author | Marc <34656315+MarcT512@users.noreply.github.com> | 2020-05-20 02:25:10 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-05-25 08:17:12 +0200 |
commit | f7201301ef001b70109d7007a37525e233d30907 (patch) | |
tree | 1d3a0059d0f0bb490c5a506864dec9b7006e7e47 /apps/s_client.c | |
parent | Fix coverity issues in EC after #11807 (diff) | |
s_client: Fix -proxy flag regression
s_client: connection via an HTTP proxy broke somewhere prior to openssl-3.0.0-alpha2.
openssl s_client -connect <target> -proxy <proxy_host:proxy_port>
Results in s_client making a TCP connection to proxy_host:proxy_port and then issuing an HTTP CONNECT to the proxy, instead of the target.
Fixes https://github.com/openssl/openssl/issues/11879
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11880)
Diffstat (limited to 'apps/s_client.c')
-rw-r--r-- | apps/s_client.c | 46 |
1 files changed, 31 insertions, 15 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index e21a23da75..886b2cd8d6 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -921,6 +921,7 @@ int s_client_main(int argc, char **argv)
 char *connectstr = NULL, *bindstr = NULL;
 char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
 char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL, *host = NULL;
+ char *thost = NULL, *tport = NULL;
 char *port = OPENSSL_strdup(PORT);
 char *bindhost = NULL, *bindport = NULL;
 char *passarg = NULL, *pass = NULL;
@@ -1599,37 +1600,49 @@ int s_client_main(int argc, char **argv)
 goto opthelp;
 }
 #endif
- if (proxystr != NULL) {
+
+ if (connectstr != NULL) {
 int res;
 char *tmp_host = host, *tmp_port = port;
- if (connectstr == NULL) {
- BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
- goto opthelp;
- }
- res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
+
+ res = BIO_parse_hostserv(connectstr, &host, &port, BIO_PARSE_PRIO_HOST);
 if (tmp_host != host)
 OPENSSL_free(tmp_host);
 if (tmp_port != port)
 OPENSSL_free(tmp_port);
 if (!res) {
 BIO_printf(bio_err,
- "%s: -proxy argument malformed or ambiguous\n", prog);
+ "%s: -connect argument or target parameter malformed or ambiguous\n",
+ prog);
 goto end;
 }
- } else {
- int res = 1;
+ }
+
+ if (proxystr != NULL) {
+ int res;
 char *tmp_host = host, *tmp_port = port;
- if (connectstr != NULL)
- res = BIO_parse_hostserv(connectstr, &host, &port,
- BIO_PARSE_PRIO_HOST);
+
+ if (host == NULL || port == NULL) {
+ BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
+ goto opthelp;
+ }
+
+ /* Retain the original target host:port for use in the HTTP proxy connect string */
+ thost = OPENSSL_strdup(host);
+ tport = OPENSSL_strdup(port);
+ if (thost == NULL || tport == NULL) {
+ BIO_printf(bio_err, "%s: out of memory\n", prog);
+ goto end;
+ }
+
+ res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
 if (tmp_host != host)
 OPENSSL_free(tmp_host);
 if (tmp_port != port)
 OPENSSL_free(tmp_port);
 if (!res) {
 BIO_printf(bio_err,
- "%s: -connect argument or target parameter malformed or ambiguous\n",
- prog);
+ "%s: -proxy argument malformed or ambiguous\n", prog);
 goto end;
 }
 }
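Review bot: After the `-proxy` block, `host` and `port` hold the proxy's address for the rest of s_client_main, and only `thost`/`tport` still name the TLS peer. Any later code outside this hunk that takes `host` to mean the target, such as a default SNI name or a certificate hostname check derived from it, would silently use the proxy's name instead. That code is not visible here, so this is a point to audit rather than a confirmed defect. I would at least add `/* From here on host/port name the proxy; thost/tport name the TLS peer */` above the `BIO_parse_hostserv(proxystr, ...)` call.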
@@ -2389,7 +2402,8 @@ int s_client_main(int argc, char **argv)
 }
 break;
 case PROTO_CONNECT:
- if (!OSSL_HTTP_proxy_connect(sbio, host, port, proxyuser, proxypass,
+ /* Here we must use the connect string target host & port */
+ if (!OSSL_HTTP_proxy_connect(sbio, thost, tport, proxyuser, proxypass,
 0 /* no timeout */, bio_err, prog))
 goto shut;
 break;
@@ -3138,6 +3152,8 @@ int s_client_main(int argc, char **argv)
 OPENSSL_free(bindstr);
 OPENSSL_free(host);
 OPENSSL_free(port);
+ OPENSSL_free(thost);
+ OPENSSL_free(tport);
 X509_VERIFY_PARAM_free(vpm);
 ssl_excert_free(exc);
 sk_OPENSSL_STRING_free(ssl_args); |
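Review bot: The `PROTO_CONNECT` call now depends on `thost`/`tport`, which are non-NULL only when the `-proxy` block ran, and they are the parsed host and port rather than the user's original connect string. If `BIO_parse_hostserv` strips the brackets from an IPv6 literal, the CONNECT authority is well-formed only if `OSSL_HTTP_proxy_connect` re-adds them, which this page does not show; a test with a bracketed IPv6 target would settle it. I would expand the comment to `/* thost/tport: parsed -connect target, set only when -proxy was given */`. The enclosing switch starts and ends outside the hunk.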