9a2f63e7 | 1 | /* |
5b74111a | 2 | * Copyright (C) 1996-2018 The Squid Software Foundation and contributors |
9a2f63e7 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
cdfb670c AJ |
9 | #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H |
10 | #define SQUID_SRC_SECURITY_PEEROPTIONS_H | |
11 | ||
#include "base/YesNoNone.h"
#include "ConfigParser.h"
#include "security/KeyData.h"

#include <list>
cdfb670c | 15 | |
8250ca31 AJ |
16 | class Packable; |
17 | ||
cdfb670c AJ |
18 | namespace Security |
19 | { | |
20 | ||
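/// TLS squid.conf settings for a remote server peer.
///
/// Both the raw squid.conf strings (sslOptions, sslFlags, caDir, ...) and
/// their parsed forms (parsedOptions, parsedFlags, parsedCrl, ...) are kept,
/// so that dumpCfg() can reproduce the configuration while the
/// updateContext*() helpers apply the parsed values to a library context.
/// Transport encryption is off by default (encryptTransport == false).
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    /// virtual: parse(), clear(), createBlankContext() and dumpCfg() are overridable
    virtual ~PeerOptions() = default;

    /// parse a TLS squid.conf option (for example the options=, cert=,
    /// file= or tls-min-version= parameters referenced by the fields below)
    virtual void parse(const char *);

    /// reset the configuration details to default.
    /// Implemented as assignment from a fresh PeerOptions, so it resets only
    /// the members declared in this class; a derived class must override
    /// clear() to reset its own members as well.
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    /// (presumably the object the updateContext*() helpers are then applied to;
    /// confirm in PeerOptions.cc)
    virtual Security::ContextPointer createBlankContext() const;

    /// generate a security client-context from these configured options
    /// \param setOptions presumably whether to also apply the library
    ///        'options=' parameters via updateContextOptions() -- confirm in PeerOptions.cc
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    /// (see tlsMinVersion and sslVersion below)
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &) const;

    /// setup the NPN extension details for the given context
    /// (governed by flags.tlsNpn)
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details for the given context
    /// (presumably the trust anchors in caFiles, caDir and, when
    /// flags.tlsDefaultCa allows, the system default CAs -- confirm in PeerOptions.cc)
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    /// (presumably parsedCrl, as loaded from crlFile by loadCrlFile())
    void updateContextCrl(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    void parseOptions(); ///< parse sslOptions into parsedOptions
    long parseFlags();   ///< parse sslFlags; presumably yields the parsedFlags value
    void loadCrlFile();  ///< presumably loads parsedCrl from crlFile -- confirm in PeerOptions.cc

public:
    SBuf sslOptions; ///< library-specific options string (see parseOptions())
    SBuf caDir;      ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;    ///< path of file containing Certificate Revoke List

    SBuf sslCipher;  ///< TLS cipher specification string; presumably the cipher= parameter -- confirm in PeerOptions.cc
    SBuf sslFlags;   ///< flags defining what TLS operations Squid performs (see parseFlags())
    SBuf sslDomain;  ///< domain name for the peer; presumably used when validating its certificate -- confirm in PeerOptions.cc

    SBuf tlsMinVersion; ///< version label for minimum TLS version to permit (see updateTlsVersionLimits())

    Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
    long parsedFlags = 0;                  ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles;            ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    /// Wrap a raw library context pointer in a Security::ContextPointer whose
    /// deleter releases it with the library's own free function, logging the
    /// release at debug level 5. Without a TLS library only a nil pointer may
    /// be passed and an empty ContextPointer is returned.
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        return Security::ContextPointer(ctx, [](SSL_CTX *p) {
            // the deleter frees the context, not a session, so log it as such
            debugs(83, 5, "SSL_CTX_free ctx=" << static_cast<void*>(p));
            SSL_CTX_free(p);
        });
#elif USE_GNUTLS
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << static_cast<void*>(p));
            gnutls_certificate_free_credentials(p);
        });
#else
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    /// numeric protocol version selector, 0 when not configured
    /// (presumably consumed by updateTlsVersionLimits() -- confirm in PeerOptions.cc)
    int sslVersion = 0;

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() = default;
        flags_(const flags_ &) = default;
        flags_ &operator =(const flags_ &) = default;

        /// whether to use the system default Trusted CA when verifying the remote end certificate
        /// (enabled unless configured otherwise)
        YesNoNone tlsDefaultCa{true};

        /// whether to use the TLS NPN extension on these connections (enabled by default)
        bool tlsNpn = true;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};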
126 | ||
/// configuration options for DIRECT server access
/// (the tls_outgoing_options directive; filled by parse_securePeerOptions()
/// and reset by the free_securePeerOptions() macro)
extern PeerOptions ProxyOutgoingConfig;
195f8adb | 129 | |
cdfb670c AJ |
130 | } // namespace Security |
131 | ||
// parse the tls_outgoing_options directive into the given PeerOptions object
void parse_securePeerOptions(Security::PeerOptions *);
// reset the tls_outgoing_options settings to their defaults.
// NOTE(review): the 'x' argument is ignored; this macro always clears the
// Security::ProxyOutgoingConfig global, whatever 'x' names.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
// dump tls_outgoing_options in squid.conf syntax: the directive name 'n',
// then the stored parameters of 'x' via dumpCfg(), then a newline.
// appendf() presumably treats 'n' as a format string, so it must be a plain name.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
195f8adb | 136 | |
cdfb670c | 137 | #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */ |
be75380c | 138 |