From c9603dfa42d0643a6c8cac3e14364d9fd63303c4 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Mon, 18 Jan 2021 12:53:55 +0100 Subject: [PATCH] OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new(). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) --- crypto/ocsp/ocsp_http.c | 43 +++++++++++++++++----------------- doc/man3/OCSP_sendreq_new.pod | 28 ++++++++++++---------- doc/man3/OSSL_HTTP_REQ_CTX.pod | 5 ++-- include/openssl/ocsp.h.in | 19 +++++++-------- util/libcrypto.num | 1 - util/other.syms | 1 + 6 files changed, 49 insertions(+), 48 deletions(-) diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c index c5508698c8..e7f1b5a509 100644 --- a/crypto/ocsp/ocsp_http.c +++ b/crypto/ocsp/ocsp_http.c 
@@ -13,29 +13,30 @@ #ifndef OPENSSL_NO_OCSP -# ifndef OPENSSL_NO_DEPRECATED_3_0 -int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req) -{ - return OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", - ASN1_ITEM_rptr(OCSP_REQUEST), - (ASN1_VALUE *)req); -} -# endif - OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline) + const OCSP_REQUEST *req, int maxline) { - BIO *req_mem = HTTP_asn1_item2bio(ASN1_ITEM_rptr(OCSP_REQUEST), - (ASN1_VALUE *)req); - OSSL_HTTP_REQ_CTX *res = - HTTP_REQ_CTX_new(io, io, 0 /* no HTTP proxy used */, NULL, NULL, path, - NULL /* headers */, "application/ocsp-request", - req_mem /* may be NULL */, - maxline, 0 /* default max_resp_len */, - 0 /* no timeout, blocking indefinite */, NULL, - 1 /* expect_asn1 */); - BIO_free(req_mem); - return res; + OSSL_HTTP_REQ_CTX *rctx = NULL; + + if ((rctx = OSSL_HTTP_REQ_CTX_new(io, io, 1 /* POST */, + maxline, 0 /* default max_resp_len */, + 0 /* no timeout, blocking indefinitely */, + NULL, 1 /* expect_asn1 */)) == NULL) + return NULL; + + if (!OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path)) + goto err; + + if (req != NULL && !OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", + ASN1_ITEM_rptr(OCSP_REQUEST), + (ASN1_VALUE *)req)) + goto err; + + return rctx; + + err: + OSSL_HTTP_REQ_CTX_free(rctx); + return NULL; } int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx) diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod index 6e346bdd44..2333ac24d7 100644 --- a/doc/man3/OCSP_sendreq_new.pod +++ b/doc/man3/OCSP_sendreq_new.pod @@ -17,7 +17,7 @@ OCSP_REQ_CTX_set1_req #include OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline); + const OCSP_REQUEST *req, int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); 
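Review bot: In the new OCSP_sendreq_new() body `rctx` is initialised to NULL only to be reassigned inside the `if` condition, which buries the constructor call; `OSSL_HTTP_REQ_CTX *rctx = OSSL_HTTP_REQ_CTX_new(io, io, 1 /* POST */, maxline, 0, 0, NULL, 1);` followed by `if (rctx == NULL) return NULL;` reads more plainly and leaves the `err:` cleanup path untouched. The function also deserves a short header comment recording the contract the pod change states, namely that the request is always sent as POST (the hard-coded `1 /* POST */`) and that `req` may be NULL with the body supplied later via OCSP_REQ_CTX_set1_req() or OSSL_HTTP_REQ_CTX_i2d(), so a future edit of the method argument does not silently break the deferred-body case. The `(ASN1_VALUE *)req` cast now discards the `const` the new signature adds; that is acceptable only as long as the encoder never writes through the pointer, which a one-line `/* i2d only reads req */` next to the cast would make explicit. The trailing context line is the signature of OCSP_sendreq_nbio(), whose body lies outside the hunk.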
@@ -27,26 +27,25 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: - int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const char *content_type, - const ASN1_ITEM *it, ASN1_VALUE *req); + int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const ASN1_ITEM *it, ASN1_VALUE *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx, const char *name, const char *value); - void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); + void OCSP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); void OCSP_set_max_response_length(OCSP_REQ_CT *rctx, unsigned long len); - int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req); + int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); =head1 DESCRIPTION -These functions perform an OCSP request / response transfer over HTTP, using -the HTTP request functions described in L. +These functions perform an OCSP POST request / response transfer over HTTP, +using the HTTP request functions described in L. The function OCSP_sendreq_new() builds a complete B structure using connection B I, the URL path I, the OCSP -request I and with a response header maximum line length of I. -If I is zero a default value of 4k is used. The OCSP request I -may be set to NULL and provided later with L if -required. +request I, and with a response header maximum line length of I. +If I is zero a default value of 4k is used. +The I may be set to NULL and provided later using OCSP_REQ_CTX_set1_req() +or L . The I and I arguments to OCSP_sendreq_new() correspond to the components of the URL. 
@@ -64,6 +63,10 @@ response header maximum line length 4k. It waits indefinitely on a response. It does not support setting a timeout or adding headers and is retained for compatibility; use OCSP_sendreq_nbio() instead. +OCSP_REQ_CTX_i2d(rctx, it, req) is equivalent to the following: + + OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", it, req) + OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following: OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", @@ -72,7 +75,6 @@ OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following: The other deprecated type and functions have been superseded by the following equivalents: B by L, -OCSP_REQ_CTX_i2d() by L, OCSP_REQ_CTX_add1_header() by L, OCSP_REQ_CTX_free() by L, and OCSP_set_max_response_length() by @@ -91,7 +93,7 @@ responder or NULL if an error occurred. =head1 SEE ALSO -L, +L L, L, L, diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index 4e30088de7..3955359978 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -12,7 +12,7 @@ OSSL_HTTP_REQ_CTX_nbio, OSSL_HTTP_REQ_CTX_sendreq_d2i, OSSL_HTTP_REQ_CTX_get0_mem_bio, OSSL_HTTP_REQ_CTX_set_max_response_length -- HTTP request functions +- HTTP client low-level functions =head1 SYNOPSIS @@ -92,8 +92,7 @@ encoding of I, using the ASN.1 template I to do the encoding. The HTTP header C is automatically filled out, and if I isn't NULL, the HTTP header C is also added with its content as value. All of this ends up in the internal memory B. -This requires that the request type be C, -i.e., that I is 1 in the OSSL_HTTP_REQ_CTX_new() call. +This requires that I was 1 in the OSSL_HTTP_REQ_CTX_new() call. OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP, using the I and I that were given in the OSSL_HTTP_REQ_CTX_new() diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index 76f7c1602a..bfd6aa8cc6 100644 --- a/include/openssl/ocsp.h.in 
+++ b/include/openssl/ocsp.h.in @@ -172,24 +172,21 @@ DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID) OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline); + const OCSP_REQUEST *req, int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; -OSSL_DEPRECATEDIN_3_0 -int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); - -# define OCSP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) \ - OSSL_HTTP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) +# define OCSP_REQ_CTX_new(io, maxline) \ + OSSL_HTTP_REQ_CTX_new(io, io, 1, maxline, 0, 0, NULL, 1) # define OCSP_REQ_CTX_free(r) \ OSSL_HTTP_REQ_CTX_free(r) -# define OCSP_REQ_CTX_http(r, s, p, path) \ - OSSL_HTTP_REQ_CTX_set_request_line(r, s, p, path) +# define OCSP_REQ_CTX_http(rctx, op, path) \ + OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path) # define OCSP_REQ_CTX_add1_header(r, n, v) \ OSSL_HTTP_REQ_CTX_add1_header(r, n, v) -# define OCSP_REQ_CTX_i2d(r, c, i, req) \ - OSSL_HTTP_REQ_CTX_i2d(r, c, i, req) +# define OCSP_REQ_CTX_i2d(r, i, req) \ + OSSL_HTTP_REQ_CTX_i2d(r, "application/ocsp-request", i, req) # define OCSP_REQ_CTX_nbio(r) \ OSSL_HTTP_REQ_CTX_nbio(r) # define OCSP_REQ_CTX_nbio_d2i(r, i) \ @@ -198,6 +195,8 @@ int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); OSSL_HTTP_REQ_CTX_get0_mem_bio(r) # define OCSP_set_max_response_length(r, l) \ OSSL_HTTP_REQ_CTX_set_max_response_length(r, l) +# define OCSP_REQ_CTX_set1_req(r, req) \ + OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req)) # endif OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, diff --git a/util/libcrypto.num b/util/libcrypto.num index be5bed741a..ffc423953a 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
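Review bot: The restored `OCSP_REQ_CTX_new(io, maxline)` macro expands `io` twice (`OSSL_HTTP_REQ_CTX_new(io, io, 1, maxline, 0, 0, NULL, 1)`), so a caller that used to pass an expression with side effects to the former function, for instance a BIO constructed inline, now evaluates it twice and ends up with two objects and a leak; if the macro must stay a macro, a comment such as `/* NOTE: io is evaluated twice; pass a plain variable, not a BIO_new...() call */` should sit above it, otherwise a static inline wrapper inside the same OPENSSL_NO_DEPRECATED_3_0 guard would evaluate `io` once. In the same hunk `OCSP_REQ_CTX_http(rctx, op, path)` discards its `op` argument (presumably the HTTP method string of the pre-3.0 API), so legacy callers asking for "GET" silently get the POST that `OCSP_REQ_CTX_new` hard-codes as argument 1; `/* op is ignored: the request is always POST */` at the definition would make that behavioural change visible. Argument parenthesisation is also inconsistent across the hunk: `OCSP_REQ_CTX_set1_req` wraps `(req)` while `OCSP_REQ_CTX_i2d` and `OCSP_REQ_CTX_http` pass `req` and `path` bare.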
@@ -3334,7 +3334,6 @@ EVP_PKEY_meth_get_verify 3403 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ CRYPTO_128_wrap 3404 3_0_0 EXIST::FUNCTION: X509_STORE_set_lookup_crls 3405 3_0_0 EXIST::FUNCTION: EVP_CIPHER_meth_get_ctrl 3406 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OCSP_REQ_CTX_set1_req 3407 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,OCSP CONF_imodule_get_usr_data 3408 3_0_0 EXIST::FUNCTION: CRYPTO_new_ex_data 3409 3_0_0 EXIST::FUNCTION: PEM_read_PKCS8_PRIV_KEY_INFO 3410 3_0_0 EXIST::FUNCTION:STDIO diff --git a/util/other.syms b/util/other.syms index 9644d3d02d..b6974b5f01 100644 --- a/util/other.syms +++ b/util/other.syms @@ -337,6 +337,7 @@ OCSP_REQ_CTX_add1_header define deprecated 3.0.0 OCSP_REQ_CTX_free define deprecated 3.0.0 OCSP_REQ_CTX_i2d define deprecated 3.0.0 OCSP_set_max_response_length define deprecated 3.0.0 +OCSP_REQ_CTX_set1_req define deprecated 3.0.0 OPENSSL_FILE define OPENSSL_FUNC define OPENSSL_LINE define -- 2.34.1