HTTP client: Work around HTTPS proxy use bug due to callback design flaw

See discussion in #17088, where the real solution was postponed to 4.0.

This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17310)

diff --git a/apps/cmp.c b/apps/cmp.c
index 9d0b11399862aa2b4cdec9ecd7a2344c10f94849..5167446cdef47483e8f1ee42e471465b61ab5cc7 100644 (file)
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1926,15 +1926,18 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
                 goto err;
             }
         }
+
         if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
         /* info will be freed along with CMP ctx */
         info->server = opt_server;
         info->port = server_port;
-        info->use_proxy = opt_proxy != NULL;
+        /* workaround for callback design flaw, see #17088: */
+        info->use_proxy = proxy_host != NULL;
         info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
         info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+
         if (info->ssl_ctx == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 034fd45c4b7b81f9e460da3e9373ddfccfe18a93..328b0addb4e27ab36b13381e6a61ca1a443ea60d 100644 (file)
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2470,6 +2470,7 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
         SSL *ssl;
         BIO *sbio = NULL;
 
+        /* adapt after fixing callback design flaw, see #17088 */
         if ((info->use_proxy
              && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
                                          NULL, NULL, /* no proxy credentials */
@@ -2482,7 +2483,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
             return NULL;
         }
 
-        SSL_set_tlsext_host_name(ssl, info->server);
+        /* adapt after fixing callback design flaw, see #17088 */
+        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
 
         SSL_set_connect_state(ssl);
         BIO_set_ssl(sbio, ssl, BIO_CLOSE);
@@ -2545,7 +2547,8 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
 
     info.server = server;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
     mem = OSSL_HTTP_get(url, proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
@@ -2571,18 +2574,21 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
                                const char *expected_content_type,
                                long timeout, const ASN1_ITEM *rsp_it)
 {
+    int use_ssl = ssl_ctx != NULL;
     APP_HTTP_TLS_INFO info;
     BIO *rsp, *req_mem = ASN1_item_i2d_mem_bio(req_it, req);
     ASN1_VALUE *res;
 
     if (req_mem == NULL)
         return NULL;
+
     info.server = host;
     info.port = port;
-    info.use_proxy = proxy != NULL;
+    info.use_proxy = /* workaround for callback design flaw, see #17088 */
+        OSSL_HTTP_adapt_proxy(proxy, no_proxy, host, use_ssl) != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
-    rsp = OSSL_HTTP_transfer(NULL, host, port, path, ssl_ctx != NULL,
+    rsp = OSSL_HTTP_transfer(NULL, host, port, path, use_ssl,
                              proxy, no_proxy, NULL /* bio */, NULL /* rbio */,
                              app_http_tls_cb, &info,
                              0 /* buf_size */, headers, content_type, req_mem,

diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index f786f831bf86711bf7218246aeb2c88b43243e75..14c2cbf2b5af8d7d98ae8226b91eb96003cbeca8 100644 (file)
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -946,6 +946,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port,
     }
     /* now overall_timeout is guaranteed to be >= 0 */
 
+    /* adapt in order to fix callback design flaw, see #17088 */
     /* callback can be used to wrap or prepend TLS session */
     if (bio_update_fn != NULL) {
         BIO *orig_bio = cbio;