gnunet-svn
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [libmicrohttpd] branch master updated: Add callback to allo

From: gnunet
Subject: [GNUnet-SVN] [libmicrohttpd] branch master updated: Add callback to allow OCSP stapling
Date: Wed, 17 Jul 2019 12:51:51 +0200 
This is an automated email from the git hooks/post-receive script.

tim-ruehsen pushed a commit to branch master
in repository libmicrohttpd.

The following commit(s) were added to refs/heads/master by this push:
     new 3751044d Add callback to allow OCSP stapling
3751044d is described below

commit 3751044dc81a4b37de14b20dfc4cc7902fc36344
Author: Tim Rühsen <address@hidden>
AuthorDate: Tue Jul 16 14:59:30 2019 +0200

    Add callback to allow OCSP stapling
---
 ChangeLog                 |  4 ++++
 doc/libmicrohttpd.texi    | 13 +++++++++++++
 src/include/microhttpd.h  | 23 ++++++++++++++++++++---
 src/microhttpd/daemon.c   | 44 +++++++++++++++++++++++++++++++++++++++++++-
 src/microhttpd/internal.h |  8 ++++++++
 5 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ce8bff26..6a057b73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Tue Jul 16 19:56:14 CEST 2019
+       Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling
+   and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for. -TR
+
 Fri Jul 05 2019 22:30:40 MSK
        Releasing libmicrohttpd 0.9.65. -EG
 
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index c974d98f..6f34d799 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -892,6 +892,19 @@ information provided.  The callback is expected to access 
the SNI data
 using gnutls_server_name_get().  Using this option requires GnuTLS 3.0
 or higher.
 
+@item MHD_OPTION_HTTPS_CERT_CALLBACK2
+@cindex SSL
+@cindex TLS
+@cindex SNI
+@cindex OCSP
+Use a callback to determine which X.509 certificate should be
+used for a given HTTPS connection.  This option should be
+followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
+This option provides an
+alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
+You must use this version if you want to use OCSP stapling.
+Using this option requires GnuTLS 3.6.3 or higher.
+
 @item MHD_OPTION_GNUTLS_PSK_CRED_HANDLER
 @cindex SSL
 @cindex TLS
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index cec74683..9d28cdb1 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -132,7 +132,7 @@ typedef intptr_t ssize_t;
  * Current version of the library.
  * 0x01093001 = 1.9.30-1.
  */
-#define MHD_VERSION 0x00096501
+#define MHD_VERSION 0x00096502
 
 /**
  * MHD-internal return code for "YES".
@@ -1646,7 +1646,18 @@ enum MHD_OPTION
    * gnutls_psk_set_server_credentials_function. It is used to
    * retrieve the shared key for a given username.
    */
-  MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30
+  MHD_OPTION_GNUTLS_PSK_CRED_HANDLER = 30,
+
+  /**
+   * Use a callback to determine which X.509 certificate should be
+   * used for a given HTTPS connection.  This option should be
+   * followed by a argument of type `gnutls_certificate_retrieve_function3 *`.
+   * This option provides an
+   * alternative/extension to #MHD_OPTION_HTTPS_CERT_CALLBACK.
+       * You must use this version if you want to use OCSP stapling.
+   * Using this option requires GnuTLS 3.6.3 or higher.
+   */
+  MHD_OPTION_HTTPS_CERT_CALLBACK2 = 31
 };
 
 
@@ -3927,7 +3938,13 @@ enum MHD_FEATURE
   /**
    * Get whether MHD supports threads.
    */
-  MHD_FEATURE_THREADS
+  MHD_FEATURE_THREADS = 22,
+
+  /**
+   * Get whether option #MHD_OPTION_HTTPS_CERT_CALLBACK2 is
+   * supported.
+   */
+  MHD_FEATURE_HTTPS_CERT_CALLBACK2 = 23
 };
 
 
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index 8e1a7ab8..d3595fe0 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -546,6 +546,14 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
                                                  daemon->cert_callback);
     }
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  else if (NULL != daemon->cert_callback2)
+    {
+      gnutls_certificate_set_retrieve_function3 (daemon->x509_cred,
+                                                 daemon->cert_callback2);
+    }
+#endif
+
   if (NULL != daemon->https_mem_trust)
     {
       size_t paramlen;
@@ -634,6 +642,10 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
   if (NULL != daemon->cert_callback)
     return 0;
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  else if (NULL != daemon->cert_callback2)
+    return 0;
+#endif
 #ifdef HAVE_MESSAGES
   MHD_DLOG (daemon,
             "You need to specify a certificate and key location\n");
@@ -2540,7 +2552,7 @@ internal_add_connection (struct MHD_Daemon *daemon,
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030605)
       if (0 != (daemon->options & MHD_USE_INSECURE_TLS_EARLY_DATA))
        flags |= GNUTLS_ENABLE_EARLY_DATA;
-#endif      
+#endif
       connection->tls_state = MHD_TLS_CONN_INIT;
       MHD_set_https_callbacks (connection);
       gnutls_init (&connection->tls_session,
@@ -4930,6 +4942,9 @@ parse_options_va (struct MHD_Daemon *daemon,
 #if GNUTLS_VERSION_MAJOR >= 3
   gnutls_certificate_retrieve_function2 *pgcrf;
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  gnutls_certificate_retrieve_function3 *pgcrf2;
+#endif
 #endif /* HTTPS_SUPPORT */
 
   while (MHD_OPTION_END != (opt = (enum MHD_OPTION) va_arg (ap, int)))
@@ -5195,6 +5210,26 @@ parse_options_va (struct MHD_Daemon *daemon,
                         opt);
 #endif
           break;
+#endif
+        case MHD_OPTION_HTTPS_CERT_CALLBACK2:
+#if GNUTLS_VERSION_NUMBER < 0x030603
+#ifdef HAVE_MESSAGES
+          MHD_DLOG (daemon,
+                    _("MHD_OPTION_HTTPS_CERT_CALLBACK2 requires building MHD 
with GnuTLS >= 3.6.3\n"));
+#endif
+          return MHD_NO;
+#else
+          pgcrf2 = va_arg (ap,
+                          gnutls_certificate_retrieve_function3 *);
+          if (0 != (daemon->options & MHD_USE_TLS))
+            daemon->cert_callback2 = pgcrf2;
+          else
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (daemon,
+                        _("MHD HTTPS option %d passed to MHD but MHD_USE_TLS 
not set\n"),
+                        opt);
+#endif
+          break;
 #endif
 #endif /* HTTPS_SUPPORT */
 #ifdef DAUTH_SUPPORT
@@ -5347,6 +5382,7 @@ parse_options_va (struct MHD_Daemon *daemon,
                case MHD_OPTION_HTTPS_PRIORITIES:
                case MHD_OPTION_ARRAY:
                 case MHD_OPTION_HTTPS_CERT_CALLBACK:
+                case MHD_OPTION_HTTPS_CERT_CALLBACK2:
                  if (MHD_YES != parse_options (daemon,
                                                servaddr,
                                                opt,
@@ -6960,6 +6996,12 @@ MHD_is_feature_supported(enum MHD_FEATURE feature)
 #else  /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */
       return MHD_NO;
 #endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_MAJOR < 3 */
+    case MHD_FEATURE_HTTPS_CERT_CALLBACK2:
+#if defined(HTTPS_SUPPORT) && GNUTLS_VERSION_NUMBER >= 0x030603
+      return MHD_YES;
+#else  /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */
+      return MHD_NO;
+#endif /* !HTTPS_SUPPORT || GNUTLS_VERSION_NUMBER < 0x030603 */
     case MHD_FEATURE_IPv6:
 #ifdef HAVE_INET6
       return MHD_YES;
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h
index 8dc813a2..1f5aeaf3 100644
--- a/src/microhttpd/internal.h
+++ b/src/microhttpd/internal.h
@@ -1670,6 +1670,14 @@ struct MHD_Daemon
   void *cred_callback_cls;
 #endif
 
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+  /**
+   * Function that can be used to obtain the certificate.  Needed
+   * for OCSP stapling support.  See #MHD_OPTION_HTTPS_CERT_CALLBACK2.
+   */
+  gnutls_certificate_retrieve_function3 *cert_callback2;
+#endif
+
   /**
    * Pointer to our SSL/TLS key (in ASCII) in memory.
    */

-- 
To stop receiving notification emails like this one, please contact
address@hidden.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]