The branch master has been updated via 9498dac4dbda1a4f2eb5e6573df05bc295dc272c (commit) from 276d6c687a89f90c096faf8918681d04a0cea7cf (commit)
- Log ----------------------------------------------------------------- commit 9498dac4dbda1a4f2eb5e6573df05bc295dc272c Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Fri Nov 13 18:47:03 2020 +0100 apps.c: re-enable loading single certs and CRLs over HTTP Fixes #13403 Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13404) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index ab76ed8e7a..766002b6b0 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -28,6 +28,7 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/http.h>
 #include <openssl/pem.h>
 #include <openssl/store.h>
 #include <openssl/pkcs12.h>
@@ -468,6 +469,11 @@ CONF *app_load_config_modules(const char *configfile)
     return conf;
 }
 
+#define IS_HTTP(uri) \
+    (strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0)
+#define IS_HTTPS(uri) \
+    (strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0)
+
 X509 *load_cert_pass(const char *uri, int maybe_stdin,
                      const char *pass, const char *desc)
 {
@@ -475,8 +481,13 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     if (desc == NULL)
         desc = "certificate";
-    (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
-                              NULL, NULL, NULL, &cert, NULL, NULL, NULL);
+    if (IS_HTTPS(uri))
+        BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
+    else if (IS_HTTP(uri))
+        cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */);
+    else
+        (void)load_key_certs_crls(uri, maybe_stdin, pass, desc,
+                                  NULL, NULL, NULL, &cert, NULL, NULL, NULL);
 
     if (cert == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
         ERR_print_errors(bio_err);
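Review bot: IS_HTTP and IS_HTTPS pass `uri` straight to strncmp, so a NULL uri is now undefined behaviour (in practice a crash) before load_key_certs_crls gets a chance to see it; the `maybe_stdin` parameter of load_cert_pass suggests callers can legitimately pass NULL to mean "read standard input", in which case this commit turns a working path into a segfault. Guard the macros themselves so every call site is covered: `#define IS_HTTP(uri) ((uri) != NULL && strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0)` and the same for IS_HTTPS. Parenthesising the macro argument is cheap and also keeps the macro safe for the unusual but legal comma-expression argument. Whether any current caller actually passes NULL is not visible in this hunk and should be confirmed.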
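Review bot: The HTTP branch of load_cert_pass calls X509_load_http with `0 /* timeout */`; if, as the comment implies, 0 means no limit rather than a default, a stalled or hostile server can block the command indefinitely, and a bounded default (or a caller-supplied timeout) is the safer choice for a CLI fetch. Nothing in this function authenticates what arrives over cleartext HTTP, so whatever consumes the result must treat it as untrusted input until it has been verified; a short comment on the branch, `/* plain HTTP: no transport integrity, caller must validate the result */`, would keep the next maintainer from assuming otherwise. Note also that the HTTPS case prints its own message and then falls through to the generic "Unable to load" line with an ERR_print_errors that will likely print nothing; a one-line comment stating that the double message is intended would help.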
@@ -484,15 +495,19 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     return cert;
 }
 
-/* the format parameter is meanwhile not needed anymore and thus ignored */
 X509_CRL *load_crl(const char *uri, const char *desc)
 {
     X509_CRL *crl = NULL;
     if (desc == NULL)
         desc = "CRL";
-    (void)load_key_certs_crls(uri, 0, NULL, desc,
-                              NULL, NULL, NULL, NULL, NULL, &crl, NULL);
+    if (IS_HTTPS(uri))
+        BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc);
+    else if (IS_HTTP(uri))
+        crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
+    else
+        (void)load_key_certs_crls(uri, 0, NULL, desc,
+                                  NULL, NULL, NULL, NULL, NULL, &crl, NULL);
 
     if (crl == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
         ERR_print_errors(bio_err);
@@ -1894,7 +1909,8 @@ static const char *get_dp_url(DIST_POINT *dp)
         uri = GENERAL_NAME_get0_value(gen, >ype);
         if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
             const char *uptr = (const char *)ASN1_STRING_get0_data(uri);
-            if (strncmp(uptr, "http://", 7) == 0)
+
+            if (IS_HTTP(uptr)) /* can/should not use HTTPS here */
                 return uptr;
         }
     }
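Review bot: load_crl repeats the HTTPS-reject / HTTP-fetch / fallback dispatch from load_cert_pass verbatim, including the literal `0 /* timeout */` handed to X509_CRL_load_http, so the two fetch paths can silently drift apart and both inherit an unbounded wait if 0 means "no timeout". A single named constant shared by both call sites, e.g. `#define APP_HTTP_TIMEOUT 0 /* 0 = no limit; revisit */` used as `X509_CRL_load_http(uri, NULL, NULL, APP_HTTP_TIMEOUT)`, would keep them aligned and make the policy visible. Because a CRL obtained over plain HTTP is only as trustworthy as its signature and nothing in this function checks one, the function comment should say that the returned CRL is unverified and must be checked against its issuer by the caller. The load_crl body continues past the end of the hunk.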
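Review bot: In get_dp_url the length guard `ASN1_STRING_length(uri) > 6` still encodes strlen("http://") as a magic number, while the comparison it protects now derives its length from OSSL_HTTP_PREFIX via IS_HTTP; if the prefix macro and the literal ever disagree, the branch silently stops matching. Assuming OSSL_HTTP_PREFIX is "http://", the same behaviour is expressed without the hidden coupling as `if (gtype == GEN_URI && ASN1_STRING_length(uri) >= (int)strlen(OSSL_HTTP_PREFIX)) {`. The new comment `/* can/should not use HTTPS here */` states the rule but not the reason; spelling out why (presumably to avoid needing TLS, and hence revocation checks, while fetching revocation data) would save the next reader from guessing. Note that uptr is treated as a C string although an ASN1_STRING may carry embedded NULs; that is pre-existing, not introduced here, and the enclosing loop starts outside the hunk.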