Changeset 19e80a5 in mod_gnutls for include/mod_gnutls.h.in


Timestamp:
Jan 28, 2019, 2:50:38 PM (13 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master
Children:
102aa67
Parents:
0931b35 (diff), ea9c699 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Update upstream source from tag 'upstream/0.9.0'

Update to upstream version '0.9.0'
with Debian dir 619b546038886b240d2c8e61ee1a1b13ce0867d7

File:
1 edited

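--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -26,18 +26,13 @@
 #include "http_log.h"
 #include "apr_buckets.h"
-#include "apr_strings.h"
 #include "apr_tables.h"
 #include "ap_release.h"
-#include "apr_fnmatch.h"
 /* GnuTLS Library Headers */
 #include <gnutls/gnutls.h>
 #include <gnutls/abstract.h>
-#include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 
 #ifndef __mod_gnutls_h_inc
 #define __mod_gnutls_h_inc
-
-#define HAVE_APR_MEMCACHE    @have_apr_memcache@
 
 extern module AP_MODULE_DECLARE_DATA gnutls_module;
@@ -56,18 +51,12 @@
 #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
 
-/* mod_gnutls Cache Types */
-typedef enum {
-        /* No Cache */
-    mgs_cache_none,
-        /* Use Old Berkley DB */
-    mgs_cache_dbm,
-        /* Use Gnu's version of Berkley DB */
-    mgs_cache_gdbm,
-#if HAVE_APR_MEMCACHE
-        /* Use Memcache */
-    mgs_cache_memcache,
+/* Compile support for early SNI? */
+#if @ENABLE_EARLY_SNI@ == 1
+#define ENABLE_EARLY_SNI
 #endif
-    mgs_cache_unset
-} mgs_cache_e;
+
+/** Name of the module-wide singleton watchdog */
+#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
+
 
 /* Internal cache data, defined in gnutls_cache.h */
@@ -93,9 +82,10 @@
 /* The maximum number of certificates to send in a chain */
 #define MAX_CHAIN_SIZE 8
-/* The maximum number of SANs to read from a x509 certificate */
-#define MAX_CERT_SAN 5
-
-/* Server Configuration Record */
+
+/** Server Configuration Record */
 typedef struct {
+    /** Server this mod_gnutls configuration is for */
+    server_rec* s;
+
     /* --- Configuration values --- */
         /* Is the module enabled? */
@@ -103,6 +93,4 @@
         /* Is mod_proxy enabled? */
     int proxy_enabled;
-        /* A Plain HTTP request */
-    int non_ssl_request;
 
     /* List of PKCS #11 provider modules to load, only valid in the
@@ -120,8 +108,4 @@
     char *x509_ca_file;
 
-    char *pgp_cert_file;
-    char *pgp_key_file;
-    char *pgp_ring_file;
-
     char *dh_file;
 
@@ -134,7 +118,6 @@
         /* Cache timeout value */
     int cache_timeout;
-        /* Chose Cache Type */
-    mgs_cache_e cache_type;
-    const char* cache_config;
+    /* Enable cache */
+    unsigned char cache_enable : 2;
     /* Internal cache data */
     mgs_cache_t cache;
@@ -142,6 +125,4 @@
         /* GnuTLS uses Session Tickets */
     int tickets;
-
-    /* --- Things initialized at _child_init --- */
 
     /* x509 Certificate Structure */
@@ -164,8 +145,4 @@
      * connections */
     gnutls_anon_client_credentials_t anon_client_creds;
-        /* Current x509 Certificate CN [Common Name] */
-    char* cert_cn;
-        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
-    char* cert_san[MAX_CERT_SAN];
         /* An x509 Certificate Chain */
     gnutls_pcert_st *certs_x509_chain;
@@ -176,18 +153,4 @@
         /* Current x509 Certificate Private Key */
     gnutls_privkey_t privkey_x509;
-
-        /* OpenPGP Certificate */
-    gnutls_pcert_st *cert_pgp;
-    gnutls_openpgp_crt_t *cert_crt_pgp;
-
-        /* OpenPGP Certificate Private Key */
-    gnutls_privkey_t privkey_pgp;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    /* Internal structure for the OpenPGP private key, used in the
-     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
-     * frees memory that is still needed. DO NOT USE for any other
-     * purpose. */
-    gnutls_openpgp_privkey_t privkey_pgp_internal;
-#endif
 
     /* Export full certificates to CGI environment: */
@@ -199,6 +162,4 @@
         /* A list of CA Certificates */
     gnutls_x509_crt_t *ca_list;
-        /* OpenPGP Key Ring */
-    gnutls_openpgp_keyring_t pgp_list;
         /* CA Certificate list size */
     unsigned int ca_list_size;
@@ -207,9 +168,9 @@
         /* Client Certificate Verification Method */
     mgs_client_verification_method_e client_verify_method;
-        /* Last Cache timestamp */
-    apr_time_t last_cache_check;
 
     /* Enable OCSP stapling */
     unsigned char ocsp_staple;
+    /* Automatically refresh cached OCSP response? */
+    unsigned char ocsp_auto_refresh;
     /* Check nonce in OCSP responses? */
     unsigned char ocsp_check_nonce;
@@ -221,4 +182,6 @@
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;
+    /* Internal OCSP cache data */
+    mgs_cache_t ocsp_cache;
     /* Cache timeout for OCSP responses. Note that the nextUpdate
      * field of the response takes precedence if shorter. */
@@ -226,6 +189,17 @@
     /* If an OCSP request fails wait this long before trying again. */
     apr_interval_time_t ocsp_failure_timeout;
+    /** How long before a cached OCSP response expires should it be
+     * updated? During configuration parsing this is set to the
+     * maximum, during post configuration the value will be set to
+     * half that. After each update the interval to for the next one
+     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
+     * RANDOM` with `0 <= RANDOM <= 1`. */
+    apr_interval_time_t ocsp_fuzz_time;
     /* Socket timeout for OCSP requests */
     apr_interval_time_t ocsp_socket_timeout;
+
+    /** This module's singleton watchdog, used for async OCSP cache
+     * updates. */
+    struct mgs_watchdog *singleton_wd;
 } mgs_srvconf_rec;
 
@@ -236,5 +210,5 @@
 } mgs_char_buffer_t;
 
-/* GnuTLS Handle */
+/** GnuTLS connection handle */
 typedef struct {
         /* Server configuration record */
@@ -248,4 +222,6 @@
         /* GnuTLS Session handle */
     gnutls_session_t session;
+    /** Server name requested via SNI if any, or NULL. */
+    const char *sni_name;
         /* module input status */
     apr_status_t input_rc;
@@ -274,5 +250,6 @@
         /* Output length */
     apr_size_t output_length;
-        /* General Status */
+    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
+     * error (checks use status < 0 or status > 0) */
     int status;
 } mgs_handle_t;
@@ -286,7 +263,4 @@
 
 /* Proxy Support */
-/** mod_proxy adds a note with this key to the connection->notes table
- * for client connections */
-#define PROXY_SNI_NOTE "proxy-request-hostname"
 /* An optional function which returns non-zero if the given connection
 is using SSL/TLS. */
@@ -398,13 +372,4 @@
                              const char *arg);
 
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
-                                        const char *arg);
-
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
-                             const char *arg);
-
-const char *mgs_set_cache(cmd_parms * parms, void *dummy,
-                          const char *type, const char* arg);
-
 const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 
@@ -425,7 +390,4 @@
 
 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
-                                   const char *arg);
-
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
 
@@ -446,6 +408,4 @@
 void *mgs_config_dir_create(apr_pool_t *p, char *dir);
 
-mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
-
 const char *mgs_store_cred_path(cmd_parms * parms,
                                 void *dummy __attribute__((unused)),
@@ -474,4 +434,7 @@
 int mgs_hook_fixups(request_rec *r);
 
+/** Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r);
+
 int mgs_hook_authz(request_rec *r);
 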
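Review bot: The new `const char *sni_name;` member of `mgs_handle_t` (right after `gnutls_session_t session;`) holds a client-supplied server name, but its comment states neither who owns the string nor what has been checked about it, so a reader cannot tell whether it is pool-allocated for the connection's lifetime or borrowed from the GnuTLS session, nor whether it may be used for vhost lookup before the new `mgs_req_vhost_check` hook has matched it against a configured vhost. I would extend the comment to `/** Server name requested via SNI if any, or NULL. Client-supplied and unvalidated until matched against a configured vhost; storage: <CONFIRM: connection pool or session-owned> */`, filling in the ownership from the code that sets it. In `mgs_srvconf_rec`, `unsigned char cache_enable : 2;` is documented only as `/* Enable cache */`; a 2-bit field suggests a third "unset" value consumed by config merging, and the comment should list the valid values and their meaning, as should the new `ocsp_auto_refresh` flag. Finally, the `ocsp_fuzz_time` doc comment has two typos: `the interval to for the next one` should read `the interval for the next one`, and `choosen` should be `chosen`.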