Don't exclude quite so much in a no-sock build

We were excluding more code than we needed to in the OCSP/HTTP code in
the event of no-sock. We should also not assume that a BIO passed to our
API is socket based.

This fixes the no-sock build
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11134)

crypto/bio/b_sock.c

@@ -397,93 +397,8 @@ int BIO_socket_wait(int fd, int for_read, time_t max_time)
     FD_ZERO(&confds);
     openssl_fdset(fd, &confds);
     tv.tv_usec = 0;
-    tv.tv_sec = (long)(max_time - now); /* this might overflow */
+    tv.tv_sec = (long)(max_time - now); /* might overflow */
     return select(fd + 1, for_read ? &confds : NULL,
                   for_read ? NULL : &confds, NULL, &tv);
 }
-
-/*
- * Wait on BIO at most until max_time; succeed immediately if max_time == 0.
- * Returns -1 on error, 0 on timeout, and 1 on success.
- */
-static int bio_wait(BIO *bio, time_t max_time)
-{
-    int fd;
-
-    if (BIO_get_fd(bio, &fd) <= 0)
-        return -1;
-    return BIO_socket_wait(fd, BIO_should_read(bio), max_time);
-}
-
-/*
- * Wait on BIO at most until max_time; succeed immediately if max_time == 0.
- * Call BIOerr(...) unless success.
- * Returns -1 on error, 0 on timeout, and 1 on success.
- */
-int BIO_wait(BIO *bio, time_t max_time)
-{
-    int rv = bio_wait(bio, max_time);
-
-    if (rv <= 0)
-        BIOerr(0, rv == 0 ? BIO_R_TRANSFER_TIMEOUT : BIO_R_TRANSFER_ERROR);
-    return rv;
-}
-
-/*
- * Connect via the given BIO using BIO_do_connect() until success/timeout/error.
- * Parameter timeout == 0 means infinite, < 0 leads to immediate timeout error.
- * Returns -1 on error, 0 on timeout, and 1 on success.
- */
-int BIO_connect_retry(BIO *bio, int timeout)
-{
-    int blocking = timeout == 0;
-    time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
-    int rv;
-
-    if (bio == NULL) {
-        BIOerr(0, ERR_R_PASSED_NULL_PARAMETER);
-        return -1;
-    }
-
-    if (timeout < 0) {
-        BIOerr(0, BIO_R_CONNECT_TIMEOUT);
-        return 0;
-    }
-
-    if (!blocking)
-        BIO_set_nbio(bio, 1);
-
- retry: /* it does not help here to set SSL_MODE_AUTO_RETRY */
-    rv = BIO_do_connect(bio); /* This indirectly calls ERR_clear_error(); */
-
-    if (rv <= 0) {
-        if (get_last_sys_error() == ETIMEDOUT) {
-            /*
-             * if blocking, despite blocking BIO, BIO_do_connect() timed out
-             * when non-blocking, BIO_do_connect() timed out early
-             * with rv == -1 and get_last_sys_error() == 0
-             */
-            ERR_clear_error();
-            (void)BIO_reset(bio);
-            /*
-             * unless using BIO_reset(), blocking next connect() may crash and
-             * non-blocking next BIO_do_connect() will fail
-             */
-            goto retry;
-        } else if (BIO_should_retry(bio)) {
-            /* will not actually wait if timeout == 0 (i.e., blocking BIO) */
-            rv = bio_wait(bio, max_time);
-            if (rv > 0)
-                goto retry;
-            BIOerr(0, rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR);
-        } else {
-            rv = -1;
-            if (ERR_peek_error() == 0) /* missing error queue entry */
-                BIOerr(0, BIO_R_CONNECT_ERROR); /* workaround: general error */
-        }
-    }
-
-    return rv;
-}
-
 #endif /* !defined(OPENSSL_NO_SOCK) */

crypto/bio/bio_lib.c

@@ -784,3 +784,100 @@ void bio_cleanup(void)
     CRYPTO_THREAD_lock_free(bio_type_lock);
     bio_type_lock = NULL;
 }
+
+/* Internal variant of the below BIO_wait() not calling BIOerr() */
+static int bio_wait(BIO *bio, time_t max_time, unsigned int milliseconds)
+{
+    int fd;
+
+    if (max_time == 0)
+        return 1;
+
+#ifndef OPENSSL_NO_SOCK
+    if (BIO_get_fd(bio, &fd) > 0)
+        return BIO_socket_wait(fd, BIO_should_read(bio), max_time);
+#endif
+    if (milliseconds > 1000) {
+        long sec_diff = (long)(max_time - time(NULL)); /* might overflow */
+
+        if (sec_diff <= 0)
+            return 0; /* timeout */
+        if ((unsigned long)sec_diff < milliseconds / 1000)
+            milliseconds = (unsigned long)sec_diff * 1000;
+    }
+    ossl_sleep(milliseconds);
+    return 1;
+}
+
+/*
+ * Wait on (typically socket-based) BIO at most until max_time.
+ * Succeed immediately if max_time == 0. If sockets are not available succeed
+ * after waiting at most given milliseconds in order to avoid a tight busy loop.
+ * Call BIOerr(...) unless success.
+ * Returns -1 on error, 0 on timeout, and 1 on success.
+ */
+int BIO_wait(BIO *bio, time_t max_time, unsigned int milliseconds)
+{
+    int rv = bio_wait(bio, max_time, milliseconds);
+
+    if (rv <= 0)
+        BIOerr(0, rv == 0 ? BIO_R_TRANSFER_TIMEOUT : BIO_R_TRANSFER_ERROR);
+    return rv;
+}
+
+/*
+ * Connect via given BIO using BIO_do_handshake() until success/timeout/error.
+ * Parameter timeout == 0 means infinite, < 0 leads to immediate timeout error.
+ * Returns -1 on error, 0 on timeout, and 1 on success.
+ */
+int BIO_connect_retry(BIO *bio, int timeout)
+{
+    int blocking = timeout == 0;
+    time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
+    int rv;
+
+    if (bio == NULL) {
+        BIOerr(0, ERR_R_PASSED_NULL_PARAMETER);
+        return -1;
+    }
+
+    if (timeout < 0) {
+        BIOerr(0, BIO_R_CONNECT_TIMEOUT);
+        return 0;
+    }
+
+    if (!blocking)
+        BIO_set_nbio(bio, 1);
+
+ retry: /* it does not help here to set SSL_MODE_AUTO_RETRY */
+    rv = BIO_do_handshake(bio); /* This indirectly calls ERR_clear_error(); */
+
+    if (rv <= 0) {
+        if (get_last_sys_error() == ETIMEDOUT) {
+            /*
+             * if blocking, despite blocking BIO, BIO_do_handshake() timed out
+             * when non-blocking, BIO_do_handshake() timed out early
+             * with rv == -1 and get_last_sys_error() == 0
+             */
+            ERR_clear_error();
+            (void)BIO_reset(bio);
+            /*
+             * unless using BIO_reset(), blocking next connect() may crash and
+             * non-blocking next BIO_do_handshake() will fail
+             */
+            goto retry;
+        } else if (BIO_should_retry(bio)) {
+            /* will not actually wait if timeout == 0 (i.e., blocking BIO) */
+            rv = bio_wait(bio, max_time, 100 /* milliseconds */);
+            if (rv > 0)
+                goto retry;
+            BIOerr(0, rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR);
+        } else {
+            rv = -1;
+            if (ERR_peek_error() == 0) /* missing error queue entry */
+                BIOerr(0, BIO_R_CONNECT_ERROR); /* workaround: general error */
+        }
+    }
+
+    return rv;
+}

crypto/http/http_client.c

@@ -715,6 +715,7 @@ static BIO *HTTP_new_bio(const char *server, const char *server_port,
  end:
     return cbio;
 }
+#endif /* OPENSSL_NO_SOCK */
 
 static ASN1_VALUE *BIO_mem_d2i(BIO *mem, const ASN1_ITEM *it)
 {
@@ -744,7 +745,7 @@ static BIO *OSSL_HTTP_REQ_CTX_transfer(OSSL_HTTP_REQ_CTX *rctx)
         /* BIO_should_retry was true */
         sending = 0;
         /* will not actually wait if rctx->max_time == 0 */
-        if (BIO_wait(rctx->rbio, rctx->max_time) <= 0)
+        if (BIO_wait(rctx->rbio, rctx->max_time, 100 /* milliseconds */) <= 0)
             return NULL;
     }
 
@@ -840,8 +841,13 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
 
     if (bio != NULL)
         cbio = bio;
-    else if ((cbio = HTTP_new_bio(server, port, proxy, proxy_port)) == NULL)
+    else
+#ifndef OPENSSL_NO_SOCK
+        if ((cbio = HTTP_new_bio(server, port, proxy, proxy_port)) == NULL)
+            return NULL;
+#else
         return NULL;
+#endif
 
     (void)ERR_set_mark(); /* prepare removing any spurious libssl errors */
     if (rbio == NULL && BIO_connect_retry(cbio, timeout) <= 0)
@@ -1106,9 +1112,9 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
     char *mbuf = OPENSSL_malloc(BUF_SIZE);
     char *mbufp;
     int read_len = 0;
-    int rv;
     int ret = 0;
     BIO *fbio = BIO_new(BIO_f_buffer());
+    int rv;
     time_t max_time = timeout > 0 ? time(NULL) + timeout : 0;
 
     if (bio == NULL || server == NULL || port == NULL
@@ -1168,7 +1174,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
 
     for (;;) {
         /* will not actually wait if timeout == 0 */
-        rv = BIO_wait(fbio, max_time);
+        rv = BIO_wait(fbio, max_time, 100 /* milliseconds */);
         if (rv <= 0) {
             BIO_printf(bio_err, "%s: HTTP CONNECT %s\n", prog,
                        rv == 0 ? "timed out" : "failed waiting for data");
@@ -1238,4 +1244,3 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
 # undef BUF_SIZE
 }
 
-#endif /* !defined(OPENSSL_NO_SOCK) */

crypto/http/http_local.h

@@ -22,9 +22,7 @@ typedef OCSP_REQ_CTX OSSL_HTTP_REQ_CTX;
 # define OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_add1_header
 # define OSSL_HTTP_REQ_CTX_i2d         OCSP_REQ_CTX_i2d
 # define OSSL_HTTP_REQ_CTX_nbio        OCSP_REQ_CTX_nbio
-# ifndef OPENSSL_NO_SOCK
-#  define OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio_d2i
-# endif
+# define OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio_d2i
 /* functions that are meanwhile unused */
 # define OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_REQ_CTX_get0_mem_bio /* undoc'd */
 # define OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_set_max_response_length

crypto/ocsp/ocsp_http.c

@@ -35,7 +35,6 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
     return res;
 }
 
-# ifndef OPENSSL_NO_SOCK
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
 {
     *presp = (OCSP_RESPONSE *)
@@ -60,6 +59,4 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
 
     return rv == 1 ? resp : NULL;
 }
-# endif /* !defined(OPENSSL_NO_SOCK) */
-
 #endif /* !defined(OPENSSL_NO_OCSP) */

doc/man3/BIO_socket_wait.pod

@@ -11,8 +11,10 @@ BIO_connect_retry
 
  #include <openssl/bio.h>
 
+ #ifndef OPENSSL_NO_SOCK
  int BIO_socket_wait(int fd, int for_read, time_t max_time);
- int BIO_wait(BIO *bio, time_t max_time);
+ #endif
+ int BIO_wait(BIO *bio, time_t max_time, unsigned int milliseconds);
  int BIO_connect_retry(BIO *bio, long timeout);
 
 =head1 DESCRIPTION
@@ -21,9 +23,12 @@ BIO_socket_wait() waits on the socket B<fd> for reading if B<for_read> is not 0,
 else for writing, at most until B<max_time>.
 It succeeds immediately if B<max_time> == 0 (which means no timeout given).
 
-BIO_wait() waits on the socket underlying the given B<bio>, for reading if
-B<bio> is supposed to read, else for writing, at most until B<max_time>.
+BIO_wait() waits at most until B<max_time> on the given B<bio>,
+which is typically socket-based,
+for reading if B<bio> is supposed to read, else for writing.
 It succeeds immediately if B<max_time> == 0 (which means no timeout given).
+If sockets are not available it succeeds after waiting at most given
+B<milliseconds> in order to help avoiding a tight busy loop at the caller.
 
 BIO_connect_retry() connects via the given B<bio>, retrying BIO_do_connect()
 until success or a timeout or error condition is reached.

include/internal/cryptlib.h

@@ -198,4 +198,41 @@ const void *ossl_bsearch(const void *key, const void *base, int num,
                          int size, int (*cmp) (const void *, const void *),
                          int flags);
 
+/* system-specific variants defining ossl_sleep() */
+#ifdef OPENSSL_SYS_UNIX
+# include <unistd.h>
+static ossl_inline void ossl_sleep(unsigned long millis)
+{
+# ifdef OPENSSL_SYS_VXWORKS
+    struct timespec ts;
+    ts.tv_sec = (long int) (millis / 1000);
+    ts.tv_nsec = (long int) (millis % 1000) * 1000000ul;
+    nanosleep(&ts, NULL);
+# else
+    usleep(millis * 1000);
+# endif
+}
+#elif defined(_WIN32)
+# include <windows.h>
+static ossl_inline void ossl_sleep(unsigned long millis)
+{
+    Sleep(millis);
+}
+#else
+/* Fallback to a busy wait */
+static ossl_inline void ossl_sleep(unsigned long millis)
+{
+    struct timeval start, now;
+    unsigned long elapsedms;
+
+    gettimeofday(&start, NULL);
+    do {
+        gettimeofday(&now, NULL);
+        elapsedms = (((now.tv_sec - start.tv_sec) * 1000000)
+                     + now.tv_usec - start.tv_usec) / 1000;
+    } while (elapsedms < millis);
+}
+#endif /* defined OPENSSL_SYS_UNIX */
+
+
 #endif

include/openssl/bio.h

@@ -662,9 +662,9 @@ int BIO_dgram_sctp_msg_waiting(BIO *b);
 int BIO_sock_should_retry(int i);
 int BIO_sock_non_fatal_error(int error);
 int BIO_socket_wait(int fd, int for_read, time_t max_time);
-int BIO_wait(BIO *bio, time_t max_time);
-int BIO_connect_retry(BIO *bio, int timeout);
 # endif
+int BIO_wait(BIO *bio, time_t max_time, unsigned int milliseconds);
+int BIO_connect_retry(BIO *bio, int timeout);
 
 int BIO_fd_should_retry(int i);
 int BIO_fd_non_fatal_error(int error);

include/openssl/http.h

@@ -24,7 +24,7 @@ extern "C" {
 # endif
 
 typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail);
-# ifndef OPENSSL_NO_SOCK
+
 BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
                    BIO *bio, BIO *rbio,
                    OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
@@ -62,7 +62,7 @@ BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
 int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
                             const char *proxyuser, const char *proxypass,
                             int timeout, BIO *bio_err, const char *prog);
-# endif
+
 int OSSL_HTTP_parse_url(const char *url, char **phost, char **pport,
                         char **ppath, int *pssl);
 

include/openssl/ocsp.h

@@ -68,9 +68,7 @@ int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
 int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type,
                      const ASN1_ITEM *it, ASN1_VALUE *req);
 int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx);
-# ifndef OPENSSL_NO_SOCK
 ASN1_VALUE *OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it);
-# endif
 BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx);
 void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len);
 /* End of functions used only internally */
@@ -187,9 +185,7 @@ DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID)
 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req);
 OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
                                int maxline);
-#  ifndef OPENSSL_NO_SOCK
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-#  endif
 
 /* TODO: remove this (documented but) meanwhile obsolete function? */
 int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);

test/ssltestlib.c

@@ -10,53 +10,21 @@
 #include <string.h>
 
 #include "internal/nelem.h"
+#include "internal/cryptlib.h" /* for ossl_sleep() */
 #include "ssltestlib.h"
 #include "testutil.h"
 #include "e_os.h"
 
 #ifdef OPENSSL_SYS_UNIX
 # include <unistd.h>
-#ifndef OPENSSL_NO_KTLS
-# include <netinet/in.h>
-# include <netinet/in.h>
-# include <arpa/inet.h>
-# include <sys/socket.h>
-# include <unistd.h>
-# include <fcntl.h>
-#endif
-
-static ossl_inline void ossl_sleep(unsigned int millis)
-{
-# ifdef OPENSSL_SYS_VXWORKS
-    struct timespec ts;
-    ts.tv_sec = (long int) (millis / 1000);
-    ts.tv_nsec = (long int) (millis % 1000) * 1000000ul;
-    nanosleep(&ts, NULL);
-# else
-    usleep(millis * 1000);
+# ifndef OPENSSL_NO_KTLS
+#  include <netinet/in.h>
+#  include <netinet/in.h>
+#  include <arpa/inet.h>
+#  include <sys/socket.h>
+#  include <unistd.h>
+#  include <fcntl.h>
 # endif
-}
-#elif defined(_WIN32)
-# include <windows.h>
-
-static ossl_inline void ossl_sleep(unsigned int millis)
-{
-    Sleep(millis);
-}
-#else
-/* Fallback to a busy wait */
-static ossl_inline void ossl_sleep(unsigned int millis)
-{
-    struct timeval start, now;
-    unsigned int elapsedms;
-
-    gettimeofday(&start, NULL);
-    do {
-        gettimeofday(&now, NULL);
-        elapsedms = (((now.tv_sec - start.tv_sec) * 1000000)
-                     + now.tv_usec - start.tv_usec) / 1000;
-    } while (elapsedms < millis);
-}
 #endif
 
 static int tls_dump_new(BIO *bi);

util/libcrypto.num

@@ -615,7 +615,7 @@ UI_get0_result_string                   629	3_0_0	EXIST::FUNCTION:
 TS_RESP_CTX_add_policy                  630	3_0_0	EXIST::FUNCTION:TS
 X509_REQ_dup                            631	3_0_0	EXIST::FUNCTION:
 d2i_DSA_PUBKEY_fp                       633	3_0_0	EXIST::FUNCTION:DSA,STDIO
-OCSP_REQ_CTX_nbio_d2i                   634	3_0_0	EXIST::FUNCTION:SOCK
+OCSP_REQ_CTX_nbio_d2i                   634	3_0_0	EXIST::FUNCTION:
 d2i_X509_REQ_fp                         635	3_0_0	EXIST::FUNCTION:STDIO
 DH_OpenSSL                              636	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 BN_get_rfc3526_prime_8192               637	3_0_0	EXIST::FUNCTION:DH
@@ -3615,7 +3615,7 @@ EVP_CIPHER_CTX_encrypting               3694	3_0_0	EXIST::FUNCTION:
 EC_KEY_can_sign                         3695	3_0_0	EXIST::FUNCTION:EC
 PEM_write_bio_RSAPublicKey              3696	3_0_0	EXIST::FUNCTION:RSA
 X509_CRL_set1_lastUpdate                3697	3_0_0	EXIST::FUNCTION:
-OCSP_sendreq_nbio                       3698	3_0_0	EXIST::FUNCTION:OCSP,SOCK
+OCSP_sendreq_nbio                       3698	3_0_0	EXIST::FUNCTION:OCSP
 PKCS8_encrypt                           3699	3_0_0	EXIST::FUNCTION:
 i2d_PKCS7_fp                            3700	3_0_0	EXIST::FUNCTION:STDIO
 i2d_X509_REQ                            3701	3_0_0	EXIST::FUNCTION:
@@ -4919,15 +4919,15 @@ EVP_PKEY_pairwise_check                 ?	3_0_0	EXIST::FUNCTION:
 ASN1_item_verify_ctx                    ?	3_0_0	EXIST::FUNCTION:
 RAND_DRBG_set_callback_data             ?	3_0_0	EXIST::FUNCTION:
 RAND_DRBG_get_callback_data             ?	3_0_0	EXIST::FUNCTION:
-BIO_wait                                ?	3_0_0	EXIST::FUNCTION:SOCK
 BIO_socket_wait                         ?	3_0_0	EXIST::FUNCTION:SOCK
-BIO_connect_retry                       ?	3_0_0	EXIST::FUNCTION:SOCK
+BIO_wait                                ?	3_0_0	EXIST::FUNCTION:
+BIO_connect_retry                       ?	3_0_0	EXIST::FUNCTION:
 ERR_load_HTTP_strings                   ?	3_0_0	EXIST::FUNCTION:
-OSSL_HTTP_get                           ?	3_0_0	EXIST::FUNCTION:SOCK
-OSSL_HTTP_get_asn1                      ?	3_0_0	EXIST::FUNCTION:SOCK
-OSSL_HTTP_post_asn1                     ?	3_0_0	EXIST::FUNCTION:SOCK
-OSSL_HTTP_transfer                      ?	3_0_0	EXIST::FUNCTION:SOCK
-OSSL_HTTP_proxy_connect                 ?	3_0_0	EXIST::FUNCTION:SOCK
+OSSL_HTTP_get                           ?	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_get_asn1                      ?	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_post_asn1                     ?	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_transfer                      ?	3_0_0	EXIST::FUNCTION:
+OSSL_HTTP_proxy_connect                 ?	3_0_0	EXIST::FUNCTION:
 ERR_add_error_txt                       ?	3_0_0	EXIST::FUNCTION:
 ERR_add_error_mem_bio                   ?	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_print_verify_cb          ?	3_0_0	EXIST::FUNCTION: