author | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-07-16 14:59:30 +0200 |
---|---|---|
committer | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-07-17 12:50:15 +0200 |
commit | 3751044dc81a4b37de14b20dfc4cc7902fc36344 (patch) | |
tree | b55476e19c631607e821d6ea0fcc833b70100002 | |
parent | 90eb831b28e9d3554f6a0c8637f0b405f6d16641 (diff) | |
download | libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.tar.gz libmicrohttpd-3751044dc81a4b37de14b20dfc4cc7902fc36344.zip |
Add callback to allow OCSP stapling
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | doc/libmicrohttpd.texi | 13 | ||||
-rw-r--r-- | src/include/microhttpd.h | 23 | ||||
-rw-r--r-- | src/microhttpd/daemon.c | 44 | ||||
-rw-r--r-- | src/microhttpd/internal.h | 8 |
5 files changed, 88 insertions, 4 deletions
@@ -1,3 +1,7 @@ | |||
1 | Tue Jul 16 19:56:14 CEST 2019 | ||
2 | Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling | ||
3 | and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for. -TR | ||
4 | |||
1 | Fri Jul 05 2019 22:30:40 MSK | 5 | Fri Jul 05 2019 22:30:40 MSK |
2 | Releasing libmicrohttpd 0.9.65. -EG | 6 | Releasing libmicrohttpd 0.9.65. -EG |
3 | 7 | ||
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index c974d98f..6f34d799 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi | |||
@@ -892,6 +892,19 @@ information provided. The callback is expected to access the SNI data | |||
892 | using gnutls_server_name_get(). Using this option requires GnuTLS 3.0 | 892 | using gnutls_server_name_get(). Using this option requires GnuTLS 3.0 |
893 | or higher. | 893 | or higher. |
894 | 894 | ||
895 | @item MHD_OPTION_HTTPS_CERT_CALLBACK2 | ||
896 | @cindex SSL | ||
897 | @cindex TLS | ||
898 | @cindex SNI | ||
899 | @cindex OCSP | ||
900 | Use a callback to determine which X.509 certificate should be | ||
901 | used for a given HTTPS connection. This option should be | ||
902 | followed by a argument of type `gnutls_certificate_retrieve_function3 *`. | ||
903 | This option provides an | ||
904 | alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK. | ||
905 | You must use this version if you want to use OCSP stapling. | ||
906 | Using this option requires GnuTLS 3.6.3 or higher. | ||
907 | |||
895 | @item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER | 908 | @item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER |
896 | @cindex SSL | 909 | @cindex SSL |
897 | @cindex TLS | 910 | @cindex TLS |
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h index cec74683..9d28cdb1 100644 --- a/src/include/microhttpd.h +++ b/src/include/microhttpd.h | |||
@@ -132,7 +132,7 @@ typedef intptr_t ssize_t; | |||
132 | * Current version of the library. | 132 | * Current version of the library. |
133 | * 0x01093001 = 1.9.30-1. | 133 | * 0x01093001 = 1.9.30-1. |
134 | */ | 134 | */ |
135 | #define MHD_VERSION 0x00096501 | 135 | #define MHD_VERSION 0x00096502 |
136 | 136 | ||
137 | /** | 137 | /** |
138 | * MHD-internal return code for "YES". | 138 | * MHD-internal return code for "YES". |
@@ -1646,7 +1646,18 @@ enum MHD_OPTION | |||
1646 | * gnutls_psk_set_server_credentials_function. It is used to | 1646 | * gnutls_psk_set_server_credentials_function. It is used to |
1647 | * retrieve the shared key for a given username. | 1647 | * retrieve the shared key for a given username. |
1648 | */ | 1648 | */ |
1649 | MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30 | 1649 | MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30, |
1650 | |||
1651 | /** | ||
1652 | * Use a callback to determine which X.509 certificate should be | ||
1653 | * used for a given HTTPS connection. This option should be | ||
1654 | * followed by a argument of type `gnutls_certificate_retrieve_function3 *`. | ||
1655 | * This option provides an | ||
1656 | * alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK. | ||
1657 | * You must use this version if you want to use OCSP stapling. | ||
1658 | * Using this option requires GnuTLS 3.6.3 or higher. | ||
1659 | */ | ||
1660 | MHD_OPTION_HTTPS_CERT_CALLBACK2 = 31 | ||
1650 | }; | 1661 | }; |
1651 | 1662 | ||
1652 | 1663 | ||
@@ -3927,7 +3938,13 @@ enum MHD_FEATURE | |||
3927 | /** | 3938 | /** |
3928 | * Get whether MHD supports threads. | 3939 | * Get whether MHD supports threads. |
3929 | */ | 3940 | */ |
3930 | MHD_FEATURE_THREADS | 3941 | MHD_FEATURE_THREADS = 22, |
3942 | |||
3943 | /** | ||
3944 | * Get whether option #MHD_OPTION_HTTPS_CERT_CALLBACK2 is | ||
3945 | * supported. | ||
3946 | */ | ||
3947 | MHD_FEATURE_HTTPS_CERT_CALLBACK2 = 23 | ||
3931 | }; | 3948 | }; |
3932 | 3949 | ||
3933 | 3950 | ||
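Review bot: The new doc comment on `MHD_OPTION_HTTPS_CERT_CALLBACK2` (enum MHD_OPTION hunk) does not say how the option interacts with `MHD_OPTION_HTTPS_CERT_CALLBACK` when a caller passes both; the daemon.c change installs the retrieve_function3 callback only in an `else if` after the existing cert_callback check, so the older option silently wins and the OCSP-capable callback is never registered. Add a sentence such as `* If #MHD_OPTION_HTTPS_CERT_CALLBACK is also given, it takes precedence and this callback is not installed.` — the same sentence fits the new `cert_callback2` field comment in internal.h and the texi entry. The comment also reads "followed by a argument"; it should be `an argument` (the texi entry carries the same typo).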
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index 8e1a7ab8..d3595fe0 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c | |||
@@ -546,6 +546,14 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon) | |||
546 | daemon->cert_callback); | 546 | daemon->cert_callback); |
547 | } | 547 | } |
548 | #endif | 548 | #endif |
549 | #if GNUTLS_VERSION_NUMBER >= 0x030603 | ||
550 | else if (NULL != daemon->cert_callback2) | ||
551 | { | ||
552 | gnutls_certificate_set_retrieve_function3 (daemon->x509_cred, | ||
553 | daemon->cert_callback2); | ||
554 | } | ||
555 | #endif | ||
556 | |||
549 | if (NULL != daemon->https_mem_trust) | 557 | if (NULL != daemon->https_mem_trust) |
550 | { | 558 | { |
551 | size_t paramlen; | 559 | size_t paramlen; |
@@ -634,6 +642,10 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon) | |||
634 | if (NULL != daemon->cert_callback) | 642 | if (NULL != daemon->cert_callback) |
635 | return 0; | 643 | return 0; |
636 | #endif | 644 | #endif |
645 | #if GNUTLS_VERSION_NUMBER >= 0x030603 | ||
646 | else if (NULL != daemon->cert_callback2) | ||
647 | return 0; | ||
648 | #endif | ||
637 | #ifdef HAVE_MESSAGES | 649 | #ifdef HAVE_MESSAGES |
638 | MHD_DLOG (daemon, | 650 | MHD_DLOG (daemon, |
639 | "You need to specify a certificate and key location\n"); | 651 | "You need to specify a certificate and key location\n"); |
@@ -2540,7 +2552,7 @@ internal_add_connection (struct MHD_Daemon *daemon, | |||
2540 | #if (GNUTLS_VERSION_NUMBER+0 >= 0x030605) | 2552 | #if (GNUTLS_VERSION_NUMBER+0 >= 0x030605) |
2541 | if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA)) | 2553 | if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA)) |
2542 | flags |= GNUTLS_ENABLE_EARLY_DATA; | 2554 | flags |= GNUTLS_ENABLE_EARLY_DATA; |
2543 | #endif | 2555 | #endif |
2544 | connection->tls_state = MHD_TLS_CONN_INIT; | 2556 | connection->tls_state = MHD_TLS_CONN_INIT; |
2545 | MHD_set_https_callbacks (connection); | 2557 | MHD_set_https_callbacks (connection); |
2546 | gnutls_init (&connection->tls_session, | 2558 | gnutls_init (&connection->tls_session, |
@@ -4930,6 +4942,9 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
4930 | #if GNUTLS_VERSION_MAJOR >= 3 | 4942 | #if GNUTLS_VERSION_MAJOR >= 3 |
4931 | gnutls_certificate_retrieve_function2 *pgcrf; | 4943 | gnutls_certificate_retrieve_function2 *pgcrf; |
4932 | #endif | 4944 | #endif |
4945 | #if GNUTLS_VERSION_NUMBER >= 0x030603 | ||
4946 | gnutls_certificate_retrieve_function3 *pgcrf2; | ||
4947 | #endif | ||
4933 | #endif /* HTTPS_SUPPORT */ | 4948 | #endif /* HTTPS_SUPPORT */ |
4934 | 4949 | ||
4935 | while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int))) | 4950 | while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int))) |
@@ -5196,6 +5211,26 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
5196 | #endif | 5211 | #endif |
5197 | break; | 5212 | break; |
5198 | #endif | 5213 | #endif |
5214 | case MHD_OPTION_HTTPS_CERT_CALLBACK2: | ||
5215 | #if GNUTLS_VERSION_NUMBER < 0x030603 | ||
5216 | #ifdef HAVE_MESSAGES | ||
5217 | MHD_DLOG (daemon, | ||
5218 | _("MHD_OPTION_HTTPS_CERT_CALLBACK2 requires building MHD with GnuTLS >= 3.6.3\n")); | ||
5219 | #endif | ||
5220 | return MHD_NO; | ||
5221 | #else | ||
5222 | pgcrf2 = va_arg (ap, | ||
5223 | gnutls_certificate_retrieve_function3 *); | ||
5224 | if (0 != (daemon->options & MHD_USE_TLS)) | ||
5225 | daemon->cert_callback2 = pgcrf2; | ||
5226 | else | ||
5227 | #ifdef HAVE_MESSAGES | ||
5228 | MHD_DLOG (daemon, | ||
5229 | _("MHD HTTPS option %d passed to MHD but MHD_USE_TLS not set\n"), | ||
5230 | opt); | ||
5231 | #endif | ||
5232 | break; | ||
5233 | #endif | ||
5199 | #endif /* HTTPS_SUPPORT */ | 5234 | #endif /* HTTPS_SUPPORT */ |
5200 | #ifdef DAUTH_SUPPORT | 5235 | #ifdef DAUTH_SUPPORT |
5201 | case MHD_OPTION_DIGEST_AUTH_RANDOM: | 5236 | case MHD_OPTION_DIGEST_AUTH_RANDOM: |
@@ -5347,6 +5382,7 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
5347 | case MHD_OPTION_HTTPS_PRIORITIES: | 5382 | case MHD_OPTION_HTTPS_PRIORITIES: |
5348 | case MHD_OPTION_ARRAY: | 5383 | case MHD_OPTION_ARRAY: |
5349 | case MHD_OPTION_HTTPS_CERT_CALLBACK: | 5384 | case MHD_OPTION_HTTPS_CERT_CALLBACK: |
5385 | case MHD_OPTION_HTTPS_CERT_CALLBACK2: | ||
5350 | if (MHD_YES != parse_options (daemon, | 5386 | if (MHD_YES != parse_options (daemon, |
5351 | servaddr, | 5387 | servaddr, |
5352 | opt, | 5388 | opt, |
@@ -6960,6 +6996,12 @@ MHD_is_feature_supported(enum MHD_FEATURE feature) | |||
6960 | #else /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */ | 6996 | #else /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */ |
6961 | return MHD_NO; | 6997 | return MHD_NO; |
6962 | #endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */ | 6998 | #endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */ |
6999 | case MHD_FEATURE_HTTPS_CERT_CALLBACK2: | ||
7000 | #if defined(HTTPS_SUPPORT) && GNUTLS_VERSION_NUMBER >= 0x030603 | ||
7001 | return MHD_YES; | ||
7002 | #else /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */ | ||
7003 | return MHD_NO; | ||
7004 | #endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */ | ||
6963 | case MHD_FEATURE_IPv6: | 7005 | case MHD_FEATURE_IPv6: |
6964 | #ifdef HAVE_INET6 | 7006 | #ifdef HAVE_INET6 |
6965 | return MHD_YES; | 7007 | return MHD_YES; |
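Review bot: In the new `MHD_OPTION_HTTPS_CERT_CALLBACK2` case of the parse_options_va hunk, the `else` after `daemon->cert_callback2 = pgcrf2;` has as its only body the `#ifdef HAVE_MESSAGES` MHD_DLOG call, so in a build without HAVE_MESSAGES the `else` binds to the following `break;` and the MHD_USE_TLS path falls through past `#endif /* HTTPS_SUPPORT */` into whatever case label follows, which presumably consumes further va_args the caller never supplied. Brace the else body unconditionally — `else { ... }` around the `#ifdef HAVE_MESSAGES` block, with `break;` after the closing brace — so the break is taken on both paths. The pre-existing MHD_OPTION_HTTPS_CERT_CALLBACK case above this hunk may have the same shape; if it does, it should get the same braces. parse_options_va begins and ends outside the hunk.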
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h index 8dc813a2..1f5aeaf3 100644 --- a/src/microhttpd/internal.h +++ b/src/microhttpd/internal.h | |||
@@ -1670,6 +1670,14 @@ struct MHD_Daemon | |||
1670 | void *cred_callback_cls; | 1670 | void *cred_callback_cls; |
1671 | #endif | 1671 | #endif |
1672 | 1672 | ||
1673 | #if GNUTLS_VERSION_NUMBER >= 0x030603 | ||
1674 | /** | ||
1675 | * Function that can be used to obtain the certificate. Needed | ||
1676 | * for OCSP stapling support. See #MHD_OPTION_HTTPS_CERT_CALLBACK2. | ||
1677 | */ | ||
1678 | gnutls_certificate_retrieve_function3 *cert_callback2; | ||
1679 | #endif | ||
1680 | |||
1673 | /** | 1681 | /** |
1674 | * Pointer to our SSL/TLS key (in ASCII) in memory. | 1682 | * Pointer to our SSL/TLS key (in ASCII) in memory. |
1675 | */ | 1683 | */ |