From f7201301ef001b70109d7007a37525e233d30907 Mon Sep 17 00:00:00 2001 From: Marc <34656315+MarcT512@users.noreply.github.com> Date: Wed, 20 May 2020 01:25:10 +0100 Subject: [PATCH] s_client: Fix -proxy flag regression s_client: connection via an HTTP proxy broke somewhere prior to openssl-3.0.0-alpha2. openssl s_client -connect -proxy Results in s_client making a TCP connection to proxy_host:proxy_port and then issuing an HTTP CONNECT to the proxy, instead of the target. Fixes https://github.com/openssl/openssl/issues/11879 Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11880) --- apps/s_client.c | 46 +++++++++++++++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index e21a23da75..886b2cd8d6 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -921,6 +921,7 @@ int s_client_main(int argc, char **argv) char *connectstr = NULL, *bindstr = NULL; char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL, *host = NULL; + char *thost = NULL, *tport = NULL; char *port = OPENSSL_strdup(PORT); char *bindhost = NULL, *bindport = NULL; char *passarg = NULL, *pass = NULL; @@ -1599,37 +1600,49 @@ int s_client_main(int argc, char **argv) goto opthelp; } #endif - if (proxystr != NULL) { + + if (connectstr != NULL) { int res; char *tmp_host = host, *tmp_port = port; - if (connectstr == NULL) { - BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog); - goto opthelp; - } - res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST); + + res = BIO_parse_hostserv(connectstr, &host, &port, BIO_PARSE_PRIO_HOST); if (tmp_host != host) OPENSSL_free(tmp_host); if (tmp_port != port) OPENSSL_free(tmp_port); if (!res) { BIO_printf(bio_err, - "%s: -proxy argument malformed or ambiguous\n", prog); + "%s: -connect argument or target parameter malformed or ambiguous\n", + prog); goto end; } - } else { - int res = 1; + } + + if (proxystr != NULL) { + int res; char *tmp_host = host, *tmp_port = port; - if (connectstr != NULL) - res = BIO_parse_hostserv(connectstr, &host, &port, - BIO_PARSE_PRIO_HOST); + + if (host == NULL || port == NULL) { + BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog); + goto opthelp; + } + + /* Retain the original target host:port for use in the HTTP proxy connect string */ + thost = OPENSSL_strdup(host); + tport = OPENSSL_strdup(port); + if (thost == NULL || tport == NULL) { + BIO_printf(bio_err, "%s: out of memory\n", prog); + goto end; + } + + res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST); if (tmp_host != host) OPENSSL_free(tmp_host); if (tmp_port != port) OPENSSL_free(tmp_port); if (!res) { BIO_printf(bio_err, - "%s: -connect argument or target parameter malformed or ambiguous\n", - prog); + "%s: -proxy argument malformed or ambiguous\n", prog); goto end; } } @@ -2389,7 +2402,8 @@ int s_client_main(int argc, char **argv) } break; case PROTO_CONNECT: - if (!OSSL_HTTP_proxy_connect(sbio, host, port, proxyuser, proxypass, + /* Here we must use the connect string target host & port */ + if (!OSSL_HTTP_proxy_connect(sbio, thost, tport, proxyuser, proxypass, 0 /* no timeout */, bio_err, prog)) goto shut; break; @@ -3138,6 +3152,8 @@ int s_client_main(int argc, char **argv) OPENSSL_free(bindstr); OPENSSL_free(host); OPENSSL_free(port); + OPENSSL_free(thost); + OPENSSL_free(tport); X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); -- 2.25.1