Last change on this file since 68b5156 was efc43b4, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Split per-vhost post config for OCSP stapling into configuring and enabling

This is preparation for enabling stapling by default: Configuration
failure may be ignored if stapling is not explicitly enabled by the
user (at the cost of not stapling).

[104e881]1/*
[2246a84]2 *  Copyright 2016-2018 Fiona Klute
[94cb972]3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3); a guard name like
 * MOD_GNUTLS_OCSP_H avoids the clash. If renamed, the comment on the
 * closing #endif should be updated to match. */
#ifndef __MOD_GNUTLS_OCSP_H__
#define __MOD_GNUTLS_OCSP_H__
19
20#include "gnutls/gnutls.h"
[2a1ffd6]21#include "gnutls/x509.h"
[94cb972]22#include "httpd.h"
23#include "http_config.h"
24
/** Name of the global mutex serializing OCSP stapling operations
 * (presumably registered through the httpd mutex API in
 * gnutls_ocsp.c — confirm there). */
#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
/** Name of the mutex guarding the OCSP response cache */
#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
/** Name of the OCSP response cache instance (the string the cache
 * is looked up under; see the cache setup code for how it is used) */
#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"

/** Default OCSP response cache timeout in seconds. Best read as an
 * upper bound: a response's own validity period should win if it is
 * shorter — whether it does is not visible here, verify in
 * gnutls_ocsp.c. */
#define MGS_OCSP_CACHE_TIMEOUT 3600
/** Default OCSP failure timeout in seconds: presumably how long a
 * failed responder query is remembered before another attempt, so an
 * unreachable responder is not re-queried on every handshake
 * (confirm in gnutls_ocsp.c). */
#define MGS_OCSP_FAILURE_TIMEOUT 300
/** Default socket timeout for OCSP responder connections, in
 * seconds. Note that the timeout applies to "absolutely no data sent
 * or received", not the whole connection. 10 seconds in mod_ssl. */
#define MGS_OCSP_SOCKET_TIMEOUT 6
37
/**
 * Vhost specific OCSP data structure
 *
 * Per-(virtual) host state needed to fetch, verify and cache a
 * stapled OCSP response for that host's certificate. Presumably
 * filled in by mgs_ocsp_configure_stapling() during post_config —
 * confirm in gnutls_ocsp.c.
 */
struct mgs_ocsp_data {
    /** OCSP URI extracted from the server certificate. NULL if
     * unset, so users must check before dereferencing. The value
     * comes from the certificate, not from the user's configuration. */
    apr_uri_t *uri;
    /** Trust list to verify OCSP responses for stapling. Should
     * usually only contain the CA that signed the server
     * certificate. Built with mgs_create_ocsp_trust_list(); released
     * by mgs_cleanup_trust_list(), which deinits the list but not
     * the certificates it references. */
    gnutls_x509_trust_list_t *trust;
    /** Server certificate fingerprint, used as cache key for the OCSP
     * response. Keying on the certificate rather than the vhost name
     * presumably lets hosts sharing a certificate share the cached
     * response and keeps a replaced certificate from hitting a stale
     * entry — confirm against the cache code. */
    gnutls_datum_t fingerprint;
};
53
/**
 * Directive handler (AP_INIT_FLAG style, `arg` is the parsed on/off
 * flag) controlling whether OCSP stapling is enabled for the vhost.
 * The directive name it is bound to is defined in the module's
 * command table, not here.
 *
 * @return NULL on success, an error message string otherwise (httpd
 * directive handler convention)
 */
const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);

/**
 * Directive handler (flag) for automatic refreshing of cached OCSP
 * responses. The exact refresh semantics live in gnutls_ocsp.c.
 *
 * @return NULL on success, an error message string otherwise
 */
const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),
                                      const int arg);

/**
 * Directive handler (flag) for whether the nonce in OCSP responses
 * is checked. Trade-off to keep in mind: many public responders
 * serve pre-produced responses without a nonce, so requiring it
 * trades availability for freshness. What exactly is rejected when
 * the check is on is in gnutls_ocsp.c.
 *
 * @return NULL on success, an error message string otherwise
 */
const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);

/**
 * Directive handler (one string argument) setting a path from which
 * an OCSP response is read — presumably a file-based alternative to
 * querying the responder, confirm in gnutls_ocsp.c. `arg` is the raw
 * string from the configuration file.
 *
 * @return NULL on success, an error message string otherwise
 */
const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                         void *dummy __attribute__((unused)),
                                         const char *arg);
69
/**
 * Create a trust list from a certificate chain (one or more
 * certificates).
 *
 * @param tl This trust list will be initialized and filled with the
 * specified certificate(s)
 *
 * @param chain certificate chain, must contain at least `num`
 * certificates. The function cannot check this itself, so a `num`
 * larger than the chain reads past its end — callers must pass the
 * count they loaded the chain with.
 *
 * @param num number of certificates to load from chain
 *
 * Chain is supposed to be static (the trust chain of the server
 * certificate), so when `gnutls_x509_trust_list_deinit()` is called on
 * tl later, the "all" parameter should be zero (so the certificates
 * themselves are left alone).
 *
 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error
 * tl will be uninitialized.
 */
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num);
92
/**
 * Pool cleanup function that deinits the trust list without
 * deinitializing certificates (i.e. `gnutls_x509_trust_list_deinit()`
 * with "all" set to zero, matching the ownership described for
 * mgs_create_ocsp_trust_list()).
 *
 * @param data the trust list registered with the pool cleanup;
 * presumably the `gnutls_x509_trust_list_t` itself — verify against
 * the apr_pool_cleanup_register() call
 *
 * @return an `apr_status_t` as required by the APR cleanup signature
 */
apr_status_t mgs_cleanup_trust_list(void *data);
98
/**
 * Try to generate the OCSP stapling configuration for a (virtual)
 * host. This function must be called in the post_config hook after
 * certificates have been loaded. This method does not actually enable
 * stapling, it only prepares the configuration. The reason for
 * splitting these tasks is that configuration failure may be ignored
 * if stapling is not explicitly enabled but only opportunistically.
 *
 * @param pconf configuration pool, for data that must outlive the
 * post_config run
 * @param ptemp temporary pool of the post_config run
 * @param server the (virtual) host to configure
 *
 * @return `NULL` on success, a string describing why configuration
 * failed otherwise (static or allocated from ptemp). Since the message
 * may live in ptemp it must be logged or copied before post_config
 * returns, not stored.
 */
const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
                                        server_rec *server);
112
/**
 * Enable OCSP stapling for a (virtual) host. Must be called in the
 * post_config hook after mgs_ocsp_configure_stapling has returned
 * successfully for that host.
 *
 * @param pconf configuration pool
 * @param ptemp temporary pool of the post_config run
 * @param server the (virtual) host to enable stapling for
 *
 * @return OK or DECLINED on success, any other value on error (like
 * the post_config hook). Note the error convention differs from
 * mgs_ocsp_configure_stapling(), which returns a message string.
 */
int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
                             server_rec *server);
[fad7695]123
/**
 * Callback providing the OCSP response to staple during a handshake.
 * The signature matches GnuTLS' `gnutls_status_request_ocsp_func`, so
 * it is presumably installed via
 * `gnutls_certificate_set_ocsp_status_request_function()` — confirm
 * in gnutls_ocsp.c.
 *
 * @param session the TLS session being negotiated
 * @param ptr opaque pointer given at registration time (presumably
 * the vhost's `struct mgs_ocsp_data` or server config — confirm)
 * @param ocsp_response output: the DER-encoded response to staple.
 * Check the GnuTLS callback documentation for who frees the datum
 * and which allocator it must come from.
 *
 * @return `GNUTLS_E_SUCCESS` with ocsp_response filled, or a GnuTLS
 * error code; in the GnuTLS callback contract
 * `GNUTLS_E_NO_CERTIFICATE_STATUS` means "nothing to staple" — verify
 * how this implementation reports the no-response case.
 */
int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                          gnutls_datum_t *ocsp_response);
126
127#endif /* __MOD_GNUTLS_OCSP_H__ */