/*
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
9#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10#define SQUID_SRC_SECURITY_PEEROPTIONS_H
435c72b0 12#include "base/YesNoNone.h"
195f8adb 13#include "ConfigParser.h"
d1d72d43 14#include "security/KeyData.h"
class Packable; // forward declaration: the output sink that dumpCfg() writes into
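namespace Security
{

/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() = default;

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// reset the configuration details to default.
    /// Only the PeerOptions sub-object is re-initialised: a derived class that
    /// carries extra state must override this to reset its own members too.
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPointer createBlankContext() const;

    /// generate a security client-context from these configured options
    /// \param setOptions presumably whether to also apply the 'options=' values
    ///                   to the new context -- confirm against the .cc
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &) const;

    /// setup the NPN extension details for the given context
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details for the given context
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    void updateContextCrl(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    /// parse the sslOptions string (presumably into parsedOptions; see the .cc)
    void parseOptions();
    /// parse the sslFlags string and return the resulting flag bits
    /// (presumably what parsedFlags caches; see the .cc)
    long parseFlags();
    /// load the revocation list named by crlFile (presumably into parsedCrl; see the .cc)
    void loadCrlFile();

public:
    SBuf sslOptions; ///< library-specific options string
    SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile; ///< path of file containing a Certificate Revocation List

    SBuf sslCipher; ///< cipher list configuration string (syntax is presumably library-specific)
    SBuf sslFlags; ///< flags defining what TLS operations Squid performs
    SBuf sslDomain; ///< domain name configured for the peer -- TODO confirm its use in the .cc

    SBuf tlsMinVersion; ///< version label for minimum TLS version to permit

    Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
    long parsedFlags = 0; ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    /// Wrap a raw library context handle in an owning Security::ContextPointer
    /// whose deleter releases the handle through the library's own free
    /// function. Without a TLS library, ctx must be null and an empty pointer
    /// is returned.
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        return Security::ContextPointer(ctx, [](SSL_CTX *p) {
            // log the function actually called, so debug traces match the code
            debugs(83, 5, "SSL_CTX_free ctx=" << (void*)p);
            SSL_CTX_free(p);
        });
#elif USE_GNUTLS
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p);
            gnutls_certificate_free_credentials(p);
        });
#else
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    int sslVersion = 0; ///< numeric form of the configured TLS/SSL version (0 while unset -- TODO confirm against parse())

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() : tlsDefaultCa(true), tlsNpn(true) {}
        flags_(const flags_ &) = default;
        flags_ &operator =(const flags_ &) = default;

        /// whether to use the system default Trusted CA when verifying the remote end certificate
        /// (initialised to true, so the system trust store is consulted unless configured otherwise)
        YesNoNone tlsDefaultCa;

        /// whether to use the TLS NPN extension on these connections (initialised to true)
        bool tlsNpn;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};

/// configuration options for DIRECT server access
extern PeerOptions ProxyOutgoingConfig;

} // namespace Security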
/// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
/// reset the tls_outgoing_options settings; the per-directive argument x is
/// ignored and the global ProxyOutgoingConfig is cleared instead
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
/// write directive name n, then the squid.conf form of x, then a newline into Packable e.
/// n is used as the printf-style format string of appendf(), so it must be a
/// literal directive name rather than externally supplied text.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
cdfb670c 137#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */