Chunk 10 of CMP contribution to OpenSSL: CMP http client and related tests

    Also improve the generic HTTP client w.r.t. proxy and no_proxy options.

    Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
    Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
    Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
    Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)

apps/include/apps.h

@@ -233,13 +233,13 @@ BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
                      int connect, int detail);
 # ifndef OPENSSL_NO_SOCK
 ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
-                              const char *proxy_port, SSL_CTX *ssl_ctx,
+                              const char *no_proxy, SSL_CTX *ssl_ctx,
                               const STACK_OF(CONF_VALUE) *headers,
                               long timeout, const char *expected_content_type,
                               const ASN1_ITEM *it);
 ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
                                const char *path, const char *proxy,
-                               const char *proxy_port, SSL_CTX *ctx,
+                               const char *no_proxy, SSL_CTX *ctx,
                                const STACK_OF(CONF_VALUE) *headers,
                                const char *content_type,
                                ASN1_VALUE *req, const ASN1_ITEM *req_it,

apps/lib/apps.c

@@ -1990,7 +1990,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
     } else if (!connect && !detail) { /* disconnecting after error */
         const char *hint = tls_error_hint();
         if (hint != NULL)
-            ERR_add_error_data(1, hint);
+            ERR_add_error_data(2, " : ", hint);
         /*
          * If we pop sbio and BIO_free() it this may lead to libssl double free.
          * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
@@ -2000,7 +2000,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
 }
 
 ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
-                              const char *proxy_port, SSL_CTX *ssl_ctx,
+                              const char *no_proxy, SSL_CTX *ssl_ctx,
                               const STACK_OF(CONF_VALUE) *headers,
                               long timeout, const char *expected_content_type,
                               const ASN1_ITEM *it)
@@ -2029,7 +2029,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
     info.use_proxy = proxy != NULL;
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
-    resp = OSSL_HTTP_get_asn1(url, proxy, proxy_port,
+    resp = OSSL_HTTP_get_asn1(url, proxy, no_proxy,
                               NULL, NULL, app_http_tls_cb, &info,
                               headers, 0 /* maxline */, 0 /* max_resp_len */,
                               timeout, expected_content_type, it);
@@ -2042,7 +2042,7 @@ ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
 
 ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
                                const char *path, const char *proxy,
-                               const char *proxy_port, SSL_CTX *ssl_ctx,
+                               const char *no_proxy, SSL_CTX *ssl_ctx,
                                const STACK_OF(CONF_VALUE) *headers,
                                const char *content_type,
                                ASN1_VALUE *req, const ASN1_ITEM *req_it,
@@ -2056,7 +2056,7 @@ ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
     info.timeout = timeout;
     info.ssl_ctx = ssl_ctx;
     return OSSL_HTTP_post_asn1(host, port, path, ssl_ctx != NULL,
-                               proxy, proxy_port,
+                               proxy, no_proxy,
                                NULL, NULL, app_http_tls_cb, &info,
                                headers, content_type, req, req_it,
                                0 /* maxline */,

crypto/cmp/build.info

@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c \
         cmp_status.c cmp_hdr.c cmp_protect.c cmp_msg.c cmp_vfy.c \
-        cmp_server.c cmp_client.c
+        cmp_server.c cmp_client.c cmp_http.c

crypto/cmp/cmp_client.c

@@ -140,7 +140,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
     OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
 
     if (transfer_cb == NULL)
-        transfer_cb = NULL; /* TODO: will be OSSL_CMP_MSG_http_perform of chunk 10 */
+        transfer_cb = OSSL_CMP_MSG_http_perform;
 
     *rep = NULL;
     msg_timeout = ctx->msg_timeout; /* backup original value */

crypto/cmp/cmp_ctx.c

@@ -20,9 +20,7 @@
 #include <openssl/crmf.h>
 #include <openssl/err.h>
 
-/*
- * Get current certificate store containing trusted root CA certs
- */
+/* Get current certificate store containing trusted root CA certs */
 X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
 {
     if (ctx == NULL) {
@@ -36,7 +34,6 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
  * Set certificate store containing trusted (root) CA certs and possibly CRLs
  * and a cert verification callback function used for CMP server authentication.
  * Any already existing store entry is freed. Given NULL, the entry is reset.
- * returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
 {
@@ -49,9 +46,7 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
     return 1;
 }
 
-/*
- * Get current list of non-trusted intermediate certs
- */
+/* Get current list of non-trusted intermediate certs */
 STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
 {
     if (ctx == NULL) {
@@ -64,7 +59,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
 /*
  * Set untrusted certificates for path construction in authentication of
  * the CMP server and potentially others (TLS server, newly enrolled cert).
- * returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
 {
@@ -102,7 +96,6 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
     ctx->failInfoCode = -1;
 
     ctx->serverPort = OSSL_CMP_DEFAULT_PORT;
-    ctx->proxyPort = OSSL_CMP_DEFAULT_PORT;
     ctx->msg_timeout = 2 * 60;
 
     if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
@@ -125,9 +118,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
     return NULL;
 }
 
-/*
- * Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX
- */
+/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
 {
     if (ctx == NULL) {
@@ -148,9 +139,7 @@ int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
         && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
 }
 
-/*
- * Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new()
- */
+/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
 void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 {
     if (ctx == NULL)
@@ -158,7 +147,8 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 
     OPENSSL_free(ctx->serverPath);
     OPENSSL_free(ctx->serverName);
-    OPENSSL_free(ctx->proxyName);
+    OPENSSL_free(ctx->proxy);
+    OPENSSL_free(ctx->no_proxy);
 
     X509_free(ctx->srvCert);
     X509_free(ctx->validatedSrvCert);
@@ -252,11 +242,7 @@ int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
     return 1;
 }
 
-/*
- * Set callback function for checking if the cert is ok or should
- * it be rejected.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for checking if the cert is ok or should be rejected */
 int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
 {
     if (ctx == NULL) {
@@ -270,7 +256,6 @@ int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
 /*
  * Set argument, respectively a pointer to a structure containing arguments,
  * optionally to be used by the certConf callback.
- * Returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
 {
@@ -380,10 +365,7 @@ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
     return res;
 }
 
-/*
- * Set a callback function for error reporting and logging messages.
- * Returns 1 on success, 0 on error
- */
+/* Set a callback function for error reporting and logging messages */
 int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
 {
     if (ctx == NULL) {
@@ -411,7 +393,6 @@ void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx)
 /*
  * Set or clear the reference value to be used for identification
  * (i.e., the user name) when using PBMAC.
- * Returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
                                      const unsigned char *ref, int len)
@@ -424,10 +405,7 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
                                                  len);
 }
 
-/*
- * Set or clear the password to be used for protecting messages with PBMAC.
- * Returns 1 on success, 0 on error
- */
+/* Set or clear the password to be used for protecting messages with PBMAC */
 int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
                                   const int len)
 {
@@ -465,7 +443,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
 /*
  * Copies any given stack of inbound X509 certificates to extraCertsIn
  * of the OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error.
  */
 int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
                                    STACK_OF(X509) *extraCertsIn)
@@ -483,7 +460,6 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
 /*
  * Duplicate and set the given stack as the new stack of X509
  * certificates to send out in the extraCerts field.
- * Returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
                                     STACK_OF(X509) *extraCertsOut)
@@ -503,7 +479,6 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
 /*
  * Add the given policy info object
  * to the X509_EXTENSIONS of the requested certificate template.
- * Returns 1 on success, 0 on error.
  */
 int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
 {
@@ -519,9 +494,7 @@ int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
     return sk_POLICYINFO_push(ctx->policies, pinfo);
 }
 
-/*
- * Add an ITAV for geninfo of the PKI message header
- */
+/* Add an ITAV for geninfo of the PKI message header */
 int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
 {
     if (ctx == NULL) {
@@ -531,9 +504,7 @@ int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
     return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
 }
 
-/*
- * Add an itav for the body of outgoing general messages
- */
+/* Add an itav for the body of outgoing general messages */
 int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
 {
     if (ctx == NULL) {
@@ -562,7 +533,6 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
 /*
  * Duplicate and copy the given stack of certificates to the given
  * OSSL_CMP_CTX structure so that they may be retrieved later.
- * Returns 1 on success, 0 on error
  */
 int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
 {
@@ -614,39 +584,25 @@ int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
  * Pins the server certificate to be directly trusted (even if it is expired)
  * for verifying response messages.
  * Cert pointer is not consumed. It may be NULL to clear the entry.
- * Returns 1 on success, 0 on error
  */
 DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
 
-/*
- * Set the X509 name of the recipient. Set in the PKIHeader.
- * returns 1 on success, 0 on error
- */
+/* Set the X509 name of the recipient. Set in the PKIHeader */
 DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
 
-/*
- * Store the X509 name of the expected sender in the PKIHeader of responses.
- * Returns 1 on success, 0 on error
- */
+/* Store the X509 name of the expected sender in the PKIHeader of responses */
 DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
 
-/*
- * Set the X509 name of the issuer. Set in the PKIHeader.
- * Returns 1 on success, 0 on error
- */
+/* Set the X509 name of the issuer. Set in the PKIHeader */
 DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
 
 /*
  * Set the subject name that will be placed in the certificate
  * request. This will be the subject name on the received certificate.
- * Returns 1 on success, 0 on error
  */
 DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
 
-/*
- * Set the X.509v3 certificate request extensions to be used in IR/CR/KUR.
- * Returns 1 on success, 0 on error
- */
+/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
 int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
 {
     if (ctx == NULL) {
@@ -680,7 +636,6 @@ int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
 /*
  * Add a GENERAL_NAME structure that will be added to the CRMF
  * request's extensions field to request subject alternative names.
- * Returns 1 on success, 0 on error
  */
 int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
                                       const GENERAL_NAME *name)
@@ -712,7 +667,6 @@ int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
 /*
  * Set our own client certificate, used for example in KUR and when
  * doing the IR with existing certificate.
- * Returns 1 on success, 0 on error
  */
 DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
 
@@ -721,19 +675,14 @@ DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
  * or the certificate to be revoked in RR, respectively.
  * Also used as reference cert (defaulting to clCert) for deriving subject DN
  * and SANs. Its issuer is used as default recipient in the CMP message header.
- * Returns 1 on success, 0 on error
  */
 DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
 
-/*
- * Set the PKCS#10 CSR to be sent in P10CR.
- * Returns 1 on success, 0 on error
- */
+/* Set the PKCS#10 CSR to be sent in P10CR */
 DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
 
 /*
- * Sets the (newly received in IP/KUP/CP) certificate in the context.
- * Returns 1 on success, 0 on error
+ * Set the (newly received in IP/KUP/CP) certificate in the context.
  * TODO: this only permits for one cert to be enrolled at a time.
  */
 int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
@@ -759,16 +708,10 @@ X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
     return ctx->newCert;
 }
 
-/*
- * Set the client's current private key.
- * Returns 1 on success, 0 on error
- */
+/* Set the client's current private key */
 DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
 
-/*
- * Set new key pair. Used e.g. when doing Key Update.
- * Returns 1 on success, 0 on error
- */
+/* Set new key pair. Used e.g. when doing Key Update */
 int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
 {
     if (ctx == NULL) {
@@ -782,9 +725,7 @@ int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
     return 1;
 }
 
-/*
- * gets the private/public key to use for certificate enrollment, NULL on error
- */
+/* Get the private/public key to use for cert enrollment, or NULL on error */
 EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
 {
     if (ctx == NULL) {
@@ -799,10 +740,7 @@ EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
     return ctx->pkey; /* may be NULL */
 }
 
-/*
- * Sets the given transactionID to the context.
- * Returns 1 on success, 0 on error
- */
+/* Set the given transactionID to the context */
 int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
                                     const ASN1_OCTET_STRING *id)
 {
@@ -813,11 +751,7 @@ int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
     return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
 }
 
-/*
- * sets the given nonce to be used for the recipNonce in the next message to be
- * created.
- * returns 1 on success, 0 on error
- */
+/* Set the nonce to be used for the recipNonce in the message created next */
 int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
                                  const ASN1_OCTET_STRING *nonce)
 {
@@ -826,10 +760,7 @@ int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
     return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
 }
 
-/*
- * Stores the given nonce as the last senderNonce sent out.
- * Returns 1 on success, 0 on error
- */
+/* Stores the given nonce as the last senderNonce sent out */
 int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
                                   const ASN1_OCTET_STRING *nonce)
 {
@@ -840,36 +771,16 @@ int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
     return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
 }
 
-/*
- * Set the host name of the (HTTP) proxy server to use for all connections
- * returns 1 on success, 0 on error
- */
-DEFINE_OSSL_CMP_CTX_set1(proxyName, char)
+/* Set the proxy server to use for HTTP(S) connections */
+DEFINE_OSSL_CMP_CTX_set1(proxy, char)
 
-/*
- * Set the (HTTP) host name of the CA server.
- * Returns 1 on success, 0 on error
- */
+/* Set the (HTTP) host name of the CMP server */
 DEFINE_OSSL_CMP_CTX_set1(serverName, char)
 
-/*
- * Sets the (HTTP) proxy port to be used.
- * Returns 1 on success, 0 on error
- */
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port)
-{
-    if (ctx == NULL) {
-        CMPerr(0, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->proxyPort = port;
-    return 1;
-}
+/* Set the server exclusion list of the HTTP proxy server */
+DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
 
-/*
- * sets the http connect/disconnect callback function to be used for HTTP(S)
- * returns 1 on success, 0 on error
- */
+/* Set the http connect/disconnect callback function to be used for HTTP(S) */
 int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
 {
     if (ctx == NULL) {
@@ -880,10 +791,7 @@ int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
     return 1;
 }
 
-/*
- * Set argument optionally to be used by the http connect/disconnect callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the http connect/disconnect callback */
 int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
 {
     if (ctx == NULL) {
@@ -907,10 +815,7 @@ void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
     return ctx->http_cb_arg;
 }
 
-/*
- * Set callback function for sending CMP request and receiving response.
- * Returns 1 on success, 0 on error
- */
+/* Set callback function for sending CMP request and receiving response */
 int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
 {
     if (ctx == NULL) {
@@ -921,10 +826,7 @@ int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
     return 1;
 }
 
-/*
- * Set argument optionally to be used by the transfer callback.
- * Returns 1 on success, 0 on error
- */
+/* Set argument optionally to be used by the transfer callback */
 int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
 {
     if (ctx == NULL) {
@@ -948,10 +850,7 @@ void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
     return ctx->transfer_cb_arg;
 }
 
-/*
- * Sets the (HTTP) server port to be used.
- * Returns 1 on success, 0 on error
- */
+/** Set the HTTP server port to be used */
 int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
 {
     if (ctx == NULL) {
@@ -962,16 +861,10 @@ int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
     return 1;
 }
 
-/*
- * Sets the HTTP path to be used on the server (e.g "pkix/").
- * Returns 1 on success, 0 on error
- */
+/* Set the HTTP path to be used on the server (e.g "pkix/") */
 DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
 
-/*
- * Set the failInfo error code as bit encoding in OSSL_CMP_CTX.
- * Returns 1 on success, 0 on error
- */
+/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
 int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
 {
     if (!ossl_assert(ctx != NULL))
@@ -993,10 +886,7 @@ int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
     return ctx->failInfoCode;
 }
 
-/*
- * Sets a Boolean or integer option of the context to the "val" arg.
- * Returns 1 on success, 0 on error
- */
+/* Set a Boolean or integer option of the context to the "val" arg */
 int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
 {
     int min_val;

crypto/cmp/cmp_http.c

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/http.h>
+#include "internal/sockets.h"
+
+#include "openssl/cmp.h"
+#include "cmp_local.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/cmp.h>
+#include <openssl/err.h>
+
+/*
+ * Send the PKIMessage req and on success return the response, else NULL.
+ * Any previous error queue entries will likely be removed by ERR_clear_error().
+ */
+OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+                                        const OSSL_CMP_MSG *req)
+{
+    char server_port[32];
+    STACK_OF(CONF_VALUE) *headers = NULL;
+    OSSL_CMP_MSG *res = NULL;
+    const char *const content_type_pkix = "application/pkixcmp";
+
+    if (ctx == NULL || req == NULL
+            || ctx->serverName == NULL || ctx->serverPort == 0) {
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+
+    if (!X509V3_add_value("Pragma", "no-cache", &headers))
+        return NULL;
+
+    BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort);
+
+    res = (OSSL_CMP_MSG *)
+        OSSL_HTTP_post_asn1(ctx->serverName, server_port, ctx->serverPath,
+                            OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL,
+                            ctx->proxy, ctx->no_proxy, NULL, NULL,
+                            ctx->http_cb, OSSL_CMP_CTX_get_http_cb_arg(ctx),
+                            headers, content_type_pkix,
+                            (ASN1_VALUE *)req, ASN1_ITEM_rptr(OSSL_CMP_MSG),
+                            0, 0, ctx->msg_timeout, content_type_pkix,
+                            ASN1_ITEM_rptr(OSSL_CMP_MSG));
+
+    sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
+    return res;
+}

crypto/cmp/cmp_local.h

@@ -38,8 +38,8 @@ struct ossl_cmp_ctx_st {
     char *serverPath;
     char *serverName;
     int serverPort;
-    char *proxyName;
-    int proxyPort;
+    char *proxy;
+    char *no_proxy;
     int msg_timeout; /* max seconds to wait for each CMP message round trip */
     int total_timeout; /* max number of seconds an enrollment may take, incl. */
     /* attempts polling for a response if a 'waiting' PKIStatus is received */

crypto/err/openssl.txt

@@ -2600,12 +2600,12 @@ HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded
 HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding
 HTTP_R_MISSING_CONTENT_TYPE:121:missing content type
 HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location
+HTTP_R_RECEIVED_ERROR:105:received error
+HTTP_R_RECEIVED_WRONG_HTTP_VERSION:106:received wrong http version
 HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http
 HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
 HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
-HTTP_R_SERVER_RESPONSE_PARSE_ERROR:104:server response parse error
-HTTP_R_SERVER_SENT_ERROR:105:server sent error
-HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION:106:server sent wrong http version
+HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
 HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
 HTTP_R_TLS_NOT_ENABLED:107:tls not enabled
 HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections

crypto/http/http_client.c

@@ -330,7 +330,7 @@ static int parse_http_line1(char *line)
     for (code = line; *code != '\0' && !ossl_isspace(*code); code++)
         continue;
     if (*code == '\0') {
-        HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+        HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
         return 0;
     }
 
@@ -339,7 +339,7 @@ static int parse_http_line1(char *line)
         code++;
 
     if (*code == '\0') {
-        HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+        HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
         return 0;
     }
 
@@ -348,7 +348,7 @@ static int parse_http_line1(char *line)
         continue;
 
     if (*reason == '\0') {
-        HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+        HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
         return 0;
     }
 
@@ -385,7 +385,7 @@ static int parse_http_line1(char *line)
         if (retcode < 400)
             HTTPerr(0, HTTP_R_STATUS_CODE_UNSUPPORTED);
         else
-            HTTPerr(0, HTTP_R_SERVER_SENT_ERROR);
+            HTTPerr(0, HTTP_R_RECEIVED_ERROR);
         if (*reason == '\0')
             ERR_add_error_data(2, "Code=", code);
         else
@@ -577,12 +577,14 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
                 *line_end = '\0';
         }
         if (value != NULL && line_end != NULL) {
-            if (rctx->state == OHS_REDIRECT && strcmp(key, "Location") == 0) {
+            if (rctx->state == OHS_REDIRECT
+                    && strcasecmp(key, "Location") == 0) {
                 rctx->redirection_url = value;
                 return 0;
             }
-            if (rctx->expected_ct != NULL && strcmp(key, "Content-Type") == 0) {
-                if (strcmp(rctx->expected_ct, value) != 0) {
+            if (rctx->expected_ct != NULL
+                    && strcasecmp(key, "Content-Type") == 0) {
+                if (strcasecmp(rctx->expected_ct, value) != 0) {
                     HTTPerr(0, HTTP_R_UNEXPECTED_CONTENT_TYPE);
                     ERR_add_error_data(4, "expected=", rctx->expected_ct,
                                        ",actual=", value);
@@ -590,7 +592,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
                 }
                 rctx->expected_ct = NULL; /* content-type has been found */
             }
-            if (strcmp(key, "Content-Length") == 0) {
+            if (strcasecmp(key, "Content-Length") == 0) {
                 resp_len = strtoul(value, &line_end, 10);
                 if (line_end == value || *line_end != '\0') {
                     HTTPerr(0, HTTP_R_ERROR_PARSING_CONTENT_LENGTH);
@@ -603,7 +605,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
         }
 
         /* Look for blank line: end of headers */
-        for (p = rctx->iobuf; *p != '\0' ; p++) {
+        for (p = rctx->iobuf; *p != '\0'; p++) {
             if (*p != '\r' && *p != '\n')
                 break;
         }
@@ -690,10 +692,12 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx)
 #ifndef OPENSSL_NO_SOCK
 
 /* set up a new connection BIO, to HTTP server or to HTTP(S) proxy if given */
-static BIO *HTTP_new_bio(const char *server, const char *server_port,
-                         const char *proxy, const char *proxy_port)
+static BIO *HTTP_new_bio(const char *server /* optionally includes ":port" */,
+                         const char *server_port /* explicit server port */,
+                         const char *proxy /* optionally includes ":port" */)
 {
-    const char *host = server;
+    const char *host = server, *host_end;
+    char host_name[100];
     const char *port = server_port;
     BIO *cbio;
 
@@ -704,9 +708,17 @@ static BIO *HTTP_new_bio(const char *server, const char *server_port,
 
     if (proxy != NULL) {
         host = proxy;
-        port = proxy_port;
+        port = NULL;
     }
-    cbio = BIO_new_connect(host);
+
+    host_end = strchr(host, '/');
+    if (host_end != NULL && (size_t)(host_end - host) < sizeof(host_name)) {
+        /* chop trailing string starting with '/' */
+        strncpy(host_name, host, host_end - host);
+        host = host_name;
+    }
+
+    cbio = BIO_new_connect(host /* optionally includes ":port" */);
     if (cbio == NULL)
         goto end;
     if (port != NULL)
@@ -724,7 +736,7 @@ static ASN1_VALUE *BIO_mem_d2i(BIO *mem, const ASN1_ITEM *it)
     ASN1_VALUE *resp = ASN1_item_d2i(NULL, &p, len, it);
 
     if (resp == NULL)
-        HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+        HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
     return resp;
 }
 
@@ -812,7 +824,7 @@ static int update_timeout(int timeout, time_t start_time)
  * After disconnect the modified BIO will be deallocated using BIO_free_all().
  */
 BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
-                        int use_ssl, const char *proxy, const char *proxy_port,
+                        int use_ssl, const char *proxy, const char *no_proxy,
                         BIO *bio, BIO *rbio,
                         OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                         const STACK_OF(CONF_VALUE) *headers,
@@ -839,11 +851,12 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
     }
     /* remaining parameters are checked indirectly by the functions called */
 
+    proxy = http_adapt_proxy(proxy, no_proxy, server, use_ssl);
     if (bio != NULL)
         cbio = bio;
     else
 #ifndef OPENSSL_NO_SOCK
-        if ((cbio = HTTP_new_bio(server, port, proxy, proxy_port)) == NULL)
+        if ((cbio = HTTP_new_bio(server, port, proxy)) == NULL)
             return NULL;
 #else
         return NULL;
@@ -896,8 +909,10 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
                 ) {
                 BIO_snprintf(buf, 200, "server=%s:%s", server, port);
                 ERR_add_error_data(1, buf);
+                if (proxy != NULL)
+                    ERR_add_error_data(2, " proxy=", proxy);
                 if (err == 0) {
-                    BIO_snprintf(buf, 200, "server has disconnected%s",
+                    BIO_snprintf(buf, 200, " peer has disconnected%s",
                                  use_ssl ? " violating the protocol" :
                                  ", likely because it requires the use of TLS");
                     ERR_add_error_data(1, buf);
@@ -952,7 +967,7 @@ static int redirection_ok(int n_redir, const char *old_url, const char *new_url)
 }
 
 /* Get data via HTTP from server at given URL, potentially with redirection */
-BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
                    BIO *bio, BIO *rbio,
                    OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                    const STACK_OF(CONF_VALUE) *headers,
@@ -980,7 +995,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
             break;
 
      new_rpath:
-        resp = OSSL_HTTP_transfer(host, port, path, use_ssl, proxy, proxy_port,
+        resp = OSSL_HTTP_transfer(host, port, path, use_ssl, proxy, no_proxy,
                                   bio, rbio,
                                   bio_update_fn, arg, headers, NULL, NULL,
                                   maxline, max_resp_len,
@@ -1013,7 +1028,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
 
 /* Get ASN.1-encoded data via HTTP from server at given URL */
 ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
-                               const char *proxy, const char *proxy_port,
+                               const char *proxy, const char *no_proxy,
                                BIO *bio, BIO *rbio,
                                OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                const STACK_OF(CONF_VALUE) *headers,
@@ -1028,7 +1043,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
         HTTPerr(0, ERR_R_PASSED_NULL_PARAMETER);
         return NULL;
     }
-    if ((mem = OSSL_HTTP_get(url, proxy, proxy_port, bio, rbio, bio_update_fn,
+    if ((mem = OSSL_HTTP_get(url, proxy, no_proxy, bio, rbio, bio_update_fn,
                              arg, headers, maxline, max_resp_len, timeout,
                              expected_content_type, 1 /* expect_asn1 */))
         != NULL)
@@ -1040,7 +1055,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
 /* Post ASN.1-encoded request via HTTP to server return ASN.1 response */
 ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
                                 const char *path, int use_ssl,
-                                const char *proxy, const char *proxy_port,
+                                const char *proxy, const char *no_proxy,
                                 BIO *bio, BIO *rbio,
                                 OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                 const STACK_OF(CONF_VALUE) *headers,
@@ -1061,7 +1076,7 @@ ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
     /* remaining parameters are checked indirectly */
 
     req_mem = HTTP_asn1_item2bio(req_it, req);
-    res_mem = OSSL_HTTP_transfer(server, port, path, use_ssl, proxy, proxy_port,
+    res_mem = OSSL_HTTP_transfer(server, port, path, use_ssl, proxy, no_proxy,
                                  bio, rbio,
                                  bio_update_fn, arg, headers, content_type,
                                  req_mem /* may be NULL */, maxline,
@@ -1193,7 +1208,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
 
         /* RFC 7231 4.3.6: any 2xx status code is valid */
         if (strncmp(mbuf, HTTP_PREFIX, strlen(HTTP_PREFIX)) != 0) {
-            HTTPerr(0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR);
+            HTTPerr(0, HTTP_R_RESPONSE_PARSE_ERROR);
             BIO_printf(bio_err, "%s: HTTP CONNECT failed, non-HTTP response\n",
                        prog);
             /* Wrong protocol, not even HTTP, so stop reading headers */
@@ -1201,7 +1216,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
         }
         mbufp = mbuf + strlen(HTTP_PREFIX);
         if (strncmp(mbufp, HTTP_VERSION_PATT, strlen(HTTP_VERSION_PATT)) != 0) {
-            HTTPerr(0, HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION);
+            HTTPerr(0, HTTP_R_RECEIVED_WRONG_HTTP_VERSION);
             BIO_printf(bio_err,
                        "%s: HTTP CONNECT failed, bad HTTP version %.*s\n",
                        prog, HTTP_VERSION_STR_LEN, mbufp);

crypto/http/http_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -34,17 +34,17 @@ static const ERR_STRING_DATA HTTP_str_reasons[] = {
     "missing content type"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_MISSING_REDIRECT_LOCATION),
     "missing redirect location"},
+    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RECEIVED_ERROR), "received error"},
+    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RECEIVED_WRONG_HTTP_VERSION),
+    "received wrong http version"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP),
     "redirection from https to http"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_REDIRECTION_NOT_ENABLED),
     "redirection not enabled"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_LINE_TOO_LONG),
     "response line too long"},
-    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_RESPONSE_PARSE_ERROR),
-    "server response parse error"},
-    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_ERROR), "server sent error"},
-    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION),
-    "server sent wrong http version"},
+    {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_RESPONSE_PARSE_ERROR),
+    "response parse error"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_STATUS_CODE_UNSUPPORTED),
     "status code unsupported"},
     {ERR_PACK(ERR_LIB_HTTP, 0, HTTP_R_TLS_NOT_ENABLED), "tls not enabled"},

crypto/http/http_lib.c

@@ -12,6 +12,8 @@
 #include <openssl/err.h>
 #include <string.h>
 
+#include "http_local.h"
+
 /*
  * Parse a URL and split it up into host, port and path components and
  * whether it indicates SSL/TLS. Return 1 on success, 0 on error.
@@ -114,3 +116,39 @@ int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
     OPENSSL_free(buf);
     return 0;
 }
+
+int http_use_proxy(const char *no_proxy, const char *server)
+{
+    size_t sl = strlen(server);
+    const char *found = NULL;
+
+    if (no_proxy == NULL)
+        no_proxy = getenv("no_proxy");
+    if (no_proxy == NULL)
+        no_proxy = getenv("NO_PROXY");
+    if (no_proxy != NULL)
+        found = strstr(no_proxy, server);
+    while (found != NULL
+           && ((found != no_proxy && found[-1] != ' ' && found[-1] != ',')
+               || (found[sl] != '\0' && found[sl] != ' ' && found[sl] != ',')))
+        found = strstr(found + 1, server);
+    return found == NULL;
+}
+
+const char *http_adapt_proxy(const char *proxy, const char *no_proxy,
+                             const char *server, int use_ssl)
+{
+    int prefix_len = strlen(HTTP_URL_PREFIX);
+
+    if (proxy == NULL)
+        proxy = getenv(use_ssl ? "https_proxy" : "http_proxy");
+    if (proxy == NULL)
+        proxy = getenv(use_ssl ? "HTTPS_PROXY" : "HTTP_PROXY");
+    if (proxy != NULL && strncmp(proxy, HTTP_URL_PREFIX, prefix_len) == 0)
+        proxy += prefix_len; /* skip any leading "http://" */
+    if (proxy != NULL && *proxy == '\0')
+        proxy = NULL;
+    if (proxy != NULL && !http_use_proxy(no_proxy, server))
+        proxy = NULL;
+    return proxy;
+}

crypto/http/http_local.h

@@ -27,6 +27,8 @@ typedef OCSP_REQ_CTX OSSL_HTTP_REQ_CTX;
 # define OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_REQ_CTX_get0_mem_bio /* undoc'd */
 # define OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_set_max_response_length
 
+# define HTTP_URL_PREFIX "http://"
+
 BIO *HTTP_asn1_item2bio(const ASN1_ITEM *it, ASN1_VALUE *val);
 OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy,
                                     const char *server, const char *port,
@@ -45,5 +47,8 @@ ASN1_VALUE *HTTP_sendreq_bio(BIO *bio, OSSL_HTTP_bio_cb_t bio_update_fn,
                              ASN1_VALUE *req, const ASN1_ITEM *req_it,
                              int maxline, unsigned long max_resp_len,
                              int timeout, const ASN1_ITEM *rsp_it);
+int http_use_proxy(const char *no_proxy, const char *server);
+const char *http_adapt_proxy(const char *proxy, const char *no_proxy,
+                             const char *server, int use_ssl);
 
 #endif /* !defined(OSSL_CRYPTO_HTTP_LOCAL_H) */

crypto/x509/x_all.c

@@ -121,7 +121,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
                                    int timeout, const ASN1_ITEM *it)
 {
-    return OSSL_HTTP_get_asn1(url, NULL, NULL /* no proxy and port */, bio,
+    return OSSL_HTTP_get_asn1(url, NULL, NULL /* no proxy used */, bio,
                               rbio, NULL /* no callback for SSL/TLS */, NULL,
                               NULL /* headers */, 1024 /* maxline */,
                               0 /* max_resp_len */, timeout,

doc/man3/OSSL_CMP_CTX_new.pod

@@ -13,8 +13,8 @@ OSSL_CMP_CTX_print_errors,
 OSSL_CMP_CTX_set1_serverPath,
 OSSL_CMP_CTX_set1_serverName,
 OSSL_CMP_CTX_set_serverPort,
-OSSL_CMP_CTX_set1_proxyName,
-OSSL_CMP_CTX_set_proxyPort,
+OSSL_CMP_CTX_set1_proxy,
+OSSL_CMP_CTX_set1_no_proxy,
 OSSL_CMP_DEFAULT_PORT,
 OSSL_CMP_CTX_set_http_cb,
 OSSL_CMP_CTX_set_http_cb_arg,
@@ -80,8 +80,8 @@ OSSL_CMP_CTX_set1_senderNonce
  int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
  int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
  int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
- int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
- int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+ int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
+ int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
  #define OSSL_CMP_DEFAULT_PORT 80
  int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, HTTP_bio_cb_t cb);
  int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
@@ -314,11 +314,15 @@ in the given OSSL_CMP_CTX structure.
 OSSL_CMP_CTX_set_serverPort() sets the port of the CMP server to connect to.
 Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
 
-OSSL_CMP_CTX_set1_proxyName() sets the hostname of the HTTP proxy to be used
-for connecting to the CA server.
+OSSL_CMP_CTX_set1_proxy() sets the HTTP proxy to be used for connecting to the
+CMP server.
+Defaults to the environment variable B<http_proxy> if set, else B<HTTP_PROXY>
+in case no TLS is used, otherwise B<https_proxy> if set, else B<HTTPS_PROXY>.
+The format is [http://]address[:port][/path] where the optional path is ignored.
 
-OSSL_CMP_CTX_set_proxyPort() sets the port of the HTTP proxy.
-Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
+OSSL_CMP_CTX_set1_no_proxy() sets the list of server hostnames not to use
+an HTTP proxy for. The names may be separated by commas and/or whitespace.
+Defaults to the environment variable B<no_proxy> if set, else B<NO_PROXY>.
 
 OSSL_CMP_CTX_set_http_cb() sets the optional BIO connect/disconnect callback
 function, which has the prototype

doc/man3/OSSL_CMP_MSG_http_perform.pod

@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_MSG_http_perform
+- implementation of HTTP transfer for CMP messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ SSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+                                        const OSSL_CMP_MSG *req);
+
+=head1 DESCRIPTION
+
+This is the API for creating a BIO for CMP (Certificate Management
+Protocol) over HTTP(S) with OpenSSL.
+
+OSSL_CMP_MSG_http_perform() sends the given PKIMessage req to the CMP server
+specified in ctx. On success it returns the server's response.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_MSG_http_perform() returns a message on success or else NULL.
+It uses ctx->http_cb if set and respects ctx->msgTimeOut.
+
+=head1 SEE ALSO
+
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod

@@ -18,8 +18,7 @@ OSSL_CRMF_MSG_get_certReqId
  OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
  ASN1_INTEGER
      *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
- const X509_NAME
-     *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
 
  ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
  const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);

doc/man3/OSSL_HTTP_transfer.pod

@@ -17,14 +17,14 @@ OSSL_HTTP_parse_url
 
  typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg,
                                     int connect, int detail);
- BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
                     BIO *bio, BIO *rbio,
                     OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                     const STACK_OF(CONF_VALUE) *headers,
                     int maxline, unsigned long max_resp_len, int timeout,
                     const char *expected_content_type, int expect_asn1);
  ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
-                                const char *proxy, const char *proxy_port,
+                                const char *proxy, const char *no_proxy,
                                 BIO *bio, BIO *rbio,
                                 OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                 const STACK_OF(CONF_VALUE) *headers,
@@ -33,7 +33,7 @@ OSSL_HTTP_parse_url
                                 const ASN1_ITEM *it);
  ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
                                  const char *path, int use_ssl,
-                                 const char *proxy, const char *proxy_port,
+                                 const char *proxy, const char *no_proxy,
                                  BIO *bio, BIO *rbio,
                                  OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                  const STACK_OF(CONF_VALUE) *headers,
@@ -43,7 +43,7 @@ OSSL_HTTP_parse_url
                                  int timeout, const char *expected_ct,
                                  const ASN1_ITEM *rsp_it);
  BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
-                         int use_ssl, const char *proxy, const char *proxy_port,
+                         int use_ssl, const char *proxy, const char *no_proxy,
                          BIO *bio, BIO *rbio,
                          OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                          const STACK_OF(CONF_VALUE) *headers,
@@ -91,8 +91,16 @@ L<OPENSSL_free(3)>.
 
 The above functions have the following parameters in common.
 
-If the B<proxy> parameter is not NULL the HTTP client functions connect
-via the given proxy and the optionally given B<proxy_port>.
+If the optional B<proxy> parameter contains a non-empty string or
+it is NULL and one of the environment variables B<http_proxy> and B<HTTP_PROXY>
+(or B<https_proxy> and B<HTTPS_PROXY>, respectively, in case B<use_ssl> != 0)
+is set and contains a non-empty string this is used as the candidate address
+of HTTP(S) proxy to use.
+The address may include a port specification separated by ':'.
+Any prefix "http://" and any trailing string starting with '/' is ignored.
+The HTTP client functions connect via the given proxy unless the B<server>
+is found in the optional list B<no_proxy> of proxy hostnames (if it is not NULL,
+else in the environment variable B<no_proxy> if set or else in B<HTTP_PROXY>).
 Proxying plain HTTP is supported directly,
 while using a proxy for HTTPS connections requires a suitable callback function
 such as OSSL_HTTP_proxy_connect(), described below.

include/openssl/cmp.h

@@ -277,8 +277,8 @@ int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
 int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
 int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
 #  define OSSL_CMP_DEFAULT_PORT 80
-int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
-int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
 int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb);
 int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
 void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
@@ -360,6 +360,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg);
 int OSSL_CMP_validate_cert_path(OSSL_CMP_CTX *ctx,
                                 X509_STORE *trusted_store, X509 *cert);
 
+/* from cmp_http.c */
+OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+                                        const OSSL_CMP_MSG *req);
+
 /* from cmp_server.c */
 typedef struct ossl_cmp_srv_ctx_st OSSL_CMP_SRV_CTX;
 OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,

include/openssl/cmp_util.h

@@ -17,7 +17,6 @@
 
 #  include <openssl/macros.h>
 #  include <openssl/trace.h>
-#  include <openssl/x509.h>
 
 #  ifdef __cplusplus
 extern "C" {

include/openssl/http.h

@@ -25,14 +25,14 @@ extern "C" {
 
 typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail);
 
-BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
                    BIO *bio, BIO *rbio,
                    OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                    const STACK_OF(CONF_VALUE) *headers,
                    int maxline, unsigned long max_resp_len, int timeout,
                    const char *expected_content_type, int expect_asn1);
 ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
-                               const char *proxy, const char *proxy_port,
+                               const char *proxy, const char *no_proxy,
                                BIO *bio, BIO *rbio,
                                OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                const STACK_OF(CONF_VALUE) *headers,
@@ -41,7 +41,7 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
                                const ASN1_ITEM *it);
 ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
                                 const char *path, int use_ssl,
-                                const char *proxy, const char *proxy_port,
+                                const char *proxy, const char *no_proxy,
                                 BIO *bio, BIO *rbio,
                                 OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                 const STACK_OF(CONF_VALUE) *headers,
@@ -51,7 +51,7 @@ ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
                                 int timeout, const char *expected_ct,
                                 const ASN1_ITEM *rsp_it);
 BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
-                        int use_ssl, const char *proxy, const char *proxy_port,
+                        int use_ssl, const char *proxy, const char *no_proxy,
                         BIO *bio, BIO *rbio,
                         OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                         const STACK_OF(CONF_VALUE) *headers,

include/openssl/httperr.h

@@ -41,12 +41,12 @@ int ERR_load_HTTP_strings(void);
 # define HTTP_R_MISSING_ASN1_ENCODING                     110
 # define HTTP_R_MISSING_CONTENT_TYPE                      121
 # define HTTP_R_MISSING_REDIRECT_LOCATION                 111
+# define HTTP_R_RECEIVED_ERROR                            105
+# define HTTP_R_RECEIVED_WRONG_HTTP_VERSION               106
 # define HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP            112
 # define HTTP_R_REDIRECTION_NOT_ENABLED                   116
 # define HTTP_R_RESPONSE_LINE_TOO_LONG                    113
-# define HTTP_R_SERVER_RESPONSE_PARSE_ERROR               104
-# define HTTP_R_SERVER_SENT_ERROR                         105
-# define HTTP_R_SERVER_SENT_WRONG_HTTP_VERSION            106
+# define HTTP_R_RESPONSE_PARSE_ERROR                      104
 # define HTTP_R_STATUS_CODE_UNSUPPORTED                   114
 # define HTTP_R_TLS_NOT_ENABLED                           107
 # define HTTP_R_TOO_MANY_REDIRECTIONS                     115

test/build.info

@@ -131,11 +131,11 @@ IF[{- !$disabled{tests} -}]
   ENDIF
 
   SOURCE[evp_extra_test]=evp_extra_test.c
-  INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
+  INCLUDE[evp_extra_test]=../include ../apps/include
   DEPEND[evp_extra_test]=../libcrypto libtestutil.a
 
   SOURCE[evp_fetch_prov_test]=evp_fetch_prov_test.c
-  INCLUDE[evp_fetch_prov_test]=../include ../apps/include ../crypto/include
+  INCLUDE[evp_fetch_prov_test]=../include ../apps/include
   DEPEND[evp_fetch_prov_test]=../libcrypto libtestutil.a
   IF[{- $disabled{fips} || !$target{dso_scheme} -}]
     DEFINE[evp_extra_test]=NO_FIPS_MODULE
@@ -347,13 +347,13 @@ IF[{- !$disabled{tests} -}]
   DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
 
   SOURCE[drbgtest]=drbgtest.c
-  INCLUDE[drbgtest]=../include ../apps/include ../crypto/include
+  INCLUDE[drbgtest]=../include ../apps/include
   DEPEND[drbgtest]=../libcrypto.a libtestutil.a
 
   SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data_ctr.c \
                          drbg_cavs_data_hash.c drbg_cavs_data_hmac.c
 
-  INCLUDE[drbg_cavs_test]=../include ../apps/include . .. ../crypto/include
+  INCLUDE[drbg_cavs_test]=../include ../apps/include . ..
   DEPEND[drbg_cavs_test]=../libcrypto libtestutil.a
 
   SOURCE[drbg_extra_test]=drbg_extra_test.c
@@ -401,7 +401,7 @@ IF[{- !$disabled{tests} -}]
   IF[{- !$disabled{shared} -}]
     PROGRAMS{noinst}=shlibloadtest
     SOURCE[shlibloadtest]=shlibloadtest.c
-    INCLUDE[shlibloadtest]=../include ../apps/include ../crypto/include
+    INCLUDE[shlibloadtest]=../include ../apps/include
   ENDIF
 
   # cipher_overhead_test uses internal symbols, so it must be linked with
@@ -516,19 +516,19 @@ IF[{- !$disabled{tests} -}]
     ENDIF
 
     SOURCE[poly1305_internal_test]=poly1305_internal_test.c
-    INCLUDE[poly1305_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[poly1305_internal_test]=.. ../include ../apps/include
     DEPEND[poly1305_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[chacha_internal_test]=chacha_internal_test.c
-    INCLUDE[chacha_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[chacha_internal_test]=.. ../include ../apps/include
     DEPEND[chacha_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[asn1_internal_test]=asn1_internal_test.c
-    INCLUDE[asn1_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[asn1_internal_test]=.. ../include ../apps/include
     DEPEND[asn1_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[modes_internal_test]=modes_internal_test.c
-    INCLUDE[modes_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[modes_internal_test]=.. ../include ../apps/include
     DEPEND[modes_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[x509_internal_test]=x509_internal_test.c
@@ -576,7 +576,7 @@ IF[{- !$disabled{tests} -}]
     DEPEND[ctype_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[sparse_array_test]=sparse_array_test.c
-    INCLUDE[sparse_array_test]=../crypto/include ../include ../apps/include
+    INCLUDE[sparse_array_test]=../include ../apps/include
     DEPEND[sparse_array_test]=../libcrypto.a libtestutil.a
 
     SOURCE[dhtest]=dhtest.c
@@ -588,15 +588,15 @@ IF[{- !$disabled{tests} -}]
     DEPEND[hmactest]=../libcrypto.a libtestutil.a
 
     SOURCE[siphash_internal_test]=siphash_internal_test.c
-    INCLUDE[siphash_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[siphash_internal_test]=.. ../include ../apps/include
     DEPEND[siphash_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[sm2_internal_test]=sm2_internal_test.c
-    INCLUDE[sm2_internal_test]=../include ../apps/include ../crypto/include
+    INCLUDE[sm2_internal_test]=../include ../apps/include
     DEPEND[sm2_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[sm4_internal_test]=sm4_internal_test.c
-    INCLUDE[sm4_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[sm4_internal_test]=.. ../include ../apps/include
     DEPEND[sm4_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[destest]=destest.c
@@ -616,7 +616,7 @@ IF[{- !$disabled{tests} -}]
     DEPEND[rc5test]=../libcrypto.a libtestutil.a
 
     SOURCE[ec_internal_test]=ec_internal_test.c
-    INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include ../crypto/include
+    INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include
     DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[curve448_internal_test]=curve448_internal_test.c
@@ -640,7 +640,7 @@ IF[{- !$disabled{tests} -}]
     DEPEND[bn_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[asn1_dsa_internal_test]=asn1_dsa_internal_test.c
-    INCLUDE[asn1_dsa_internal_test]=.. ../include ../apps/include ../crypto/include
+    INCLUDE[asn1_dsa_internal_test]=.. ../include ../apps/include
     DEPEND[asn1_dsa_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[keymgmt_internal_test]=keymgmt_internal_test.c

test/cmp_ctx_test.c

@@ -718,8 +718,8 @@ DEFINE_SET_CB_TEST(log_cb)
 DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, serverPath, char, IS_0)
 DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, serverName, char)
 DEFINE_SET_PORT_TEST(serverPort)
-DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxyName, char)
-DEFINE_SET_PORT_TEST(proxyPort)
+DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxy, char)
+DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, no_proxy, char)
 DEFINE_SET_CB_TEST(http_cb)
 DEFINE_SET_GET_P_VOID_TEST(http_cb_arg)
 DEFINE_SET_CB_TEST(transfer_cb)
@@ -803,8 +803,8 @@ int setup_tests(void)
     ADD_TEST(test_CTX_set1_get0_serverPath);
     ADD_TEST(test_CTX_set1_get0_serverName);
     ADD_TEST(test_CTX_set_get_serverPort);
-    ADD_TEST(test_CTX_set1_get0_proxyName);
-    ADD_TEST(test_CTX_set_get_proxyPort);
+    ADD_TEST(test_CTX_set1_get0_proxy);
+    ADD_TEST(test_CTX_set1_get0_no_proxy);
     ADD_TEST(test_CTX_set_get_http_cb);
     ADD_TEST(test_CTX_set_get_http_cb_arg);
     ADD_TEST(test_CTX_set_get_transfer_cb);

test/http_test.c

@@ -125,14 +125,14 @@ static int test_http_x509(int do_get)
     rcert = (X509 *)
         (do_get ?
          OSSL_HTTP_get_asn1("http://"SERVER":"PORT"/"RPATH,
-                            NULL /* proxy */, NULL /* proxy_port */,
+                            NULL /* proxy */, NULL /* no_proxy */,
                             wbio, rbio, NULL /* bio_update_fn */, NULL,
                             headers, 0 /* maxline */,
                             0 /* max_resp_len */, 0 /* timeout */,
                             "application/x-x509-ca-cert", x509_it)
          :
          OSSL_HTTP_post_asn1(SERVER, PORT, RPATH, 0 /* use_ssl */,
-                             NULL /* proxy */, NULL /* proxy_port */,
+                             NULL /* proxy */, NULL /* no_proxy */,
                              wbio, rbio, NULL /* bio_update_fn */, NULL,
                              headers, "application/x-x509-ca-cert",
                              (ASN1_VALUE *)x509, x509_it, 0 /* maxline */,

util/libcrypto.num

@@ -4757,8 +4757,8 @@ OSSL_CMP_CTX_print_errors               ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set1_serverPath            ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set1_serverName            ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set_serverPort             ?	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set1_proxyName             ?	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set_proxyPort              ?	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_proxy                 ?	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_no_proxy              ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set_http_cb                ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_set_http_cb_arg            ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_get_http_cb_arg            ?	3_0_0	EXIST::FUNCTION:CMP
@@ -4990,9 +4990,10 @@ OSSL_CMP_exec_CR_ses                    ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_P10CR_ses                 ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_KUR_ses                   ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_try_certreq                    ?	3_0_0	EXIST::FUNCTION:CMP
-OSSL_CMP_certConf_cb                    ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_RR_ses                    ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_exec_GENM_ses                  ?	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_certConf_cb                    ?	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_http_perform               ?	3_0_0	EXIST::FUNCTION:CMP
 EVP_PKEY_gen                            ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_set_rsa_keygen_bits        ?	3_0_0	EXIST::FUNCTION:RSA
 EVP_PKEY_CTX_set_rsa_keygen_pubexp      ?	3_0_0	EXIST::FUNCTION:RSA

util/missingcrypto.txt

@@ -909,7 +909,6 @@ OPENSSL_strnlen(3)
 OPENSSL_uni2asc(3)
 OPENSSL_uni2utf8(3)
 OPENSSL_utf82uni(3)
-OSSL_CMP_MSG_http_perform(3)
 OSSL_SERIALIZER-DH(7)
 OSSL_SERIALIZER-DSA(7)
 OSSL_SERIALIZER-EC(7)