diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-05-05 00:09:43 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-05-12 15:11:51 +0200 |
commit | 8f965908a53b4f0c5a735739e8a273a3a33a976e (patch) | |
tree | 9efe89d630473e84898a5a00f2898f9b0f7fbdbd /doc/man3/OSSL_HTTP_transfer.pod | |
parent | 4329f361ce75973ceca9d440e8430580ee515070 (diff) |
HTTP client: Minimal changes that include the improved API
This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.
The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.
The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)
Diffstat (limited to 'doc/man3/OSSL_HTTP_transfer.pod')
-rw-r--r-- | doc/man3/OSSL_HTTP_transfer.pod | 272 |
1 files changed, 153 insertions, 119 deletions
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index d2ff8eeebc..da84789472 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -2,13 +2,15 @@ =head1 NAME +OSSL_HTTP_open, +OSSL_HTTP_bio_cb_t, +OSSL_HTTP_proxy_connect, +OSSL_HTTP_set_request, +OSSL_HTTP_exchange, OSSL_HTTP_get, -OSSL_HTTP_get_asn1, -OSSL_HTTP_post_asn1, OSSL_HTTP_transfer, -OSSL_HTTP_bio_cb_t, -OSSL_HTTP_proxy_connect -- http client functions +OSSL_HTTP_close +- HTTP client high-level functions =head1 SYNOPSIS @@ -16,91 +18,53 @@ OSSL_HTTP_proxy_connect typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail); + OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port, + const char *proxy, const char *no_proxy, + int use_ssl, BIO *bio, BIO *rbio, + OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, + int buf_size, int overall_timeout); + int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port, + const char *proxyuser, const char *proxypass, + int timeout, BIO *bio_err, const char *prog); + int OSSL_HTTP_set_request(OSSL_HTTP_REQ_CTX *rctx, const char *path, + const STACK_OF(CONF_VALUE) *headers, + const char *content_type, BIO *req, + const char *expected_content_type, int expect_asn1, + size_t max_resp_len, int timeout, int keep_alive); + BIO *OSSL_HTTP_exchange(OSSL_HTTP_REQ_CTX *rctx, char **redirection_url); BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, BIO *bio, BIO *rbio, OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, - const STACK_OF(CONF_VALUE) *headers, - int maxline, unsigned long max_resp_len, int timeout, - const char *expected_ct, int expect_asn1); - ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url, - const char *proxy, const char *no_proxy, - BIO *bio, BIO *rbio, - OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, - const STACK_OF(CONF_VALUE) *headers, - int maxline, unsigned long max_resp_len, - int timeout, const char *expected_ct, - const ASN1_ITEM *rsp_it); - ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port, - const char *path, int use_ssl, - const char *proxy, const char *no_proxy, - BIO *bio, BIO *rbio, - OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, - const STACK_OF(CONF_VALUE) *headers, - const char *content_type, - const ASN1_VALUE *req, const ASN1_ITEM *req_it, - int maxline, unsigned long max_resp_len, - int timeout, const char *expected_ct, - const ASN1_ITEM *rsp_it); - BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path, - int use_ssl, const char *proxy, const char *no_proxy, + int buf_size, const STACK_OF(CONF_VALUE) *headers, + const char *expected_content_type, int expect_asn1, + size_t max_resp_len, int timeout); + BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx, + const char *server, const char *port, + const char *path, int use_ssl, + const char *proxy, const char *no_proxy, BIO *bio, BIO *rbio, OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, - const STACK_OF(CONF_VALUE) *headers, - const char *content_type, BIO *req_mem, - int maxline, unsigned long max_resp_len, int timeout, - const char *expected_ct, int expect_asn1, - char **redirection_url); - int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port, - const char *proxyuser, const char *proxypass, - int timeout, BIO *bio_err, const char *prog); + int buf_size, const STACK_OF(CONF_VALUE) *headers, + const char *content_type, BIO *req, + const char *expected_content_type, int expect_asn1, + size_t max_resp_len, int timeout, int keep_alive); + int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok); =head1 DESCRIPTION -OSSL_HTTP_get() uses HTTP GET to obtain data (of any type) from the given I<url> -and returns it as a memory BIO. -If the schema component of the I<url> is C<https> a TLS connection is requested -and the I<bio_update_fn> parameter, described below, must be provided. -Any userinfo and fragment components in the I<url> are ignored. -Any query component is handled as part of the path component. - -OSSL_HTTP_get_asn1() is like OSSL_HTTP_get() but in addition -parses the received contents (e.g., an X.509 certificate) -as an ASN.1 DER encoded value with the expected structure specified by I<rsp_it> -and returns it on success as a pointer to I<ASN1_VALUE>. - -OSSL_HTTP_post_asn1() is like OSSL_HTTP_get_asn1() but uses the HTTP POST method -to send a request I<req> with the ASN.1 structure defined in I<req_it> and the -given I<content_type> to the given I<server> and optional I<port> and I<path>. -If I<use_ssl> is nonzero a TLS connection is requested and the I<bio_update_fn> -parameter, described below, must be provided. +OSSL_HTTP_open() initiates an HTTP session using the I<bio> argument if not +NULL, else by connecting to a given I<server> optionally via a I<proxy>. -OSSL_HTTP_transfer() exchanges any form of HTTP request and response. -It implements the core of the functions described above. -If I<path> parameter is NULL it defaults to "/". -If I<use_ssl> is nonzero a TLS connection is requested -and the I<bio_update_fn> parameter, described below, must be provided. -If I<req_mem> is NULL it uses the HTTP GET method, else it uses HTTP POST to -send a request with the contents of the memory BIO and optional I<content_type>. -The optional list I<headers> may contain additional custom HTTP header lines. -If I<req_mem> is NULL (i.e., the HTTP method is GET) and I<redirection_url> -is not NULL the latter pointer is used to provide any new location that -the server may return with HTTP code 301 (MOVED_PERMANENTLY) or 302 (FOUND). -In this case the caller is responsible for deallocating this URL with -L<OPENSSL_free(3)>. - -The above functions have the following parameters in common. - -Typically the OpenSSL build supports sockets -and the I<bio> and I<rbio> parameters are both NULL. -In this case the client creates a network BIO internally -for connecting to the given I<server> -at the specified I<port> (if any, defaulting to 80 for HTTP or 443 for HTTPS), -optionally via a I<proxy> (respecting I<no_proxy>) as described below. -Then the client uses this internal BIO for exchanging the request and response. -If I<bio> is given and I<rbio> is NULL then the client uses this I<bio> instead. +Typically the OpenSSL build supports sockets and the I<bio> parameter is NULL. +In this case I<rbio> must be NULL as well, and the +library creates a network BIO internally for connecting to the given I<server> +at the specified I<port> if any, defaulting to 80 for HTTP or 443 for HTTPS. +Then this internal BIO is used for setting up a connection +and for exchanging one or more request and response. +If I<bio> is given and I<rbio> is NULL then this I<bio> is used instead. If both I<bio> and I<rbio> are given (which may be memory BIOs for instance) -then no explicit connection is attempted, -I<bio> is used for writing the request, and I<rbio> for reading the response. +then no explicit connection is set up, but +I<bio> is used for writing requests and I<rbio> for reading responses. As soon as the client has flushed I<bio> the server must be ready to provide a response or indicate a waiting condition via I<rbio>. @@ -121,33 +85,12 @@ Proxying plain HTTP is supported directly, while using a proxy for HTTPS connections requires a suitable callback function such as OSSL_HTTP_proxy_connect(), described below. -The I<maxline> parameter specifies the response header maximum line length, -where a value <= 0 indicates that the B<HTTP_DEFAULT_MAX_LINE_LENGTH> of 4KiB -should be used. -This length is also used as the number of content bytes that are read at a time. -The I<max_resp_len> parameter specifies the maximum response length, -where 0 indicates B<HTTP_DEFAULT_MAX_RESP_LEN>, which currently is 100 KiB. - -An ASN.1-encoded response is expected by OSSL_HTTP_get_asn1() and -OSSL_HTTP_post_asn1(), while for OSSL_HTTP_get() or OSSL_HTTP_transfer() -this is only the case if the I<expect_asn1> parameter is nonzero. -If the response header contains one or more "Content-Length" header lines and/or -an ASN.1-encoded response is expected, which should include a total length, -the length indications received are checked for consistency -and for not exceeding the maximum response length. - -If the parameter I<expected_ct> -is not NULL then the HTTP client checks that the given content type string -is included in the HTTP header of the response and returns an error if not. - -If the I<timeout> parameter is > 0 this indicates the maximum number of seconds -to wait until the transfer is complete. -A value of 0 enables waiting indefinitely, -while a value < 0 immediately leads to a timeout condition. +If I<use_ssl> is nonzero a TLS connection is requested +and the I<bio_update_fn> parameter must be provided. -The optional parameter I<bio_update_fn> with its optional argument I<arg> may -be used to modify the connection BIO used by the HTTP client (and cannot be -used when both I<bio> and I<rbio> are given). +The parameter I<bio_update_fn>, which is optional if I<use_ssl> is 0, +may be used to modify the connection BIO used by the HTTP client, +but cannot be used when both I<bio> and I<rbio> are given. I<bio_update_fn> is a BIO connect/disconnect callback function with prototype BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) @@ -157,7 +100,7 @@ whereby it may make use of a custom defined argument I<arg>, which may for instance refer to an I<SSL_CTX> structure. During connection establishment, just after calling BIO_do_connect_retry(), the function is invoked with the I<connect> argument being 1 and the I<detail> -argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled. +argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled, else 0. On disconnect I<connect> is 0 and I<detail> is 1 if no error occurred, else 0. For instance, on connect the function may prepend a TLS BIO to implement HTTPS; after disconnect it may do some diagnostic output and/or specific cleanup. @@ -166,10 +109,10 @@ Here is a simple example that supports TLS connections (but not via a proxy): BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail) { - SSL_CTX *ctx = (SSL_CTX *)arg; - if (connect && detail) { /* connecting with TLS */ + SSL_CTX *ctx = (SSL_CTX *)arg; BIO *sbio = BIO_new_ssl(ctx, 1); + hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL; } else if (!connect && !detail) { /* disconnecting after error */ /* optionally add diagnostics here */ @@ -179,6 +122,16 @@ Here is a simple example that supports TLS connections (but not via a proxy): After disconnect the modified BIO will be deallocated using BIO_free_all(). +The I<buf_size> parameter specifies the response header maximum line length. +A value <= 0 indicates that +the B<HTTP_DEFAULT_MAX_LINE_LENGTH> of 4KiB should be used. +I<buf_size> is also used as the number of content bytes that are read at a time. + +If the I<overall_timeout> parameter is > 0 this indicates the maximum number of +seconds the overall HTTP transfer (i.e., connection setup if needed, +sending requests, and receiving responses) is allowed to take until completion. +A value <= 0 enables waiting indefinitely, i.e., no timeout. + OSSL_HTTP_proxy_connect() may be used by an above BIO connect callback function to set up an SSL/TLS connection via an HTTPS proxy. It promotes the given BIO I<bio> representing a connection @@ -186,11 +139,86 @@ pre-established with a TLS proxy using the HTTP CONNECT method, optionally using proxy client credentials I<proxyuser> and I<proxypass>, to connect with TLS protection ultimately to I<server> and I<port>. If the I<port> argument is NULL or the empty string it defaults to "443". -The I<timeout> parameter is used as described above. +If the I<timeout> parameter is > 0 this indicates the maximum number of +seconds the connection setup is allowed to take. +A value <= 0 enables waiting indefinitely, i.e., no timeout. Since this function is typically called by applications such as L<openssl-s_client(1)> it uses the I<bio_err> and I<prog> parameters (unless NULL) to print additional diagnostic information in a user-oriented way. +OSSL_HTTP_set_request() sets up in I<rctx> the request header and content data +and expectations on the response using the following parameters. +If I<path> is NULL it defaults to "/". +If I<req> is NULL the HTTP GET method will be used to send the request +else HTTP POST with the contents of I<req> and optional I<content_type>, where +the length of the data in I<req> does not need to be determined in advance: the +BIO will be read on-the-fly while sending the request, which supports streaming. +The optional list I<headers> may contain additional custom HTTP header lines. +If the parameter I<expected_content_type> +is not NULL then the client will check that the given content type string +is included in the HTTP header of the response and return an error if not. +If the I<expect_asn1> parameter is nonzero, +a structure in ASN.1 encoding will be expected as response content. +The I<max_resp_len> parameter specifies the maximum allowed +response content length, where the value 0 indicates no limit. +If the I<timeout> parameter is > 0 this indicates the maximum number of seconds +the subsequent HTTP transfer (sending the request and receiving a response) +is allowed to take. +A value of 0 enables waiting indefinitely, i.e., no timeout. +A value < 0 indicates that the I<overall_timeout> parameter value given +when opening the HTTP transfer will be used instead. +If I<keep_alive> is 0 the connection is not kept open +after receiving a response, which is the default behavior for HTTP 1.0. +If the value is 1 or 2 then a persistent connection is requested. +If the value is 2 then a persistent connection is required, +i.e., an error occurs in case the server does not grant it. + +OSSL_HTTP_exchange() exchanges any form of HTTP request and response +as specified by I<rctx>, which must include both connection and request data, +typically set up using OSSL_HTTP_open() and OSSL_HTTP_set_request(). +It implements the core of the functions described below. +If the HTTP method is GET and I<redirection_url> +is not NULL the latter pointer is used to provide any new location that +the server may return with HTTP code 301 (MOVED_PERMANENTLY) or 302 (FOUND). +In this case the function returns NULL and the caller is +responsible for deallocating the URL with L<OPENSSL_free(3)>. +If the response header contains one or more "Content-Length" header lines and/or +an ASN.1-encoded response is expected, which should include a total length, +the length indications received are checked for consistency +and for not exceeding any given maximum response length. +On receiving a response, the function returns the contents as a memory BIO, +which does not support streaming, in case an ASN.1-encoded response is expected. +Else it returns directly the read BIO that holds the response contents, +which allows a response of indefinite length and may support streaming. + +OSSL_HTTP_get() uses HTTP GET to obtain data from I<bio> if non-NULL, +else from the server contained in the I<url>, and returns it as a BIO. +It supports redirection via HTTP status code 301 or 302. It is meant for +transfers with a single round trip, so does not support persistent connections. +If I<bio> is non-NULL, any host and port components in the I<url> are not used +for connecting but the hostname is used, as usual, for the C<Host> header. +Any userinfo and fragment components in the I<url> are ignored. +Any query component is handled as part of the path component. +If the scheme component of the I<url> is C<https> a TLS connection is requested +and the I<bio_update_fn>, as described for OSSL_HTTP_open(), must be provided. +Also the remaining parameters are interpreted as described for OSSL_HTTP_open() +and OSSL_HTTP_set_request(), respectively. + +OSSL_HTTP_transfer() exchanges an HTTP request and response +over a connection managed via I<prctx> without supporting redirection. +It combines OSSL_HTTP_open(), OSSL_HTTP_set_request(), OSSL_HTTP_exchange(), +and OSSL_HTTP_close(). +If I<prctx> is not NULL it reuses any open connection represented by a non-NULL +I<*prctx>. It keeps the connection open if a persistent connection is requested +or required and this was granted by the server, else it closes the connection +and assigns NULL to I<*prctx>. +The remaining parameters are interpreted as described for OSSL_HTTP_open() +and OSSL_HTTP_set_request(), respectively. + +OSSL_HTTP_close() closes the connection and releases I<rctx>. +The I<ok> parameter is passed to any BIO update function +given during setup as described above for OSSL_HTTP_open(). + =head1 NOTES The names of the environment variables used by this implementation: @@ -200,23 +228,29 @@ other HTTP client implementations such as wget, curl, and git. =head1 RETURN VALUES -On success, OSSL_HTTP_get(), OSSL_HTTP_get_asn1(), OSSL_HTTP_post_asn1(), and -OSSL_HTTP_transfer() return a memory BIO containing the data received via HTTP. -This must be freed by the caller. On failure, NULL is returned. +OSSL_HTTP_open() returns on success a B<OSSL_HTTP_REQ_CTX>, else NULL. + +OSSL_HTTP_proxy_connect() and OSSL_HTTP_set_request() +return 1 on success, 0 on error. + +On success, OSSL_HTTP_exchange(), OSSL_HTTP_get(), and OSSL_HTTP_transfer() +return a memory BIO containing the data received if an ASN.1-encoded response +is expected, else a BIO that may support streaming. +The BIO must be freed by the caller. +On failure, they return NULL. Failure conditions include connection/transfer timeout, parse errors, etc. -OSSL_HTTP_proxy_connect() returns 1 on success, 0 on error. +OSSL_HTTP_close() returns 0 if anything went wrong while disconnecting, else 1. =head1 SEE ALSO -L<OSSL_HTTP_parse_url(3)> -L<BIO_set_conn_port(3)> +L<OSSL_HTTP_parse_url(3)>, L<BIO_set_conn_port(3)> +L<ASN1_item_i2d_mem_bio(3)>, L<ASN1_item_d2i_bio(3)>, +L<OSSL_HTTP_is_alive(3)> =head1 HISTORY -OSSL_HTTP_get(), OSSL_HTTP_get_asn1(), OSSL_HTTP_post_asn1(), -OSSL_HTTP_transfer(), and OSSL_HTTP_proxy_connect() -were added in OpenSSL 3.0. +All the functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT |