[104e881] | 1 | /* |
---|
[2246a84] | 2 | * Copyright 2016-2018 Fiona Klute |
---|
[94cb972] | 3 | * |
---|
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
| 5 | * you may not use this file except in compliance with the License. |
---|
| 6 | * You may obtain a copy of the License at |
---|
| 7 | * |
---|
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
| 9 | * |
---|
| 10 | * Unless required by applicable law or agreed to in writing, software |
---|
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
| 13 | * See the License for the specific language governing permissions and |
---|
| 14 | * limitations under the License. |
---|
| 15 | */ |
---|
| 16 | |
---|
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3), so this guard name can
 * in principle collide with compiler or libc macros; a plain
 * MOD_GNUTLS_OCSP_H would be safer. Left unchanged here because the
 * matching #endif is elsewhere in the file. */
#ifndef __MOD_GNUTLS_OCSP_H__
#define __MOD_GNUTLS_OCSP_H__
---|
| 19 | |
---|
| 20 | #include "gnutls/gnutls.h" |
---|
[2a1ffd6] | 21 | #include "gnutls/x509.h" |
---|
[94cb972] | 22 | #include "httpd.h" |
---|
| 23 | #include "http_config.h" |
---|
| 24 | |
---|
/** Name of the mutex registered with Apache for OCSP work. Which
 * operations it serializes (presumably responder requests) is decided
 * where it is created, not here — confirm in the implementation. */
#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
/** Name of the mutex guarding the OCSP response cache. */
#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
/** Identifier of the OCSP response cache instance. */
#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"

/** Default OCSP response cache timeout in seconds. NOTE(review): a
 * stapled response must never be served past its nextUpdate time
 * regardless of this value; whether the cache lifetime is clamped to
 * the response's validity window is not visible in this header —
 * verify in the caching code. */
#define MGS_OCSP_CACHE_TIMEOUT 3600
/** Default OCSP failure timeout in seconds. Presumably the delay
 * before the responder is contacted again after a failed fetch, so an
 * unreachable responder is not hammered — confirm against the refresh
 * logic. */
#define MGS_OCSP_FAILURE_TIMEOUT 300
/** Default socket timeout for OCSP responder connections, in
 * seconds. Note that the timeout applies to "absolutely no data sent
 * or received", not the whole connection: a responder that keeps
 * trickling bytes is not bounded by this value, so any limit on the
 * total duration of a fetch has to be enforced separately. 10 seconds
 * in mod_ssl. */
#define MGS_OCSP_SOCKET_TIMEOUT 6
---|
| 37 | |
---|
/**
 * Vhost specific OCSP data structure: everything the stapling code
 * needs per (virtual) host once certificates have been loaded.
 */
struct mgs_ocsp_data {
    /** OCSP URI extracted from the server certificate (presumably
     * from its AIA extension). NULL if unset. The value comes from
     * certificate data rather than from the configuration file, so it
     * should be treated as input to validate before a connection is
     * opened to it — confirm in the code that fills this field. */
    apr_uri_t *uri;
    /** Trust list to verify OCSP responses for stapling. Should
     * usually only contain the CA that signed the server
     * certificate: a response that does not chain to that issuer (or
     * to a responder certificate it delegated to) must not be
     * stapled, so keep this list as small as possible. */
    gnutls_x509_trust_list_t *trust;
    /** Server certificate fingerprint, used as cache key for the OCSP
     * response, so that distinct certificates never share a cached
     * response. */
    gnutls_datum_t fingerprint;
};
---|
| 53 | |
---|
/**
 * Directive handler for switching OCSP stapling on or off. The
 * parameter list (`cmd_parms`, per-directory config, integer flag)
 * has the shape of an Apache flag-directive handler; by Apache
 * convention it returns `NULL` on success or an error message
 * otherwise.
 */
const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);

/**
 * Directive handler for automatic OCSP response refresh. Same
 * flag-handler shape and return convention as
 * mgs_ocsp_stapling_enable.
 */
const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),
                                      const int arg);

/**
 * Directive handler for whether OCSP response nonces are checked.
 * Same flag-handler shape and return convention as
 * mgs_ocsp_stapling_enable. NOTE(review): responders usually serve
 * pre-generated responses without a nonce, so the check is commonly
 * disabled for stapling; the default and how a missing nonce is
 * treated are decided in the implementation, not here — confirm.
 */
const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);

/**
 * Directive handler taking a string argument: the path of a stored
 * OCSP response. Same return convention as the handlers above.
 * NOTE(review): a response read from disk is only as trustworthy as
 * the file's permissions; whether its signature and validity period
 * are verified against `mgs_ocsp_data.trust` before it is stapled is
 * not visible in this header — verify in the implementation.
 */
const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                         void *dummy __attribute__((unused)),
                                         const char *arg);
---|
| 69 | |
---|
/**
 * Create a trust list from a certificate chain (one or more
 * certificates).
 *
 * @param tl This trust list will be initialized and filled with the
 * specified certificate(s)
 *
 * @param chain certificate chain, must contain at least `num`
 * certificates. The caller is responsible for this bound; nothing in
 * the signature lets the function verify it.
 *
 * @param num number of certificates to load from chain. A zero or
 * negative value is a caller bug; whether the implementation rejects
 * it is not visible here.
 *
 * Chain is supposed to be static (the trust chain of the server
 * certificate), so when `gnutls_x509_trust_list_deinit()` is called on
 * tl later, the "all" parameter should be zero: the certificates stay
 * owned by the chain, not by the trust list.
 *
 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error
 * tl will be uninitialized, so it must not be passed to
 * `gnutls_x509_trust_list_deinit()`.
 */
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num);
---|
| 92 | |
---|
/**
 * Pool cleanup function that deinits the trust list without
 * deinitializing certificates (they remain owned by the certificate
 * chain, see mgs_create_ocsp_trust_list).
 *
 * @param data presumably the `gnutls_x509_trust_list_t *` registered
 * with the pool — confirm at the apr_pool_cleanup_register() call.
 *
 * @return an APR status code, as required for pool cleanups.
 */
apr_status_t mgs_cleanup_trust_list(void *data);
---|
| 98 | |
---|
| 99 | /** |
---|
[efc43b4] | 100 | * Try to generate the OCSP stapling configuration for a (virtual) |
---|
| 101 | * host. This function must be called in the post_config hook after |
---|
| 102 | * certificates have been loaded. This method does not actually enable |
---|
| 103 | * stapling, it only prepares the configuration. The reason for |
---|
| 104 | * splitting these tasks is that configuration failure may be ignored |
---|
| 105 | * if stapling is not explicitly enabled but only opportunistically. |
---|
| 106 | * |
---|
| 107 | * @return `NULL` on success, a string describing why configuration |
---|
| 108 | * failed otherwise (static or allocated from ptemp) |
---|
| 109 | */ |
---|
| 110 | const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
---|
| 111 | server_rec *server); |
---|
| 112 | |
---|
| 113 | /** |
---|
| 114 | * Enable OCSP stapling for a (virtual) host. Must be called in the |
---|
| 115 | * post_config hook after mgs_ocsp_configure_stapling has returned |
---|
| 116 | * successfully for that host. |
---|
[fad7695] | 117 | * |
---|
| 118 | * @return OK or DECLINED on success, any other value on error (like |
---|
[efc43b4] | 119 | * the post_config hook) |
---|
[fad7695] | 120 | */ |
---|
[efc43b4] | 121 | int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
---|
| 122 | server_rec *server); |
---|
[fad7695] | 123 | |
---|
/**
 * Supplies the OCSP response to staple for a TLS session. The
 * parameter list matches the GnuTLS status-request callback type
 * (session, opaque pointer, output datum); `ptr` is the opaque value
 * registered together with the callback. NOTE(review): GnuTLS
 * documents that it frees the returned datum with gnutls_free(), so
 * the buffer has to come from gnutls_malloc() — confirm in the
 * implementation. Whether a failure here means "no staple" or a
 * failed handshake is likewise decided by the implementation and the
 * GnuTLS contract, not by this declaration.
 *
 * @return 0 on success, a negative GnuTLS error code otherwise
 * (hedged: inferred from the callback type, verify in the definition)
 */
int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                          gnutls_datum_t *ocsp_response);
---|
| 126 | |
---|
| 127 | #endif /* __MOD_GNUTLS_OCSP_H__ */ |
---|