
Last change on this file since b888e8b was b888e8b, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

New directive GnuTLSOCSPCheckNonce

Some CAs refuse to send nonces in their OCSP responses, probably
because that way they can cache responses. This makes nonce
verification fail, so give the user an option to disable it.

1/**
2 *  Copyright 2016 Thomas Klute
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
#ifndef __MOD_GNUTLS_OCSP_H__
#define __MOD_GNUTLS_OCSP_H__
/* NOTE(review): identifiers containing a double underscore are
 * reserved for the implementation in C (C11 7.1.3); a guard such as
 * MOD_GNUTLS_OCSP_H would avoid the (theoretical) clash. The #endif at
 * the end of this file closes this guard. */
19
20#include "gnutls/gnutls.h"
21#include "gnutls/x509.h"
22#include "httpd.h"
23#include "http_config.h"
24
/* Name of the global mutex used for OCSP handling. Presumably it
 * serializes access to shared OCSP state (e.g. a response cache)
 * across worker processes — confirm in gnutls_ocsp.c. */
#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"

/* Default OCSP response grace time in seconds. NOTE(review): how the
 * grace time relates to a response's validity window is decided by
 * the implementation, not here — confirm before relying on it. */
#define MGS_OCSP_GRACE_TIME 60
/* Default OCSP failure timeout in seconds (presumably how long to
 * wait before retrying after a failed responder query — confirm). */
#define MGS_OCSP_FAILURE_TIMEOUT 300
/* Default socket timeout for OCSP responder connections, in
 * seconds. Note that the timeout applies to "absolutely no data sent
 * or received", not the whole connection. 10 seconds in mod_ssl. */
#define MGS_OCSP_SOCKET_TIMEOUT 6
35
/**
 * Vhost specific OCSP data structure
 *
 * NOTE(review): the allocation lifetime of the members is not visible
 * in this header; presumably they are pool-allocated per vhost during
 * post_config — confirm in gnutls_ocsp.c.
 */
struct mgs_ocsp_data {
    /* OCSP URI extracted from the server certificate. NULL if
     * unset. */
    apr_uri_t *uri;
    /* Trust list to verify OCSP responses for stapling. Should
     * usually only contain the CA that signed the server
     * certificate. This is a pointer to a gnutls_x509_trust_list_t
     * handle; see mgs_create_ocsp_trust_list() for how it is filled
     * and mgs_cleanup_trust_list() for how it is torn down. */
    gnutls_x509_trust_list_t *trust;
    /* Server certificate fingerprint, used as cache key for the OCSP
     * response. Which digest is used to compute it is decided by the
     * implementation, not fixed here. */
    gnutls_datum_t fingerprint;
};
51
/**
 * Directive handler for switching OCSP stapling on or off for a
 * server. The signature is that of an httpd flag directive handler.
 *
 * @param parms httpd command parameters (identify the server config)
 * @param dummy unused per-directory config slot
 * @param arg flag value as parsed by httpd (non-zero for "on")
 * @return NULL on success, or an error message for httpd to report,
 *         following the usual directive handler contract
 */
const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);
55
/**
 * Directive handler for GnuTLSOCSPCheckNonce: controls whether the
 * nonce in a fetched OCSP response is verified against the nonce sent
 * in the request.
 *
 * The option exists because some CA responders omit nonces so that
 * responses can be cached. Without a nonce a response carries no proof
 * of freshness beyond its own validity period, so whatever validity
 * and grace-time checks the implementation applies are the only
 * protection against a replayed, stale response — keep that in mind
 * when turning the check off.
 *
 * @param parms httpd command parameters (identify the server config)
 * @param dummy unused per-directory config slot
 * @param arg flag value as parsed by httpd (non-zero for "on")
 * @return NULL on success, or an error message for httpd to report
 */
const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     const int arg);
59
/**
 * Directive handler that records a path for OCSP responses. The
 * argument is a plain string; presumably it names a file from which a
 * pre-fetched response is read instead of querying the responder —
 * confirm in gnutls_ocsp.c. The value comes from the server
 * configuration, not from clients.
 *
 * @param parms httpd command parameters (identify the server config)
 * @param dummy unused per-directory config slot
 * @param arg the path as given in the configuration
 * @return NULL on success, or an error message for httpd to report
 */
const char *mgs_store_ocsp_response_path(cmd_parms * parms,
                                         void *dummy __attribute__((unused)),
                                         const char *arg);
63
/*
 * Create a trust list from a certificate chain (one or more
 * certificates).
 *
 * tl: Output parameter. This trust list will be initialized and
 * filled with the specified certificate(s)
 *
 * chain: certificate chain, must contain at least num certificates;
 * the caller is responsible for that bound, it is not checked here
 *
 * num: number of certificates to load from chain
 *
 * Chain is supposed to be static (the trust chain of the server
 * certificate), so when gnutls_x509_trust_list_deinit() is called on
 * tl later, the "all" parameter should be zero (see
 * mgs_cleanup_trust_list()).
 *
 * Returns GNUTLS_E_SUCCESS or a GnuTLS error code. In case of error
 * tl will be uninitialized.
 */
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num);
85
/**
 * Pool cleanup function that deinits the trust list without
 * deinitializing certificates (presumably gnutls_x509_trust_list_deinit()
 * with "all" set to zero, matching the contract described for
 * mgs_create_ocsp_trust_list()).
 *
 * @param data presumably the gnutls_x509_trust_list_t * that was
 *             registered with the pool cleanup — confirm against the
 *             caller
 * @return APR status as required by the pool cleanup contract; the
 *         exact value is decided in the implementation
 */
apr_status_t mgs_cleanup_trust_list(void *data);
91
/**
 * Initialize server config for OCSP, supposed to be called in the
 * post_config hook for each server where OCSP stapling is enabled,
 * after certificates have been loaded.
 *
 * @param pconf configuration pool (lives as long as the config)
 * @param ptemp temporary pool for work that need not outlive
 *              post_config
 * @param server the server (vhost) whose OCSP data is set up
 * @return OK or DECLINED on success, any other value on error (like
 * the post_config hook itself)
 */
int mgs_ocsp_post_config_server(apr_pool_t *pconf, apr_pool_t *ptemp,
                                server_rec *server);
102
/**
 * Provide the OCSP response to staple for a TLS session. The signature
 * matches the gnutls_status_request_ocsp_func callback type, so this
 * is presumably registered with GnuTLS to answer status requests —
 * confirm in gnutls_ocsp.c.
 *
 * @param session the TLS session being handled
 * @param ptr callback user data (presumably the vhost's
 *            struct mgs_ocsp_data — confirm against the registration)
 * @param ocsp_response output parameter filled with the response to
 *                      send; ownership and lifetime of the data are
 *                      decided in the implementation
 * @return 0 on success or a GnuTLS error code; the GnuTLS callback
 *         contract uses GNUTLS_E_NO_CERTIFICATE_STATUS when no
 *         response is available — confirm the implementation follows it
 */
int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                          gnutls_datum_t *ocsp_response);
105
106#endif /* __MOD_GNUTLS_OCSP_H__ */