mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-03 05:41:46 +08:00
Code Issues Packages Projects Releases Wiki Activity

APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock

Browse Source 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17226)
This commit is contained in:
Dr. David von Oheimb 2021-12-07 07:32:12 +01:00 committed by Dr. David von Oheimb
parent c50bf14450
commit 83b424c3f6
2 changed files with 102 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
apps/cmp.c
View File

@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
/* This app is disabled when OPENSSL_NO_CMP is defined. */
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
@ -66,12 +68,13 @@ typedef enum {
} cmp_cmd_t; } cmp_cmd_t;
/* message transfer */ /* message transfer */
#ifndef OPENSSL_NO_SOCK
static char *opt_server = NULL; static char *opt_server = NULL;
static char server_port[32] = { '\0' };
static char *opt_path = NULL;
static char *opt_proxy = NULL; static char *opt_proxy = NULL;
static char *opt_no_proxy = NULL; static char *opt_no_proxy = NULL;
#endif
static char *opt_recipient = NULL; static char *opt_recipient = NULL;
static char *opt_path = NULL;
static int opt_keep_alive = 1; static int opt_keep_alive = 1;
static int opt_msg_timeout = -1; static int opt_msg_timeout = -1;
static int opt_total_timeout = -1; static int opt_total_timeout = -1;
@ -137,6 +140,7 @@ static int opt_keyform = FORMAT_UNDEF;
static char *opt_otherpass = NULL; static char *opt_otherpass = NULL;
static char *opt_engine = NULL; static char *opt_engine = NULL;
#ifndef OPENSSL_NO_SOCK
/* TLS connection */ /* TLS connection */
static int opt_tls_used = 0; static int opt_tls_used = 0;
static char *opt_tls_cert = NULL; static char *opt_tls_cert = NULL;
@ -145,6 +149,7 @@ static char *opt_tls_keypass = NULL;
static char *opt_tls_extra = NULL; static char *opt_tls_extra = NULL;
static char *opt_tls_trusted = NULL; static char *opt_tls_trusted = NULL;
static char *opt_tls_host = NULL; static char *opt_tls_host = NULL;
#endif
/* client-side debugging */ /* client-side debugging */
static int opt_batch = 0; static int opt_batch = 0;
@ -157,9 +162,10 @@ static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0; static int opt_use_mock_srv = 0;
/* server-side debugging */ /* server-side debugging */
#ifndef OPENSSL_NO_SOCK
static char *opt_port = NULL; static char *opt_port = NULL;
static int opt_max_msgs = 0; static int opt_max_msgs = 0;
#endif
static char *opt_srv_ref = NULL; static char *opt_srv_ref = NULL;
static char *opt_srv_secret = NULL; static char *opt_srv_secret = NULL;
static char *opt_srv_cert = NULL; static char *opt_srv_cert = NULL;
@ -204,8 +210,10 @@ typedef enum OPTION_choice {
OPT_OLDCERT, OPT_REVREASON, OPT_OLDCERT, OPT_REVREASON,
OPT_SERVER, OPT_PATH, OPT_PROXY, OPT_NO_PROXY, #ifndef OPENSSL_NO_SOCK
OPT_RECIPIENT, OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
#endif
OPT_RECIPIENT, OPT_PATH,
OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT, OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT, OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
@ -225,15 +233,19 @@ typedef enum OPTION_choice {
OPT_PROV_ENUM, OPT_PROV_ENUM,
OPT_R_ENUM, OPT_R_ENUM,
#ifndef OPENSSL_NO_SOCK
OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY, OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
OPT_TLS_KEYPASS, OPT_TLS_KEYPASS,
OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST, OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
#endif
OPT_BATCH, OPT_REPEAT, OPT_BATCH, OPT_REPEAT,
OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT, OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
OPT_USE_MOCK_SRV, OPT_USE_MOCK_SRV,
#ifndef OPENSSL_NO_SOCK
OPT_PORT, OPT_MAX_MSGS, OPT_PORT, OPT_MAX_MSGS,
#endif
OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_REF, OPT_SRV_SECRET,
OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
@ -331,20 +343,25 @@ const OPTIONS cmp_options[] = {
"0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"}, "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
OPT_SECTION("Message transfer"), OPT_SECTION("Message transfer"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
#else
{"server", OPT_SERVER, 's', {"server", OPT_SERVER, 's',
"[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."}, "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
{OPT_MORE_STR, 0, 0, {OPT_MORE_STR, 0, 0,
"address may be a DNS name or an IP address; path can be overridden by -path"}, "address may be a DNS name or an IP address; path can be overridden by -path"},
{"path", OPT_PATH, 's',
"HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
{"proxy", OPT_PROXY, 's', {"proxy", OPT_PROXY, 's',
"[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"}, "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"},
{"no_proxy", OPT_NO_PROXY, 's', {"no_proxy", OPT_NO_PROXY, 's',
"List of addresses of servers not to use HTTP(S) proxy for"}, "List of addresses of servers not to use HTTP(S) proxy for"},
{OPT_MORE_STR, 0, 0, {OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"}, "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
#endif
{"recipient", OPT_RECIPIENT, 's', {"recipient", OPT_RECIPIENT, 's',
"DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"}, "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
{"path", OPT_PATH, 's',
"HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
{"keep_alive", OPT_KEEP_ALIVE, 'N', {"keep_alive", OPT_KEEP_ALIVE, 'N',
"Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"}, "Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"},
{"msg_timeout", OPT_MSG_TIMEOUT, 'N', {"msg_timeout", OPT_MSG_TIMEOUT, 'N',
@ -419,6 +436,10 @@ const OPTIONS cmp_options[] = {
OPT_R_OPTIONS, OPT_R_OPTIONS,
OPT_SECTION("TLS connection"), OPT_SECTION("TLS connection"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
#else
{"tls_used", OPT_TLS_USED, '-', {"tls_used", OPT_TLS_USED, '-',
"Enable using TLS (also when other TLS options are not set)"}, "Enable using TLS (also when other TLS options are not set)"},
{"tls_cert", OPT_TLS_CERT, 's', {"tls_cert", OPT_TLS_CERT, 's',
@ -434,6 +455,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0, "this implies host name validation"}, {OPT_MORE_STR, 0, 0, "this implies host name validation"},
{"tls_host", OPT_TLS_HOST, 's', {"tls_host", OPT_TLS_HOST, 's',
"Address to be checked (rather than -server) during TLS host name validation"}, "Address to be checked (rather than -server) during TLS host name validation"},
#endif
OPT_SECTION("Client-side debugging"), OPT_SECTION("Client-side debugging"),
{"batch", OPT_BATCH, '-', {"batch", OPT_BATCH, '-',
@ -451,9 +473,14 @@ const OPTIONS cmp_options[] = {
{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"}, {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"},
OPT_SECTION("Mock server"), OPT_SECTION("Mock server"),
#ifdef OPENSSL_NO_SOCK
{OPT_MORE_STR, 0, 0,
"NOTE: -port and -max_msgs not supported due to no-sock build"},
#else
{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"}, {"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"},
{"max_msgs", OPT_MAX_MSGS, 'N', {"max_msgs", OPT_MAX_MSGS, 'N',
"max number of messages handled by HTTP mock server. Default: 0 = unlimited"}, "max number of messages handled by HTTP mock server. Default: 0 = unlimited"},
#endif
{"srv_ref", OPT_SRV_REF, 's', {"srv_ref", OPT_SRV_REF, 's',
"Reference value to use as senderKID of server in case no -srv_cert is given"}, "Reference value to use as senderKID of server in case no -srv_cert is given"},
@ -532,8 +559,10 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
{&opt_oldcert}, {(char **)&opt_revreason}, {&opt_oldcert}, {(char **)&opt_revreason},
{&opt_server}, {&opt_path}, {&opt_proxy}, {&opt_no_proxy}, #ifndef OPENSSL_NO_SOCK
{&opt_recipient}, {(char **)&opt_keep_alive}, {&opt_server}, {&opt_proxy}, {&opt_no_proxy},
#endif
{&opt_recipient}, {&opt_path}, {(char **)&opt_keep_alive},
{(char **)&opt_msg_timeout}, {(char **)&opt_total_timeout}, {(char **)&opt_msg_timeout}, {(char **)&opt_total_timeout},
{&opt_trusted}, {&opt_untrusted}, {&opt_srvcert}, {&opt_trusted}, {&opt_untrusted}, {&opt_srvcert},
@ -552,15 +581,20 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
{&opt_engine}, {&opt_engine},
#endif #endif
#ifndef OPENSSL_NO_SOCK
{(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key}, {(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key},
{&opt_tls_keypass}, {&opt_tls_keypass},
{&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host}, {&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host},
#endif
{(char **)&opt_batch}, {(char **)&opt_repeat}, {(char **)&opt_batch}, {(char **)&opt_repeat},
{&opt_reqin}, {(char **)&opt_reqin_new_tid}, {&opt_reqin}, {(char **)&opt_reqin_new_tid},
{&opt_reqout}, {&opt_rspin}, {&opt_rspout}, {&opt_reqout}, {&opt_rspin}, {&opt_rspout},
{(char **)&opt_use_mock_srv}, {&opt_port}, {(char **)&opt_max_msgs}, {(char **)&opt_use_mock_srv},
#ifndef OPENSSL_NO_SOCK
{&opt_port}, {(char **)&opt_max_msgs},
#endif
{&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_ref}, {&opt_srv_secret},
{&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
{&opt_srv_trusted}, {&opt_srv_untrusted}, {&opt_srv_trusted}, {&opt_srv_untrusted},
@ -1326,7 +1360,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
SSL_CTX_free(ssl_ctx); SSL_CTX_free(ssl_ctx);
return NULL; return NULL;
} }
#endif #endif /* OPENSSL_NO_SOCK */
/* /*
* set up protection aspects of OSSL_CMP_CTX based on options from config * set up protection aspects of OSSL_CMP_CTX based on options from config
@ -1765,12 +1799,16 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{ {
int ret = 0; int ret = 0;
char *host = NULL, *port = NULL, *path = NULL, *used_path; char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
#ifndef OPENSSL_NO_SOCK
int portnum, ssl; int portnum, ssl;
static char server_port[32] = { '\0' };
const char *proxy_host = NULL;
#endif
char server_buf[200] = { '\0' }; char server_buf[200] = { '\0' };
char proxy_buf[200] = { '\0' }; char proxy_buf[200] = { '\0' };
const char *proxy_host = NULL;
#ifndef OPENSSL_NO_SOCK
if (opt_server == NULL) { if (opt_server == NULL) {
CMP_err("missing -server option"); CMP_err("missing -server option");
goto err; goto err;
@ -1784,11 +1822,12 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_err("missing -tls_used option since -server URL indicates https"); CMP_err("missing -tls_used option since -server URL indicates https");
goto err; goto err;
} }
BIO_snprintf(server_port, sizeof(server_port), "%s", port); BIO_snprintf(server_port, sizeof(server_port), "%s", port);
used_path = opt_path != NULL ? opt_path : path; if (opt_path == NULL)
used_path = path;
if (!OSSL_CMP_CTX_set1_server(ctx, host) if (!OSSL_CMP_CTX_set1_server(ctx, host)
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum) || !OSSL_CMP_CTX_set_serverPort(ctx, portnum))
|| !OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom; goto oom;
if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy)) if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy))
goto oom; goto oom;
@ -1802,6 +1841,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (proxy_host != NULL) if (proxy_host != NULL)
(void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host); (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host);
#endif
if (!OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom;
if (!transform_opts()) if (!transform_opts())
goto err; goto err;
@ -1842,16 +1885,13 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|| opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv) || opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv)
(void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp); (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp);
#ifndef OPENSSL_NO_SOCK
if ((opt_tls_cert != NULL || opt_tls_key != NULL if ((opt_tls_cert != NULL || opt_tls_key != NULL
|| opt_tls_keypass != NULL || opt_tls_extra != NULL || opt_tls_keypass != NULL || opt_tls_extra != NULL
|| opt_tls_trusted != NULL || opt_tls_host != NULL) || opt_tls_trusted != NULL || opt_tls_host != NULL)
&& !opt_tls_used) && !opt_tls_used)
CMP_warn("TLS options(s) given but not -tls_used"); CMP_warn("TLS options(s) given but not -tls_used");
if (opt_tls_used) { if (opt_tls_used) {
#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err, "Cannot use TLS - sockets not supported\n");
goto err;
#else
APP_HTTP_TLS_INFO *info; APP_HTTP_TLS_INFO *info;
if (opt_tls_cert != NULL if (opt_tls_cert != NULL
@ -1880,8 +1920,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (info->ssl_ctx == NULL) if (info->ssl_ctx == NULL)
goto err; goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb); (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
#endif
} }
#endif
if (!setup_protection_ctx(ctx, engine)) if (!setup_protection_ctx(ctx, engine))
goto err; goto err;
@ -2237,6 +2277,7 @@ static int get_opts(int argc, char **argv)
if (!set_verbosity(opt_int_arg())) if (!set_verbosity(opt_int_arg()))
goto opthelp; goto opthelp;
break; break;
#ifndef OPENSSL_NO_SOCK
case OPT_SERVER: case OPT_SERVER:
opt_server = opt_str(); opt_server = opt_str();
break; break;
@ -2246,12 +2287,13 @@ static int get_opts(int argc, char **argv)
case OPT_NO_PROXY: case OPT_NO_PROXY:
opt_no_proxy = opt_str(); opt_no_proxy = opt_str();
break; break;
case OPT_PATH: #endif
opt_path = opt_str();
break;
case OPT_RECIPIENT: case OPT_RECIPIENT:
opt_recipient = opt_str(); opt_recipient = opt_str();
break; break;
case OPT_PATH:
opt_path = opt_str();
break;
case OPT_KEEP_ALIVE: case OPT_KEEP_ALIVE:
opt_keep_alive = opt_int_arg(); opt_keep_alive = opt_int_arg();
if (opt_keep_alive > 2) { if (opt_keep_alive > 2) {
@ -2265,6 +2307,7 @@ static int get_opts(int argc, char **argv)
case OPT_TOTAL_TIMEOUT: case OPT_TOTAL_TIMEOUT:
opt_total_timeout = opt_int_arg(); opt_total_timeout = opt_int_arg();
break; break;
#ifndef OPENSSL_NO_SOCK
case OPT_TLS_USED: case OPT_TLS_USED:
opt_tls_used = 1; opt_tls_used = 1;
break; break;
@ -2286,6 +2329,8 @@ static int get_opts(int argc, char **argv)
case OPT_TLS_HOST: case OPT_TLS_HOST:
opt_tls_host = opt_str(); opt_tls_host = opt_str();
break; break;
#endif
case OPT_REF: case OPT_REF:
opt_ref = opt_str(); opt_ref = opt_str();
break; break;
@ -2474,12 +2519,15 @@ static int get_opts(int argc, char **argv)
case OPT_USE_MOCK_SRV: case OPT_USE_MOCK_SRV:
opt_use_mock_srv = 1; opt_use_mock_srv = 1;
break; break;
#ifndef OPENSSL_NO_SOCK
case OPT_PORT: case OPT_PORT:
opt_port = opt_str(); opt_port = opt_str();
break; break;
case OPT_MAX_MSGS: case OPT_MAX_MSGS:
opt_max_msgs = opt_int_arg(); opt_max_msgs = opt_int_arg();
break; break;
#endif
case OPT_SRV_REF: case OPT_SRV_REF:
opt_srv_ref = opt_str(); opt_srv_ref = opt_str();
break; break;
@ -2642,7 +2690,9 @@ int cmp_main(int argc, char **argv)
int i; int i;
X509 *newcert = NULL; X509 *newcert = NULL;
ENGINE *engine = NULL; ENGINE *engine = NULL;
#ifndef OPENSSL_NO_SOCK
char mock_server[] = "mock server:1"; char mock_server[] = "mock server:1";
#endif
OSSL_CMP_CTX *srv_cmp_ctx = NULL; OSSL_CMP_CTX *srv_cmp_ctx = NULL;
int ret = 0; /* default: failure */ int ret = 0; /* default: failure */
@ -2733,6 +2783,7 @@ int cmp_main(int argc, char **argv)
} }
} }
#ifndef OPENSSL_NO_SOCK
if (opt_port != NULL) { if (opt_port != NULL) {
if (opt_use_mock_srv) { if (opt_use_mock_srv) {
CMP_err("cannot use both -port and -use_mock_srv options"); CMP_err("cannot use both -port and -use_mock_srv options");
@ -2743,6 +2794,7 @@ int cmp_main(int argc, char **argv)
goto err; goto err;
} }
} }
#endif
cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq()); cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq());
if (cmp_ctx == NULL) if (cmp_ctx == NULL)
@ -2752,7 +2804,11 @@ int cmp_main(int argc, char **argv)
CMP_err1("cannot set up error reporting and logging for %s", prog); CMP_err1("cannot set up error reporting and logging for %s", prog);
goto err; goto err;
} }
if ((opt_use_mock_srv || opt_port != NULL)) { if (opt_use_mock_srv
#ifndef OPENSSL_NO_SOCK
|| opt_port != NULL
#endif
) {
OSSL_CMP_SRV_CTX *srv_ctx; OSSL_CMP_SRV_CTX *srv_ctx;
if ((srv_ctx = setup_srv_ctx(engine)) == NULL) if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
@ -2767,17 +2823,16 @@ int cmp_main(int argc, char **argv)
} }
#ifndef OPENSSL_NO_SOCK
if (opt_port != NULL) { /* act as very basic CMP HTTP server */ if (opt_port != NULL) { /* act as very basic CMP HTTP server */
#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err, "Cannot act as server - sockets not supported\n");
#else
ret = cmp_server(srv_cmp_ctx); ret = cmp_server(srv_cmp_ctx);
#endif
goto err; goto err;
} }
#endif
/* else act as CMP client */ /* else act as CMP client */
if (opt_use_mock_srv) { if (opt_use_mock_srv) {
#ifndef OPENSSL_NO_SOCK
if (opt_server != NULL) { if (opt_server != NULL) {
CMP_err("cannot use both -use_mock_srv and -server options"); CMP_err("cannot use both -use_mock_srv and -server options");
goto err; goto err;
@ -2788,6 +2843,7 @@ int cmp_main(int argc, char **argv)
} }
opt_server = mock_server; opt_server = mock_server;
opt_proxy = "API"; opt_proxy = "API";
#endif
} }
if (!setup_client_ctx(cmp_ctx, engine)) { if (!setup_client_ctx(cmp_ctx, engine)) {
@ -2852,7 +2908,14 @@ int cmp_main(int argc, char **argv)
const char *string = const char *string =
OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf,
OSSL_CMP_PKISI_BUFLEN); OSSL_CMP_PKISI_BUFLEN);
const char *from = "", *server = "";
#ifndef OPENSSL_NO_SOCK
if (opt_server != NULL) {
from = " from ";
server = opt_server;
}
#endif
CMP_print(bio_err, CMP_print(bio_err,
status == OSSL_CMP_PKISTATUS_accepted status == OSSL_CMP_PKISTATUS_accepted
? OSSL_CMP_LOG_INFO : ? OSSL_CMP_LOG_INFO :
@ -2863,8 +2926,8 @@ int cmp_main(int argc, char **argv)
status == OSSL_CMP_PKISTATUS_rejection ? "server error" : status == OSSL_CMP_PKISTATUS_rejection ? "server error" :
status == OSSL_CMP_PKISTATUS_waiting ? "internal error" status == OSSL_CMP_PKISTATUS_waiting ? "internal error"
: "warning", : "warning",
"received from %s %s %s", opt_server, "received%s%s %s", from, server,
string != NULL ? string : "<unknown PKIStatus>", ""); string != NULL ? string : "<unknown PKIStatus>");
OPENSSL_free(buf); OPENSSL_free(buf);
} }
@ -2901,7 +2964,9 @@ int cmp_main(int argc, char **argv)
cleanse(opt_keypass); cleanse(opt_keypass);
cleanse(opt_newkeypass); cleanse(opt_newkeypass);
cleanse(opt_otherpass); cleanse(opt_otherpass);
#ifndef OPENSSL_NO_SOCK
cleanse(opt_tls_keypass); cleanse(opt_tls_keypass);
#endif
cleanse(opt_secret); cleanse(opt_secret);
cleanse(opt_srv_keypass); cleanse(opt_srv_keypass);
cleanse(opt_srv_secret); cleanse(opt_srv_secret);

12
doc/man1/openssl-cmp.pod.in
View File

@ -48,10 +48,10 @@ Certificate enrollment and revocation options:
Message transfer options: Message transfer options:
[B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] [B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
[B<-path> I<remote_path>]
[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
[B<-no_proxy> I<addresses>] [B<-no_proxy> I<addresses>]
[B<-recipient> I<name>] [B<-recipient> I<name>]
[B<-path> I<remote_path>]
[B<-keep_alive> I<value>] [B<-keep_alive> I<value>]
[B<-msg_timeout> I<seconds>] [B<-msg_timeout> I<seconds>]
[B<-total_timeout> I<seconds>] [B<-total_timeout> I<seconds>]
@ -449,11 +449,6 @@ The optional userinfo and fragment components are ignored.
Any given query component is handled as part of the path component. Any given query component is handled as part of the path component.
If a path is included it provides the default value for the B<-path> option. If a path is included it provides the default value for the B<-path> option.
=item B<-path> I<remote_path>
HTTP path at the CMP server (aka CMP alias) to use for POST requests.
Defaults to any path given with B<-server>, else C<"/">.
=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
@ -488,6 +483,11 @@ as far as any of those is present, else the NULL-DN as last resort.
The argument must be formatted as I</type0=value0/type1=value1/type2=...>. The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
For details see the description of the B<-subject> option. For details see the description of the B<-subject> option.
=item B<-path> I<remote_path>
HTTP path at the CMP server (aka CMP alias) to use for POST requests.
Defaults to any path given with B<-server>, else C<"/">.
=item B<-keep_alive> I<value> =item B<-keep_alive> I<value>
If the given value is 0 then HTTP connections are not kept open If the given value is 0 then HTTP connections are not kept open