Add callback to allow OCSP stapling

author: Tim Rühsen <tim.ruehsen@gmx.de> 2019-07-16 14:59:30 +0200
committer: Tim Rühsen <tim.ruehsen@gmx.de> 2019-07-17 12:50:15 +0200
commit: 3751044dc81a4b37de14b20dfc4cc7902fc36344 (patch)
tree: b55476e19c631607e821d6ea0fcc833b70100002
parent: 90eb831b28e9d3554f6a0c8637f0b405f6d16641 (diff)
download: libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.tar.gz
libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.zip
5 files changed, 88 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index ce8bff26..6a057b73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Tue Jul 16 19:56:14 CEST 2019
+        Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling
+   and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for. -TR
 Fri Jul 05 2019 22:30:40 MSK
        Releasing libmicrohttpd 0.9.65. -EG
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index c974d98f..6f34d799 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -892,6 +892,19 @@ information provided.  The callback is expected to access the SNI data
 using gnutls_server_name_get().  Using this option requires GnuTLS 3.0
 or higher.
+@item MHD_OPTION_HTTPS_CERT_CALLBACK2
+@cindex SSL
+@cindex TLS
+@cindex SNI
+@cindex OCSP
+Use a callback to determine which X.509 certificate should be
+used for a given HTTPS connection.  This option should be
+followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
+This option provides an
+alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
+You must use this version if you want to use OCSP stapling.
+Using this option requires GnuTLS 3.6.3 or higher.
 @item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER
 @cindex SSL
 @cindex TLS
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index cec74683..9d28cdb1 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -132,7 +132,7 @@ typedef intptr_t ssize_t;
 * Current version of the library.
 * 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00096501
+#define MHD_VERSION 0x00096502
 /**
 * MHD-internal return code for "YES".
@@ -1646,7 +1646,18 @@ enum MHD_OPTION
   * gnutls_psk_set_server_credentials_function. It is used to
   * retrieve the shared key for a given username.
   */
-  MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30
+  MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30,
+  /**
+   * Use a callback to determine which X.509 certificate should be
+   * used for a given HTTPS connection.  This option should be
+   * followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
+   * This option provides an
+   * alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
+        * You must use this version if you want to use OCSP stapling.
+   * Using this option requires GnuTLS 3.6.3 or higher.
+   */
+  MHD_OPTION_HTTPS_CERT_CALLBACK2 = 31
 };
@@ -3927,7 +3938,13 @@ enum MHD_FEATURE
  /**
   * Get whether MHD supports threads.
   */
-  MHD_FEATURE_THREADS
+  MHD_FEATURE_THREADS = 22,
+  /**
+   * Get whether option #MHD_OPTION_HTTPS_CERT_CALLBACK2 is
+   * supported.
+   */
+  MHD_FEATURE_HTTPS_CERT_CALLBACK2 = 23
 };
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index 8e1a7ab8..d3595fe0 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -546,6 +546,14 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
                                                 daemon->cert_callback);
    }
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  else if (NULL != daemon->cert_callback2)
+    {
+      gnutls_certificate_set_retrieve_function3 (daemon->x509_cred,
+                                                 daemon->cert_callback2);
+    }
+#endif
  if (NULL != daemon->https_mem_trust)
    {
      size_t paramlen;
@@ -634,6 +642,10 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
  if (NULL != daemon->cert_callback)
    return 0;
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  else if (NULL != daemon->cert_callback2)
+    return 0;
+#endif
 #ifdef HAVE_MESSAGES
  MHD_DLOG (daemon,
            "You need to specify a certificate and key location\n");
@@ -2540,7 +2552,7 @@ internal_add_connection (struct MHD_Daemon *daemon,
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
      if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
        flags |= GNUTLS_ENABLE_EARLY_DATA;
-#endif      
+#endif
      connection->tls_state = MHD_TLS_CONN_INIT;
      MHD_set_https_callbacks (connection);
      gnutls_init (&connection->tls_session,
@@ -4930,6 +4942,9 @@ parse_options_va (struct MHD_Daemon *daemon,
 #if GNUTLS_VERSION_MAJOR >= 3
  gnutls_certificate_retrieve_function2 *pgcrf;
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  gnutls_certificate_retrieve_function3 *pgcrf2;
+#endif
 #endif /* HTTPS_SUPPORT */
  while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int)))
@@ -5196,6 +5211,26 @@ parse_options_va (struct MHD_Daemon *daemon,
 #endif
          break;
 #endif
+        case MHD_OPTION_HTTPS_CERT_CALLBACK2:
+#if GNUTLS_VERSION_NUMBER < 0x030603
+#ifdef HAVE_MESSAGES
+          MHD_DLOG (daemon,
+                    _("MHD_OPTION_HTTPS_CERT_CALLBACK2 requires building MHD with GnuTLS >= 3.6.3\n"));
+#endif
+          return MHD_NO;
+#else
+          pgcrf2 = va_arg (ap,
+                          gnutls_certificate_retrieve_function3 *);
+          if (0 != (daemon->options & MHD_USE_TLS))
+            daemon->cert_callback2 = pgcrf2;
+          else
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (daemon,
+                        _("MHD HTTPS option %d passed to MHD but MHD_USE_TLS not set\n"),
+                        opt);
+#endif
+          break;
+#endif
 #endif /* HTTPS_SUPPORT */
 #ifdef DAUTH_SUPPORT
        case MHD_OPTION_DIGEST_AUTH_RANDOM:
@@ -5347,6 +5382,7 @@ parse_options_va (struct MHD_Daemon *daemon,
                case MHD_OPTION_HTTPS_PRIORITIES:
                case MHD_OPTION_ARRAY:
                case MHD_OPTION_HTTPS_CERT_CALLBACK:
+                case MHD_OPTION_HTTPS_CERT_CALLBACK2:
                  if (MHD_YES != parse_options (daemon,
                                                servaddr,
                                                opt,
@@ -6960,6 +6996,12 @@ MHD_is_feature_supported(enum MHD_FEATURE feature)
 #else  /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */
      return MHD_NO;
 #endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */
+    case MHD_FEATURE_HTTPS_CERT_CALLBACK2:
+#if defined(HTTPS_SUPPORT) && GNUTLS_VERSION_NUMBER >= 0x030603
+      return MHD_YES;
+#else  /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */
+      return MHD_NO;
+#endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */
    case MHD_FEATURE_IPv6:
 #ifdef HAVE_INET6
      return MHD_YES;
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h
index 8dc813a2..1f5aeaf3 100644
--- a/src/microhttpd/internal.h
+++ b/src/microhttpd/internal.h
@@ -1670,6 +1670,14 @@ struct MHD_Daemon
  void *cred_callback_cls;
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  /**
+   * Function that can be used to obtain the certificate.  Needed
+   * for OCSP stapling support.  See #MHD_OPTION_HTTPS_CERT_CALLBACK2.
+   */
+  gnutls_certificate_retrieve_function3 *cert_callback2;
+#endif
  /**
   * Pointer to our SSL/TLS key (in ASCII) in memory.
   */
author	Tim Rühsen <tim.ruehsen@gmx.de>	2019-07-16 14:59:30 +0200
committer	Tim Rühsen <tim.ruehsen@gmx.de>	2019-07-17 12:50:15 +0200
commit	3751044dc81a4b37de14b20dfc4cc7902fc36344 (patch)
tree	b55476e19c631607e821d6ea0fcc833b70100002
parent	90eb831b28e9d3554f6a0c8637f0b405f6d16641 (diff)
download	libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.tar.gz libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.zip

diff --git a/ChangeLog b/ChangeLog index ce8bff26..6a057b73 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,7 @@
		1	Tue Jul 16 19:56:14 CEST 2019
		2	Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling
		3	and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for. -TR
		4
1	Fri Jul 05 2019 22:30:40 MSK	5	Fri Jul 05 2019 22:30:40 MSK
2	Releasing libmicrohttpd 0.9.65. -EG	6	Releasing libmicrohttpd 0.9.65. -EG
3		7


diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index c974d98f..6f34d799 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi
@@ -892,6 +892,19 @@ information provided. The callback is expected to access the SNI data
892	using gnutls_server_name_get(). Using this option requires GnuTLS 3.0	892	using gnutls_server_name_get(). Using this option requires GnuTLS 3.0
893	or higher.	893	or higher.
894		894
		895	@item MHD_OPTION_HTTPS_CERT_CALLBACK2
		896	@cindex SSL
		897	@cindex TLS
		898	@cindex SNI
		899	@cindex OCSP
		900	Use a callback to determine which X.509 certificate should be
		901	used for a given HTTPS connection. This option should be
		902	followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
		903	This option provides an
		904	alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
		905	You must use this version if you want to use OCSP stapling.
		906	Using this option requires GnuTLS 3.6.3 or higher.
		907
895	@item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER	908	@item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER
896	@cindex SSL	909	@cindex SSL
897	@cindex TLS	910	@cindex TLS


diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h index cec74683..9d28cdb1 100644 --- a/src/include/microhttpd.h +++ b/src/include/microhttpd.h
@@ -132,7 +132,7 @@ typedef intptr_t ssize_t;
132	* Current version of the library.	132	* Current version of the library.
133	* 0x01093001 = 1.9.30-1.	133	* 0x01093001 = 1.9.30-1.
134	*/	134	*/
135	#define MHD_VERSION 0x00096501	135	#define MHD_VERSION 0x00096502
136		136
137	/**	137	/**
138	* MHD-internal return code for "YES".	138	* MHD-internal return code for "YES".
@@ -1646,7 +1646,18 @@ enum MHD_OPTION
1646	* gnutls_psk_set_server_credentials_function. It is used to	1646	* gnutls_psk_set_server_credentials_function. It is used to
1647	* retrieve the shared key for a given username.	1647	* retrieve the shared key for a given username.
1648	*/	1648	*/
1649	MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30	1649	MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30,
		1650
		1651	/**
		1652	* Use a callback to determine which X.509 certificate should be
		1653	* used for a given HTTPS connection. This option should be
		1654	* followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
		1655	* This option provides an
		1656	* alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
		1657	* You must use this version if you want to use OCSP stapling.
		1658	* Using this option requires GnuTLS 3.6.3 or higher.
		1659	*/
		1660	MHD_OPTION_HTTPS_CERT_CALLBACK2 = 31
1650	};	1661	};
1651		1662
1652		1663
@@ -3927,7 +3938,13 @@ enum MHD_FEATURE
3927	/**	3938	/**
3928	* Get whether MHD supports threads.	3939	* Get whether MHD supports threads.
3929	*/	3940	*/
3930	MHD_FEATURE_THREADS	3941	MHD_FEATURE_THREADS = 22,
		3942
		3943	/**
		3944	* Get whether option #MHD_OPTION_HTTPS_CERT_CALLBACK2 is
		3945	* supported.
		3946	*/
		3947	MHD_FEATURE_HTTPS_CERT_CALLBACK2 = 23
3931	};	3948	};
3932		3949
3933		3950


diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index 8e1a7ab8..d3595fe0 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c
@@ -546,6 +546,14 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
546	daemon->cert_callback);	546	daemon->cert_callback);
547	}	547	}
548	#endif	548	#endif
		549	#if GNUTLS_VERSION_NUMBER >= 0x030603
		550	else if (NULL != daemon->cert_callback2)
		551	{
		552	gnutls_certificate_set_retrieve_function3 (daemon->x509_cred,
		553	daemon->cert_callback2);
		554	}
		555	#endif
		556
549	if (NULL != daemon->https_mem_trust)	557	if (NULL != daemon->https_mem_trust)
550	{	558	{
551	size_t paramlen;	559	size_t paramlen;
@@ -634,6 +642,10 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
634	if (NULL != daemon->cert_callback)	642	if (NULL != daemon->cert_callback)
635	return 0;	643	return 0;
636	#endif	644	#endif
		645	#if GNUTLS_VERSION_NUMBER >= 0x030603
		646	else if (NULL != daemon->cert_callback2)
		647	return 0;
		648	#endif
637	#ifdef HAVE_MESSAGES	649	#ifdef HAVE_MESSAGES
638	MHD_DLOG (daemon,	650	MHD_DLOG (daemon,
639	"You need to specify a certificate and key location\n");	651	"You need to specify a certificate and key location\n");
@@ -2540,7 +2552,7 @@ internal_add_connection (struct MHD_Daemon *daemon,
2540	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)	2552	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
2541	if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))	2553	if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
2542	flags \|= GNUTLS_ENABLE_EARLY_DATA;	2554	flags \|= GNUTLS_ENABLE_EARLY_DATA;
2543	#endif	2555	#endif
2544	connection->tls_state = MHD_TLS_CONN_INIT;	2556	connection->tls_state = MHD_TLS_CONN_INIT;
2545	MHD_set_https_callbacks (connection);	2557	MHD_set_https_callbacks (connection);
2546	gnutls_init (&connection->tls_session,	2558	gnutls_init (&connection->tls_session,
@@ -4930,6 +4942,9 @@ parse_options_va (struct MHD_Daemon *daemon,
4930	#if GNUTLS_VERSION_MAJOR >= 3	4942	#if GNUTLS_VERSION_MAJOR >= 3
4931	gnutls_certificate_retrieve_function2 *pgcrf;	4943	gnutls_certificate_retrieve_function2 *pgcrf;
4932	#endif	4944	#endif
		4945	#if GNUTLS_VERSION_NUMBER >= 0x030603
		4946	gnutls_certificate_retrieve_function3 *pgcrf2;
		4947	#endif
4933	#endif /* HTTPS_SUPPORT */	4948	#endif /* HTTPS_SUPPORT */
4934		4949
4935	while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int)))	4950	while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int)))
@@ -5196,6 +5211,26 @@ parse_options_va (struct MHD_Daemon *daemon,
5196	#endif	5211	#endif
5197	break;	5212	break;
5198	#endif	5213	#endif
		5214	case MHD_OPTION_HTTPS_CERT_CALLBACK2:
		5215	#if GNUTLS_VERSION_NUMBER < 0x030603
		5216	#ifdef HAVE_MESSAGES
		5217	MHD_DLOG (daemon,
		5218	_("MHD_OPTION_HTTPS_CERT_CALLBACK2 requires building MHD with GnuTLS >= 3.6.3\n"));
		5219	#endif
		5220	return MHD_NO;
		5221	#else
		5222	pgcrf2 = va_arg (ap,
		5223	gnutls_certificate_retrieve_function3 *);
		5224	if (0 != (daemon->options & MHD_USE_TLS))
		5225	daemon->cert_callback2 = pgcrf2;
		5226	else
		5227	#ifdef HAVE_MESSAGES
		5228	MHD_DLOG (daemon,
		5229	_("MHD HTTPS option %d passed to MHD but MHD_USE_TLS not set\n"),
		5230	opt);
		5231	#endif
		5232	break;
		5233	#endif
5199	#endif /* HTTPS_SUPPORT */	5234	#endif /* HTTPS_SUPPORT */
5200	#ifdef DAUTH_SUPPORT	5235	#ifdef DAUTH_SUPPORT
5201	case MHD_OPTION_DIGEST_AUTH_RANDOM:	5236	case MHD_OPTION_DIGEST_AUTH_RANDOM:
@@ -5347,6 +5382,7 @@ parse_options_va (struct MHD_Daemon *daemon,
5347	case MHD_OPTION_HTTPS_PRIORITIES:	5382	case MHD_OPTION_HTTPS_PRIORITIES:
5348	case MHD_OPTION_ARRAY:	5383	case MHD_OPTION_ARRAY:
5349	case MHD_OPTION_HTTPS_CERT_CALLBACK:	5384	case MHD_OPTION_HTTPS_CERT_CALLBACK:
		5385	case MHD_OPTION_HTTPS_CERT_CALLBACK2:
5350	if (MHD_YES != parse_options (daemon,	5386	if (MHD_YES != parse_options (daemon,
5351	servaddr,	5387	servaddr,
5352	opt,	5388	opt,
@@ -6960,6 +6996,12 @@ MHD_is_feature_supported(enum MHD_FEATURE feature)
6960	#else /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_MAJOR < 3 */	6996	#else /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_MAJOR < 3 */
6961	return MHD_NO;	6997	return MHD_NO;
6962	#endif /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_MAJOR < 3 */	6998	#endif /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_MAJOR < 3 */
		6999	case MHD_FEATURE_HTTPS_CERT_CALLBACK2:
		7000	#if defined(HTTPS_SUPPORT) && GNUTLS_VERSION_NUMBER >= 0x030603
		7001	return MHD_YES;
		7002	#else /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_NUMBER < 0x030603 */
		7003	return MHD_NO;
		7004	#endif /* !HTTPS_SUPPORT \|\| GNUTLS_VERSION_NUMBER < 0x030603 */
6963	case MHD_FEATURE_IPv6:	7005	case MHD_FEATURE_IPv6:
6964	#ifdef HAVE_INET6	7006	#ifdef HAVE_INET6
6965	return MHD_YES;	7007	return MHD_YES;


diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h index 8dc813a2..1f5aeaf3 100644 --- a/src/microhttpd/internal.h +++ b/src/microhttpd/internal.h
@@ -1670,6 +1670,14 @@ struct MHD_Daemon
1670	void *cred_callback_cls;	1670	void *cred_callback_cls;
1671	#endif	1671	#endif
1672		1672
		1673	#if GNUTLS_VERSION_NUMBER >= 0x030603
		1674	/**
		1675	* Function that can be used to obtain the certificate. Needed
		1676	* for OCSP stapling support. See #MHD_OPTION_HTTPS_CERT_CALLBACK2.
		1677	*/
		1678	gnutls_certificate_retrieve_function3 *cert_callback2;
		1679	#endif
		1680
1673	/**	1681	/**
1674	* Pointer to our SSL/TLS key (in ASCII) in memory.	1682	* Pointer to our SSL/TLS key (in ASCII) in memory.
1675	*/	1683	*/