[104e881] | 1 | /* |
---|
[fcb122d] | 2 | * Copyright 2004-2005 Paul Querna |
---|
[e021722] | 3 | * Copyright 2008, 2014 Nikos Mavrogiannopoulos |
---|
[e183628] | 4 | * Copyright 2011 Dash Shendy |
---|
[dcec209] | 5 | * Copyright 2015-2019 Fiona Klute |
---|
[9706fc2] | 6 | * |
---|
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
| 8 | * you may not use this file except in compliance with the License. |
---|
| 9 | * You may obtain a copy of the License at |
---|
| 10 | * |
---|
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
| 12 | * |
---|
| 13 | * Unless required by applicable law or agreed to in writing, software |
---|
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
| 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
| 16 | * See the License for the specific language governing permissions and |
---|
| 17 | * limitations under the License. |
---|
| 18 | */ |
---|
| 19 | |
---|
[7e2b223] | 20 | #include "mod_gnutls.h" |
---|
[0470e44] | 21 | #include "gnutls_config.h" |
---|
[94cb972] | 22 | #include "gnutls_ocsp.h" |
---|
[235e109] | 23 | #include "gnutls_util.h" |
---|
[9706fc2] | 24 | |
---|
[6d8c00c] | 25 | #include <apr_strings.h> |
---|
| 26 | |
---|
[e8acf05] | 27 | #ifdef APLOG_USE_MODULE |
---|
| 28 | APLOG_USE_MODULE(gnutls); |
---|
| 29 | #endif |
---|
[671b64f] | 30 | |
---|
[23e98b3] | 31 | int ssl_engine_set(conn_rec *c, |
---|
| 32 | ap_conf_vector_t *dir_conf __attribute__((unused)), |
---|
| 33 | int proxy, int enable); |
---|
| 34 | |
---|
[4aa63a4] | 35 | #define MOD_HTTP2 "mod_http2.c" |
---|
[3c475e0] | 36 | #define MOD_WATCHDOG "mod_watchdog.c" |
---|
[e7cf823] | 37 | static const char * const mod_proxy[] = { "mod_proxy.c", NULL }; |
---|
[4aa63a4] | 38 | static const char * const mod_http2[] = { MOD_HTTP2, NULL }; |
---|
[3c475e0] | 39 | static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL }; |
---|
[e7cf823] | 40 | |
---|
[e8acf05] | 41 | static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) |
---|
| 42 | { |
---|
[4aa63a4] | 43 | /* Watchdog callbacks must be configured before post_config of |
---|
[3c475e0] | 44 | * mod_watchdog runs, or the watchdog won't be started. Similarly, |
---|
| 45 | * our child_init hook must run before mod_watchdog's because our |
---|
| 46 | * watchdog threads are started there and need some child-specific |
---|
| 47 | * resources. */ |
---|
[4aa63a4] | 48 | static const char * const post_conf_succ[] = |
---|
[3c475e0] | 49 | { MOD_HTTP2, MOD_WATCHDOG, NULL }; |
---|
[4aa63a4] | 50 | ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ, |
---|
[e7cf823] | 51 | APR_HOOK_MIDDLE); |
---|
[33826c5] | 52 | /* HTTP Scheme Hook */ |
---|
| 53 | ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE); |
---|
| 54 | /* Default Port Hook */ |
---|
[accbb83] | 55 | ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE); |
---|
[33826c5] | 56 | /* Pre-Connect Hook */ |
---|
[e7cf823] | 57 | ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL, |
---|
[accbb83] | 58 | APR_HOOK_MIDDLE); |
---|
[e7cf823] | 59 | ap_hook_process_connection(mgs_hook_process_connection, |
---|
| 60 | NULL, mod_http2, APR_HOOK_MIDDLE); |
---|
[33826c5] | 61 | /* Pre-Config Hook */ |
---|
[e183628] | 62 | ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, |
---|
[accbb83] | 63 | APR_HOOK_MIDDLE); |
---|
[33826c5] | 64 | /* Child-Init Hook */ |
---|
[3c475e0] | 65 | ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog, |
---|
[accbb83] | 66 | APR_HOOK_MIDDLE); |
---|
[33826c5] | 67 | /* Authentication Hook */ |
---|
[e183628] | 68 | ap_hook_access_checker(mgs_hook_authz, NULL, NULL, |
---|
[accbb83] | 69 | APR_HOOK_REALLY_FIRST); |
---|
[33826c5] | 70 | /* Fixups Hook */ |
---|
[e183628] | 71 | ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST); |
---|
[e02dd8c] | 72 | |
---|
[de3fad3] | 73 | /* Request hook: Check if TLS connection and request host match */ |
---|
| 74 | ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE); |
---|
| 75 | |
---|
[e183628] | 76 | /* TODO: HTTP Upgrade Filter */ |
---|
[671b64f] | 77 | /* ap_register_output_filter ("UPGRADE_FILTER", |
---|
[e183628] | 78 | * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); |
---|
| 79 | */ |
---|
[e02dd8c] | 80 | |
---|
[33826c5] | 81 | /* Input Filter */ |
---|
[accbb83] | 82 | ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input, |
---|
| 83 | NULL, AP_FTYPE_CONNECTION + 5); |
---|
[33826c5] | 84 | /* Output Filter */ |
---|
[accbb83] | 85 | ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output, |
---|
| 86 | NULL, AP_FTYPE_CONNECTION + 5); |
---|
[671b64f] | 87 | |
---|
[33826c5] | 88 | /* mod_proxy calls these functions */ |
---|
| 89 | APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); |
---|
| 90 | APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); |
---|
[23e98b3] | 91 | APR_REGISTER_OPTIONAL_FN(ssl_engine_set); |
---|
[8ac7c0d] | 92 | |
---|
| 93 | /* mod_rewrite calls this function to detect HTTPS */ |
---|
| 94 | APR_REGISTER_OPTIONAL_FN(ssl_is_https); |
---|
[4cdd4fd] | 95 | /* some modules look up TLS-related variables */ |
---|
| 96 | APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); |
---|
| 97 | } |
---|
| 98 | |
---|
| 99 | |
---|
| 100 | |
---|
| 101 | /** |
---|
| 102 | * Get the connection context, resolving to a master connection if |
---|
| 103 | * any. |
---|
| 104 | * |
---|
| 105 | * @param c the connection handle |
---|
| 106 | * |
---|
| 107 | * @return mod_gnutls session context, might be `NULL` |
---|
| 108 | */ |
---|
| 109 | mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c) |
---|
| 110 | { |
---|
| 111 | mgs_handle_t *ctxt = (mgs_handle_t *) |
---|
| 112 | ap_get_module_config(c->conn_config, &gnutls_module); |
---|
| 113 | if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL)) |
---|
| 114 | { |
---|
| 115 | ctxt = (mgs_handle_t *) |
---|
| 116 | ap_get_module_config(c->master->conn_config, &gnutls_module); |
---|
| 117 | } |
---|
| 118 | return ctxt; |
---|
[33826c5] | 119 | } |
---|
| 120 | |
---|
[8ac7c0d] | 121 | |
---|
| 122 | |
---|
[104e881] | 123 | /** |
---|
| 124 | * mod_rewrite calls this function to fill %{HTTPS}. |
---|
| 125 | * |
---|
| 126 | * @param c the connection to check |
---|
| 127 | * @return non-zero value if HTTPS is in use, zero if not |
---|
[8ac7c0d] | 128 | */ |
---|
[accbb83] | 129 | int ssl_is_https(conn_rec *c) |
---|
| 130 | { |
---|
[4cdd4fd] | 131 | mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c); |
---|
[671b64f] | 132 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) |
---|
[accbb83] | 133 | ap_get_module_config(c->base_server->module_config, &gnutls_module); |
---|
[8ac7c0d] | 134 | |
---|
| 135 | if(sc->enabled == GNUTLS_ENABLED_FALSE |
---|
| 136 | || ctxt == NULL |
---|
| 137 | || ctxt->enabled == GNUTLS_ENABLED_FALSE) |
---|
| 138 | { |
---|
[33826c5] | 139 | /* SSL/TLS Disabled or Plain HTTP Connection Detected */ |
---|
| 140 | return 0; |
---|
| 141 | } |
---|
| 142 | /* Connection is Using SSL/TLS */ |
---|
| 143 | return 1; |
---|
| 144 | } |
---|
| 145 | |
---|
[8ac7c0d] | 146 | |
---|
| 147 | |
---|
[23e98b3] | 148 | /** |
---|
[4cdd4fd] | 149 | * Return variables describing the current TLS session (if any). |
---|
| 150 | * |
---|
| 151 | * mod_ssl doc for this function: "This function must remain safe to |
---|
| 152 | * use for a non-SSL connection." mod_http2 uses it to check if an |
---|
| 153 | * acceptable TLS session is used. |
---|
| 154 | */ |
---|
| 155 | char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)), |
---|
| 156 | conn_rec *c, request_rec *r, char *var) |
---|
| 157 | { |
---|
| 158 | /* |
---|
| 159 | * When no pool is given try to find one |
---|
| 160 | */ |
---|
| 161 | if (p == NULL) { |
---|
| 162 | if (r != NULL) |
---|
| 163 | p = r->pool; |
---|
| 164 | else if (c != NULL) |
---|
| 165 | p = c->pool; |
---|
| 166 | else |
---|
| 167 | return NULL; |
---|
| 168 | } |
---|
| 169 | |
---|
| 170 | if (strcmp(var, "HTTPS") == 0) |
---|
| 171 | { |
---|
| 172 | if (c != NULL && ssl_is_https(c)) |
---|
| 173 | return "on"; |
---|
| 174 | else |
---|
| 175 | return "off"; |
---|
| 176 | } |
---|
| 177 | |
---|
| 178 | mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c); |
---|
| 179 | |
---|
| 180 | /* TLS parameters are empty if there is no session */ |
---|
[dcec209] | 181 | if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL) |
---|
[4cdd4fd] | 182 | return NULL; |
---|
| 183 | |
---|
| 184 | if (strcmp(var, "SSL_PROTOCOL") == 0) |
---|
| 185 | return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session))); |
---|
| 186 | |
---|
| 187 | if (strcmp(var, "SSL_CIPHER") == 0) |
---|
| 188 | return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session), |
---|
| 189 | gnutls_cipher_get(ctxt->session), |
---|
| 190 | gnutls_mac_get(ctxt->session))); |
---|
| 191 | |
---|
| 192 | /* mod_ssl supports a LOT more variables */ |
---|
| 193 | ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c, |
---|
| 194 | "unsupported variable requested: '%s'", |
---|
| 195 | var); |
---|
| 196 | |
---|
| 197 | return NULL; |
---|
| 198 | } |
---|
| 199 | |
---|
| 200 | |
---|
| 201 | |
---|
| 202 | /** |
---|
[23e98b3] | 203 | * In Apache versions from 2.4.33 mod_proxy uses this function to set |
---|
| 204 | * up its client connections. Note that mod_gnutls does not (yet) |
---|
| 205 | * implement per directory configuration for such connections. |
---|
| 206 | * |
---|
| 207 | * @param c the connection |
---|
| 208 | * @param dir_conf per directory configuration, unused for now |
---|
| 209 | * @param proxy Is this a proxy connection? |
---|
| 210 | * @param enable Should TLS be enabled on this connection? |
---|
| 211 | * |
---|
| 212 | * @param `true` (1) if successful, `false` (0) otherwise |
---|
| 213 | */ |
---|
| 214 | int ssl_engine_set(conn_rec *c, |
---|
| 215 | ap_conf_vector_t *dir_conf __attribute__((unused)), |
---|
| 216 | int proxy, int enable) |
---|
[e8acf05] | 217 | { |
---|
[235e109] | 218 | mgs_handle_t *ctxt = init_gnutls_ctxt(c); |
---|
[e8acf05] | 219 | |
---|
[23e98b3] | 220 | /* If TLS proxy has been requested, check if support is enabled |
---|
| 221 | * for the server */ |
---|
| 222 | if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE)) |
---|
[07d548d] | 223 | { |
---|
| 224 | ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, |
---|
| 225 | "%s: mod_proxy requested TLS proxy, but not enabled " |
---|
[adceac0] | 226 | "for %s:%d", __func__, |
---|
| 227 | ctxt->c->base_server->server_hostname, |
---|
| 228 | ctxt->c->base_server->addrs->host_port); |
---|
[07d548d] | 229 | return 0; |
---|
| 230 | } |
---|
| 231 | |
---|
[23e98b3] | 232 | if (proxy) |
---|
| 233 | ctxt->is_proxy = GNUTLS_ENABLED_TRUE; |
---|
| 234 | else |
---|
| 235 | ctxt->is_proxy = GNUTLS_ENABLED_FALSE; |
---|
| 236 | |
---|
| 237 | if (enable) |
---|
| 238 | ctxt->enabled = GNUTLS_ENABLED_TRUE; |
---|
| 239 | else |
---|
| 240 | ctxt->enabled = GNUTLS_ENABLED_FALSE; |
---|
| 241 | |
---|
[37f8282] | 242 | return 1; |
---|
[9706fc2] | 243 | } |
---|
| 244 | |
---|
[23e98b3] | 245 | int ssl_engine_disable(conn_rec *c) |
---|
| 246 | { |
---|
| 247 | return ssl_engine_set(c, NULL, 0, 0); |
---|
| 248 | } |
---|
| 249 | |
---|
| 250 | int ssl_proxy_enable(conn_rec *c) |
---|
| 251 | { |
---|
| 252 | return ssl_engine_set(c, NULL, 1, 1); |
---|
| 253 | } |
---|
| 254 | |
---|
[7921dc7] | 255 | #define OPENPGP_REMOVED "OpenPGP support has been removed." |
---|
| 256 | |
---|
[46b85d8] | 257 | static const command_rec mgs_config_cmds[] = { |
---|
[176047e] | 258 | AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine, |
---|
[33826c5] | 259 | NULL, |
---|
| 260 | RSRC_CONF | OR_AUTHCFG, |
---|
[176047e] | 261 | "Enable TLS Proxy Engine"), |
---|
[87f1ed2] | 262 | AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module, |
---|
| 263 | NULL, |
---|
| 264 | RSRC_CONF, |
---|
[f21d2a6] | 265 | "Load this specific PKCS #11 provider library"), |
---|
[031acac] | 266 | AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin, |
---|
| 267 | NULL, |
---|
| 268 | RSRC_CONF, |
---|
| 269 | "The PIN to use in case of encrypted keys or PKCS #11 tokens."), |
---|
| 270 | AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin, |
---|
| 271 | NULL, |
---|
| 272 | RSRC_CONF, |
---|
| 273 | "The SRK PIN to use in case of TPM keys."), |
---|
[e183628] | 274 | AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, |
---|
| 275 | NULL, |
---|
| 276 | RSRC_CONF | OR_AUTHCFG, |
---|
| 277 | "Set Verification Requirements of the Client Certificate"), |
---|
[cf2b905] | 278 | AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method, |
---|
| 279 | NULL, |
---|
| 280 | RSRC_CONF, |
---|
| 281 | "Set Verification Method of the Client Certificate"), |
---|
[e183628] | 282 | AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, |
---|
| 283 | NULL, |
---|
| 284 | RSRC_CONF, |
---|
| 285 | "Set the CA File to verify Client Certificates"), |
---|
| 286 | AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file, |
---|
| 287 | NULL, |
---|
| 288 | RSRC_CONF, |
---|
| 289 | "Set the CA File to verify Client Certificates"), |
---|
| 290 | AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, |
---|
| 291 | NULL, |
---|
| 292 | RSRC_CONF, |
---|
| 293 | "Set the file to read Diffie Hellman parameters from"), |
---|
| 294 | AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, |
---|
| 295 | NULL, |
---|
| 296 | RSRC_CONF, |
---|
[88df24d] | 297 | "TLS Server X509 Certificate file"), |
---|
[e183628] | 298 | AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, |
---|
| 299 | NULL, |
---|
| 300 | RSRC_CONF, |
---|
[88df24d] | 301 | "TLS Server X509 Private Key file"), |
---|
[e183628] | 302 | AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, |
---|
| 303 | NULL, |
---|
| 304 | RSRC_CONF, |
---|
[88df24d] | 305 | "TLS Server X509 Certificate file"), |
---|
[e183628] | 306 | AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, |
---|
| 307 | NULL, |
---|
| 308 | RSRC_CONF, |
---|
[88df24d] | 309 | "TLS Server X509 Private Key file"), |
---|
[787dab7] | 310 | #ifdef ENABLE_SRP |
---|
[e183628] | 311 | AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, |
---|
| 312 | NULL, |
---|
| 313 | RSRC_CONF, |
---|
[88df24d] | 314 | "TLS Server SRP Password Conf file"), |
---|
[e183628] | 315 | AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", |
---|
| 316 | mgs_set_srp_tpasswd_conf_file, |
---|
| 317 | NULL, |
---|
| 318 | RSRC_CONF, |
---|
[88df24d] | 319 | "TLS Server SRP Parameters file"), |
---|
[787dab7] | 320 | #endif |
---|
[70a1e5a] | 321 | AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout, |
---|
[e183628] | 322 | NULL, |
---|
| 323 | RSRC_CONF, |
---|
| 324 | "Cache Timeout"), |
---|
| 325 | AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache, |
---|
| 326 | NULL, |
---|
| 327 | RSRC_CONF, |
---|
[d036f96] | 328 | "Session Cache Configuration"), |
---|
[176047e] | 329 | AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets, |
---|
[e183628] | 330 | NULL, |
---|
| 331 | RSRC_CONF, |
---|
| 332 | "Session Tickets Configuration"), |
---|
| 333 | AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, |
---|
| 334 | NULL, |
---|
| 335 | RSRC_CONF, |
---|
| 336 | "The priorities to enable (ciphers, Key exchange, macs, compression)."), |
---|
[176047e] | 337 | AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled, |
---|
[e183628] | 338 | NULL, |
---|
| 339 | RSRC_CONF, |
---|
| 340 | "Whether this server has GnuTLS Enabled. Default: Off"), |
---|
[7d1ab49] | 341 | AP_INIT_TAKE1("GnuTLSExportCertificates", |
---|
[2aaf4f5] | 342 | mgs_set_export_certificates_size, |
---|
[7d1ab49] | 343 | NULL, |
---|
| 344 | RSRC_CONF, |
---|
[2aaf4f5] | 345 | "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"), |
---|
[0de1839] | 346 | AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path, |
---|
| 347 | NULL, |
---|
| 348 | RSRC_CONF, |
---|
| 349 | "X509 client private file for proxy connections"), |
---|
| 350 | AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path, |
---|
| 351 | NULL, |
---|
| 352 | RSRC_CONF, |
---|
| 353 | "X509 client certificate file for proxy connections"), |
---|
| 354 | AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path, |
---|
| 355 | NULL, |
---|
| 356 | RSRC_CONF, |
---|
| 357 | "X509 trusted CA file for proxy connections"), |
---|
[809c422] | 358 | AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path, |
---|
| 359 | NULL, |
---|
| 360 | RSRC_CONF, |
---|
| 361 | "X509 CRL file for proxy connections"), |
---|
[f030883] | 362 | AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities, |
---|
| 363 | NULL, |
---|
| 364 | RSRC_CONF, |
---|
| 365 | "The priorities to enable for proxy connections (ciphers, key exchange, " |
---|
| 366 | "MACs, compression)."), |
---|
[4d4a406] | 367 | AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable, |
---|
[78b75b3] | 368 | NULL, RSRC_CONF, |
---|
[3475e62] | 369 | "Enable OCSP stapling"), |
---|
[2246a84] | 370 | AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh, |
---|
| 371 | NULL, RSRC_CONF, |
---|
| 372 | "Regularly refresh cached OCSP response independent " |
---|
| 373 | "of TLS handshakes?"), |
---|
[d036f96] | 374 | AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache, |
---|
| 375 | NULL, |
---|
| 376 | RSRC_CONF, |
---|
| 377 | "OCSP Cache Configuration"), |
---|
[b888e8b] | 378 | AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce, |
---|
| 379 | NULL, RSRC_CONF, |
---|
| 380 | "Check nonce in OCSP responses?"), |
---|
[94cb972] | 381 | AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path, |
---|
[78b75b3] | 382 | NULL, RSRC_CONF, |
---|
[3475e62] | 383 | "Read OCSP response for stapling from this file instead " |
---|
| 384 | "of sending a request over HTTP (must be updated " |
---|
| 385 | "externally)"), |
---|
[e1c094c] | 386 | AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout, |
---|
[78b75b3] | 387 | NULL, RSRC_CONF, |
---|
[e1c094c] | 388 | "Cache timeout for OCSP responses"), |
---|
[c6dda6d] | 389 | AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout, |
---|
| 390 | NULL, RSRC_CONF, |
---|
[3475e62] | 391 | "Wait this many seconds before retrying a failed OCSP " |
---|
| 392 | "request"), |
---|
[2246a84] | 393 | AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout, |
---|
| 394 | NULL, RSRC_CONF, |
---|
| 395 | "Update cached OCSP response up to this many seconds " |
---|
| 396 | "before it expires, if GnuTLSOCSPAutoRefresh is enabled."), |
---|
[333bbc7] | 397 | AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout, |
---|
| 398 | NULL, RSRC_CONF, |
---|
[3475e62] | 399 | "Socket timeout for OCSP requests"), |
---|
[7921dc7] | 400 | AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile", |
---|
| 401 | ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), |
---|
| 402 | AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile", |
---|
| 403 | ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), |
---|
| 404 | AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile", |
---|
| 405 | ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), |
---|
[15b22cb] | 406 | #ifdef __clang__ |
---|
| 407 | /* Workaround for this clang bug: |
---|
| 408 | * https://llvm.org/bugs/show_bug.cgi?id=21689 */ |
---|
| 409 | {}, |
---|
| 410 | #else |
---|
[7d1ab49] | 411 | { NULL }, |
---|
[15b22cb] | 412 | #endif |
---|
[46b85d8] | 413 | }; |
---|
[9706fc2] | 414 | |
---|
| 415 | module AP_MODULE_DECLARE_DATA gnutls_module = { |
---|
[e183628] | 416 | STANDARD20_MODULE_STUFF, |
---|
[2d0f6cf] | 417 | .create_dir_config = mgs_config_dir_create, |
---|
| 418 | .merge_dir_config = mgs_config_dir_merge, |
---|
| 419 | .create_server_config = mgs_config_server_create, |
---|
[040387c] | 420 | .merge_server_config = mgs_config_server_merge, |
---|
[2d0f6cf] | 421 | .cmds = mgs_config_cmds, |
---|
| 422 | .register_hooks = gnutls_hooks |
---|
[9706fc2] | 423 | }; |
---|