Import OCSP documentation from OpenSSL, leaving out some stuff

that we don't have, fixing some bugs and tweaking some parts for
readability.

P.S.
Why did some people write a HTTP client implementation and then
decide that the best place to publish it might be a crypto(3)
library?  Oh never mind, to go easy on my sanity, i should probably
stop asking such questions and just document what i find.

1 files changed, 245 insertions, 0 deletions

diff --git a/lib/libcrypto/man/OCSP_sendreq_new.3 b/lib/libcrypto/man/OCSP_sendreq_new.3
new file mode 100644
index 00000000000..994ce9cc2ae
--- /dev/null
+++ b/lib/libcrypto/man/OCSP_sendreq_new.3
@@ -0,0 +1,245 @@
+.\"	$OpenBSD: OCSP_sendreq_new.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"	OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_SENDREQ_NEW 3
+.Os
+.Sh NAME
+.Nm OCSP_sendreq_new ,
+.Nm OCSP_sendreq_nbio ,
+.Nm OCSP_REQ_CTX_free ,
+.Nm OCSP_REQ_CTX_add1_header ,
+.Nm OCSP_REQ_CTX_set1_req ,
+.Nm OCSP_sendreq_bio
+.Nd OCSP responder query functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft OCSP_REQ_CTX *
+.Fo OCSP_sendreq_new
+.Fa "BIO *io"
+.Fa "const char *path"
+.Fa "OCSP_REQUEST *req"
+.Fa "int maxline"
+.Fc
+.Ft int
+.Fo OCSP_sendreq_nbio
+.Fa "OCSP_RESPONSE **presp"
+.Fa "OCSP_REQ_CTX *rctx"
+.Fc
+.Ft void
+.Fo OCSP_REQ_CTX_free
+.Fa "OCSP_REQ_CTX *rctx"
+.Fc
+.Ft int
+.Fo OCSP_REQ_CTX_add1_header
+.Fa "OCSP_REQ_CTX *rctx"
+.Fa "const char *name"
+.Fa "const char *value"
+.Fc
+.Ft int
+.Fo OCSP_REQ_CTX_set1_req
+.Fa "OCSP_REQ_CTX *rctx"
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Ft OCSP_RESPONSE *
+.Fo OCSP_sendreq_bio
+.Fa "BIO *io"
+.Fa "const char *path"
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn OCSP_sendreq_new
+returns an
+.Vt OCSP_REQ_CTX
+structure using the responder
+.Fa io ,
+the URI path
+.Fa path ,
+the OCSP request
+.Fa req
+and with a response header maximum line length of
+.Fa maxline .
+If
+.Fa maxline
+is zero, a default value of 4k is used.
+The OCSP request
+.Fa req
+may be set to
+.Dv NULL
+and provided later if required.
+.Pp
+The arguments to
+.Fn OCSP_sendreq_new
+correspond to the components of the URI.
+For example, if the responder URI is
+.Pa http://ocsp.com/ocspreq ,
+the BIO
+.Fa io
+should be connected to host
+.Pa ocsp.com
+on port 80 and
+.Fa path
+should be set to
+.Qq /ocspreq .
+.Pp
+.Fn OCSP_sendreq_nbio
+performs non-blocking I/O on the OCSP request context
+.Fa rctx .
+When the operation is complete it returns the response in
+.Pf * Fa presp .
+If
+.Fn OCSP_sendreq_nbio
+indicates an operation should be retried, the corresponding BIO can
+be examined to determine which operation (read or write) should be
+retried and appropriate action can be taken, for example a
+.Xr select 3
+call on the underlying socket.
+.Pp
+.Fn OCSP_REQ_CTX_free
+frees up the OCSP context
+.Fa rctx .
+.Pp
+.Fn OCSP_REQ_CTX_add1_header
+adds header
+.Fa name
+with value
+.Fa value
+to the context
+.Fa rctx .
+The added headers are of the form
+.Qq Fa name : value
+or just
+.Qq Fa name
+if
+.Fa value
+is
+.Dv NULL .
+.Fn OCSP_REQ_CTX_add1_header
+can be called more than once to add multiple headers.
+It must be called before any calls to
+.Fn OCSP_sendreq_nbio .
+The
+.Fa req
+parameter in the initial to
+.Fn OCSP_sendreq_new
+call must be set to
+.Dv NULL
+if additional headers are set.
+.Pp
+.Fn OCSP_REQ_CTX_set1_req
+sets the OCSP request in
+.Fa rctx
+to
+.Fa req .
+This function should be called after any calls to
+.Fn OCSP_REQ_CTX_add1_header .
+.Pp
+.Fn OCSP_sendreq_bio
+performs an OCSP request using the responder
+.Fa io ,
+the URI path
+.Fa path ,
+the OCSP request
+.Fa req .
+It does not support retries and so cannot handle non-blocking I/O
+efficiently.
+It is retained for compatibility and its use in new applications
+is not recommended.
+.Sh RETURN VALUES
+.Fn OCSP_sendreq_new
+returns a valid
+.Vt OCSP_REQ_CTX
+structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_sendreq_nbio
+returns
+.Sy 1
+if the operation was completed successfully,
+.Sy -1
+if the operation should be retried, or
+.Sy 0
+if an error occurred.
+.Pp
+.Fn OCSP_REQ_CTX_add1_header
+and
+.Fn OCSP_REQ_CTX_set1_req
+return
+.Sy 1
+for success or
+.Sy 0
+for failure.
+.Pp
+.Fn OCSP_sendreq_bio
+returns the
+.Vt OCSP_RESPONSE
+structure sent by the responder or
+.Dv NULL
+if an error occurred.
+.Sh EXAMPLES
+Add a Host header for
+.Pa ocsp.com :
+.Pp
+.Dl OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3
+.Sh CAVEATS
+These functions only perform a minimal HTTP query to a responder.
+If an application wishes to support more advanced features, it
+should use an alternative more complete HTTP library.
+.Pp
+Currently only HTTP POST queries to responders are supported.