OCSP HTTP: Restore API of undocumented and recently deprecated functions

Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d().
Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new().
Minor further fixes in OSSL_HTTP_REQ_CTX.pod

Fixes #13873

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

crypto/ocsp/ocsp_http.c

@@ -13,29 +13,30 @@
 
 #ifndef OPENSSL_NO_OCSP
 
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req)
-{
-    return OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request",
-                                 ASN1_ITEM_rptr(OCSP_REQUEST),
-                                 (ASN1_VALUE *)req);
-}
-# endif
-
 OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
-                                    OCSP_REQUEST *req, int maxline)
+                                    const OCSP_REQUEST *req, int maxline)
 {
-    BIO *req_mem = HTTP_asn1_item2bio(ASN1_ITEM_rptr(OCSP_REQUEST),
-                                      (ASN1_VALUE *)req);
-    OSSL_HTTP_REQ_CTX *res =
-        HTTP_REQ_CTX_new(io, io, 0 /* no HTTP proxy used */, NULL, NULL, path,
-                         NULL /* headers */, "application/ocsp-request",
-                         req_mem /* may be NULL */,
-                         maxline, 0 /* default max_resp_len */,
-                         0 /* no timeout, blocking indefinite */, NULL,
-                         1 /* expect_asn1 */);
-    BIO_free(req_mem);
-    return res;
+    OSSL_HTTP_REQ_CTX *rctx = NULL;
+
+    if ((rctx = OSSL_HTTP_REQ_CTX_new(io, io, 1 /* POST */,
+                                      maxline, 0 /* default max_resp_len */,
+                                      0 /* no timeout, blocking indefinitely */,
+                                      NULL, 1 /* expect_asn1 */)) == NULL)
+        return NULL;
+
+    if (!OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path))
+        goto err;
+
+    if (req != NULL && !OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request",
+                                              ASN1_ITEM_rptr(OCSP_REQUEST),
+                                              (ASN1_VALUE *)req))
+        goto err;
+
+    return rctx;
+
+ err:
+    OSSL_HTTP_REQ_CTX_free(rctx);
+    return NULL;
 }
 
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx)

doc/man3/OCSP_sendreq_new.pod

@@ -17,7 +17,7 @@ OCSP_REQ_CTX_set1_req
  #include <openssl/ocsp.h>
 
  OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
-                                     OCSP_REQUEST *req, int maxline);
+                                     const OCSP_REQUEST *req, int maxline);
 
  int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx);
 
@@ -27,26 +27,25 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining
 B<OPENSSL_API_COMPAT> with a suitable version value, see
 L<openssl_user_macros(7)>:
 
- int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const char *content_type,
-                      const ASN1_ITEM *it, ASN1_VALUE *req);
+ int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const ASN1_ITEM *it, ASN1_VALUE *req);
  int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx,
                               const char *name, const char *value);
- void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
+ void OCSP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx);
  void OCSP_set_max_response_length(OCSP_REQ_CT *rctx,
                                    unsigned long len);
- int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);
+ int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req);
 
 =head1 DESCRIPTION
 
-These functions perform an OCSP request / response transfer over HTTP, using
-the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
+These functions perform an OCSP POST request / response transfer over HTTP,
+using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
 
 The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX>
 structure using connection B<BIO> I<io>, the URL path I<path>, the OCSP
-request I<req> and with a response header maximum line length of I<maxline>.
-If I<maxline> is zero a default value of 4k is used. The OCSP request I<req>
-may be set to NULL and provided later with L<OSSL_HTTP_REQ_CTX_i2d(3)> if
-required.
+request I<req>, and with a response header maximum line length of I<maxline>.
+If I<maxline> is zero a default value of 4k is used.
+The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
+or L<OSSL_HTTP_REQ_CTX_i2d(3)> .
 
 The I<io> and I<path> arguments to OCSP_sendreq_new() correspond to the
 components of the URL.
@@ -64,6 +63,10 @@ response header maximum line length 4k. It waits indefinitely on a response.
 It does not support setting a timeout or adding headers and is retained
 for compatibility; use OCSP_sendreq_nbio() instead.
 
+OCSP_REQ_CTX_i2d(rctx, it, req) is equivalent to the following:
+
+  OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", it, req)
+
 OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:
 
  OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request",
@@ -72,7 +75,6 @@ OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:
 The other deprecated type and functions have been superseded by the
 following equivalents:
 B<OCSP_REQ_CTX> by L<OSSL_HTTP_REQ_CTX(3)>,
-OCSP_REQ_CTX_i2d() by L<OSSL_HTTP_REQ_CTX_i2d(3)>,
 OCSP_REQ_CTX_add1_header() by L<OSSL_HTTP_REQ_CTX_add1_header(3)>,
 OCSP_REQ_CTX_free() by L<OSSL_HTTP_REQ_CTX_free(3)>, and
 OCSP_set_max_response_length() by
@@ -91,7 +93,7 @@ responder or NULL if an error occurred.
 
 =head1 SEE ALSO
 
-L<crypto(7)>,
+L<OSSL_HTTP_REQ_CTX(3)>
 L<OCSP_cert_to_id(3)>,
 L<OCSP_request_add1_nonce(3)>,
 L<OCSP_REQUEST_new(3)>,

doc/man3/OSSL_HTTP_REQ_CTX.pod

@@ -12,7 +12,7 @@ OSSL_HTTP_REQ_CTX_nbio,
 OSSL_HTTP_REQ_CTX_sendreq_d2i,
 OSSL_HTTP_REQ_CTX_get0_mem_bio,
 OSSL_HTTP_REQ_CTX_set_max_response_length
-- HTTP request functions
+- HTTP client low-level functions
 
 =head1 SYNOPSIS
 
@@ -92,8 +92,7 @@ encoding of I<req>, using the ASN.1 template I<it> to do the encoding.  The
 HTTP header C<Content-Length> is automatically filled out, and if
 I<content_type> isn't NULL, the HTTP header C<Content-Type> is also added with
 its content as value.  All of this ends up in the internal memory B<BIO>.
-This requires that the request type be C<POST>,
-i.e., that I<method_POST> is 1 in the OSSL_HTTP_REQ_CTX_new() call.
+This requires that I<method_POST> was 1 in the OSSL_HTTP_REQ_CTX_new() call.
 
 OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP,
 using the I<rbio> and I<wbio> that were given in the OSSL_HTTP_REQ_CTX_new()

include/openssl/ocsp.h.in

@@ -172,24 +172,21 @@ DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID)
 
 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req);
 OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
-                                    OCSP_REQUEST *req, int maxline);
+                                    const OCSP_REQUEST *req, int maxline);
 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx);
 
 #  ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX;
-OSSL_DEPRECATEDIN_3_0
-int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req);
-
-#   define OCSP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) \
-        OSSL_HTTP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea)
+#   define OCSP_REQ_CTX_new(io, maxline) \
+        OSSL_HTTP_REQ_CTX_new(io, io, 1, maxline, 0, 0, NULL, 1)
 #   define OCSP_REQ_CTX_free(r) \
         OSSL_HTTP_REQ_CTX_free(r)
-#   define OCSP_REQ_CTX_http(r, s, p, path) \
-        OSSL_HTTP_REQ_CTX_set_request_line(r, s, p, path)
+#   define OCSP_REQ_CTX_http(rctx, op, path) \
+        OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path)
 #   define OCSP_REQ_CTX_add1_header(r, n, v) \
         OSSL_HTTP_REQ_CTX_add1_header(r, n, v)
-#   define OCSP_REQ_CTX_i2d(r, c, i, req) \
-        OSSL_HTTP_REQ_CTX_i2d(r, c, i, req)
+#   define OCSP_REQ_CTX_i2d(r, i, req) \
+        OSSL_HTTP_REQ_CTX_i2d(r, "application/ocsp-request", i, req)
 #   define OCSP_REQ_CTX_nbio(r) \
         OSSL_HTTP_REQ_CTX_nbio(r)
 #   define OCSP_REQ_CTX_nbio_d2i(r, i) \
@@ -198,6 +195,8 @@ int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req);
         OSSL_HTTP_REQ_CTX_get0_mem_bio(r)
 #   define OCSP_set_max_response_length(r, l) \
         OSSL_HTTP_REQ_CTX_set_max_response_length(r, l)
+#   define OCSP_REQ_CTX_set1_req(r, req) \
+        OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req))
 #  endif
 
 OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,

util/libcrypto.num

@@ -3334,7 +3334,6 @@ EVP_PKEY_meth_get_verify                3403	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 CRYPTO_128_wrap                         3404	3_0_0	EXIST::FUNCTION:
 X509_STORE_set_lookup_crls              3405	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_meth_get_ctrl                3406	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
-OCSP_REQ_CTX_set1_req                   3407	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,OCSP
 CONF_imodule_get_usr_data               3408	3_0_0	EXIST::FUNCTION:
 CRYPTO_new_ex_data                      3409	3_0_0	EXIST::FUNCTION:
 PEM_read_PKCS8_PRIV_KEY_INFO            3410	3_0_0	EXIST::FUNCTION:STDIO

util/other.syms

@@ -337,6 +337,7 @@ OCSP_REQ_CTX_add1_header                define deprecated 3.0.0
 OCSP_REQ_CTX_free                       define deprecated 3.0.0
 OCSP_REQ_CTX_i2d                        define deprecated 3.0.0
 OCSP_set_max_response_length            define deprecated 3.0.0
+OCSP_REQ_CTX_set1_req                   define deprecated 3.0.0
 OPENSSL_FILE                            define
 OPENSSL_FUNC                            define
 OPENSSL_LINE                            define