| 1 | /* |
|---|
| 2 | * Copyright 2016-2018 Fiona Klute |
|---|
| 3 | * |
|---|
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
|---|
| 5 | * you may not use this file except in compliance with the License. |
|---|
| 6 | * You may obtain a copy of the License at |
|---|
| 7 | * |
|---|
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
|---|
| 9 | * |
|---|
| 10 | * Unless required by applicable law or agreed to in writing, software |
|---|
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
|---|
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|---|
| 13 | * See the License for the specific language governing permissions and |
|---|
| 14 | * limitations under the License. |
|---|
| 15 | */ |
|---|
| 16 | |
|---|
| 17 | #ifndef __MOD_GNUTLS_OCSP_H__ |
|---|
| 18 | #define __MOD_GNUTLS_OCSP_H__ |
|---|
| 19 | |
|---|
| 20 | #include "gnutls/gnutls.h" |
|---|
| 21 | #include "gnutls/x509.h" |
|---|
| 22 | #include "httpd.h" |
|---|
| 23 | #include "http_config.h" |
|---|
| 24 | |
|---|
| 25 | #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp" |
|---|
| 26 | #define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache" |
|---|
| 27 | #define MGS_OCSP_CACHE_NAME "gnutls_ocsp" |
|---|
| 28 | |
|---|
| 29 | /** Default OCSP response cache timeout in seconds */ |
|---|
| 30 | #define MGS_OCSP_CACHE_TIMEOUT 3600 |
|---|
| 31 | /** Default OCSP failure timeout in seconds */ |
|---|
| 32 | #define MGS_OCSP_FAILURE_TIMEOUT 300 |
|---|
| 33 | /** Default socket timeout for OCSP responder connections, in |
|---|
| 34 | * seconds. Note that the timeout applies to "absolutely no data sent |
|---|
| 35 | * or received", not the whole connection. 10 seconds in mod_ssl. */ |
|---|
| 36 | #define MGS_OCSP_SOCKET_TIMEOUT 6 |
|---|
| 37 | |
|---|
| 38 | /** |
|---|
| 39 | * Vhost specific OCSP data structure |
|---|
| 40 | */ |
|---|
| 41 | struct mgs_ocsp_data { |
|---|
| 42 | /** OCSP URI extracted from the server certificate. NULL if |
|---|
| 43 | * unset. */ |
|---|
| 44 | apr_uri_t *uri; |
|---|
| 45 | /** Trust list to verify OCSP responses for stapling. Should |
|---|
| 46 | * usually only contain the CA that signed the server |
|---|
| 47 | * certificate. */ |
|---|
| 48 | gnutls_x509_trust_list_t *trust; |
|---|
| 49 | /** Server certificate fingerprint, used as cache key for the OCSP |
|---|
| 50 | * response */ |
|---|
| 51 | gnutls_datum_t fingerprint; |
|---|
| 52 | }; |
|---|
| 53 | |
|---|
| 54 | const char *mgs_ocsp_stapling_enable(cmd_parms *parms, |
|---|
| 55 | void *dummy __attribute__((unused)), |
|---|
| 56 | const int arg); |
|---|
| 57 | |
|---|
| 58 | const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms, |
|---|
| 59 | void *dummy __attribute__((unused)), |
|---|
| 60 | const int arg); |
|---|
| 61 | |
|---|
| 62 | const char *mgs_set_ocsp_check_nonce(cmd_parms *parms, |
|---|
| 63 | void *dummy __attribute__((unused)), |
|---|
| 64 | const int arg); |
|---|
| 65 | |
|---|
| 66 | const char *mgs_store_ocsp_response_path(cmd_parms * parms, |
|---|
| 67 | void *dummy __attribute__((unused)), |
|---|
| 68 | const char *arg); |
|---|
| 69 | |
|---|
| 70 | /** |
|---|
| 71 | * Create a trust list from a certificate chain (one or more |
|---|
| 72 | * certificates). |
|---|
| 73 | * |
|---|
| 74 | * @param tl This trust list will be initialized and filled with the |
|---|
| 75 | * specified certificate(s) |
|---|
| 76 | * |
|---|
| 77 | * @param chain certificate chain, must contain at least `num` |
|---|
| 78 | * certifictes |
|---|
| 79 | * |
|---|
| 80 | * @param num number of certificates to load from chain |
|---|
| 81 | * |
|---|
| 82 | * Chain is supposed to be static (the trust chain of the server |
|---|
| 83 | * certificate), so when `gnutls_x509_trust_list_deinit()` is called on |
|---|
| 84 | * tl later, the "all" parameter should be zero. |
|---|
| 85 | * |
|---|
| 86 | * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error |
|---|
| 87 | * tl will be uninitialized. |
|---|
| 88 | */ |
|---|
| 89 | int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl, |
|---|
| 90 | const gnutls_x509_crt_t *chain, |
|---|
| 91 | const int num); |
|---|
| 92 | |
|---|
| 93 | /** |
|---|
| 94 | * Pool cleanup function that deinits the trust list without |
|---|
| 95 | * deinitializing certificates. |
|---|
| 96 | */ |
|---|
| 97 | apr_status_t mgs_cleanup_trust_list(void *data); |
|---|
| 98 | |
|---|
| 99 | /** |
|---|
| 100 | * Try to generate the OCSP stapling configuration for a (virtual) |
|---|
| 101 | * host. This function must be called in the post_config hook after |
|---|
| 102 | * certificates have been loaded. This method does not actually enable |
|---|
| 103 | * stapling, it only prepares the configuration. The reason for |
|---|
| 104 | * splitting these tasks is that configuration failure may be ignored |
|---|
| 105 | * if stapling is not explicitly enabled but only opportunistically. |
|---|
| 106 | * |
|---|
| 107 | * @return `NULL` on success, a string describing why configuration |
|---|
| 108 | * failed otherwise (static or allocated from ptemp) |
|---|
| 109 | */ |
|---|
| 110 | const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
|---|
| 111 | server_rec *server); |
|---|
| 112 | |
|---|
| 113 | /** |
|---|
| 114 | * Enable OCSP stapling for a (virtual) host. Must be called in the |
|---|
| 115 | * post_config hook after mgs_ocsp_configure_stapling has returned |
|---|
| 116 | * successfully for that host. |
|---|
| 117 | * |
|---|
| 118 | * @return OK or DECLINED on success, any other value on error (like |
|---|
| 119 | * the post_config hook) |
|---|
| 120 | */ |
|---|
| 121 | int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
|---|
| 122 | server_rec *server); |
|---|
| 123 | |
|---|
| 124 | int mgs_get_ocsp_response(gnutls_session_t session, void *ptr, |
|---|
| 125 | gnutls_datum_t *ocsp_response); |
|---|
| 126 | |
|---|
| 127 | #endif /* __MOD_GNUTLS_OCSP_H__ */ |
|---|
