Commit Graph

94 Commits

Author SHA1 Message Date
Matt Caswell
c631378058 Use the new ASN.1 libctx aware capabilities in CMP
Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Pauli
db70dc2cda apps: remove TODOs
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)
2021-06-02 16:30:15 +10:00
Dr. David von Oheimb
a37dbb466c apps/cmp.c: Move CMP server code portion to separate function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15343)
2021-05-20 16:23:26 +02:00
Dr. David von Oheimb
9be5f9a869 Move ossl_sleep() to e_os.h and use it in apps
Fixes #15304

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15308)
2021-05-18 14:49:33 +02:00
Dr. David von Oheimb
e2c38c1a4e http_client.c: Rename internal fields and functions for consistency
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
19f97fe6f1 HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.

For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.

If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.

This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.

Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.

Update the documentation and extend the tests accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
cc1af4dbfe HTTP test server: Improve connection management and logging
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Tomas Mraz
d382e79632 Make the -inform option to be respected if possible
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Dr. David von Oheimb
b0f960189b APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Dr. David von Oheimb
284076982d APPS: Slightly extend and improve documentation of the opt_ API
Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Pauli
f4585aeca9 runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.
Fixes #15054

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15055)
2021-04-29 17:41:20 +10:00
Dr. David von Oheimb
d830526c71 APPS: Improve diagnostics for string options and options expecting int >= 0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)
2021-04-24 18:54:32 +02:00
Dr. David von Oheimb
ef203432f7 apps/cmp.c and APP_HTTP_TLS_INFO: Fix use-after-free and add proper free() function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14971)
2021-04-22 20:39:00 +02:00
Dr. David von Oheimb
4e030ed45d apps/cmp.c: Fix double free on OSSL_CMP_CTX_set1_p10CSR() failure
Fixes #14910
Also slightly improve further error handling of setup_request_ctx().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14929)
2021-04-21 07:23:20 +02:00
Tanzinul Islam
96d4ec6724 Avoid more MSVC-specific C runtime library functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00
Dr. David von Oheimb
44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)
2021-04-17 11:39:12 +02:00
Dr. David von Oheimb
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce generation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14842)
2021-04-14 17:03:11 +02:00
Dr. David von Oheimb
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14841)
2021-04-14 16:51:11 +02:00
Dr. David von Oheimb
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14840)
2021-04-14 16:48:27 +02:00
Nan Xiao
1ac64327df Remove unnecessary setting SSL_MODE_AUTO_RETRY
Since SSL_MODE_AUTO_RETRY is enabled by default, no need to set
it explicitly.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14742)
2021-04-07 13:02:37 +02:00
Dr. David von Oheimb
f62846b703 apps/ts.c: Allow -untrusted arg to refer to multiple sources
This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
2021-03-13 11:16:13 +01:00
Dr. David von Oheimb
6bbff162f1 openssl-cmp.pod.in and apps/cmp.c: Various minor do improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14493)
2021-03-11 15:28:05 +01:00
Dr. David von Oheimb
dd5fa5f5af CMP: On NULL-DN subject or issuer input omit field in cert template
Also improve diagnostics on inconsistent cert request input in apps/cmp.c,
add trace output for transactionIDs on new sessions,
and update the documentation in openssl-cmp.pod.in.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14018)
2021-03-02 11:05:34 +01:00
Dr. David von Oheimb
7932982b88 OSSL_HTTP_parse_url(): Handle any userinfo, query, and fragment components
Now handle [http[s]://][userinfo@]host[:port][/path][?query][#frag]
by optionally providing any userinfo, query, and frag components.

All usages of this function, which are client-only,
silently ignore userinfo and frag components,
while the query component is taken as part of the path.
Update and extend the unit tests and all affected documentation.
Document and deprecat OCSP_parse_url().

Fixes an issue that came up when discussing FR #14001.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14009)
2021-03-01 10:30:43 +01:00
Dr. David von Oheimb
5e128ed120 CMP: Fix total_timeout behavior; small doc and diagnostic improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14019)
2021-02-19 16:58:22 +01:00
Dr. David von Oheimb
b51bed05c2 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
Also improve doc how the -reqexts option affects the CSR given with the -csr option.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
2021-02-17 17:13:32 +01:00
Dr. David von Oheimb
03da39a768 apps/cmp.c: check and exit on engine load error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13551)
2021-02-04 07:25:14 +01:00
Richard Levitte
4333b89f50 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
2021-01-28 13:54:57 +01:00
Dr. David von Oheimb
3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages
Also update documentation regarding sources of certs and keys,
improve type of OSSL_CMP_exec_RR_ses(),
add tests for CSR-based cert revocation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
2021-01-21 17:53:26 +01:00
Dr. David von Oheimb
6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
2021-01-21 17:53:26 +01:00
Dr. David von Oheimb
92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
2021-01-21 17:53:26 +01:00
Dr. David von Oheimb
3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13799)
2021-01-11 19:39:49 +01:00
Dr. David von Oheimb
b36d6a5ef8 apps/cmp.c: Correct -keyform option range w.r.t engine
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13690)
2020-12-17 21:06:10 +01:00
Dr. David von Oheimb
f6d3359d65 apps/cmp.c: Fix bug on -path option introduced in commit 3c9d6266ed
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13690)
2020-12-17 21:06:10 +01:00
Rich Salz
021410ea3f Check non-option arguments
Make sure all commands check to see if there are any "extra" arguments
after the options, and print an error if so.

Made all error messages consistent (which is to say, minimal).

Fixes: #13527

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13563)
2020-12-15 11:47:17 +01:00
Richard Levitte
f91d003a0e APPS: Adapt load_key() and load_pubkey() for the engine: loader
These two functions react when the FORMAT_ENGINE format is given, and
use the passed ENGINE |e| and the passed key argument to form a URI
suitable for the engine: loader.

Co-authored-by: David von Oheimb <david.von.oheimb@siemens.com>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13570)
2020-12-02 20:19:31 +01:00
Richard Levitte
467f441bc6 APPS: Modify apps/cmp.c to use set_base_ui_method() for its -batch option
Fixes #13511

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13512)
2020-11-26 17:04:21 +01:00
Dr. David von Oheimb
931d5b4b27 apps/cmp.c: fix crash with -batch option on OPENSSL_NO_UI_CONSOLE
Also make clear we cannot use get_ui_method() at this point.

Fixes #13494

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13497)
2020-11-25 13:33:50 +01:00
Dr. David von Oheimb
68f9d9223b apps/cmp.c: Improve description of key loaded due to -newkew option
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13497)
2020-11-25 13:33:50 +01:00
Dr. David von Oheimb
8c5c2fa544 CMP: prevent misleading PKIStatusInfo output if not response available
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13409)
2020-11-20 13:36:30 +01:00
Dr. David von Oheimb
6fd8313589 apps/cmp.c: Improve diagnostics on -server URL parse error
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13409)
2020-11-20 13:36:30 +01:00
Dr. David von Oheimb
0e7bc901bf apps/cmp.c: Add diagnostics on config file section(s) used
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13409)
2020-11-20 13:36:30 +01:00
Dr. David von Oheimb
3c9d6266ed apps/cmp.c: Improve order of -path option: just after -server
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12932)
2020-11-10 13:25:45 +01:00
Richard Levitte
b78c777ee3 APPS: Implement load_keyparams() to load key parameters
'openssl dsaparam' is affected as an obvious usage example.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13191)
2020-10-22 12:14:32 +10:00
Dr. David von Oheimb
55c61473b5 Correct and simplify use of ERR_clear_error() etc. for loading DSO libs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13045)
2020-10-08 16:57:34 +02:00
Xiaofei Bai
ebcae87f6b FIX strncpy warning in apps/cmp.c.
bugfix: #12872

strncpy here has compiling warning of -Wstringop-truncation, change
into BIO_snprintf as before.

Change-Id: I362872c4ad328cadd4c7a5a5da3165655fa26c0d

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12889)
2020-09-17 14:19:09 +02:00
Matt Caswell
798f932980 Fix safestack issues in cmp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:40 +01:00
Matt Caswell
e6623cfbff Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Dr. David von Oheimb
5ea4c6e553 apps/cmp.c: Improve example given for -geninfo option (also in man page)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
62261446b2 apps/cmp.c: Improve user guidance on missing -subject etc. options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00