
Allow disabling HTTP support (no-http)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21108)
Vladimír Kotal 10 months ago
parent
commit
3ca28c9e81

+ 1 - 1
.github/workflows/run-checker-ci.yml

@@ -23,9 +23,9 @@ jobs:
           no-dtls,
           no-ec,
           no-ec2m,
+          no-http,
           no-siv,
           no-legacy,
-          no-rfc3779,
           no-sock,
           no-srp,
           no-srtp,
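Review bot: The removal of `no-rfc3779` from the run-checker matrix is not explained by the commit title, and it silently drops CI coverage for that build configuration. If the intent is to keep the matrix the same size when adding `no-http`, that trade-off should be stated in the commit message; otherwise keep `no-rfc3779,` and add `no-http,` as a pure addition. The `jobs:` block starts and ends outside this hunk.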

+ 4 - 1
Configure

@@ -459,6 +459,7 @@ my @disablables = (
     "fuzz-afl",
     "fuzz-libfuzzer",
     "gost",
+    "http",
     "idea",
     "ktls",
     "legacy",
@@ -672,7 +673,9 @@ my @disable_cascades = (
 
     "blake2"            => [ "argon2" ],
 
-    "deprecated-3.0"    => [ "engine", "srp" ]
+    "deprecated-3.0"    => [ "engine", "srp" ],
+
+    "http"              => [ "ocsp" ]
     );
 
 # Avoid protocol support holes.  Also disable all versions below N, if version
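Review bot: The new `http` disablable is not documented anywhere in this commit: the `no-http` option should be added to the configure-option list in INSTALL.md and get a CHANGES.md entry, as every other entry in `@disablables` has. The cascade `"http" => [ "ocsp" ]` is right because OCSP is built on `OSSL_HTTP_REQ_CTX`, but note that `cmp` is deliberately not cascaded, so a no-http libcrypto still offers a CMP client whose default transport is gone; that behaviour (a transfer callback becomes mandatory) is what the INSTALL.md text for `no-http` should say. The `@disable_cascades` list starts outside this hunk.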

+ 33 - 33
apps/cmp.c

@@ -68,7 +68,7 @@ typedef enum {
 } cmp_cmd_t;
 
 /* message transfer */
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 static char *opt_server = NULL;
 static char *opt_proxy = NULL;
 static char *opt_no_proxy = NULL;
@@ -141,7 +141,7 @@ static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
 static char *opt_engine = NULL;
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 /* TLS connection */
 static int opt_tls_used = 0;
 static char *opt_tls_cert = NULL;
@@ -164,7 +164,7 @@ static char *opt_rspout = NULL;
 static int opt_use_mock_srv = 0;
 
 /* mock server */
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 static char *opt_port = NULL;
 static int opt_max_msgs = 0;
 #endif
@@ -213,7 +213,7 @@ typedef enum OPTION_choice {
 
     OPT_OLDCERT, OPT_REVREASON,
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
 #endif
     OPT_RECIPIENT, OPT_PATH,
@@ -236,7 +236,7 @@ typedef enum OPTION_choice {
     OPT_PROV_ENUM,
     OPT_R_ENUM,
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
     OPT_TLS_KEYPASS,
     OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
@@ -246,7 +246,7 @@ typedef enum OPTION_choice {
     OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
     OPT_USE_MOCK_SRV,
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     OPT_PORT, OPT_MAX_MSGS,
 #endif
     OPT_SRV_REF, OPT_SRV_SECRET,
@@ -346,9 +346,9 @@ const OPTIONS cmp_options[] = {
      "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
 
     OPT_SECTION("Message transfer"),
-#ifdef OPENSSL_NO_SOCK
+#if defined(OPENSSL_NO_SOCK) || defined(OPENSSL_NO_HTTP)
     {OPT_MORE_STR, 0, 0,
-     "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
+     "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock/no-http build"},
 #else
     {"server", OPT_SERVER, 's',
      "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
@@ -441,9 +441,9 @@ const OPTIONS cmp_options[] = {
     OPT_R_OPTIONS,
 
     OPT_SECTION("TLS connection"),
-#ifdef OPENSSL_NO_SOCK
+#if defined(OPENSSL_NO_SOCK) || defined(OPENSSL_NO_HTTP)
     {OPT_MORE_STR, 0, 0,
-     "NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
+     "NOTE: -tls_used and all other TLS options not supported due to no-sock/no-http build"},
 #else
     {"tls_used", OPT_TLS_USED, '-',
      "Enable using TLS (also when other TLS options are not set)"},
@@ -482,9 +482,9 @@ const OPTIONS cmp_options[] = {
      "Use internal mock server at API level, bypassing socket-based HTTP"},
 
     OPT_SECTION("Mock server"),
-#ifdef OPENSSL_NO_SOCK
+#if defined(OPENSSL_NO_SOCK) || defined(OPENSSL_NO_HTTP)
     {OPT_MORE_STR, 0, 0,
-     "NOTE: -port and -max_msgs not supported due to no-sock build"},
+     "NOTE: -port and -max_msgs not supported due to no-sock/no-http build"},
 #else
     {"port", OPT_PORT, 's',
      "Act as HTTP-based mock server listening on given port"},
@@ -571,7 +571,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
 
     {&opt_oldcert}, {(char **)&opt_revreason},
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     {&opt_server}, {&opt_proxy}, {&opt_no_proxy},
 #endif
     {&opt_recipient}, {&opt_path}, {(char **)&opt_keep_alive},
@@ -593,7 +593,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_engine},
 #endif
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     {(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key},
     {&opt_tls_keypass},
     {&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host},
@@ -604,7 +604,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_reqout}, {&opt_rspin}, {&opt_rspout},
 
     {(char **)&opt_use_mock_srv},
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     {&opt_port}, {(char **)&opt_max_msgs},
 #endif
     {&opt_srv_ref}, {&opt_srv_secret},
@@ -807,7 +807,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
                 CMP_warn("too few -rspin filename arguments; resorting to using mock server");
             res = OSSL_CMP_CTX_server_perform(ctx, actual_req);
         } else {
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
             if (opt_server == NULL) {
                 CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments");
                 goto err;
@@ -816,7 +816,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
                 CMP_warn("too few -rspin filename arguments; resorting to contacting server");
             res = OSSL_CMP_MSG_http_perform(ctx, actual_req);
 #else
-            CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments");
+            CMP_err("-server not supported on no-sock/no-http build; missing -use_mock_srv option or too few -rspin filename arguments");
 #endif
         }
         rspin_in_use = 0;
@@ -1232,7 +1232,7 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
     return 1;
 }
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 /*
  * set up ssl_ctx for the OSSL_CMP_CTX based on options from config file/CLI.
  * Returns pointer on success, NULL on error
@@ -1854,7 +1854,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 {
     int ret = 0;
     char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     int portnum, use_ssl;
     static char server_port[32] = { '\0' };
     const char *proxy_host = NULL;
@@ -1863,7 +1863,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
     char proxy_buf[200] = "";
 
     if (!opt_use_mock_srv && opt_rspin == NULL) { /* note: -port is not given */
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (opt_server == NULL) {
             CMP_err("missing -server or -use_mock_srv or -rspin option");
             goto err;
@@ -1873,7 +1873,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         goto err;
 #endif
     }
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     if (opt_server == NULL) {
         if (opt_proxy != NULL)
             CMP_warn("ignoring -proxy option since -server is not given");
@@ -1967,7 +1967,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             || opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv)
         (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp);
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     if (opt_tls_used) {
         APP_HTTP_TLS_INFO *info;
 
@@ -2404,7 +2404,7 @@ static int get_opts(int argc, char **argv)
             if (!set_verbosity(opt_int_arg()))
                 goto opthelp;
             break;
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         case OPT_SERVER:
             opt_server = opt_str();
             break;
@@ -2434,7 +2434,7 @@ static int get_opts(int argc, char **argv)
         case OPT_TOTAL_TIMEOUT:
             opt_total_timeout = opt_int_arg();
             break;
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         case OPT_TLS_USED:
             opt_tls_used = 1;
             break;
@@ -2650,7 +2650,7 @@ static int get_opts(int argc, char **argv)
             opt_use_mock_srv = 1;
             break;
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         case OPT_PORT:
             opt_port = opt_str();
             break;
@@ -2739,7 +2739,7 @@ static int get_opts(int argc, char **argv)
     return 1;
 }
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx)
 {
     BIO *acbio;
@@ -2827,7 +2827,7 @@ static void print_status(void)
         OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, OSSL_CMP_PKISI_BUFLEN);
     const char *from = "", *server = "";
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     if (opt_server != NULL) {
         from = " from ";
         server = opt_server;
@@ -3006,7 +3006,7 @@ int cmp_main(int argc, char **argv)
         goto err;
     }
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     if (opt_tls_cert == NULL && opt_tls_key == NULL && opt_tls_keypass == NULL
             && opt_tls_extra == NULL && opt_tls_trusted == NULL
             && opt_tls_host == NULL) {
@@ -3040,7 +3040,7 @@ int cmp_main(int argc, char **argv)
 #endif
 
     if (opt_use_mock_srv
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         || opt_port != NULL
 #endif
         ) {
@@ -3057,7 +3057,7 @@ int cmp_main(int argc, char **argv)
         OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);
     }
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
         CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
         opt_tls_used = 0;
@@ -3145,7 +3145,7 @@ int cmp_main(int argc, char **argv)
     cleanse(opt_keypass);
     cleanse(opt_newkeypass);
     cleanse(opt_otherpass);
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
     cleanse(opt_tls_keypass);
 #endif
     cleanse(opt_secret);
@@ -3156,7 +3156,7 @@ int cmp_main(int argc, char **argv)
         OSSL_CMP_CTX_print_errors(cmp_ctx);
 
     if (cmp_ctx != NULL) {
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         APP_HTTP_TLS_INFO *info = OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx);
 
         (void)OSSL_CMP_CTX_set_http_cb_arg(cmp_ctx, NULL);
@@ -3165,7 +3165,7 @@ int cmp_main(int argc, char **argv)
         X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
         /* cannot free info already here, as it may be used indirectly by: */
         OSSL_CMP_CTX_free(cmp_ctx);
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (info != NULL) {
             OPENSSL_free((char *)info->server);
             OPENSSL_free((char *)info->port);
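Review bot: The compound condition `#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)` (and its `||` negation in the option tables) is now repeated at roughly thirty sites in this file, which is the kind of duplication where one site drifts the next time a third build flag is added; the enum at lines 213-250, the `cmp_vars` table at 571-604 and the option table must all stay in lockstep or the "must be in same order as enumerated above" invariant breaks. Define the predicate once near the top of cmp.c, e.g. `#if defined(OPENSSL_NO_SOCK) || defined(OPENSSL_NO_HTTP)` / `# define CMP_NO_HTTP_TRANSPORT` / `#endif`, and use `#ifndef CMP_NO_HTTP_TRANSPORT` at every site. The help strings at 116, 128 and 140 say "no-sock/no-http build", which is fine, but the same consolidation would let them name the single predicate too. `cmp_main` and `setup_client_ctx` both start and end outside the hunks shown here.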

+ 1 - 1
apps/lib/apps.c

@@ -2499,7 +2499,7 @@ void store_setup_crl_download(X509_STORE *st)
     X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
 }
 
-#ifndef OPENSSL_NO_SOCK
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 static const char *tls_error_hint(void)
 {
     unsigned long err = ERR_peek_error();
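Review bot: The context line `X509_STORE_set_lookup_crls_cb(st, crls_http_cb);` in `store_setup_crl_download` stays unconditional, so a no-http build still installs an HTTP CRL fetcher for `-crl_download`. `crls_http_cb` is not visible here, but if it relies on `X509_CRL_load_http`, the `x_all.c` stub in this commit returns NULL without raising an error, so a `-crl_download` verification in a no-http build will fail with "unable to get certificate CRL" and an empty error queue, which is hard to diagnose. Either compile `store_setup_crl_download` down to a warning under `OPENSSL_NO_HTTP`, or have the `apps` helper print that CRL download is unsupported in this build before the lookup is attempted. `store_setup_crl_download` begins before this hunk, and `tls_error_hint` continues after it.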

+ 9 - 0
apps/s_client.c

@@ -1654,6 +1654,7 @@ int s_client_main(int argc, char **argv)
     }
 
     if (proxystr != NULL) {
+#ifndef OPENSSL_NO_HTTP
         int res;
         char *tmp_host = host, *tmp_port = port;
 
@@ -1688,8 +1689,14 @@ int s_client_main(int argc, char **argv)
                        "%s: -proxy argument malformed or ambiguous\n", prog);
             goto end;
         }
+#else
+        BIO_printf(bio_err,
+                   "%s: -proxy not supported in no-http build\n", prog);
+	goto end;
+#endif
     }
 
+
     if (bindstr != NULL) {
         int res;
         res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
@@ -2341,12 +2348,14 @@ int s_client_main(int argc, char **argv)
     sbuf_len = 0;
     sbuf_off = 0;
 
+#ifndef OPENSSL_NO_HTTP
     if (proxystr != NULL) {
         /* Here we must use the connect string target host & port */
         if (!OSSL_HTTP_proxy_connect(sbio, thost, tport, proxyuser, proxypass,
                                      0 /* no timeout */, bio_err, prog))
             goto shut;
     }
+#endif
 
     switch ((PROTOCOL_CHOICE) starttls_proto) {
     case PROTO_OFF:
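Review bot: The added `goto end;` in the `#else` branch is indented with a tab, which the OpenSSL coding style rejects; it should be `        goto end;` with spaces, and the stray empty line added before `if (bindstr != NULL)` should go. With `OPENSSL_NO_HTTP` the only remaining use of `thost`, `tport`, `proxyuser` and `proxypass` is the `OSSL_HTTP_proxy_connect` call that is now compiled out, so if those locals are declared unconditionally (their declarations are not in these hunks) a `-Wall` build under `--strict-warnings` will likely fail on unused variables; guard the declarations the same way or mark them used. Rejecting `-proxy` at runtime is acceptable, but `-proxy_user`/`-proxy_pass` are still accepted and silently ignored in that configuration, so a short "not supported in no-http build" note in the option table would make the failure mode visible in `-help`. `s_client_main` starts and ends outside these hunks.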

+ 9 - 2
crypto/cmp/build.info

@@ -1,4 +1,11 @@
 LIBS=../../libcrypto
-SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c \
+$OPENSSLSRC=\
+        cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c \
         cmp_status.c cmp_hdr.c cmp_protect.c cmp_msg.c cmp_vfy.c \
-        cmp_server.c cmp_client.c cmp_genm.c cmp_http.c
+        cmp_server.c cmp_client.c cmp_genm.c
+
+IF[{- !$disabled{'http'} -}]
+  $OPENSSLSRC=$OPENSSLSRC cmp_http.c
+ENDIF
+
+SOURCE[../../libcrypto]=$OPENSSLSRC

+ 2 - 0
crypto/cmp/cmp_client.c

@@ -134,8 +134,10 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
     int time_left;
     OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
 
+#ifndef OPENSSL_NO_HTTP
     if (transfer_cb == NULL)
         transfer_cb = OSSL_CMP_MSG_http_perform;
+#endif
     *rep = NULL;
 
     if (ctx->total_timeout != 0 /* not waiting indefinitely */) {
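Review bot: In a no-http build `transfer_cb` now stays NULL whenever the application has not called `OSSL_CMP_CTX_set_transfer_cb`, and `send_receive_check` presumably goes on to invoke `transfer_cb(ctx, req)` below this hunk, which is a NULL function-pointer call (crash) rather than an error for every CMP session that previously just worked over HTTP. Add an explicit check after the `#endif`: `if (transfer_cb == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return 0; }` (or whichever reason code the file already uses for missing callbacks), so the failure surfaces on the error queue. The rest of `send_receive_check` is outside the hunk, so the exact call site could not be confirmed here.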

+ 6 - 0
crypto/cmp/cmp_ctx.c

@@ -163,11 +163,13 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
         return 0;
     }
 
+#ifndef OPENSSL_NO_HTTP
     if (ctx->http_ctx != NULL) {
         (void)OSSL_HTTP_close(ctx->http_ctx, 1);
         ossl_cmp_debug(ctx, "disconnected from CMP server");
         ctx->http_ctx = NULL;
     }
+#endif
     ctx->status = OSSL_CMP_PKISTATUS_unspecified;
     ctx->failInfoCode = -1;
 
@@ -191,10 +193,12 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
     if (ctx == NULL)
         return;
 
+#ifndef OPENSSL_NO_HTTP
     if (ctx->http_ctx != NULL) {
         (void)OSSL_HTTP_close(ctx->http_ctx, 1);
         ossl_cmp_debug(ctx, "disconnected from CMP server");
     }
+#endif
     OPENSSL_free(ctx->propq);
     OPENSSL_free(ctx->serverPath);
     OPENSSL_free(ctx->server);
@@ -813,6 +817,7 @@ DEFINE_OSSL_CMP_CTX_set1(server, char)
 /* Set the server exclusion list of the HTTP proxy server */
 DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
 
+#ifndef OPENSSL_NO_HTTP
 /* Set the http connect/disconnect callback function to be used for HTTP(S) */
 DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb, OSSL_HTTP_bio_cb_t)
 
@@ -824,6 +829,7 @@ DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb_arg, void *)
  * Returns callback argument set previously (NULL if not set or on error)
  */
 DEFINE_OSSL_get(OSSL_CMP_CTX, http_cb_arg, void *, NULL)
+#endif
 
 /* Set callback function for sending CMP request and receiving response */
 DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb, OSSL_CMP_transfer_cb_t)

+ 2 - 0
crypto/cmp/cmp_local.h

@@ -51,8 +51,10 @@ struct ossl_cmp_ctx_st {
     int total_timeout; /* max number of seconds an enrollment may take, incl. */
     /* attempts polling for a response if a 'waiting' PKIStatus is received */
     time_t end_time; /* session start time + totaltimeout */
+# ifndef OPENSSL_NO_HTTP
     OSSL_HTTP_bio_cb_t http_cb;
     void *http_cb_arg; /* allows to store optional argument to cb */
+# endif
 
     /* server authentication */
     /*
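Review bot: Only `http_cb` and `http_cb_arg` are compiled out of `ossl_cmp_ctx_st` here, while `http_ctx`, which `cmp_ctx.c` now guards at its two uses, is left in the struct (its declaration is above this hunk and not shown). Guarding `http_ctx` with the same `# ifndef OPENSSL_NO_HTTP` would make any remaining unguarded use a compile error in a no-http build instead of silently dead code, and keeps the struct consistent with the accessors removed from `cmp.h.in`. The struct definition starts and ends outside this hunk.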

+ 2 - 0
crypto/err/err_all.c

@@ -85,7 +85,9 @@ int ossl_err_load_crypto_strings(void)
 # ifndef OPENSSL_NO_ENGINE
         || ossl_err_load_ENGINE_strings() == 0
 # endif
+# ifndef OPENSSL_NO_HTTP
         || ossl_err_load_HTTP_strings() == 0
+# endif
 # ifndef OPENSSL_NO_OCSP
         || ossl_err_load_OCSP_strings() == 0
 # endif

+ 4 - 0
crypto/x509/x_all.c

@@ -98,6 +98,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
                                    int timeout, const ASN1_ITEM *it)
 {
+#ifndef OPENSSL_NO_HTTP
     BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */,
                              bio, rbio, NULL /* cb */, NULL /* arg */,
                              1024 /* buf_size */, NULL /* headers */,
@@ -107,6 +108,9 @@ static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
 
     BIO_free(mem);
     return res;
+#else
+    return 0;
+#endif
 }
 
 X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
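Review bot: The `#else` branch returns `0` from a function declared to return `ASN1_VALUE *`, and it returns without pushing anything on the error queue, so `X509_load_http`, `X509_CRL_load_http` and any other caller of `simple_get_asn1` in a no-http build hand NULL to the application with no diagnosable reason. Use the pointer constant and raise an error: `ERR_raise(ERR_LIB_X509, ERR_R_UNSUPPORTED);` followed by `return NULL;`. The callers begin after this hunk and are not shown.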

+ 4 - 0
include/openssl/cmp.h.in

@@ -308,9 +308,11 @@ int OSSL_CMP_CTX_set1_server(OSSL_CMP_CTX *ctx, const char *address);
 int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
 int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
 int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
+#   ifndef OPENSSL_NO_HTTP
 int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb);
 int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
 void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
+#   endif
 typedef OSSL_CMP_MSG *(*OSSL_CMP_transfer_cb_t) (OSSL_CMP_CTX *ctx,
                                                  const OSSL_CMP_MSG *req);
 int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb);
@@ -408,8 +410,10 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
                                 X509_STORE *trusted_store, X509 *cert);
 
 /* from cmp_http.c */
+#   ifndef OPENSSL_NO_HTTP
 OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
                                         const OSSL_CMP_MSG *req);
+#   endif
 
 /* from cmp_server.c */
 typedef struct ossl_cmp_srv_ctx_st OSSL_CMP_SRV_CTX;
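Review bot: `OSSL_CMP_CTX_set1_server`, `OSSL_CMP_CTX_set_serverPort`, `OSSL_CMP_CTX_set1_proxy` and `OSSL_CMP_CTX_set1_no_proxy` stay declared in a no-http build even though the only built-in consumer of those values, `OSSL_CMP_MSG_http_perform`, is compiled out, and nothing in this commit tells API users that. A comment above the guarded block such as `/* In no-http builds there is no built-in transport: callers must supply OSSL_CMP_CTX_set_transfer_cb() */`, mirrored in doc/man3/OSSL_CMP_CTX_new.pod, would make the contract explicit. Removing public declarations under a build flag is also a source-compatibility break for applications built against a no-http libcrypto, which belongs in the CHANGES.md entry.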

+ 4 - 0
include/openssl/http.h

@@ -33,6 +33,8 @@ extern "C" {
 # define OPENSSL_HTTP_PROXY "HTTP_PROXY"
 # define OPENSSL_HTTPS_PROXY "HTTPS_PROXY"
 
+# ifndef OPENSSL_NO_HTTP
+
 #define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
 #define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
 
@@ -103,6 +105,8 @@ int OSSL_HTTP_parse_url(const char *url, int *pssl, char **puser, char **phost,
 const char *OSSL_HTTP_adapt_proxy(const char *proxy, const char *no_proxy,
                                   const char *server, int use_ssl);
 
+
+# endif /* !defined(OPENSSL_NO_HTTP) */
 # ifdef  __cplusplus
 }
 # endif
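Review bot: A stray blank line is added just before `# endif /* !defined(OPENSSL_NO_HTTP) */`, and the opening `# ifndef OPENSSL_NO_HTTP` is followed by a blank line as well; drop both for consistency with the rest of the header. The guard appears to cover every declaration between the `OPENSSL_HTTP*` name macros and the C++ guard, including the `OSSL_HTTP_bio_cb_t` typedef that `cmp.h.in` and `cmp_local.h` depend on (the typedef itself is outside the shown hunks), which is why those files needed their own guards; a one-line comment at the `# ifndef` saying that the name/port macros above remain available in no-http builds would save the next reader that inference.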

+ 8 - 10
test/build.info

@@ -57,7 +57,7 @@ IF[{- !$disabled{tests} -}]
           x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
           recordlentest drbgtest rand_status_test sslbuffertest \
           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
-          http_test servername_test ocspapitest fatalerrtest tls13ccstest \
+          servername_test ocspapitest fatalerrtest tls13ccstest \
           sysdefaulttest errtest ssl_ctx_test build_wincrypt_test \
           context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
           keymgmt_internal_test hexstr_test provider_status_test defltfips_test \
@@ -515,12 +515,14 @@ IF[{- !$disabled{tests} -}]
   DEPEND[ocspapitest]=../libcrypto libtestutil.a
 
   IF[{- !$disabled{sock} -}]
-    PROGRAMS{noinst}=http_test
-  ENDIF
+    IF[{- !$disabled{http} -}]
+      PROGRAMS{noinst}=http_test
 
-  SOURCE[http_test]=http_test.c
-  INCLUDE[http_test]=../include ../apps/include
-  DEPEND[http_test]=../libcrypto libtestutil.a
+      SOURCE[http_test]=http_test.c
+      INCLUDE[http_test]=../include ../apps/include
+      DEPEND[http_test]=../libcrypto libtestutil.a
+    ENDIF
+  ENDIF
 
   SOURCE[dtlstest]=dtlstest.c helpers/ssltestlib.c
   INCLUDE[dtlstest]=../include ../apps/include
@@ -590,10 +592,6 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[ciphername_test]=../include ../apps/include
   DEPEND[ciphername_test]=../libcrypto ../libssl libtestutil.a
 
-  SOURCE[http_test]=http_test.c
-  INCLUDE[http_test]=../include ../apps/include
-  DEPEND[http_test]=../libcrypto libtestutil.a
-
   SOURCE[servername_test]=servername_test.c helpers/ssltestlib.c
   INCLUDE[servername_test]=../include ../apps/include
   DEPEND[servername_test]=../libcrypto ../libssl libtestutil.a
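Review bot: The two nested `IF[{- !$disabled{sock} -}]` / `IF[{- !$disabled{http} -}]` blocks can be a single condition, `IF[{- !$disabled{sock} && !$disabled{http} -}]`, which is how combined conditions are written elsewhere in build.info files and removes one indentation level. Moving the `SOURCE`/`INCLUDE`/`DEPEND` lines for `http_test` inside the condition and deleting the duplicate block further down is the right fix, since the previous layout referenced a program that was not always declared. The enclosing `IF[{- !$disabled{tests} -}]` starts and ends outside these hunks.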

+ 8 - 0
test/cmp_ctx_test.c

@@ -318,10 +318,12 @@ static int test_cmp_ctx_log_cb(void)
     return result;
 }
 
+#ifndef OPENSSL_NO_HTTP
 static BIO *test_http_cb(BIO *bio, void *arg, int use_ssl, int detail)
 {
     return NULL;
 }
+#endif
 
 static OSSL_CMP_MSG *test_transfer_cb(OSSL_CMP_CTX *ctx,
                                       const OSSL_CMP_MSG *req)
@@ -560,7 +562,9 @@ static X509_STORE *X509_STORE_new_1(void)
                              STACK_OF(TYPE)*, NULL, IS_0, \
                              sk_##TYPE##_new_null(), sk_##TYPE##_free)
 
+#ifndef OPENSSL_NO_HTTP
 typedef OSSL_HTTP_bio_cb_t OSSL_CMP_http_cb_t;
+#endif
 #define DEFINE_SET_CB_TEST(FIELD) \
     static OSSL_CMP_##FIELD##_t OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \
     { \
@@ -746,8 +750,10 @@ DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, server, char)
 DEFINE_SET_INT_TEST(serverPort)
 DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxy, char)
 DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, no_proxy, char)
+#ifndef OPENSSL_NO_HTTP
 DEFINE_SET_CB_TEST(http_cb)
 DEFINE_SET_GET_P_VOID_TEST(http_cb_arg)
+#endif
 DEFINE_SET_CB_TEST(transfer_cb)
 DEFINE_SET_GET_P_VOID_TEST(transfer_cb_arg)
 
@@ -837,8 +843,10 @@ int setup_tests(void)
     ADD_TEST(test_CTX_set_get_serverPort);
     ADD_TEST(test_CTX_set1_get0_proxy);
     ADD_TEST(test_CTX_set1_get0_no_proxy);
+#ifndef OPENSSL_NO_HTTP
     ADD_TEST(test_CTX_set_get_http_cb);
     ADD_TEST(test_CTX_set_get_http_cb_arg);
+#endif
     ADD_TEST(test_CTX_set_get_transfer_cb);
     ADD_TEST(test_CTX_set_get_transfer_cb_arg);
     /* server authentication: */

+ 5 - 0
test/recipes/79-test_http.t

@@ -12,11 +12,16 @@ use OpenSSL::Test::Utils;
 
 setup("test_http");
 
+plan skip_all => "HTTP protocol is not supported by this OpenSSL build"
+    if disabled('http');
+plan skip_all => "not supported by no-sock build" if disabled('sock');
+
 plan tests => 2;
 
 SKIP: {
     skip "sockets disabled", 1 if disabled("sock");
     skip "OCSP disabled", 1 if disabled("ocsp");
+    skip "HTTP disabled", 1 if disabled("http");
     my $cmd = [qw{openssl ocsp -index any -port 0}];
     my @output = run(app($cmd), capture => 1);
     $output[0] =~ s/\r\n/\n/g;
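Review bot: With `plan skip_all ... if disabled('http')` and `plan skip_all ... if disabled('sock')` now in front of `plan tests => 2`, the `skip "sockets disabled"` line and the newly added `skip "HTTP disabled", 1 if disabled("http")` inside the `SKIP:` block are unreachable and only add noise. Keep just `skip "OCSP disabled", 1 if disabled("ocsp");` there. The `SKIP:` block continues past this hunk.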

+ 2 - 0
test/recipes/80-test_cmp_http.t

@@ -30,6 +30,8 @@ plan skip_all => "These tests are not supported in a no-ec build"
     if disabled("ec");
 plan skip_all => "These tests are not supported in a no-sock build"
     if disabled("sock");
+plan skip_all => "These tests are not supported in a no-http build"
+    if disabled("http");
 
 plan skip_all => "Tests involving local HTTP server not available on Windows or VMS"
     if $^O =~ /^(VMS|MSWin32|msys)$/;

+ 27 - 27
util/libcrypto.num

@@ -133,7 +133,7 @@ d2i_OCSP_BASICRESP                      134	3_0_0	EXIST::FUNCTION:OCSP
 X509v3_add_ext                          135	3_0_0	EXIST::FUNCTION:
 X509v3_addr_subset                      136	3_0_0	EXIST::FUNCTION:RFC3779
 CRYPTO_strndup                          137	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_free                  138	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_free                  138	3_0_0	EXIST::FUNCTION:HTTP
 X509_STORE_new                          140	3_0_0	EXIST::FUNCTION:
 ASN1_TYPE_free                          141	3_0_0	EXIST::FUNCTION:
 PKCS12_BAGS_new                         142	3_0_0	EXIST::FUNCTION:
@@ -266,7 +266,7 @@ WHIRLPOOL_Init                          271	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 EVP_OpenInit                            272	3_0_0	EXIST::FUNCTION:
 OCSP_response_get1_basic                273	3_0_0	EXIST::FUNCTION:OCSP
 CRYPTO_gcm128_tag                       274	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_parse_url                     275	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_parse_url                     275	3_0_0	EXIST::FUNCTION:HTTP
 UI_get0_test_string                     276	3_0_0	EXIST::FUNCTION:
 CRYPTO_secure_free                      277	3_0_0	EXIST::FUNCTION:
 DSA_print_fp                            278	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA,STDIO
@@ -614,7 +614,7 @@ UI_get0_result_string                   629	3_0_0	EXIST::FUNCTION:
 TS_RESP_CTX_add_policy                  630	3_0_0	EXIST::FUNCTION:TS
 X509_REQ_dup                            631	3_0_0	EXIST::FUNCTION:
 d2i_DSA_PUBKEY_fp                       633	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA,STDIO
-OSSL_HTTP_REQ_CTX_exchange              634	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_exchange              634	3_0_0	EXIST::FUNCTION:HTTP
 d2i_X509_REQ_fp                         635	3_0_0	EXIST::FUNCTION:STDIO
 DH_OpenSSL                              636	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 BN_get_rfc3526_prime_8192               637	3_0_0	EXIST::FUNCTION:
@@ -1114,7 +1114,7 @@ PEM_write_bio_PKCS7                     1141	3_0_0	EXIST::FUNCTION:
 MDC2_Final                              1142	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2
 SMIME_crlf_copy                         1143	3_0_0	EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_count              1144	3_0_0	EXIST::FUNCTION:OCSP
-OSSL_HTTP_REQ_CTX_new                   1145	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_new                   1145	3_0_0	EXIST::FUNCTION:HTTP
 X509_load_cert_crl_file                 1146	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_new_mac_key                    1147	3_0_0	EXIST::FUNCTION:
 DIST_POINT_new                          1148	3_0_0	EXIST::FUNCTION:
@@ -1378,7 +1378,7 @@ BIO_set_ex_data                         1411	3_0_0	EXIST::FUNCTION:
 SHA512                                  1412	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_get_explicit_policy      1413	3_0_0	EXIST::FUNCTION:
 EVP_DecodeBlock                         1414	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_set_request_line      1415	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_set_request_line      1415	3_0_0	EXIST::FUNCTION:HTTP
 EVP_MD_CTX_reset                        1416	3_0_0	EXIST::FUNCTION:
 X509_NAME_new                           1417	3_0_0	EXIST::FUNCTION:
 ASN1_item_pack                          1418	3_0_0	EXIST::FUNCTION:
@@ -1576,7 +1576,7 @@ BIO_ADDRINFO_address                    1613	3_0_0	EXIST::FUNCTION:SOCK
 ASN1_STRING_print_ex                    1614	3_0_0	EXIST::FUNCTION:
 i2d_CMS_ReceiptRequest                  1615	3_0_0	EXIST::FUNCTION:CMS
 d2i_TS_REQ_fp                           1616	3_0_0	EXIST::FUNCTION:STDIO,TS
-OSSL_HTTP_REQ_CTX_set1_req              1617	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_set1_req              1617	3_0_0	EXIST::FUNCTION:HTTP
 EVP_PKEY_get_default_digest_nid         1618	3_0_0	EXIST::FUNCTION:
 ASIdOrRange_new                         1619	3_0_0	EXIST::FUNCTION:RFC3779
 ASN1_SCTX_new                           1620	3_0_0	EXIST::FUNCTION:
@@ -1592,7 +1592,7 @@ CRYPTO_ocb128_cleanup                   1629	3_0_0	EXIST::FUNCTION:OCB
 EVP_des_ede_cbc                         1630	3_0_0	EXIST::FUNCTION:DES
 i2d_ASN1_TIME                           1631	3_0_0	EXIST::FUNCTION:
 ENGINE_register_all_pkey_asn1_meths     1632	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-OSSL_HTTP_REQ_CTX_set_max_response_length 1633	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_set_max_response_length 1633	3_0_0	EXIST::FUNCTION:HTTP
 d2i_ISSUING_DIST_POINT                  1634	3_0_0	EXIST::FUNCTION:
 CMS_RecipientInfo_set0_key              1635	3_0_0	EXIST::FUNCTION:CMS
 NCONF_new                               1636	3_0_0	EXIST::FUNCTION:
@@ -1849,7 +1849,7 @@ OCSP_ONEREQ_add_ext                     1892	3_0_0	EXIST::FUNCTION:OCSP
 CMS_uncompress                          1893	3_0_0	EXIST::FUNCTION:CMS
 CRYPTO_mem_debug_pop                    1895	3_0_0	EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0
 EVP_aes_192_cfb128                      1896	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_nbio                  1897	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_nbio                  1897	3_0_0	EXIST::FUNCTION:HTTP
 EVP_CIPHER_CTX_copy                     1898	3_0_0	EXIST::FUNCTION:
 CRYPTO_secure_allocated                 1899	3_0_0	EXIST::FUNCTION:
 UI_UTIL_read_pw_string                  1900	3_0_0	EXIST::FUNCTION:
@@ -2415,7 +2415,7 @@ Camellia_decrypt                        2466	3_0_0	EXIST::FUNCTION:CAMELLIA,DEPR
 X509_signature_print                    2467	3_0_0	EXIST::FUNCTION:
 EVP_camellia_128_ecb                    2468	3_0_0	EXIST::FUNCTION:CAMELLIA
 MD2_Final                               2469	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD2
-OSSL_HTTP_REQ_CTX_add1_header           2470	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_add1_header           2470	3_0_0	EXIST::FUNCTION:HTTP
 NETSCAPE_SPKAC_it                       2471	3_0_0	EXIST::FUNCTION:
 ASIdOrRange_free                        2472	3_0_0	EXIST::FUNCTION:RFC3779
 EC_POINT_get_Jprojective_coordinates_GFp 2473	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
@@ -3612,7 +3612,7 @@ EVP_CIPHER_CTX_is_encrypting            3694	3_0_0	EXIST::FUNCTION:
 EC_KEY_can_sign                         3695	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PEM_write_bio_RSAPublicKey              3696	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_CRL_set1_lastUpdate                3697	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_nbio_d2i              3698	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_nbio_d2i              3698	3_0_0	EXIST::FUNCTION:HTTP
 PKCS8_encrypt                           3699	3_0_0	EXIST::FUNCTION:
 i2d_PKCS7_fp                            3700	3_0_0	EXIST::FUNCTION:STDIO
 i2d_X509_REQ                            3701	3_0_0	EXIST::FUNCTION:
@@ -3759,7 +3759,7 @@ i2d_PrivateKey_bio                      3843	3_0_0	EXIST::FUNCTION:
 RSA_padding_add_PKCS1_type_1            3844	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 i2d_re_X509_tbs                         3845	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_get_iv_length                3846	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_get0_mem_bio          3847	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_get0_mem_bio          3847	3_0_0	EXIST::FUNCTION:HTTP
 i2d_PKCS8PrivateKeyInfo_bio             3848	3_0_0	EXIST::FUNCTION:
 d2i_OCSP_CERTID                         3849	3_0_0	EXIST::FUNCTION:OCSP
 EVP_CIPHER_meth_set_init                3850	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -4725,9 +4725,9 @@ OSSL_CMP_CTX_set1_server                4852	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set_serverPort             4853	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set1_proxy                 4854	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set1_no_proxy              4855	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set_http_cb                4856	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set_http_cb_arg            4857	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_get_http_cb_arg            4858	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set_http_cb                4856	3_0_0	EXIST::FUNCTION:CMP,HTTP
+OSSL_CMP_CTX_set_http_cb_arg            4857	3_0_0	EXIST::FUNCTION:CMP,HTTP
+OSSL_CMP_CTX_get_http_cb_arg            4858	3_0_0	EXIST::FUNCTION:CMP,HTTP
 OSSL_CMP_CTX_set_transfer_cb            4859	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set_transfer_cb_arg        4860	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_get_transfer_cb_arg        4861	3_0_0	EXIST::FUNCTION:CMP
@@ -4882,18 +4882,18 @@ ASN1_item_verify_ex                     5009	3_0_0	EXIST::FUNCTION:
 BIO_socket_wait                         5010	3_0_0	EXIST::FUNCTION:SOCK
 BIO_wait                                5011	3_0_0	EXIST::FUNCTION:
 BIO_do_connect_retry                    5012	3_0_0	EXIST::FUNCTION:
-OSSL_parse_url                          5013	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_adapt_proxy                   5014	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_get_resp_len          5015	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_REQ_CTX_set_expected          5016	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_is_alive                      5017	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_open                          5018	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_proxy_connect                 5019	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_set1_request                  5020	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_exchange                      5021	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_get                           5022	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_transfer                      5023	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_close                         5024	3_0_0	EXIST::FUNCTION:
+OSSL_parse_url                          5013	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_adapt_proxy                   5014	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_REQ_CTX_get_resp_len          5015	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_REQ_CTX_set_expected          5016	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_is_alive                      5017	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_open                          5018	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_proxy_connect                 5019	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_set1_request                  5020	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_exchange                      5021	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_get                           5022	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_transfer                      5023	3_0_0	EXIST::FUNCTION:HTTP
+OSSL_HTTP_close                         5024	3_0_0	EXIST::FUNCTION:HTTP
 ASN1_item_i2d_mem_bio                   5025	3_0_0	EXIST::FUNCTION:
 ERR_add_error_txt                       5026	3_0_0	EXIST::FUNCTION:
 ERR_add_error_mem_bio                   5027	3_0_0	EXIST::FUNCTION:
@@ -4953,7 +4953,7 @@ OSSL_CMP_try_certreq                    5080	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_certConf_cb                    5081	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_RR_ses                    5082	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_GENM_ses                  5083	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_MSG_http_perform               5084	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_http_perform               5084	3_0_0	EXIST::FUNCTION:CMP,HTTP
 OSSL_CMP_MSG_read                       5085	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_MSG_write                      5086	3_0_0	EXIST::FUNCTION:CMP
 EVP_PKEY_Q_keygen                       5087	3_0_0	EXIST::FUNCTION:
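Review bot: Marking the `OSSL_HTTP_*` and `OSSL_parse_url` entries as `HTTP`-conditional is only correct if the symbols are actually absent from a no-http libcrypto, and this page shows no change to `crypto/build.info` or `crypto/http/build.info` excluding that directory; if `crypto/http` is still compiled, `util/check-format` style symbol checks will flag exported symbols that the `.num` file says should not exist, and the no-http build will still link HTTP code the option claims to remove. Please confirm the build-level exclusion is part of this change set. Note too that `OSSL_parse_url` is a general URL parser and is now unavailable to any non-HTTP user in a no-http build, which is worth a sentence in the CHANGES.md entry.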