum, ssl;
static char server_port[32] = { '\0' };
const char *proxy_host = NULL;
#endif
char server_buf[200] = { '\0' };
char proxy_buf[200] = { '\0' };
const char *proxy_host = NULL;
#ifndef OPENSSL_NO_SOCK
if (opt_server == NULL) {
CMP_err("missing -server option");
goto err;
@ -1784,11 +1822,12 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_err("missing -tls_used option since -server URL indicates https");
goto err;
}
BIO_snprintf(server_port, sizeof(server_port), "%s", port);
used_path = opt_path != NULL ? opt_path : path;
if (opt_path == NULL)
used_path = path;
if (!OSSL_CMP_CTX_set1_server(ctx, host)
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum)
|| !OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum))
goto oom;
if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy))
goto oom;
@ -1802,6 +1841,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (proxy_host != NULL)
(void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host);
#endif
if (!OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom;
if (!transform_opts())
goto err;
@ -1842,16 +1885,13 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|| opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv)
(void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp);
#ifndef OPENSSL_NO_SOCK
if ((opt_tls_cert != NULL || opt_tls_key != NULL
|| opt_tls_keypass != NULL || opt_tls_extra != NULL
|| opt_tls_trusted != NULL || opt_tls_host != NULL)
&& !opt_tls_used)
CMP_warn("TLS options(s) given but not -tls_used");
if (opt_tls_used) {
#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err, "Cannot use TLS - sockets not supported\n");
goto err;
#else
APP_HTTP_TLS_INFO *info;
if (opt_tls_cert != NULL
@ -1880,8 +1920,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
#endif
}
#endif
if (!setup_protection_ctx(ctx, engine))
goto err;
@ -2237,6 +2277,7 @@ static int get_opts(int argc, char **argv)
if (!set_verbosity(opt_int_arg()))
goto opthelp;
break;
#ifndef OPENSSL_NO_SOCK
case OPT_SERVER:
opt_server = opt_str();
break;
@ -2246,12 +2287,13 @@ static int get_opts(int argc, char **argv)
case OPT_NO_PROXY:
opt_no_proxy = opt_str();
break;
case OPT_PATH:
opt_path = opt_str();
break;
#endif
case OPT_RECIPIENT:
opt_recipient = opt_str();
break;
case OPT_PATH:
opt_path = opt_str();
break;
case OPT_KEEP_ALIVE:
opt_keep_alive = opt_int_arg();
if (opt_keep_alive > 2) {
@ -2265,6 +2307,7 @@ static int get_opts(int argc, char **argv)
case OPT_TOTAL_TIMEOUT:
opt_total_timeout = opt_int_arg();
break;
#ifndef OPENSSL_NO_SOCK
case OPT_TLS_USED:
opt_tls_used = 1;
break;
@ -2286,6 +2329,8 @@ static int get_opts(int argc, char **argv)
case OPT_TLS_HOST:
opt_tls_host = opt_str();
break;
#endif
case OPT_REF:
opt_ref = opt_str();
break;
@ -2474,12 +2519,15 @@ static int get_opts(int argc, char **argv)
case OPT_USE_MOCK_SRV:
opt_use_mock_srv = 1;
break;
#ifndef OPENSSL_NO_SOCK
case OPT_PORT:
opt_port = opt_str();
break;
case OPT_MAX_MSGS:
opt_max_msgs = opt_int_arg();
break;
#endif
case OPT_SRV_REF:
opt_srv_ref = opt_str();
break;
@ -2642,7 +2690,9 @@ int cmp_main(int argc, char **argv)
int i;
X509 *newcert = NULL;
ENGINE *engine = NULL;
#ifndef OPENSSL_NO_SOCK
char mock_server[] = "mock server:1";
#endif
OSSL_CMP_CTX *srv_cmp_ctx = NULL;
int ret = 0; /* default: failure */
@ -2733,6 +2783,7 @@ int cmp_main(int argc, char **argv)
}
}
#ifndef OPENSSL_NO_SOCK
if (opt_port != NULL) {
if (opt_use_mock_srv) {
CMP_err("cannot use both -port and -use_mock_srv options");
@ -2743,6 +2794,7 @@ int cmp_main(int argc, char **argv)
goto err;
}
}
#endif
cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq());
if (cmp_ctx == NULL)
@ -2752,7 +2804,11 @@ int cmp_main(int argc, char **argv)
CMP_err1("cannot set up error reporting and logging for %s", prog);
goto err;
}
if ((opt_use_mock_srv || opt_port != NULL)) {
if (opt_use_mock_srv
#ifndef OPENSSL_NO_SOCK
|| opt_port != NULL
#endif
) {
OSSL_CMP_SRV_CTX *srv_ctx;
if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
@ -2767,17 +2823,16 @@ int cmp_main(int argc, char **argv)
}
#ifndef OPENSSL_NO_SOCK
if (opt_port != NULL) { /* act as very basic CMP HTTP server */
#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err, "Cannot act as server - sockets not supported\n");
#else
ret = cmp_server(srv_cmp_ctx);
#endif
goto err;
}
#endif
/* else act as CMP client */
if (opt_use_mock_srv) {
#ifndef OPENSSL_NO_SOCK
if (opt_server != NULL) {
CMP_err("cannot use both -use_mock_srv and -server options");
goto err;
@ -2788,6 +2843,7 @@ int cmp_main(int argc, char **argv)
}
opt_server = mock_server;
opt_proxy = "API";
#endif
}
if (!setup_client_ctx(cmp_ctx, engine)) {
@ -2852,7 +2908,14 @@ int cmp_main(int argc, char **argv)
const char *string =
OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf,
OSSL_CMP_PKISI_BUFLEN);
const char *from = "", *server = "";
#ifndef OPENSSL_NO_SOCK
if (opt_server != NULL) {
from = " from ";
server = opt_server;
}
#endif
CMP_print(bio_err,
status == OSSL_CMP_PKISTATUS_accepted
? OSSL_CMP_LOG_INFO :
@ -2863,8 +2926,8 @@ int cmp_main(int argc, char **argv)
status == OSSL_CMP_PKISTATUS_rejection ? "server error" :
status == OSSL_CMP_PKISTATUS_waiting ? "internal error"
: "warning",
"received from %s %s %s", opt_server,
string != NULL ? string : "<unknown PKIStatus>", "");
"received%s%s %s", from, server,
string != NULL ? string : "<unknown PKIStatus>");
OPENSSL_free(buf);
}
@ -2901,7 +2964,9 @@ int cmp_main(int argc, char **argv)
cleanse(opt_keypass);
cleanse(opt_newkeypass);
cleanse(opt_otherpass);
#ifndef OPENSSL_NO_SOCK
cleanse(opt_tls_keypass);
#endif
cleanse(opt_secret);
cleanse(opt_srv_keypass);
cleanse(opt_srv_secret);

12
doc/man1/openssl-cmp.pod.in
View File

@ -48,10 +48,10 @@ Certificate enrollment and revocation options:
Message transfer options:
[B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
[B<-path> I<remote_path>]
[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
[B<-no_proxy> I<addresses>]
[B<-recipient> I<name>]
[B<-path> I<remote_path>]
[B<-keep_alive> I<value>]
[B<-msg_timeout> I<seconds>]
[B<-total_timeout> I<seconds>]
@ -449,11 +449,6 @@ The optional userinfo and fragment components are ignored.
Any given query component is handled as part of the path component.
If a path is included it provides the default value for the B<-path> option.
=item B<-path> I<remote_path>
HTTP path at the CMP server (aka CMP alias) to use for POST requests.
Defaults to any path given with B<-server>, else C<"/">.
=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
@ -488,6 +483,11 @@ as far as any of those is present, else the NULL-DN as last resort.
The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
For details see the description of the B<-subject> option.
=item B<-path> I<remote_path>
HTTP path at the CMP server (aka CMP alias) to use for POST requests.
Defaults to any path given with B<-server>, else C<"/">.
=item B<-keep_alive> I<value>
If the given value is 0 then HTTP connections are not kept open