http_server.c: allow clients to connect with IPv6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21033)

diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c
index 5c26497abca6be4de26494bde8d87761027a3376..93f06626fba8c67ffec801710666b52139aaf0cb 100644 (file)
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@@ -198,7 +198,9 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
     BIO *acbio = NULL, *bufbio;
     int asock;
     int port_num;
     BIO *acbio = NULL, *bufbio;
     int asock;
     int port_num;

+    char name[40];

 
 

+    snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */

     if (verb >= 0 && !log_set_verbosity(prog, verb))
         return NULL;
     bufbio = BIO_new(BIO_f_buffer());
     if (verb >= 0 && !log_set_verbosity(prog, verb))
         return NULL;
     bufbio = BIO_new(BIO_f_buffer());


@@ -207,7 +209,7 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
     acbio = BIO_new(BIO_s_accept());
     if (acbio == NULL
         || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
     acbio = BIO_new(BIO_s_accept());
     if (acbio == NULL
         || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0

-        || BIO_set_accept_port(acbio, port /* may be "0" */) < 0) {
+        || BIO_set_accept_name(acbio, name) < 0) {

         log_HTTP(prog, LOG_ERR, "error setting up accept BIO");
         goto err;
     }
         log_HTTP(prog, LOG_ERR, "error setting up accept BIO");
         goto err;
     }

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 7c68385f4b768929a18a1bb7257ec65c49b91afb..e39c7bede5aff818b0a057f6f2d4ece50e439c48 100644 (file)
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -473,8 +473,10 @@ Reason numbers defined in RFC 5280 are:
 
 =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
 
 
 =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
 

-The DNS hostname or IP address and optionally port
+The I<host> domain name or IP address and optionally I<port>

 of the CMP server to connect to using HTTP(S).
 of the CMP server to connect to using HTTP(S).

+IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::]> for localhost.
+

 This option excludes I<-port> and I<-use_mock_srv>.
 It is ignored if I<-rspin> is given with enough filename arguments.
 
 This option excludes I<-port> and I<-use_mock_srv>.
 It is ignored if I<-rspin> is given with enough filename arguments.
 


@@ -1039,8 +1041,9 @@ This excludes the B<-server> and B<-port> options.
 
 =item B<-port> I<number>
 
 
 =item B<-port> I<number>
 

-Act as HTTP-based CMP server mock-up listening on the given port.
-This excludes the B<-server> and B<-use_mock_srv> options.
+Act as HTTP-based CMP server mock-up listening on the given local port.
+The client may address the server via, e.g., C<127.0.0.1> or C<[::]>.
+This option excludes the B<-server> and B<-use_mock_srv> options.

 The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options
 so far are not supported in this mode.
 
 The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options
 so far are not supported in this mode.
 

diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 9106a1d34949603f4439c3ea87081edf1ba89d35..183a02098b0a476788f4dae1b9d9421ac3fb15dc 100644 (file)
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,7 +30,7 @@ B<openssl> B<ocsp>
 [B<-respin> I<file>]
 [B<-url> I<URL>]
 [B<-host> I<host>:I<port>]
 [B<-respin> I<file>]
 [B<-url> I<URL>]
 [B<-host> I<host>:I<port>]

-[B<-path>]
+[B<-path> I<pathname>]

 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
 [B<-no_proxy> I<addresses>]
 [B<-header>]
 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
 [B<-no_proxy> I<addresses>]
 [B<-header>]


@@ -167,16 +167,21 @@ with B<-serial>, B<-cert> and B<-host> options).
 
 =item B<-url> I<responder_url>
 
 
 =item B<-url> I<responder_url>
 

-Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+Specify the responder host and optionally port and path via a URL.
+ Both HTTP and HTTPS (SSL/TLS) URLs can be specified.

 The optional userinfo and fragment components are ignored.
 Any given query component is handled as part of the path component.
 The optional userinfo and fragment components are ignored.
 Any given query component is handled as part of the path component.

+For details, see the B<-host> and B<-path> options described next.

 
 

-=item B<-host> I<hostname>:I<port>, B<-path> I<pathname>
+=item B<-host> I<host>:I<port>, B<-path> I<pathname>

 
 If the B<-host> option is present then the OCSP request is sent to the host
 
 If the B<-host> option is present then the OCSP request is sent to the host

-I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
-to use or "/" by default.  This is equivalent to specifying B<-url> with scheme
-http:// and the given hostname, port, and pathname.
+I<host> on port I<port>.
+The I<host> may be a domain name or an IP (v4 or v6) address,
+such as C<127.0.0.1> or C<[::]> for localhost.
+The B<-path> option specifies the HTTP pathname to use or "/" by default.
+This is equivalent to specifying B<-url> with scheme
+http:// and the given I<host>, I<port>, and optional I<pathname>.

 
 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
 
 
 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
 


@@ -377,8 +382,8 @@ subject name.
 
 =item B<-port> I<portnum>
 
 
 =item B<-port> I<portnum>
 

-Port to listen for OCSP requests on. The port may also be specified
-using the B<url> option.
+Port to listen for OCSP requests on. Both IPv4 and IPv6 are possible.
+The port may also be specified using the B<-url> option.

 A C<0> argument indicates that any available port shall be chosen automatically.
 
 =item B<-ignore_err>
 A C<0> argument indicates that any available port shall be chosen automatically.
 
 =item B<-ignore_err>

diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv
index 33a572a29da1ad9333d5adee83b8c23e3f2a4e35..52a39383d7442d890e3e79a577f03feb73b4b7fd 100644 (file)
--- a/test/recipes/80-test_cmp_http_data/test_connection.csv
+++ b/test/recipes/80-test_cmp_http_data/test_connection.csv
@@ -2,8 +2,8 @@ expected,description, -section,val, -server,val, -proxy,val, -no_proxy,val, -tls
 ,Message transfer options:,,,,,,,,,,,,,,,,,,
 ,,,,,,,,,,,,,,,,,,,
 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK,
 ,Message transfer options:,,,,,,,,,,,,,,,,,,
 ,,,,,,,,,,,,,,,,,,,
 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK,

-TBD,Domain name, -section,, -server,_SERVER_CN:_SERVER_PORT,,,,,,,,,,,,,,
-TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,,,,,,,,,,,,,,
+1,server domain name, -section,, -server,localhost:_SERVER_PORT,,,,,,,,,,,,,,
+1,server IPv6 address, -section,, -server,[::]:_SERVER_PORT,,,,,,,,,,,,,,

 ,,,,,,,,,,,,,,,,,,,
 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,
 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,
 ,,,,,,,,,,,,,,,,,,,
 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,
 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,