1 | /* |
---|
2 | * Copyright 2016-2018 Fiona Klute |
---|
3 | * |
---|
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
5 | * you may not use this file except in compliance with the License. |
---|
6 | * You may obtain a copy of the License at |
---|
7 | * |
---|
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
9 | * |
---|
10 | * Unless required by applicable law or agreed to in writing, software |
---|
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
13 | * See the License for the specific language governing permissions and |
---|
14 | * limitations under the License. |
---|
15 | */ |
---|
16 | |
---|
17 | #ifndef __MOD_GNUTLS_OCSP_H__ |
---|
18 | #define __MOD_GNUTLS_OCSP_H__ |
---|
19 | |
---|
20 | #include "gnutls/gnutls.h" |
---|
21 | #include "gnutls/x509.h" |
---|
22 | #include "httpd.h" |
---|
23 | #include "http_config.h" |
---|
24 | |
---|
25 | #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp" |
---|
26 | #define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache" |
---|
27 | #define MGS_OCSP_CACHE_NAME "gnutls_ocsp" |
---|
28 | |
---|
29 | /** Default OCSP response cache timeout in seconds */ |
---|
30 | #define MGS_OCSP_CACHE_TIMEOUT 3600 |
---|
31 | /** Default OCSP failure timeout in seconds */ |
---|
32 | #define MGS_OCSP_FAILURE_TIMEOUT 300 |
---|
33 | /** Default socket timeout for OCSP responder connections, in |
---|
34 | * seconds. Note that the timeout applies to "absolutely no data sent |
---|
35 | * or received", not the whole connection. 10 seconds in mod_ssl. */ |
---|
36 | #define MGS_OCSP_SOCKET_TIMEOUT 6 |
---|
37 | |
---|
38 | /** |
---|
39 | * Vhost specific OCSP data structure |
---|
40 | */ |
---|
41 | struct mgs_ocsp_data { |
---|
42 | /** OCSP URI extracted from the server certificate. NULL if |
---|
43 | * unset. */ |
---|
44 | apr_uri_t *uri; |
---|
45 | /** Trust list to verify OCSP responses for stapling. Should |
---|
46 | * usually only contain the CA that signed the server |
---|
47 | * certificate. */ |
---|
48 | gnutls_x509_trust_list_t *trust; |
---|
49 | /** Server certificate fingerprint, used as cache key for the OCSP |
---|
50 | * response */ |
---|
51 | gnutls_datum_t fingerprint; |
---|
52 | }; |
---|
53 | |
---|
54 | const char *mgs_ocsp_stapling_enable(cmd_parms *parms, |
---|
55 | void *dummy __attribute__((unused)), |
---|
56 | const int arg); |
---|
57 | |
---|
58 | const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms, |
---|
59 | void *dummy __attribute__((unused)), |
---|
60 | const int arg); |
---|
61 | |
---|
62 | const char *mgs_set_ocsp_check_nonce(cmd_parms *parms, |
---|
63 | void *dummy __attribute__((unused)), |
---|
64 | const int arg); |
---|
65 | |
---|
66 | const char *mgs_store_ocsp_response_path(cmd_parms * parms, |
---|
67 | void *dummy __attribute__((unused)), |
---|
68 | const char *arg); |
---|
69 | |
---|
70 | /** |
---|
71 | * Create a trust list from a certificate chain (one or more |
---|
72 | * certificates). |
---|
73 | * |
---|
74 | * @param tl This trust list will be initialized and filled with the |
---|
75 | * specified certificate(s) |
---|
76 | * |
---|
77 | * @param chain certificate chain, must contain at least `num` |
---|
78 | * certifictes |
---|
79 | * |
---|
80 | * @param num number of certificates to load from chain |
---|
81 | * |
---|
82 | * Chain is supposed to be static (the trust chain of the server |
---|
83 | * certificate), so when `gnutls_x509_trust_list_deinit()` is called on |
---|
84 | * tl later, the "all" parameter should be zero. |
---|
85 | * |
---|
86 | * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code. In case of error |
---|
87 | * tl will be uninitialized. |
---|
88 | */ |
---|
89 | int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl, |
---|
90 | const gnutls_x509_crt_t *chain, |
---|
91 | const int num); |
---|
92 | |
---|
93 | /** |
---|
94 | * Pool cleanup function that deinits the trust list without |
---|
95 | * deinitializing certificates. |
---|
96 | */ |
---|
97 | apr_status_t mgs_cleanup_trust_list(void *data); |
---|
98 | |
---|
99 | /** |
---|
100 | * Try to generate the OCSP stapling configuration for a (virtual) |
---|
101 | * host. This function must be called in the post_config hook after |
---|
102 | * certificates have been loaded. This method does not actually enable |
---|
103 | * stapling, it only prepares the configuration. The reason for |
---|
104 | * splitting these tasks is that configuration failure may be ignored |
---|
105 | * if stapling is not explicitly enabled but only opportunistically. |
---|
106 | * |
---|
107 | * @return `NULL` on success, a string describing why configuration |
---|
108 | * failed otherwise (static or allocated from ptemp) |
---|
109 | */ |
---|
110 | const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
---|
111 | server_rec *server); |
---|
112 | |
---|
113 | /** |
---|
114 | * Enable OCSP stapling for a (virtual) host. Must be called in the |
---|
115 | * post_config hook after mgs_ocsp_configure_stapling has returned |
---|
116 | * successfully for that host. |
---|
117 | * |
---|
118 | * @return OK or DECLINED on success, any other value on error (like |
---|
119 | * the post_config hook) |
---|
120 | */ |
---|
121 | int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, |
---|
122 | server_rec *server); |
---|
123 | |
---|
124 | int mgs_get_ocsp_response(gnutls_session_t session, void *ptr, |
---|
125 | gnutls_datum_t *ocsp_response); |
---|
126 | |
---|
127 | #endif /* __MOD_GNUTLS_OCSP_H__ */ |
---|