authorRich Salz <rsalz@akamai.com>2020-12-26 10:21:41 -0500
committerRichard Levitte <levitte@openssl.org>2021-01-19 11:13:15 +0100
commit83b6dc8dc739ce7ca82652461bea92c31e634a57 (patch)
treee2bf6b2f26ffbd21f17b5638dc4d3eaf20cb8b49
parentfee0af0863dff8d13b09cd59af0afbd7e4ae2d57 (diff)
Deprecate OCSP_xxx API for OSSL_HTTP_xxx
Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes #12234 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13742)
-rw-r--r--CHANGES.md15
-rw-r--r--crypto/http/http_local.h14
-rw-r--r--crypto/ocsp/ocsp_http.c21
-rw-r--r--doc/man3/OCSP_sendreq_new.pod134
-rw-r--r--doc/man3/OSSL_HTTP_REQ_CTX.pod183
-rw-r--r--include/openssl/http.h21
-rw-r--r--include/openssl/ocsp.h.in55
-rw-r--r--include/openssl/types.h2
-rw-r--r--util/indent.pro2
-rw-r--r--util/libcrypto.num18
-rw-r--r--util/missingcrypto.txt10
-rw-r--r--util/other.syms5
12 files changed, 334 insertions, 146 deletions
diff --git a/CHANGES.md b/CHANGES.md
index ac0b22c6fb..cd093491be 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,21 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
+ OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
+ OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
+ OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These
+ were used to collect all necessary data to form a HTTP request, and to
+ perform the HTTP transfer with that request. With OpenSSL 3.0, the
+ type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced
+ with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(),
+ OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(),
+ OSSL_HTTP_REQ_CTX_i2d(), OSSL_HTTP_REQ_CTX_nbio(),
+ OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and
+ OSSL_HTTP_REQ_CTX_set_max_response_length().
+
+ *Rich Salz and Richard Levitte*
+
* Validation of SM2 keys has been separated from the validation of regular EC
keys, allowing to improve the SM2 validation process to reject loaded private
keys that are not conforming to the SM2 ISO standard.
diff --git a/crypto/http/http_local.h b/crypto/http/http_local.h
index 729d24e47f..d98dc54e1f 100644
--- a/crypto/http/http_local.h
+++ b/crypto/http/http_local.h
@@ -13,20 +13,6 @@
# include <openssl/ocsp.h>
-/* name aliases for legacy names with name prefix "OCSP_" */
-typedef OCSP_REQ_CTX OSSL_HTTP_REQ_CTX;
-/* functions meanwhile only used internally */
-# define OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_new
-# define OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_free
-# define OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_http
-# define OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_add1_header
-# define OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_i2d
-# define OSSL_HTTP_REQ_CTX_nbio OCSP_REQ_CTX_nbio
-# define OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio_d2i
-/* functions that are meanwhile unused */
-# define OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_REQ_CTX_get0_mem_bio /* undoc'd */
-# define OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_set_max_response_length
-
BIO *HTTP_asn1_item2bio(const ASN1_ITEM *it, const ASN1_VALUE *val);
OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy,
const char *server, const char *port,
diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c
index eae6107dff..c5508698c8 100644
--- a/crypto/ocsp/ocsp_http.c
+++ b/crypto/ocsp/ocsp_http.c
@@ -14,19 +14,20 @@
#ifndef OPENSSL_NO_OCSP
# ifndef OPENSSL_NO_DEPRECATED_3_0
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req)
+int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req)
{
- return OCSP_REQ_CTX_i2d(rctx, "application/ocsp-request",
- ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req);
+ return OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request",
+ ASN1_ITEM_rptr(OCSP_REQUEST),
+ (ASN1_VALUE *)req);
}
# endif
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
- int maxline)
+OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
+ OCSP_REQUEST *req, int maxline)
{
BIO *req_mem = HTTP_asn1_item2bio(ASN1_ITEM_rptr(OCSP_REQUEST),
(ASN1_VALUE *)req);
- OCSP_REQ_CTX *res =
+ OSSL_HTTP_REQ_CTX *res =
HTTP_REQ_CTX_new(io, io, 0 /* no HTTP proxy used */, NULL, NULL, path,
NULL /* headers */, "application/ocsp-request",
req_mem /* may be NULL */,
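Review bot: OCSP_sendreq_new() cannot tell a caller-supplied NULL req apart from a failed encoding: HTTP_asn1_item2bio() yields NULL in both cases, and req_mem is then passed to HTTP_REQ_CTX_new() annotated `may be NULL`, so an encoding failure produces a context that will POST with no OCSP request body instead of reporting an error. The function body continues past the hunk; unless a check exists there, consider `if (req != NULL && req_mem == NULL) return NULL;` between the HTTP_asn1_item2bio() and HTTP_REQ_CTX_new() calls. The gap is pre-existing, but the signature is rewritten here and the updated OCSP_sendreq_new.pod in this commit states that NULL is returned if an error occurred.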
@@ -37,17 +38,17 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
return res;
}
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx)
{
*presp = (OCSP_RESPONSE *)
- OCSP_REQ_CTX_nbio_d2i(rctx, ASN1_ITEM_rptr(OCSP_RESPONSE));
+ OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, ASN1_ITEM_rptr(OCSP_RESPONSE));
return *presp != NULL;
}
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
{
OCSP_RESPONSE *resp = NULL;
- OCSP_REQ_CTX *ctx;
+ OSSL_HTTP_REQ_CTX *ctx;
int rv;
ctx = OCSP_sendreq_new(b, path, req, -1 /* default max resp line length */);
@@ -57,7 +58,7 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
rv = OCSP_sendreq_nbio(&resp, ctx);
/* this indirectly calls ERR_clear_error(): */
- OCSP_REQ_CTX_free(ctx);
+ OSSL_HTTP_REQ_CTX_free(ctx);
return rv == 1 ? resp : NULL;
}
diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod
index 0f9d1339c9..6e346bdd44 100644
--- a/doc/man3/OCSP_sendreq_new.pod
+++ b/doc/man3/OCSP_sendreq_new.pod
@@ -4,11 +4,11 @@
OCSP_sendreq_new,
OCSP_sendreq_nbio,
-OCSP_REQ_CTX_free,
-OCSP_set_max_response_length,
-OCSP_REQ_CTX_add1_header,
OCSP_sendreq_bio,
OCSP_REQ_CTX_i2d,
+OCSP_REQ_CTX_add1_header,
+OCSP_REQ_CTX_free,
+OCSP_set_max_response_length,
OCSP_REQ_CTX_set1_req
- OCSP responder query functions
@@ -16,104 +16,78 @@ OCSP_REQ_CTX_set1_req
#include <openssl/ocsp.h>
- OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
- OCSP_REQUEST *req, int maxline);
-
- int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-
- void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-
- void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx,
- unsigned long len);
+ OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
+ OCSP_REQUEST *req, int maxline);
- int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value);
+ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx);
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req);
- int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type,
- const ASN1_ITEM *it, ASN1_VALUE *req);
-
Deprecated since OpenSSL 3.0, can be hidden entirely by defining
B<OPENSSL_API_COMPAT> with a suitable version value, see
L<openssl_user_macros(7)>:
+ int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const char *content_type,
+ const ASN1_ITEM *it, ASN1_VALUE *req);
+ int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx,
+ const char *name, const char *value);
+ void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
+ void OCSP_set_max_response_length(OCSP_REQ_CT *rctx,
+ unsigned long len);
int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);
=head1 DESCRIPTION
-The function OCSP_sendreq_new() returns an B<OCSP_CTX> structure using the
-responder B<io>, the URL path B<path>, the OCSP request B<req> and with a
-response header maximum line length of B<maxline>. If B<maxline> is zero a
-default value of 4k is used. The OCSP request B<req> may be set to B<NULL>
-and provided later if required.
-
-OCSP_sendreq_nbio() performs I/O on the OCSP request context B<rctx>.
-When the operation is complete it returns the response in B<*presp>.
-
-OCSP_REQ_CTX_free() frees up the OCSP context B<rctx>.
+These functions perform an OCSP request / response transfer over HTTP, using
+the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
-OCSP_set_max_response_length() sets the maximum response length
-for B<rctx> to B<len>. If the response exceeds this length an error occurs.
-If not set a default value of 100k is used.
+The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX>
+structure using connection B<BIO> I<io>, the URL path I<path>, the OCSP
+request I<req> and with a response header maximum line length of I<maxline>.
+If I<maxline> is zero a default value of 4k is used. The OCSP request I<req>
+may be set to NULL and provided later with L<OSSL_HTTP_REQ_CTX_i2d(3)> if
+required.
-OCSP_REQ_CTX_add1_header() adds header B<name> with value B<value> to the
-context B<rctx>. It can be called more than once to add multiple headers.
-It B<MUST> be called before any calls to OCSP_sendreq_nbio(). The B<req>
-parameter in the initial to OCSP_sendreq_new() call MUST be set to B<NULL> if
-additional headers are set.
+The I<io> and I<path> arguments to OCSP_sendreq_new() correspond to the
+components of the URL.
+For example if the responder URL is C<http://example.com/ocspreq> the BIO
+I<io> should be connected to host C<example.com> on port 80 and I<path>
+should be set to C</ocspreq>.
-OCSP_sendreq_bio() performs an OCSP request using the responder B<io>, the URL
-path B<path>, the OCSP request B<req> and with a response header maximum line
-length 4k. It waits indefinitely on a response.
+OCSP_sendreq_nbio() performs I/O on the OCSP request context I<rctx>.
+When the operation is complete it assigns the response, a pointer to a
+B<OCSP_RESPONSE> structure, in I<*presp>.
-OCSP_REQ_CTX_i2d() sets the request context B<rctx> to have the request
-B<req>, which has the ASN.1 type B<it>.
-The B<content_type>, if not NULL, will be included in the HTTP request.
-The function should be called after all other headers have already been added.
+OCSP_sendreq_bio() is the same as a call to OCSP_sendreq_new() followed by
+OCSP_sendreq_nbio() and then OCSP_REQ_CTX_free() in a single call, with a
+response header maximum line length 4k. It waits indefinitely on a response.
+It does not support setting a timeout or adding headers and is retained
+for compatibility; use OCSP_sendreq_nbio() instead.
OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:
- OCSP_REQ_CTX_i2d(rctx, "application/ocsp-request",
- ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req)
+ OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request",
+ ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req)
+
+The other deprecated type and functions have been superseded by the
+following equivalents:
+B<OCSP_REQ_CTX> by L<OSSL_HTTP_REQ_CTX(3)>,
+OCSP_REQ_CTX_i2d() by L<OSSL_HTTP_REQ_CTX_i2d(3)>,
+OCSP_REQ_CTX_add1_header() by L<OSSL_HTTP_REQ_CTX_add1_header(3)>,
+OCSP_REQ_CTX_free() by L<OSSL_HTTP_REQ_CTX_free(3)>, and
+OCSP_set_max_response_length() by
+L<OSSL_HTTP_REQ_CTX_set_max_response_length(3)>.
=head1 RETURN VALUES
-OCSP_sendreq_new() returns a valid B<OCSP_REQ_CTX> structure or B<NULL>
+OCSP_sendreq_new() returns a valid B<OSSL_HTTP_REQ_CTX> structure or NULL
if an error occurred.
-OCSP_sendreq_nbio(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_i2d(),
-and OCSP_REQ_CTX_set1_req()
-return B<1> for success and B<0> for failure.
+OCSP_sendreq_nbio(), OCSP_REQ_CTX_i2d(), and OCSP_REQ_CTX_set1_req()
+return 1 for success and 0 for failure.
OCSP_sendreq_bio() returns the B<OCSP_RESPONSE> structure sent by the
-responder or B<NULL> if an error occurred.
-
-OCSP_REQ_CTX_free() and OCSP_set_max_response_length()
-do not return values.
-
-=head1 NOTES
-
-These functions only perform a minimal HTTP query to a responder. If an
-application wishes to support more advanced features it should use an
-alternative more complete HTTP library.
-
-Currently only HTTP POST queries to responders are supported.
-
-The arguments to OCSP_sendreq_new() correspond to the components of the URL.
-For example if the responder URL is B<http://ocsp.com/ocspreq> the BIO
-B<io> should be connected to host B<ocsp.com> on port 80 and B<path>
-should be set to B<"/ocspreq">
-
-The headers added with OCSP_REQ_CTX_add1_header() are of the form
-"B<name>: B<value>" or just "B<name>" if B<value> is B<NULL>. So to add
-a Host header for B<ocsp.com> you would call:
-
- OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
-
-OCSP_sendreq_bio() does not support timeout nor setting extra headers.
-It is retained for compatibility.
-Better use B<OCSP_sendreq_nbio()> instead.
+responder or NULL if an error occurred.
=head1 SEE ALSO
@@ -126,11 +100,17 @@ L<OCSP_response_status(3)>
=head1 HISTORY
-The OCSP_REQ_CTX_set1_req() function was deprecated in OpenSSL 3.0.
+B<OCSP_REQ_CTX>,
+OCSP_REQ_CTX_i2d(),
+OCSP_REQ_CTX_add1_header(),
+OCSP_REQ_CTX_free(),
+OCSP_set_max_response_length(),
+and OCSP_REQ_CTX_set1_req()
+were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod
new file mode 100644
index 0000000000..b75bac5f8c
--- /dev/null
+++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod
@@ -0,0 +1,183 @@
+=pod
+
+=head1 NAME
+
+OSSL_HTTP_REQ_CTX,
+OSSL_HTTP_REQ_CTX_new,
+OSSL_HTTP_REQ_CTX_free,
+OSSL_HTTP_REQ_CTX_header,
+OSSL_HTTP_REQ_CTX_add1_header,
+OSSL_HTTP_REQ_CTX_i2d,
+OSSL_HTTP_REQ_CTX_nbio,
+OSSL_HTTP_REQ_CTX_sendreq_d2i,
+OSSL_HTTP_REQ_CTX_get0_mem_bio,
+OSSL_HTTP_REQ_CTX_set_max_response_length
+- HTTP request functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/http.h>
+
+ typedef struct ossl_http_req_ctx_st OSSL_HTTP_REQ_CTX;
+
+ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio,
+ int method_GET, int maxline,
+ unsigned long max_resp_len,
+ int timeout,
+ const char *expected_content_type,
+ int expect_asn1);
+ void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx);
+
+ int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx,
+ const char *server,
+ const char *port, const char *path);
+ int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx,
+ const char *name, const char *value);
+
+ int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type,
+ const ASN1_ITEM *it, ASN1_VALUE *req);
+ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx);
+ ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx,
+ const ASN1_ITEM *it);
+
+ BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx);
+ void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx,
+ unsigned long len);
+
+=head1 DESCRIPTION
+
+B<OSSL_HTTP_REQ_CTX> is a context structure for an HTTP request, used to
+collect all the necessary data to perform that request.
+
+This file documents low-level HTTP functions rarely used directly. High-level
+HTTP client functions like L<OSSL_HTTP_get(3)> and L<OSSL_HTTP_transfer(3)>
+should be preferred.
+
+OSSL_HTTP_REQ_CTX_new() allocates a new HTTP request context structure, which
+gets populated with the B<BIO> to send the request to (I<wbio>), the B<BIO> to
+read the response from (I<rbio>, which may be the same as I<wbio>), the
+request method (I<method_GET>, which may be 1 to indicate that the C<GET>
+method is to be used, or 0 to indicate that the C<POST> method is to be used),
+the maximum expected response header length (I<max_resp_len>, where any zero
+or less indicates the default of 4KiB), a response timeout measure in seconds
+(I<timeout>, where 0 indicates no timeout, i.e., waiting indefinitely), the
+expected MIME content type of the response (I<expected_content_type>, which
+may be NULL for no expectation), and a flag indicating that the response is
+expected to be a DER encoded ASN.1 structure (I<expect_asn1>).
+The allocated context structure is also populated with an internal allocated
+memory B<BIO>, which collects the HTTP request and additional headers as text.
+The returned context should only be used for a single HTTP request/response.
+
+OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I<rctx>.
+The I<wbio> and I<rbio> are not free'd and it is up to the application
+to do so.
+
+OSSL_HTTP_REQ_CTX_header() adds an HTTP request line to the request context.
+The request command itself becomes C<GET> or C<POST> depending on the value
+of I<method_GET> in the OSSL_HTTP_REQ_CTX_new() call. I<server> and I<port>
+may be set to indicate a proxy server and port that the request should go
+through, otherwise they should be left NULL. I<path> is the HTTP request path;
+if left NULL, C</> is used.
+
+OSSL_HTTP_REQ_CTX_add1_header() adds header I<name> with value I<value> to the
+context I<rctx>. It can be called more than once to add multiple headers.
+For example, to add a C<Host> header for C<example.com> you would call:
+
+ OSSL_HTTP_REQ_CTX_add1_header(ctx, "Host", "example.com");
+
+OSSL_HTTP_REQ_CTX_i2d() finalizes the HTTP request context by adding the DER
+encoding of I<req>, using the ASN.1 template I<it> to do the encoding. The
+HTTP header C<Content-Length> is automatically filled out, and if
+I<content_type> isn't NULL, the HTTP header C<Content-Type> is also added with
+its content as value. All of this ends up in the internal memory B<BIO>.
+This requires that the request type be C<POST>, i.e. that I<method_GET> is 0
+in the OSSL_HTTP_REQ_CTX_new() call.
+
+OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP,
+using the I<rbio> and I<wbio> that were given in the OSSL_HTTP_REQ_CTX_new()
+call. When successful, the contents of the internal memory B<BIO> is replaced
+with the contents of the HTTP response, without the response headers.
+It may need to be called again if its result is -1, which indicates
+L<BIO_should_retry(3)>. In such a case it is advisable to sleep a little in
+between to prevent a busy loop.
+
+OSSL_HTTP_REQ_CTX_sendreq_d2i() calls OSSL_HTTP_REQ_CTX_nbio(), possibly
+several times until a timeout is reached, and DER decodes the received
+response using the ASN.1 template I<it>.
+
+OSSL_HTTP_REQ_CTX_set_max_response_length() sets the maximum response length
+for I<rctx> to I<len>. If the response exceeds this length an error occurs.
+If not set a default value of 100k is used.
+
+OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B<BIO>. This can
+be used to affect the HTTP request text. I<Use with caution!>
+
+=head1 WARNINGS
+
+The server's response may be unexpected if the hostname that was used to
+create the I<wbio>, any C<Host> header, and the host specified in the
+request URL do not match.
+
+Many of these functions must be called in a certain order.
+
+First, the HTTP request context must be allocated:
+OSSL_HTTP_REQ_CTX_new().
+
+Then, the HTTP request must be prepared with request data:
+
+=over 4
+
+=item 1.
+
+Calling OSSL_HTTP_REQ_CTX_header(). This must be done exactly once.
+
+=item 2.
+
+Adding extra headers with OSSL_HTTP_REQ_CTX_add1_header(). This is optional.
+
+=item 3.
+
+Add C<POST> data with OSSL_HTTP_REQ_CTX_i2d(). This may only be done if
+I<method_GET> was 0 in the OSSL_HTTP_REQ_CTX_new() call, and must be done
+exactly once in that case.
+
+=back
+
+When the request context is fully prepared, the HTTP exchange may be performed
+with OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i().
+
+Furthermore, all calls of OSSL_HTTP_REQ_CTX_header() and
+OSSL_HTTP_REQ_CTX_add1_header() must be done before any call to
+int OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i().
+
+=head1 RETURN VALUES
+
+OSSL_HTTP_REQ_CTX_new() returns a pointer to a B<OSSL_HTTP_REQ_CTX>, or NULL
+on error.
+
+OSSL_HTTP_REQ_CTX_free() and OSSL_HTTP_REQ_CTX_set_max_response_length()
+do not return values.
+
+OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(),
+OSSL_HTTP_REQ_CTX_i2d() and OSSL_HTTP_REQ_CTX_nbio return 1 for success and 0
+for failure.
+
+OSSL_HTTP_REQ_CTX_sendreq_d2i() returns a pointer to an B<ASN1_VALUE> for
+success and NULL for failure.
+
+OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B<BIO>.
+
+=head1 SEE ALSO
+
+L<OSSL_HTTP_transfer(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/include/openssl/http.h b/include/openssl/http.h
index 2c9ce9d86e..0bd32e514e 100644
--- a/include/openssl/http.h
+++ b/include/openssl/http.h
@@ -35,6 +35,27 @@ typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail)
# define OPENSSL_HTTP_PROXY "HTTP_PROXY"
# define OPENSSL_HTTPS_PROXY "HTTPS_PROXY"
+OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio,
+ int method_GET, int maxline,
+ unsigned long max_resp_len,
+ int timeout,
+ const char *expected_content_type,
+ int expect_asn1);
+void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx);
+int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx,
+ const char *server,
+ const char *port, const char *path);
+int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx,
+ const char *name, const char *value);
+int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type,
+ const ASN1_ITEM *it, ASN1_VALUE *req);
+int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx);
+ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx,
+ const ASN1_ITEM *it);
+BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx);
+void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx,
+ unsigned long len);
+
BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
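Review bot: The newly published OSSL_HTTP_REQ_CTX_i2d() prototype takes `ASN1_VALUE *req` without const, even though HTTP_asn1_item2bio() in http_local.h (a context line of this commit) accepts `const ASN1_VALUE *val`; the only caller on this page, OCSP_REQ_CTX_set1_req() in ocsp_http.c, has to cast a `const OCSP_REQUEST *` to `(ASN1_VALUE *)` to satisfy it. If the implementation merely forwards req to HTTP_asn1_item2bio() (not shown here), the declaration can become `int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, const ASN1_ITEM *it, const ASN1_VALUE *req);` before this signature is frozen as 3.0 public API, and the cast in OCSP_REQ_CTX_set1_req() can be dropped. The same non-const form is repeated in the synopsis of the new OSSL_HTTP_REQ_CTX.pod and would need the matching change.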
diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in
index 8422ecf451..c3a0b0e267 100644
--- a/include/openssl/ocsp.h.in
+++ b/include/openssl/ocsp.h.in
@@ -23,7 +23,8 @@ use OpenSSL::stackhash qw(generate_stack_macros);
# endif
# include <openssl/opensslconf.h>
-# include <openssl/http.h> /* for OSSL_HTTP_parse_url */
+# include <openssl/http.h>
+# include <openssl/asn1.h>
/*
* These definitions are outside the OPENSSL_NO_OCSP guard because although for
@@ -56,30 +57,6 @@ use OpenSSL::stackhash qw(generate_stack_macros);
# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9
# define OCSP_REVOKED_STATUS_AACOMPROMISE 10
-/*
- * These definitions are outside the OPENSSL_NO_OCSP guard because although for
- * historical reasons they have OCSP_* names, they are used for the HTTP client.
- */
-# include <openssl/asn1.h>
-/* The following functions are used only internally */
-OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *wbio, BIO *rbio,
- int method_GET, int maxline,
- unsigned long max_resp_len, int timeout,
- const char *expected_content_type,
- int expect_asn1);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx,
- const char *server, const char *port, const char *path);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value);
-int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type,
- const ASN1_ITEM *it, ASN1_VALUE *req);
-int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx);
-ASN1_VALUE *OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it);
-BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx);
-void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len);
-/* End of functions used only internally */
-
# ifndef OPENSSL_NO_OCSP
@@ -194,13 +171,33 @@ typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID)
OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
+OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
+ OCSP_REQUEST *req, int maxline);
+int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx);
# ifndef OPENSSL_NO_DEPRECATED_3_0
+typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX;
OSSL_DEPRECATEDIN_3_0
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);
+int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req);
+
+# define OCSP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) \
+ OSSL_HTTP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea)
+# define OCSP_REQ_CTX_free(r) \
+ OSSL_HTTP_REQ_CTX_free(r)
+# define OCSP_REQ_CTX_http(r, s, po, pa) \
+ OSSL_HTTP_REQ_CTX_header(r, s, po, pa)
+# define OCSP_REQ_CTX_add1_header(r, n, v) \
+ OSSL_HTTP_REQ_CTX_add1_header(r, n, v)
+# define OCSP_REQ_CTX_i2d(r, c, i, req) \
+ OSSL_HTTP_REQ_CTX_i2d(r, c, i, req)
+# define OCSP_REQ_CTX_nbio(r) \
+ OSSL_HTTP_REQ_CTX_nbio(r)
+# define OCSP_REQ_CTX_nbio_d2i(r, i) \
+ OSSL_HTTP_REQ_CTX_sendreq_d2i(r, i)
+# define OCSP_REQ_CTX_get0_mem_bio(r) \
+ OSSL_HTTP_REQ_CTX_get0_mem_bio(r)
+# define OCSP_set_max_response_length(r, l) \
+ OSSL_HTTP_REQ_CTX_set_max_response_length(r, l)
# endif
OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
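Review bot: The legacy OCSP_REQ_CTX_new() through OCSP_set_max_response_length() names are retained as plain function-like macros, so unlike OCSP_REQ_CTX_set1_req() directly above them, which carries OSSL_DEPRECATEDIN_3_0, a caller using them gets no compiler warning and the deprecation announced in CHANGES.md is silent in practice. Either document that limitation next to the macros, e.g. `/* Compatibility macros only: the compiler cannot flag these names as deprecated */`, or express them as deprecated wrapper declarations. Separately, the comment removed in the previous hunk explained that these OCSP_* names lived outside the OPENSSL_NO_OCSP guard because the HTTP client uses them, whereas the new `typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX;` appears to sit inside that guard (the `# ifndef OPENSSL_NO_OCSP` opened at the end of the previous hunk; its closing `# endif` is outside this view), so no-ocsp builds lose the compatibility type name that types.h previously provided unconditionally.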
diff --git a/include/openssl/types.h b/include/openssl/types.h
index d44eb03a7c..cf11b8549d 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -196,7 +196,7 @@ typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
-typedef struct ossl_http_req_ctx_st OCSP_REQ_CTX; /* backward compatibility */
+typedef struct ossl_http_req_ctx_st OSSL_HTTP_REQ_CTX;
typedef struct ocsp_response_st OCSP_RESPONSE;
typedef struct ocsp_responder_id_st OCSP_RESPID;
diff --git a/util/indent.pro b/util/indent.pro
index 509377d204..4851c7338a 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -302,7 +302,7 @@
-T OCSP_ONEREQ
-T OCSP_REQINFO
-T OCSP_REQUEST
--T OCSP_REQ_CTX
+-T OSSL_HTTP_REQ_CTX
-T OCSP_RESPBYTES
-T OCSP_RESPDATA
-T OCSP_RESPID
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 16536b2a6e..a1e9b5cc34 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -133,7 +133,7 @@ d2i_OCSP_BASICRESP 134 3_0_0 EXIST::FUNCTION:OCSP
X509v3_add_ext 135 3_0_0 EXIST::FUNCTION:
X509v3_addr_subset 136 3_0_0 EXIST::FUNCTION:RFC3779
CRYPTO_strndup 137 3_0_0 EXIST::FUNCTION:
-OCSP_REQ_CTX_free 138 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_free 138 3_0_0 EXIST::FUNCTION:
X509_STORE_new 140 3_0_0 EXIST::FUNCTION:
ASN1_TYPE_free 141 3_0_0 EXIST::FUNCTION:
PKCS12_BAGS_new 142 3_0_0 EXIST::FUNCTION:
@@ -615,7 +615,7 @@ UI_get0_result_string 629 3_0_0 EXIST::FUNCTION:
TS_RESP_CTX_add_policy 630 3_0_0 EXIST::FUNCTION:TS
X509_REQ_dup 631 3_0_0 EXIST::FUNCTION:
d2i_DSA_PUBKEY_fp 633 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA,STDIO
-OCSP_REQ_CTX_nbio_d2i 634 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_sendreq_d2i 634 3_0_0 EXIST::FUNCTION:
d2i_X509_REQ_fp 635 3_0_0 EXIST::FUNCTION:STDIO
DH_OpenSSL 636 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
BN_get_rfc3526_prime_8192 637 3_0_0 EXIST::FUNCTION:
@@ -1115,7 +1115,7 @@ PEM_write_bio_PKCS7 1141 3_0_0 EXIST::FUNCTION:
MDC2_Final 1142 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2
SMIME_crlf_copy 1143 3_0_0 EXIST::FUNCTION:
OCSP_REQUEST_get_ext_count 1144 3_0_0 EXIST::FUNCTION:OCSP
-OCSP_REQ_CTX_new 1145 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_new 1145 3_0_0 EXIST::FUNCTION:
X509_load_cert_crl_file 1146 3_0_0 EXIST::FUNCTION:
EVP_PKEY_new_mac_key 1147 3_0_0 EXIST::FUNCTION:
DIST_POINT_new 1148 3_0_0 EXIST::FUNCTION:
@@ -1379,7 +1379,7 @@ BIO_set_ex_data 1411 3_0_0 EXIST::FUNCTION:
SHA512 1412 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
X509_STORE_CTX_get_explicit_policy 1413 3_0_0 EXIST::FUNCTION:
EVP_DecodeBlock 1414 3_0_0 EXIST::FUNCTION:
-OCSP_REQ_CTX_http 1415 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_header 1415 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_reset 1416 3_0_0 EXIST::FUNCTION:
X509_NAME_new 1417 3_0_0 EXIST::FUNCTION:
ASN1_item_pack 1418 3_0_0 EXIST::FUNCTION:
@@ -1577,7 +1577,7 @@ BIO_ADDRINFO_address 1613 3_0_0 EXIST::FUNCTION:SOCK
ASN1_STRING_print_ex 1614 3_0_0 EXIST::FUNCTION:
i2d_CMS_ReceiptRequest 1615 3_0_0 EXIST::FUNCTION:CMS
d2i_TS_REQ_fp 1616 3_0_0 EXIST::FUNCTION:STDIO,TS
-OCSP_REQ_CTX_i2d 1617 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_i2d 1617 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get_default_digest_nid 1618 3_0_0 EXIST::FUNCTION:
ASIdOrRange_new 1619 3_0_0 EXIST::FUNCTION:RFC3779
ASN1_SCTX_new 1620 3_0_0 EXIST::FUNCTION:
@@ -1593,7 +1593,7 @@ CRYPTO_ocb128_cleanup 1629 3_0_0 EXIST::FUNCTION:OCB
EVP_des_ede_cbc 1630 3_0_0 EXIST::FUNCTION:DES
i2d_ASN1_TIME 1631 3_0_0 EXIST::FUNCTION:
ENGINE_register_all_pkey_asn1_meths 1632 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-OCSP_set_max_response_length 1633 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_set_max_response_length 1633 3_0_0 EXIST::FUNCTION:
d2i_ISSUING_DIST_POINT 1634 3_0_0 EXIST::FUNCTION:
CMS_RecipientInfo_set0_key 1635 3_0_0 EXIST::FUNCTION:CMS
NCONF_new 1636 3_0_0 EXIST::FUNCTION:
@@ -1850,7 +1850,7 @@ OCSP_ONEREQ_add_ext 1892 3_0_0 EXIST::FUNCTION:OCSP
CMS_uncompress 1893 3_0_0 EXIST::FUNCTION:CMS
CRYPTO_mem_debug_pop 1895 3_0_0 EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0
EVP_aes_192_cfb128 1896 3_0_0 EXIST::FUNCTION:
-OCSP_REQ_CTX_nbio 1897 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_nbio 1897 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_copy 1898 3_0_0 EXIST::FUNCTION:
CRYPTO_secure_allocated 1899 3_0_0 EXIST::FUNCTION:
UI_UTIL_read_pw_string 1900 3_0_0 EXIST::FUNCTION:
@@ -2416,7 +2416,7 @@ Camellia_decrypt 2466 3_0_0 EXIST::FUNCTION:CAMELLIA,DEPR
X509_signature_print 2467 3_0_0 EXIST::FUNCTION:
EVP_camellia_128_ecb 2468 3_0_0 EXIST::FUNCTION:CAMELLIA
MD2_Final 2469 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MD2
-OCSP_REQ_CTX_add1_header 2470 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_add1_header 2470 3_0_0 EXIST::FUNCTION:
NETSCAPE_SPKAC_it 2471 3_0_0 EXIST::FUNCTION:
ASIdOrRange_free 2472 3_0_0 EXIST::FUNCTION:RFC3779
EC_POINT_get_Jprojective_coordinates_GFp 2473 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
@@ -3762,7 +3762,7 @@ i2d_PrivateKey_bio 3843 3_0_0 EXIST::FUNCTION:
RSA_padding_add_PKCS1_type_1 3844 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
i2d_re_X509_tbs 3845 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_iv_length 3846 3_0_0 EXIST::FUNCTION:
-OCSP_REQ_CTX_get0_mem_bio 3847 3_0_0 EXIST::FUNCTION:
+OSSL_HTTP_REQ_CTX_get0_mem_bio 3847 3_0_0 EXIST::FUNCTION:
i2d_PKCS8PrivateKeyInfo_bio 3848 3_0_0 EXIST::FUNCTION:
d2i_OCSP_CERTID 3849 3_0_0 EXIST::FUNCTION:OCSP
EVP_CIPHER_meth_set_init 3850 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index 8b3ebab119..169aab1bd6 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -791,6 +791,11 @@ OCSP_ONEREQ_get_ext_by_critical(3)
OCSP_ONEREQ_get_ext_count(3)
OCSP_ONEREQ_it(3)
OCSP_REQINFO_it(3)
+OCSP_REQ_CTX_get0_mem_bio(3)
+OCSP_REQ_CTX_http(3)
+OCSP_REQ_CTX_new(3)
+OCSP_REQ_CTX_nbio(3)
+OCSP_REQ_CTX_nbio_d2i(3)
OCSP_REQUEST_add1_ext_i2d(3)
OCSP_REQUEST_add_ext(3)
OCSP_REQUEST_delete_ext(3)
@@ -802,11 +807,6 @@ OCSP_REQUEST_get_ext_by_critical(3)
OCSP_REQUEST_get_ext_count(3)
OCSP_REQUEST_it(3)
OCSP_REQUEST_print(3)
-OCSP_REQ_CTX_get0_mem_bio(3)
-OCSP_REQ_CTX_http(3)