From: Dr. David von Oheimb
Date: Tue, 23 May 2023 19:54:26 +0000 (+0200)
Subject: http_server.c: allow clients to connect with IPv6
X-Git-Tag: openssl-3.2.0-alpha1~208
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=830b6a13f9aecd42da61b79c93f236575cc58793

http_server.c: allow clients to connect with IPv6

Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/21033)
---

diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c
index 5c26497abc..93f06626fb 100644
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@@ -198,7 +198,9 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
     BIO *acbio = NULL, *bufbio;
     int asock;
     int port_num;
+    char name[40];
 
+    snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */
     if (verb >= 0 && !log_set_verbosity(prog, verb))
         return NULL;
     bufbio = BIO_new(BIO_f_buffer());
@@ -207,7 +209,7 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
     acbio = BIO_new(BIO_s_accept());
     if (acbio == NULL
         || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
-        || BIO_set_accept_port(acbio, port /* may be "0" */) < 0) {
+        || BIO_set_accept_name(acbio, name) < 0) {
         log_HTTP(prog, LOG_ERR, "error setting up accept BIO");
         goto err;
     }
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 7c68385f4b..e39c7bede5 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -473,8 +473,10 @@ Reason numbers defined in RFC 5280 are:
 
 =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
 
-The DNS hostname or IP address and optionally port
+The I domain name or IP address and optionally I
 of the CMP server to connect to using HTTP(S).
+IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::]> for localhost.
+
 This option excludes I<-port> and I<-use_mock_srv>.
 It is ignored if I<-rspin> is given with enough filename arguments.
 
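Review bot: The new `snprintf` into `name` discards its return value, so a `port` string of 35 or more characters is silently truncated and the truncated address is what `BIO_set_accept_name` receives in the next hunk; `port` is a caller-supplied string (on this page it is only known to arrive through `http_server_init`'s parameter), so its length should be checked rather than assumed to fit 40 bytes. The call is also placed before the `log_set_verbosity` check, so a formatting failure could not be reported through `log_HTTP` at the requested verbosity. Suggest moving it below that check and guarding it: `int n = snprintf(name, sizeof(name), "[::]:%s", port);` followed by `if (n < 0 || (size_t)n >= sizeof(name)) { log_HTTP(prog, LOG_ERR, "invalid port string"); return NULL; }`. Requesting `[::]` instead of the bare port also changes where the listener can start: on a host without IPv6 the bind presumably fails where the previous port-only form still listened on IPv4, and whether IPv4 clients reach the socket depends on the accept BIO leaving IPV6_V6ONLY unset, which is worth stating in a comment at the `snprintf` line, e.g. `/* IPv6 wildcard; IPv4 clients are expected to be served via dual-stack */`. `http_server_init` starts before and continues after this hunk.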
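Review bot: When binding `name` fails — a more likely outcome now that the new side always requests `[::]`, e.g. on a host with IPv6 disabled — the unchanged `log_HTTP(prog, LOG_ERR, "error setting up accept BIO")` gives the operator no indication of which address was attempted. Including the address makes the failure diagnosable, e.g. `log_HTTP(prog, LOG_ERR, "error setting up accept BIO for %s", name);`, given that `log_HTTP` takes a printf-style format. `http_server_init` continues outside this hunk.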
@@ -1039,8 +1041,9 @@ This excludes the B<-server> and B<-port> options.
 
 =item B<-port> I
 
-Act as HTTP-based CMP server mock-up listening on the given port.
-This excludes the B<-server> and B<-use_mock_srv> options.
+Act as HTTP-based CMP server mock-up listening on the given local port.
+The client may address the server via, e.g., C<127.0.0.1> or C<[::]>.
+This option excludes the B<-server> and B<-use_mock_srv> options.
 The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options so far are not supported in this mode.
 
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 9106a1d349..183a02098b 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,7 +30,7 @@ B B
 [B<-respin> I]
 [B<-url> I]
 [B<-host> I:I]
-[B<-path>]
+[B<-path> I]
 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
 [B<-no_proxy> I]
 [B<-header>]
@@ -167,16 +167,21 @@ with B<-serial>, B<-cert> and B<-host> options).
 
 =item B<-url> I
 
-Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+Specify the responder host and optionally port and path via a URL.
+ Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
 The optional userinfo and fragment components are ignored.
 Any given query component is handled as part of the path component.
+For details, see the B<-host> and B<-path> options described next.
 
-=item B<-host> I:I, B<-path> I
+=item B<-host> I:I, B<-path> I
 
 If the B<-host> option is present then the OCSP request is sent to the host
-I on port I. The B<-path> option specifies the HTTP pathname
-to use or "/" by default. This is equivalent to specifying B<-url> with scheme
-http:// and the given hostname, port, and pathname.
+I on port I.
+The I may be a domain name or an IP (v4 or v6) address,
+such as C<127.0.0.1> or C<[::]> for localhost.
+The B<-path> option specifies the HTTP pathname to use or "/" by default.
+This is equivalent to specifying B<-url> with scheme
+http:// and the given I, I, and optional I.
 
 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
 
@@ -377,8 +382,8 @@ subject name.
 
 =item B<-port> I
 
-Port to listen for OCSP requests on. The port may also be specified
-using the B option.
+Port to listen for OCSP requests on. Both IPv4 and IPv6 are possible.
+The port may also be specified using the B<-url> option.
 A C<0> argument indicates that any available port shall be chosen automatically.
 
 =item B<-ignore_err>
diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv
index 33a572a29d..52a39383d7 100644
--- a/test/recipes/80-test_cmp_http_data/test_connection.csv
+++ b/test/recipes/80-test_cmp_http_data/test_connection.csv
@@ -2,8 +2,8 @@ expected,description, -section,val, -server,val, -proxy,val, -no_proxy,val, -tls
 ,Message transfer options:,,,,,,,,,,,,,,,,,,
 ,,,,,,,,,,,,,,,,,,,
 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK,
-TBD,Domain name, -section,, -server,_SERVER_CN:_SERVER_PORT,,,,,,,,,,,,,,
-TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,,,,,,,,,,,,,,
+1,server domain name, -section,, -server,localhost:_SERVER_PORT,,,,,,,,,,,,,,
+1,server IPv6 address, -section,, -server,[::]:_SERVER_PORT,,,,,,,,,,,,,,
 ,,,,,,,,,,,,,,,,,,,
 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,
 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK,
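Review bot: The two added rows exercise `localhost` and the IPv6 literal `[::]`, but the IPv4-literal case that the removed `_SERVER_IP` row stood for is gone, so an IPv4 client reaching the now IPv6-bound mock server — the dual-stack behaviour the C change depends on — is not covered, and `localhost` does not pin either family since it may resolve to v4 or v6 depending on the resolver. Consider keeping a third row next to the added ones, e.g. `1,server IPv4 address, -section,, -server,127.0.0.1:_SERVER_PORT,,,,,,,,,,,,,,`, so a regression in IPv4 reachability of the listener is caught by this test.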