source: mod_gnutls/src/gnutls_ocsp.h @ 845c112

Last change on this file since 845c112 was 845c112, checked in by Fiona Klute <fiona.klute@…>, 9 months ago

Async OCSP updates for multi-stapling

There's now one mod_watchdog callback per certificate with stapling
enabled, so they all get updated independently. Adding "server" to the
OCSP data structure is necessary because the async update function
needs access to the virtual host configuration.

1/*
2 *  Copyright 2016-2020 Fiona Klute
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
17#ifndef __MOD_GNUTLS_OCSP_H__
18#define __MOD_GNUTLS_OCSP_H__
19
20#include "mod_gnutls.h"
21
22#include <gnutls/gnutls.h>
23#include <gnutls/x509.h>
24#include <httpd.h>
25#include <http_config.h>
26
27#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
28#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
29#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"
30
31/** Default OCSP response cache timeout in seconds */
32#define MGS_OCSP_CACHE_TIMEOUT 3600
33/** Default OCSP failure timeout in seconds */
34#define MGS_OCSP_FAILURE_TIMEOUT 300
35/** Default socket timeout for OCSP responder connections, in
36 * seconds. Note that the timeout applies to "absolutely no data sent
37 * or received", not the whole connection. 10 seconds in mod_ssl. */
38#define MGS_OCSP_SOCKET_TIMEOUT 6
39
40/**
41 * Vhost specific OCSP data structure
 *
 * Per-certificate stapling state: the certificate, where its OCSP
 * response is fetched from, how that response is verified, the cache
 * key, and the virtual host it belongs to. With multi-stapling there
 * is one instance per stapled certificate, each refreshed by its own
 * mod_watchdog callback.
42 */
43struct mgs_ocsp_data {
44    /** The certificate the following elements refer to. */
45    gnutls_x509_crt_t cert;
46    /** OCSP URI extracted from the certificate. NULL if unset. */
47    apr_uri_t *uri;
48    /** Trust list to verify OCSP responses for stapling. Should
49     * usually only contain the CA that signed the certificate:
     * any signer in this list can produce a response the server will
     * accept and staple, so a broader list widens that trust. See
     * mgs_create_ocsp_trust_list() and mgs_cleanup_trust_list()
     * below for how such a list is built and torn down (the cleanup
     * leaves the certificates themselves intact). */
50    gnutls_x509_trust_list_t *trust;
51    /** Certificate fingerprint, used as cache key for the OCSP
52     * response. */
53    gnutls_datum_t fingerprint;
54    /** Server (virtual host) that uses the certificate. Needed by
     * the asynchronous update callback, which has to reach the
     * virtual host's configuration. */
55    server_rec *server;
56};
57
/**
 * Configuration directive handler for switching OCSP stapling on or
 * off for the server (virtual host) being configured. Flag-style
 * handler, so `arg` is non-zero for "on".
 *
 * @param parms Apache directive parameters (the server being
 * configured is reachable through them)
 * @param dummy per-directory configuration, unused here
 * @param arg flag value
 *
 * @return `NULL` on success, otherwise an error message string, as
 * for every Apache directive handler
 */
58const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
59                                     void *dummy __attribute__((unused)),
60                                     const int arg);
61
/**
 * Configuration directive handler, flag-style: presumably controls
 * whether cached OCSP responses are refreshed automatically (the
 * mod_watchdog driven update) — confirm against the implementation.
 *
 * @param parms Apache directive parameters
 * @param dummy per-directory configuration, unused here
 * @param arg flag value, non-zero for "on"
 *
 * @return `NULL` on success, otherwise an error message string
 */
62const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
63                                      void *dummy __attribute__((unused)),
64                                      const int arg);
65
/**
 * Configuration directive handler, flag-style: presumably controls
 * whether the nonce of an OCSP response is checked when the response
 * is validated — confirm against the implementation. An OCSP nonce
 * binds a response to the request that asked for it, so turning the
 * check off means a response produced for an earlier request would
 * also be accepted.
 *
 * @param parms Apache directive parameters
 * @param dummy per-directory configuration, unused here
 * @param arg flag value, non-zero for "on"
 *
 * @return `NULL` on success, otherwise an error message string
 */
66const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
67                                     void *dummy __attribute__((unused)),
68                                     const int arg);
69
/**
 * Configuration directive handler taking one string argument: a path
 * related to a stored OCSP response. Whether the path is validated
 * (existence, readability) at configuration time or only when first
 * used is not visible from this header — confirm in the
 * implementation.
 *
 * @param parms Apache directive parameters
 * @param dummy per-directory configuration, unused here
 * @param arg the path given in the configuration
 *
 * @return `NULL` on success, otherwise an error message string
 */
70const char *mgs_store_ocsp_response_path(cmd_parms * parms,
71                                         void *dummy __attribute__((unused)),
72                                         const char *arg);
73
74/**
75 * Create a trust list from a certificate chain (one or more
76 * certificates).
77 *
78 * @param tl This trust list will be initialized and filled with the
79 * specified certificate(s)
80 *
81 * @param chain certificate chain, must contain at least `num`
82 * certificates
83 *
84 * @param num number of certificates to load from chain
85 *
86 * Chain is supposed to be static (the trust chain of the server
87 * certificate), so when `gnutls_x509_trust_list_deinit()` is called on
88 * tl later, the "all" parameter should be zero. In other words the
 * certificates are borrowed by the trust list, not copied, and must
 * outlive it; the caller keeps ownership.
89 *
90 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error
91 * tl will be uninitialized.
92 */
93int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
94                               const gnutls_x509_crt_t *chain,
95                               const int num);
96
97/**
98 * Pool cleanup function that deinits the trust list without
99 * deinitializing certificates.
 *
 * Has the signature required by `apr_pool_cleanup_register()`.
 *
 * @param data the trust list to deinitialize; presumably a
 * `gnutls_x509_trust_list_t *` as filled by
 * mgs_create_ocsp_trust_list() — confirm at the registration site
 *
 * @return an `apr_status_t` as every pool cleanup must
100 */
101apr_status_t mgs_cleanup_trust_list(void *data);
102
103/**
104 * Try to generate the OCSP stapling configuration for a (virtual)
105 * host. This function must be called in the post_config hook after
106 * certificates have been loaded. This method does not actually enable
107 * stapling, it only prepares the configuration. The reason for
108 * splitting these tasks is that configuration failure may be ignored
109 * if stapling is not explicitly enabled but only opportunistically.
110 *
 * @param pconf configuration pool (as passed to the post_config hook)
 * @param ptemp temporary pool (as passed to the post_config hook);
 * the returned error string may be allocated from it, so do not keep
 * it beyond the hook
 * @param server the (virtual) host to prepare stapling for
 *
111 * @return `NULL` on success, a string describing why configuration
112 * failed otherwise (static or allocated from ptemp)
113 */
114const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
115                                        server_rec *server);
116
117/**
118 * Enable OCSP stapling for a (virtual) host. Must be called in the
119 * post_config hook after mgs_ocsp_configure_stapling has returned
120 * successfully for that host.
121 *
 * @param pconf configuration pool (as passed to the post_config hook)
 * @param ptemp temporary pool (as passed to the post_config hook)
 * @param server the (virtual) host to enable stapling for
 *
122 * @return OK or DECLINED on success, any other value on error (like
123 * the post_config hook)
124 */
125int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
126                             server_rec *server);
127
/**
 * Obtain the OCSP response for the certificate described by
 * `req_data`, writing it to `ocsp_response`. Whether the response is
 * taken from the cache or fetched from the responder, and who owns
 * the returned datum, is not visible from this header — confirm in
 * the implementation before freeing or retaining it.
 *
 * @param ctxt connection context the response is requested for
 * @param req_data per-certificate stapling state (certificate, URI,
 * trust list, cache key, server)
 * @param ocsp_response output: receives the DER encoded response
 *
 * @return int; NOTE(review): the convention (GnuTLS error code vs.
 * Apache status) is not documented here — confirm at the call sites
 */
128int mgs_get_ocsp_response(mgs_handle_t *ctxt,
129                          struct mgs_ocsp_data *req_data,
130                          gnutls_datum_t *ocsp_response);
131
132#endif /* __MOD_GNUTLS_OCSP_H__ */