source: mod_gnutls/src/gnutls_ocsp.h @ a3e0f7b

Last change on this file since a3e0f7b was a3e0f7b, checked in by Fiona Klute <fiona.klute@…>, 18 months ago

Support a list of files for the GnuTLSOCSPResponseFile option

This allows users to specify multiple responses for multi-staple. Note
that mod_gnutls will try to send its own requests for certificates
without a matching response.

[104e881]1/*
[cf6f974]2 *  Copyright 2016-2020 Fiona Klute
[94cb972]3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
/* Include guard. NOTE(review): identifiers starting with a double
 * underscore are reserved for the implementation (C11 7.1.3); a
 * project-prefixed name such as MOD_GNUTLS_OCSP_H would stay out of
 * the reserved namespace. Left unchanged here because the token may
 * be referenced outside this header. */
#ifndef __MOD_GNUTLS_OCSP_H__
#define __MOD_GNUTLS_OCSP_H__
19
[cf6f974]20#include "mod_gnutls.h"
21
22#include <gnutls/gnutls.h>
23#include <gnutls/x509.h>
24#include <httpd.h>
25#include <http_config.h>
[94cb972]26
/** Name of the mutex used for OCSP handling (presumably registered
 * with the Apache mutex API; see the registration in gnutls_ocsp.c). */
#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
/** Name of the mutex guarding the OCSP response cache. */
#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
/** Name under which the OCSP response cache is registered. */
#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"

/** Default OCSP response cache timeout in seconds (one hour). */
#define MGS_OCSP_CACHE_TIMEOUT 3600
/** Default OCSP failure timeout in seconds (five minutes).
 * NOTE(review): presumably how long a failed responder query is
 * remembered before the next attempt -- confirm in gnutls_ocsp.c. */
#define MGS_OCSP_FAILURE_TIMEOUT 300
/** Default socket timeout for OCSP responder connections, in
 * seconds. Note that the timeout applies to "absolutely no data sent
 * or received", not the whole connection. 10 seconds in mod_ssl. */
#define MGS_OCSP_SOCKET_TIMEOUT 6
39
[cc74801e]40/**
41 * Vhost specific OCSP data structure
42 */
/**
 * Vhost specific OCSP data structure. Holds everything needed to
 * obtain, verify and cache the OCSP response for one certificate
 * (one instance per certificate is inferred from the `cert` member;
 * confirm against the allocation site in gnutls_ocsp.c).
 */
struct mgs_ocsp_data {
    /** The certificate the following elements refer to. */
    gnutls_x509_crt_t cert;
    /** OCSP URI extracted from the certificate. NULL if unset. */
    apr_uri_t *uri;
    /** OCSP response file for the certificate. NULL if unset. Takes
     * precedence over uri: per the change log, mod_gnutls only sends
     * its own requests for certificates without a matching response.
     * NOTE(review): whether a file-sourced response is still verified
     * against `trust` before being stapled is not visible in this
     * header; confirm in gnutls_ocsp.c. */
    char *response_file;
    /** Trust list to verify OCSP responses for stapling. Should
     * usually only contain the CA that signed the certificate. This
     * is a pointer to the GnuTLS trust list handle, not the handle
     * itself. */
    gnutls_x509_trust_list_t *trust;
    /** Certificate fingerprint, used as cache key for the OCSP
     * response. */
    gnutls_datum_t fingerprint;
    /** Server (virtual host) that uses the certificate */
    server_rec *server;
};
60
/**
 * Directive handler that switches OCSP stapling on or off for a
 * (virtual) host. The signature matches Apache's flag-style
 * directive handlers (presumably registered with AP_INIT_FLAG).
 *
 * @param parms command parameters supplied by the server
 * @param dummy per-directory configuration, unused
 * @param arg non-zero for "On", zero for "Off"
 *
 * @return NULL on success, an error message otherwise (Apache
 * directive handler convention)
 */
const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);
64
/**
 * Directive handler for the automatic OCSP response refresh switch
 * (flag-style handler, presumably registered with AP_INIT_FLAG).
 * NOTE(review): what "auto refresh" covers is inferred from the name
 * only; confirm in gnutls_ocsp.c.
 *
 * @param parms command parameters supplied by the server
 * @param dummy per-directory configuration, unused
 * @param arg non-zero for "On", zero for "Off"
 *
 * @return NULL on success, an error message otherwise
 */
const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),
                                      const int arg);
68
/**
 * Directive handler for the OCSP nonce check switch (flag-style
 * handler, presumably registered with AP_INIT_FLAG). A nonce ties a
 * response to the request that produced it, so disabling the check
 * widens what is accepted as a fresh response; the exact effect of
 * the flag is not visible here -- confirm in gnutls_ocsp.c.
 *
 * @param parms command parameters supplied by the server
 * @param dummy per-directory configuration, unused
 * @param arg non-zero for "On", zero for "Off"
 *
 * @return NULL on success, an error message otherwise
 */
const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);
72
/**
 * Directive handler for the GnuTLSOCSPResponseFile option. Accepts a
 * list of response files (argc/argv form, presumably registered with
 * AP_INIT_TAKE_ARGV); per the change log this supports multiple
 * responses for multi-staple.
 *
 * @param parms command parameters supplied by the server
 * @param dummy per-directory configuration, unused
 * @param argc number of arguments in argv
 * @param argv directive arguments (file paths)
 *
 * @return NULL on success, an error message otherwise
 */
const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                         void *dummy __attribute__((unused)),
                                         int argc, char *const *argv);
[94cb972]76
/**
 * Create a trust list from a certificate chain (one or more
 * certificates).
 *
 * @param tl This trust list will be initialized and filled with the
 * specified certificate(s)
 *
 * @param chain certificate chain, must contain at least `num`
 * certificates
 *
 * @param num number of certificates to load from chain
 *
 * Chain is supposed to be static (the trust chain of the server
 * certificate), so when `gnutls_x509_trust_list_deinit()` is called on
 * tl later, the "all" parameter should be zero (the certificates are
 * not owned by the trust list).
 *
 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error
 * tl will be uninitialized.
 */
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num);
99
/**
 * Pool cleanup function that deinits the trust list without
 * deinitializing certificates (the "all" parameter of
 * `gnutls_x509_trust_list_deinit()` is zero, matching the ownership
 * note on mgs_create_ocsp_trust_list).
 *
 * @param data presumably the trust list created by
 * mgs_create_ocsp_trust_list; confirm at the registration site
 *
 * @return APR status code
 */
apr_status_t mgs_cleanup_trust_list(void *data);
105
/**
 * Try to generate the OCSP stapling configuration for a (virtual)
 * host. This function must be called in the post_config hook after
 * certificates have been loaded. This method does not actually enable
 * stapling, it only prepares the configuration. The reason for
 * splitting these tasks is that configuration failure may be ignored
 * if stapling is not explicitly enabled but only opportunistically.
 *
 * @param pconf configuration pool (lifetime of the configuration)
 * @param ptemp temporary pool of the post_config hook
 * @param server the (virtual) host to configure
 *
 * @return `NULL` on success, a string describing why configuration
 * failed otherwise (static or allocated from ptemp)
 */
const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
                                        server_rec *server);
119
/**
 * Enable OCSP stapling for a (virtual) host. Must be called in the
 * post_config hook after mgs_ocsp_configure_stapling has returned
 * successfully for that host.
 *
 * @param pconf configuration pool (lifetime of the configuration)
 * @param ptemp temporary pool of the post_config hook
 * @param server the (virtual) host to enable stapling for
 *
 * @return OK or DECLINED on success, any other value on error (like
 * the post_config hook)
 */
int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
                             server_rec *server);
[fad7695]130
/**
 * Obtain the OCSP response to staple for the certificate described
 * by req_data (from the cache, the configured response file or the
 * responder -- which sources apply is not visible in this header).
 *
 * @param ctxt connection handle of the TLS session being served
 * @param req_data OCSP data of the certificate the response is for
 * @param ocsp_response output: the response to staple
 *
 * @return NOTE(review): return value semantics are not documented
 * here; presumably `GNUTLS_E_SUCCESS` or a GnuTLS error code like
 * mgs_create_ocsp_trust_list -- confirm in gnutls_ocsp.c.
 */
int mgs_get_ocsp_response(mgs_handle_t *ctxt,
                          struct mgs_ocsp_data *req_data,
                          gnutls_datum_t *ocsp_response);
134
135#endif /* __MOD_GNUTLS_OCSP_H__ */