[thirdparty/openssl.git] / doc / man3 / OSSL_HTTP_transfer.pod

=pod

=head1 NAME

OSSL_HTTP_open,
OSSL_HTTP_bio_cb_t,
OSSL_HTTP_proxy_connect,
OSSL_HTTP_set1_request,
OSSL_HTTP_exchange,
OSSL_HTTP_get,
OSSL_HTTP_transfer,
OSSL_HTTP_close
-  HTTP client high-level functions

=head1 SYNOPSIS

 #include <openssl/http.h>

 typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg,
                                    int connect, int detail);
 OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port,
                                   const char *proxy, const char *no_proxy,
                                   int use_ssl, BIO *bio, BIO *rbio,
                                   OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                                   int buf_size, int overall_timeout);
 int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
                             const char *proxyuser, const char *proxypass,
                             int timeout, BIO *bio_err, const char *prog);
 int OSSL_HTTP_set1_request(OSSL_HTTP_REQ_CTX *rctx, const char *path,
                            const STACK_OF(CONF_VALUE) *headers,
                            const char *content_type, BIO *req,
                            const char *expected_content_type, int expect_asn1,
                            size_t max_resp_len, int timeout, int keep_alive);
 BIO *OSSL_HTTP_exchange(OSSL_HTTP_REQ_CTX *rctx, char **redirection_url);
 BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
                    BIO *bio, BIO *rbio,
                    OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                    int buf_size, const STACK_OF(CONF_VALUE) *headers,
                    const char *expected_content_type, int expect_asn1,
                    size_t max_resp_len, int timeout);
 BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx,
                         const char *server, const char *port,
                         const char *path, int use_ssl,
                         const char *proxy, const char *no_proxy,
                         BIO *bio, BIO *rbio,
                         OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
                         int buf_size, const STACK_OF(CONF_VALUE) *headers,
                         const char *content_type, BIO *req,
                         const char *expected_content_type, int expect_asn1,
                         size_t max_resp_len, int timeout, int keep_alive);
 int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok);

=head1 DESCRIPTION

OSSL_HTTP_open() initiates an HTTP session using the I<bio> argument if not
NULL, else by connecting to a given I<server> optionally via a I<proxy>.

Typically the OpenSSL build supports sockets and the I<bio> parameter is NULL.
In this case I<rbio> must be NULL as well and the I<server> must be non-NULL.
The function creates a network BIO internally using L<BIO_new_connect(3)>
for connecting to the given server and the optionally given I<port>,
defaulting to 80 for HTTP or 443 for HTTPS.
Then this internal BIO is used for setting up a connection
and for exchanging one or more request and response.

If I<bio> is given and I<rbio> is NULL then this I<bio> is used instead.
If both I<bio> and I<rbio> are given (which may be memory BIOs for instance)
then no explicit connection is set up, but
I<bio> is used for writing requests and I<rbio> for reading responses.
As soon as the client has flushed I<bio> the server must be ready to provide
a response or indicate a waiting condition via I<rbio>.

If I<bio> is given,
it is an error to provide non-NULL I<proxy> or I<no_proxy> arguments,
while I<server> and I<port> arguments may be given to support diagnostic output.
If I<bio> is NULL the optional I<proxy> parameter can be used to set an
HTTP(S) proxy to use (unless overridden by "no_proxy" settings).
If TLS is not used this defaults to the environment variable C<http_proxy>
if set, else C<HTTP_PROXY>.
If I<use_ssl> != 0 it defaults to C<https_proxy> if set, else C<HTTPS_PROXY>.
An empty proxy string C<""> forbids using a proxy.
Otherwise, the format is
C<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>,
where any userinfo, path, query, and fragment given is ignored.
If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
The default proxy port number is 80, or 443 in case "https:" is given.
The HTTP client functions connect via the given proxy unless the I<server>
is found in the optional list I<no_proxy> of proxy hostnames or IP addresses
separated by C<,> and/or whitespace (if not NULL;
default is the environment variable C<no_proxy> if set, else C<NO_PROXY>).
Proxying plain HTTP is supported directly,
while using a proxy for HTTPS connections requires a suitable callback function
such as OSSL_HTTP_proxy_connect(), described below.

If I<use_ssl> is nonzero a TLS connection is requested
and the I<bio_update_fn> parameter must be provided.

The parameter I<bio_update_fn>, which is optional if I<use_ssl> is 0,
may be used to modify the connection BIO used by the HTTP client,
but cannot be used when both I<bio> and I<rbio> are given.
I<bio_update_fn> is a BIO connect/disconnect callback function with prototype

 BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail)

The callback function may modify the BIO provided in the I<bio> argument,
whereby it may use an optional custom defined argument I<arg>,
which can for instance point to an B<SSL_CTX> structure.
During connection establishment, just after calling BIO_do_connect_retry(), the
callback function is invoked with the I<connect> argument being 1 and
I<detail> being 1 if I<use_ssl> is nonzero (i.e., HTTPS is requested), else 0.
On disconnect I<connect> is 0 and I<detail> is 1 if no error occurred, else 0.
For instance, on connect the callback may push an SSL BIO to implement HTTPS;
after disconnect it may do some diagnostic output and pop and free the SSL BIO.

The callback function must return either the potentially modified BIO I<bio>
or NULL to indicate failure, in which case it should not modify the BIO.

Here is a simple example that supports TLS connections (but not via a proxy):

 BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
 {
     if (connect && detail) { /* connecting with TLS */
         SSL_CTX *ctx = (SSL_CTX *)arg;
         BIO *sbio = BIO_new_ssl(ctx, 1);

         bio = sbio != NULL ? BIO_push(sbio, bio) : NULL;
     } else if (!connect) { /* disconnecting */
         BIO *hbio;

         if (!detail) { /* an error has occurred */
             /* optionally add diagnostics here */
         }
         BIO_ssl_shutdown(bio);
         hbio = BIO_pop(bio);
         BIO_free(bio); /* SSL BIO */
         bio = hbio;
     }
     return bio;
 }

After disconnect the modified BIO will be deallocated using BIO_free_all().
The optional callback function argument I<arg> is not consumed,
so must be freed by the caller when not needed any more.

The I<buf_size> parameter specifies the response header maximum line length.
A value <= 0 means that the B<OSSL_HTTP_DEFAULT_MAX_LINE_LEN> (4KiB) is used.
I<buf_size> is also used as the number of content bytes that are read at a time.

If the I<overall_timeout> parameter is > 0 this indicates the maximum number of
seconds the overall HTTP transfer (i.e., connection setup if needed,
sending requests, and receiving responses) is allowed to take until completion.
A value <= 0 enables waiting indefinitely, i.e., no timeout.

OSSL_HTTP_proxy_connect() may be used by an above BIO connect callback function
to set up an SSL/TLS connection via an HTTPS proxy.
It promotes the given BIO I<bio> representing a connection
pre-established with a TLS proxy using the HTTP CONNECT method,
optionally using proxy client credentials I<proxyuser> and I<proxypass>,
to connect with TLS protection ultimately to I<server> and I<port>.
If the I<port> argument is NULL or the empty string it defaults to "443".
If the I<timeout> parameter is > 0 this indicates the maximum number of
seconds the connection setup is allowed to take.
A value <= 0 enables waiting indefinitely, i.e., no timeout.
Since this function is typically called by applications such as
L<openssl-s_client(1)> it uses the I<bio_err> and I<prog> parameters (unless
NULL) to print additional diagnostic information in a user-oriented way.

OSSL_HTTP_set1_request() sets up in I<rctx> the request header and content data
and expectations on the response using the following parameters.
If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server host
(and optionally port) needs to be placed in the header; thus it must be present
in I<rctx>.
For backward compatibility, the server (and optional port) may also be given in
the I<path> argument beginning with C<http://> (thus giving an absoluteURI).
If I<path> is NULL it defaults to "/".
If I<req> is NULL the HTTP GET method will be used to send the request
else HTTP POST with the contents of I<req> and optional I<content_type>, where
the length of the data in I<req> does not need to be determined in advance: the
BIO will be read on-the-fly while sending the request, which supports streaming.
The optional list I<headers> may contain additional custom HTTP header lines.
The I<max_resp_len> parameter specifies the maximum allowed
response content length, where the value 0 indicates no limit.
For the meaning of the I<expected_content_type>, I<expect_asn1>, I<timeout>,
and I<keep_alive> parameters, see L<OSSL_HTTP_REQ_CTX_set_expected(3)>.

OSSL_HTTP_exchange() exchanges any form of HTTP request and response
as specified by I<rctx>, which must include both connection and request data,
typically set up using OSSL_HTTP_open() and OSSL_HTTP_set1_request().
It implements the core of the functions described below.
If the HTTP method is GET and I<redirection_url>
is not NULL the latter pointer is used to provide any new location that
the server may return with HTTP code 301 (MOVED_PERMANENTLY) or 302 (FOUND).
In this case the function returns NULL and the caller is
responsible for deallocating the URL with L<OPENSSL_free(3)>.
If the response header contains one or more C<Content-Length> lines and/or
an ASN.1-encoded response is expected, which should include a total length,
the length indications received are checked for consistency
and for not exceeding any given maximum response length.
If an ASN.1-encoded response is expected, the function returns on success
the contents buffered in a memory BIO, which does not support streaming.
Otherwise it returns directly the read BIO that holds the response contents,
which allows a response of indefinite length and may support streaming.
The caller is responsible for freeing the BIO pointer obtained.

OSSL_HTTP_get() uses HTTP GET to obtain data from I<bio> if non-NULL,
else from the server contained in the I<url>, and returns it as a BIO.
It supports redirection via HTTP status code 301 or 302.  It is meant for
transfers with a single round trip, so does not support persistent connections.
If I<bio> is non-NULL, any host and port components in the I<url> are not used
for connecting but the hostname is used, as usual, for the C<Host> header.
Any userinfo and fragment components in the I<url> are ignored.
Any query component is handled as part of the path component.
If the scheme component of the I<url> is C<https> a TLS connection is requested
and the I<bio_update_fn>, as described for OSSL_HTTP_open(), must be provided.
Also the remaining parameters are interpreted as described for OSSL_HTTP_open()
and OSSL_HTTP_set1_request(), respectively.
The caller is responsible for freeing the BIO pointer obtained.

OSSL_HTTP_transfer() exchanges an HTTP request and response
over a connection managed via I<prctx> without supporting redirection.
It combines OSSL_HTTP_open(), OSSL_HTTP_set1_request(), OSSL_HTTP_exchange(),
and OSSL_HTTP_close().
If I<prctx> is not NULL it reuses any open connection represented by a non-NULL
I<*prctx>.  It keeps the connection open if a persistent connection is requested
or required and this was granted by the server, else it closes the connection
and assigns NULL to I<*prctx>.
The remaining parameters are interpreted as described for OSSL_HTTP_open()
and OSSL_HTTP_set1_request(), respectively.
The caller is responsible for freeing the BIO pointer obtained.

OSSL_HTTP_close() closes the connection and releases I<rctx>.
The I<ok> parameter is passed to any BIO update function
given during setup as described above for OSSL_HTTP_open().
It must be 1 if no error occurred during the HTTP transfer and 0 otherwise.

=head1 NOTES

The names of the environment variables used by this implementation:
C<http_proxy>, C<HTTP_PROXY>, C<https_proxy>, C<HTTPS_PROXY>, C<no_proxy>, and
C<NO_PROXY>, have been chosen for maximal compatibility with
other HTTP client implementations such as wget, curl, and git.

When built with tracing enabled, OSSL_HTTP_transfer() and all functions using it
may be traced using B<OSSL_TRACE_CATEGORY_HTTP>.
See also L<OSSL_trace_enabled(3)> and L<openssl-env(7)>.

=head1 RETURN VALUES

OSSL_HTTP_open() returns on success a B<OSSL_HTTP_REQ_CTX>, else NULL.

OSSL_HTTP_proxy_connect() and OSSL_HTTP_set1_request()
return 1 on success, 0 on error.

On success, OSSL_HTTP_exchange(), OSSL_HTTP_get(), and OSSL_HTTP_transfer()
return a memory BIO that buffers all the data received if an ASN.1-encoded
response is expected, otherwise a BIO that may support streaming.
The BIO must be freed by the caller.
On failure, they return NULL.
Failure conditions include connection/transfer timeout, parse errors, etc.
The caller is responsible for freeing the BIO pointer obtained.

OSSL_HTTP_close() returns 0 if anything went wrong while disconnecting, else 1.

=head1 SEE ALSO

L<OSSL_HTTP_parse_url(3)>, L<BIO_new_connect(3)>,
L<ASN1_item_i2d_mem_bio(3)>, L<ASN1_item_d2i_bio(3)>,
L<OSSL_HTTP_REQ_CTX_set_expected(3)>,
L<OSSL_HTTP_is_alive(3)>,
L<OSSL_trace_enabled(3)>, and L<openssl-env(7)>.

=head1 HISTORY

All the functions described here were added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
29f178bd DDO	1	=pod
	2
	3	=head1 NAME
	4
8f965908 DDO	5	OSSL_HTTP_open,
	6	OSSL_HTTP_bio_cb_t,
	7	OSSL_HTTP_proxy_connect,
8ccbf00d	8	OSSL_HTTP_set1_request,
8f965908	9	OSSL_HTTP_exchange,
29f178bd	10	OSSL_HTTP_get,
29f178bd	11	OSSL_HTTP_transfer,
8f965908 DDO	12	OSSL_HTTP_close
8f965908 DDO	13	- HTTP client high-level functions
29f178bd DDO	14
	15	=head1 SYNOPSIS
	16
	17	#include <openssl/http.h>
	18
	19	typedef BIO (OSSL_HTTP_bio_cb_t)(BIO bio, void arg,
	20	int connect, int detail);
8f965908 DDO	21	OSSL_HTTP_REQ_CTX OSSL_HTTP_open(const char server, const char *port,
	22	const char proxy, const char no_proxy,
	23	int use_ssl, BIO bio, BIO rbio,
	24	OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
	25	int buf_size, int overall_timeout);
	26	int OSSL_HTTP_proxy_connect(BIO bio, const char server, const char *port,
	27	const char proxyuser, const char proxypass,
	28	int timeout, BIO bio_err, const char prog);
8ccbf00d DDO	29	int OSSL_HTTP_set1_request(OSSL_HTTP_REQ_CTX rctx, const char path,
	30	const STACK_OF(CONF_VALUE) *headers,
	31	const char content_type, BIO req,
	32	const char *expected_content_type, int expect_asn1,
	33	size_t max_resp_len, int timeout, int keep_alive);
8f965908	34	BIO OSSL_HTTP_exchange(OSSL_HTTP_REQ_CTX rctx, char **redirection_url);
afe554c2	35	BIO OSSL_HTTP_get(const char url, const char proxy, const char no_proxy,
29f178bd DDO	36	BIO bio, BIO rbio,
29f178bd DDO	37	OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
8f965908 DDO	38	int buf_size, const STACK_OF(CONF_VALUE) *headers,
	39	const char *expected_content_type, int expect_asn1,
	40	size_t max_resp_len, int timeout);
	41	BIO OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX *prctx,
	42	const char server, const char port,
	43	const char *path, int use_ssl,
	44	const char proxy, const char no_proxy,
29f178bd DDO	45	BIO bio, BIO rbio,
29f178bd DDO	46	OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
8f965908 DDO	47	int buf_size, const STACK_OF(CONF_VALUE) *headers,
	48	const char content_type, BIO req,
	49	const char *expected_content_type, int expect_asn1,
	50	size_t max_resp_len, int timeout, int keep_alive);
	51	int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok);
29f178bd DDO	52
	53	=head1 DESCRIPTION
	54
82990287 DDO	55	OSSL_HTTP_open() initiates an HTTP session using the I<bio> argument if not
82990287 DDO	56	NULL, else by connecting to a given I<server> optionally via a I<proxy>.
29f178bd	57
8f965908	58	Typically the OpenSSL build supports sockets and the I<bio> parameter is NULL.
119f8145 DDO	59	In this case I<rbio> must be NULL as well and the I<server> must be non-NULL.
	60	The function creates a network BIO internally using L<BIO_new_connect(3)>
	61	for connecting to the given server and the optionally given I<port>,
	62	defaulting to 80 for HTTP or 443 for HTTPS.
8f965908 DDO	63	Then this internal BIO is used for setting up a connection
8f965908 DDO	64	and for exchanging one or more request and response.
1d3da367	65
8f965908	66	If I<bio> is given and I<rbio> is NULL then this I<bio> is used instead.
d7fcee3b	67	If both I<bio> and I<rbio> are given (which may be memory BIOs for instance)
8f965908 DDO	68	then no explicit connection is set up, but
8f965908 DDO	69	I<bio> is used for writing requests and I<rbio> for reading responses.
d7fcee3b DDO	70	As soon as the client has flushed I<bio> the server must be ready to provide
d7fcee3b DDO	71	a response or indicate a waiting condition via I<rbio>.
29f178bd	72
1d3da367 DDO	73	If I<bio> is given,
1d3da367 DDO	74	it is an error to provide non-NULL I<proxy> or I<no_proxy> arguments,
59b6b5a9	75	while I<server> and I<port> arguments may be given to support diagnostic output.
79a2bccd	76	If I<bio> is NULL the optional I<proxy> parameter can be used to set an
4b1fe471	77	HTTP(S) proxy to use (unless overridden by "no_proxy" settings).
d7fcee3b DDO	78	If TLS is not used this defaults to the environment variable C<http_proxy>
	79	if set, else C<HTTP_PROXY>.
	80	If I<use_ssl> != 0 it defaults to C<https_proxy> if set, else C<HTTPS_PROXY>.
79a2bccd	81	An empty proxy string C<""> forbids using a proxy.
ac91bd88	82	Otherwise, the format is
79a2bccd DDO	83	C<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>,
79a2bccd DDO	84	where any userinfo, path, query, and fragment given is ignored.
ac91bd88	85	If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
4b1fe471	86	The default proxy port number is 80, or 443 in case "https:" is given.
d7fcee3b	87	The HTTP client functions connect via the given proxy unless the I<server>
ac91bd88 DO	88	is found in the optional list I<no_proxy> of proxy hostnames or IP addresses
ac91bd88 DO	89	separated by C<,> and/or whitespace (if not NULL;
d7fcee3b	90	default is the environment variable C<no_proxy> if set, else C<NO_PROXY>).
4b1fe471 DDO	91	Proxying plain HTTP is supported directly,
4b1fe471 DDO	92	while using a proxy for HTTPS connections requires a suitable callback function
d7fcee3b	93	such as OSSL_HTTP_proxy_connect(), described below.
4b1fe471	94
8f965908 DDO	95	If I<use_ssl> is nonzero a TLS connection is requested
8f965908 DDO	96	and the I<bio_update_fn> parameter must be provided.
29f178bd	97
8f965908 DDO	98	The parameter I<bio_update_fn>, which is optional if I<use_ssl> is 0,
	99	may be used to modify the connection BIO used by the HTTP client,
	100	but cannot be used when both I<bio> and I<rbio> are given.
d7fcee3b	101	I<bio_update_fn> is a BIO connect/disconnect callback function with prototype
29f178bd DDO	102
	103	BIO (OSSL_HTTP_bio_cb_t)(BIO bio, void arg, int connect, int detail)
	104
2080134e	105	The callback function may modify the BIO provided in the I<bio> argument,
2f768882 DDO	106	whereby it may use an optional custom defined argument I<arg>,
2f768882 DDO	107	which can for instance point to an B<SSL_CTX> structure.
2080134e	108	During connection establishment, just after calling BIO_do_connect_retry(), the
35750cb9 DDO	109	callback function is invoked with the I<connect> argument being 1 and
35750cb9 DDO	110	I<detail> being 1 if I<use_ssl> is nonzero (i.e., HTTPS is requested), else 0.
d7fcee3b	111	On disconnect I<connect> is 0 and I<detail> is 1 if no error occurred, else 0.
2080134e DDO	112	For instance, on connect the callback may push an SSL BIO to implement HTTPS;
	113	after disconnect it may do some diagnostic output and pop and free the SSL BIO.
	114
2f768882	115	The callback function must return either the potentially modified BIO I<bio>
2080134e DDO	116	or NULL to indicate failure, in which case it should not modify the BIO.
2080134e DDO	117
29f178bd DDO	118	Here is a simple example that supports TLS connections (but not via a proxy):
29f178bd DDO	119
cdaf072f	120	BIO http_tls_cb(BIO bio, void *arg, int connect, int detail)
29f178bd	121	{
29f178bd	122	if (connect && detail) { /* connecting with TLS */
8f965908	123	SSL_CTX ctx = (SSL_CTX )arg;
29f178bd	124	BIO *sbio = BIO_new_ssl(ctx, 1);
8f965908	125
cdaf072f DDO	126	bio = sbio != NULL ? BIO_push(sbio, bio) : NULL;
	127	} else if (!connect) { /* disconnecting */
	128	BIO *hbio;
	129
	130	if (!detail) { /* an error has occurred */
	131	/* optionally add diagnostics here */
	132	}
	133	BIO_ssl_shutdown(bio);
	134	hbio = BIO_pop(bio);
	135	BIO_free(bio); /* SSL BIO */
	136	bio = hbio;
29f178bd	137	}
cdaf072f	138	return bio;
29f178bd DDO	139	}
	140
	141	After disconnect the modified BIO will be deallocated using BIO_free_all().
2f768882 DDO	142	The optional callback function argument I<arg> is not consumed,
2f768882 DDO	143	so must be freed by the caller when not needed any more.
29f178bd	144
8f965908	145	The I<buf_size> parameter specifies the response header maximum line length.
647a5dbf DDO	146	A value <= 0 means that the B<OSSL_HTTP_DEFAULT_MAX_LINE_LEN> (4KiB) is used.
647a5dbf DDO	147	I<buf_size> is also used as the number of content bytes that are read at a time.
8f965908 DDO	148
	149	If the I<overall_timeout> parameter is > 0 this indicates the maximum number of
	150	seconds the overall HTTP transfer (i.e., connection setup if needed,
	151	sending requests, and receiving responses) is allowed to take until completion.
	152	A value <= 0 enables waiting indefinitely, i.e., no timeout.
	153
29f178bd	154	OSSL_HTTP_proxy_connect() may be used by an above BIO connect callback function
4b1fe471	155	to set up an SSL/TLS connection via an HTTPS proxy.
d7fcee3b	156	It promotes the given BIO I<bio> representing a connection
29f178bd	157	pre-established with a TLS proxy using the HTTP CONNECT method,
d7fcee3b DDO	158	optionally using proxy client credentials I<proxyuser> and I<proxypass>,
	159	to connect with TLS protection ultimately to I<server> and I<port>.
	160	If the I<port> argument is NULL or the empty string it defaults to "443".
8f965908 DDO	161	If the I<timeout> parameter is > 0 this indicates the maximum number of
	162	seconds the connection setup is allowed to take.
	163	A value <= 0 enables waiting indefinitely, i.e., no timeout.
bb361a27	164	Since this function is typically called by applications such as
d7fcee3b	165	L<openssl-s_client(1)> it uses the I<bio_err> and I<prog> parameters (unless
29f178bd DDO	166	NULL) to print additional diagnostic information in a user-oriented way.
29f178bd DDO	167
8ccbf00d	168	OSSL_HTTP_set1_request() sets up in I<rctx> the request header and content data
8f965908	169	and expectations on the response using the following parameters.
45c02183 DDO	170	If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server host
	171	(and optionally port) needs to be placed in the header; thus it must be present
	172	in I<rctx>.
	173	For backward compatibility, the server (and optional port) may also be given in
	174	the I<path> argument beginning with C<http://> (thus giving an absoluteURI).
8f965908	175	If I<path> is NULL it defaults to "/".
82990287 DDO	176	If I<req> is NULL the HTTP GET method will be used to send the request
82990287 DDO	177	else HTTP POST with the contents of I<req> and optional I<content_type>, where
8b5ca511 DDO	178	the length of the data in I<req> does not need to be determined in advance: the
8b5ca511 DDO	179	BIO will be read on-the-fly while sending the request, which supports streaming.
8f965908	180	The optional list I<headers> may contain additional custom HTTP header lines.
be799eb7 DDO	181	The I<max_resp_len> parameter specifies the maximum allowed
be799eb7 DDO	182	response content length, where the value 0 indicates no limit.
153adbc5 DDO	183	For the meaning of the I<expected_content_type>, I<expect_asn1>, I<timeout>,
153adbc5 DDO	184	and I<keep_alive> parameters, see L<OSSL_HTTP_REQ_CTX_set_expected(3)>.
8f965908	185
82990287	186	OSSL_HTTP_exchange() exchanges any form of HTTP request and response
8f965908	187	as specified by I<rctx>, which must include both connection and request data,
8ccbf00d	188	typically set up using OSSL_HTTP_open() and OSSL_HTTP_set1_request().
8f965908 DDO	189	It implements the core of the functions described below.
	190	If the HTTP method is GET and I<redirection_url>
	191	is not NULL the latter pointer is used to provide any new location that
	192	the server may return with HTTP code 301 (MOVED_PERMANENTLY) or 302 (FOUND).
82990287 DDO	193	In this case the function returns NULL and the caller is
82990287 DDO	194	responsible for deallocating the URL with L<OPENSSL_free(3)>.
153adbc5	195	If the response header contains one or more C<Content-Length> lines and/or
8f965908 DDO	196	an ASN.1-encoded response is expected, which should include a total length,
	197	the length indications received are checked for consistency
	198	and for not exceeding any given maximum response length.
a26c089b	199	If an ASN.1-encoded response is expected, the function returns on success
7d5019c1	200	the contents buffered in a memory BIO, which does not support streaming.
a26c089b	201	Otherwise it returns directly the read BIO that holds the response contents,
8f965908	202	which allows a response of indefinite length and may support streaming.
a26c089b	203	The caller is responsible for freeing the BIO pointer obtained.
8f965908 DDO	204
	205	OSSL_HTTP_get() uses HTTP GET to obtain data from I<bio> if non-NULL,
	206	else from the server contained in the I<url>, and returns it as a BIO.
	207	It supports redirection via HTTP status code 301 or 302. It is meant for
	208	transfers with a single round trip, so does not support persistent connections.
	209	If I<bio> is non-NULL, any host and port components in the I<url> are not used
	210	for connecting but the hostname is used, as usual, for the C<Host> header.
	211	Any userinfo and fragment components in the I<url> are ignored.
	212	Any query component is handled as part of the path component.
	213	If the scheme component of the I<url> is C<https> a TLS connection is requested
	214	and the I<bio_update_fn>, as described for OSSL_HTTP_open(), must be provided.
	215	Also the remaining parameters are interpreted as described for OSSL_HTTP_open()
8ccbf00d	216	and OSSL_HTTP_set1_request(), respectively.
a26c089b	217	The caller is responsible for freeing the BIO pointer obtained.
8f965908	218
82990287 DDO	219	OSSL_HTTP_transfer() exchanges an HTTP request and response
82990287 DDO	220	over a connection managed via I<prctx> without supporting redirection.
8ccbf00d	221	It combines OSSL_HTTP_open(), OSSL_HTTP_set1_request(), OSSL_HTTP_exchange(),
82990287 DDO	222	and OSSL_HTTP_close().
	223	If I<prctx> is not NULL it reuses any open connection represented by a non-NULL
	224	I<*prctx>. It keeps the connection open if a persistent connection is requested
	225	or required and this was granted by the server, else it closes the connection
	226	and assigns NULL to I<*prctx>.
	227	The remaining parameters are interpreted as described for OSSL_HTTP_open()
8ccbf00d	228	and OSSL_HTTP_set1_request(), respectively.
a26c089b	229	The caller is responsible for freeing the BIO pointer obtained.
82990287	230
8f965908 DDO	231	OSSL_HTTP_close() closes the connection and releases I<rctx>.
	232	The I<ok> parameter is passed to any BIO update function
	233	given during setup as described above for OSSL_HTTP_open().
4ee464cf	234	It must be 1 if no error occurred during the HTTP transfer and 0 otherwise.
8f965908	235
4b1fe471 DDO	236	=head1 NOTES
	237
	238	The names of the environment variables used by this implementation:
d7fcee3b DDO	239	C<http_proxy>, C<HTTP_PROXY>, C<https_proxy>, C<HTTPS_PROXY>, C<no_proxy>, and
d7fcee3b DDO	240	C<NO_PROXY>, have been chosen for maximal compatibility with
4b1fe471 DDO	241	other HTTP client implementations such as wget, curl, and git.
4b1fe471 DDO	242
e8fdb060 DDO	243	When built with tracing enabled, OSSL_HTTP_transfer() and all functions using it
e8fdb060 DDO	244	may be traced using B<OSSL_TRACE_CATEGORY_HTTP>.
ee0bf38e	245	See also L<OSSL_trace_enabled(3)> and L<openssl-env(7)>.
e8fdb060	246
29f178bd DDO	247	=head1 RETURN VALUES
29f178bd DDO	248
8f965908 DDO	249	OSSL_HTTP_open() returns on success a B<OSSL_HTTP_REQ_CTX>, else NULL.
8f965908 DDO	250
8ccbf00d	251	OSSL_HTTP_proxy_connect() and OSSL_HTTP_set1_request()
8f965908 DDO	252	return 1 on success, 0 on error.
	253
	254	On success, OSSL_HTTP_exchange(), OSSL_HTTP_get(), and OSSL_HTTP_transfer()
7d5019c1 DDO	255	return a memory BIO that buffers all the data received if an ASN.1-encoded
7d5019c1 DDO	256	response is expected, otherwise a BIO that may support streaming.
be799eb7	257	The BIO must be freed by the caller.
8f965908	258	On failure, they return NULL.
6aab42c3	259	Failure conditions include connection/transfer timeout, parse errors, etc.
a26c089b	260	The caller is responsible for freeing the BIO pointer obtained.
29f178bd	261
8f965908	262	OSSL_HTTP_close() returns 0 if anything went wrong while disconnecting, else 1.
29f178bd	263
d7fcee3b DDO	264	=head1 SEE ALSO
d7fcee3b DDO	265
119f8145	266	L<OSSL_HTTP_parse_url(3)>, L<BIO_new_connect(3)>,
8f965908	267	L<ASN1_item_i2d_mem_bio(3)>, L<ASN1_item_d2i_bio(3)>,
153adbc5	268	L<OSSL_HTTP_REQ_CTX_set_expected(3)>,
e8fdb060	269	L<OSSL_HTTP_is_alive(3)>,
ee0bf38e	270	L<OSSL_trace_enabled(3)>, and L<openssl-env(7)>.
d7fcee3b	271
29f178bd DDO	272	=head1 HISTORY
29f178bd DDO	273
8f965908	274	All the functions described here were added in OpenSSL 3.0.
29f178bd DDO	275
	276	=head1 COPYRIGHT
	277
0c679f55	278	Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
29f178bd DDO	279
	280	Licensed under the Apache License 2.0 (the "License"). You may not use
	281	this file except in compliance with the License. You can obtain a copy
	282	in the file LICENSE in the source distribution or at
	283	L<https://www.openssl.org/source/license.html>.
	284
	285	=cut