[thirdparty/squid.git] / src / security / ServerOptions.h

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
#define SQUID_SRC_SECURITY_SERVEROPTIONS_H

#include "anyp/forward.h"
#include "security/PeerOptions.h"
#if USE_OPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
#endif
#endif

namespace Security
{

/// TLS squid.conf settings for a listening port
class ServerOptions : public PeerOptions
{
public:
#if USE_OPENSSL
    sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
    typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
#endif

    ServerOptions() : PeerOptions() {
        // Bug 4005: dynamic contexts use a lot of memory and it
        // is more secure to have only a small set of trusted CA.
        flags.tlsDefaultCa.defaultTo(false);
    }
    ServerOptions(const ServerOptions &o): ServerOptions() { *this = o; }
    ServerOptions &operator =(const ServerOptions &);
    ServerOptions(ServerOptions &&o) { this->operator =(o); }
    ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
    ~ServerOptions() override = default;

    /* Security::PeerOptions API */
    void parse(const char *) override;
    void clear() override {*this = ServerOptions();}
    Security::ContextPointer createBlankContext() const override;
    void dumpCfg(Packable *, const char *pfx) const override;

    /// initialize all server contexts as-needed and load PEM files.
    /// if none can be created this may do nothing.
    void initServerContexts(AnyP::PortCfg &);

    /// update the given TLS security context using squid.conf settings
    bool updateContextConfig(Security::ContextPointer &);

    /// update the context with DH, EDH, EECDH settings
    void updateContextEecdh(Security::ContextPointer &);

    /// update the context with CA details used to verify client certificates
    void updateContextClientCa(Security::ContextPointer &);

    /// update the context with a configured session ID (if any)
    void updateContextSessionId(Security::ContextPointer &);

    /// sync the various sources of CA files to be loaded
    void syncCaFiles();

public:
    /// TLS context to use for HTTPS accelerator or static SSL-Bump
    Security::ContextPointer staticContext;
    SBuf staticContextSessionId; ///< "session id context" for staticContext

#if USE_OPENSSL
    bool generateHostCertificates = true; ///< dynamically make host cert
#elif USE_GNUTLS
    // TODO: GnuTLS does implement TLS server connections so the cert
    // generate vs static choice can be reached in the code now.
    // But this feature is not fully working implemented so must not
    // be enabled by default for production installations.
    bool generateHostCertificates = false; ///< dynamically make host cert
#else
    // same as OpenSSL so config errors show up easily
    bool generateHostCertificates = true; ///< dynamically make host cert
#endif

    Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
    Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates

    /// max size of generated certificates memory cache (4 MB default)
    size_t dynamicCertMemCacheSize = 4*1024*1024;

private:
    bool loadClientCaFile();
    void loadDhParams();

    /// generate a security server-context from these configured options
    /// the resulting context is stored in staticContext
    /// \returns true if a context could be created
    bool createStaticServerContext(AnyP::PortCfg &);

    /// initialize contexts for signing dynamic TLS certificates (if needed)
    /// the resulting keys are stored in signingCa and untrustedSigningCa
    void createSigningContexts(const AnyP::PortCfg &);

private:
    SBuf clientCaFile;  ///< name of file to load client CAs from
#if USE_OPENSSL
    /// CA certificate(s) to use when verifying client certificates
    X509_NAME_STACK_Pointer clientCaStack;
#else
    void *clientCaStack = nullptr;
#endif

    SBuf dh;            ///< Diffi-Helman cipher config
    SBuf dhParamsFile;  ///< Diffi-Helman ciphers parameter file
    SBuf eecdhCurve;    ///< Elliptic curve for ephemeral EC-based DH key exchanges

    Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
};

} // namespace Security

#endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
Commit	Line	Data
474f076e	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
474f076e AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
	10	#define SQUID_SRC_SECURITY_SERVEROPTIONS_H
	11
c75aba02	12	#include "anyp/forward.h"
474f076e	13	#include "security/PeerOptions.h"
24b30fdc EQ	14	#if USE_OPENSSL
	15	#include "compat/openssl.h"
	16	#if HAVE_OPENSSL_X509_H
	17	#include <openssl/x509.h>
	18	#endif
	19	#endif
474f076e AJ	20
	21	namespace Security
	22	{
	23
	24	/// TLS squid.conf settings for a listening port
	25	class ServerOptions : public PeerOptions
	26	{
	27	public:
621f4299 AJ	28	#if USE_OPENSSL
	29	sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
	30	typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
	31	#endif
	32
435c72b0 AJ	33	ServerOptions() : PeerOptions() {
	34	// Bug 4005: dynamic contexts use a lot of memory and it
	35	// is more secure to have only a small set of trusted CA.
	36	flags.tlsDefaultCa.defaultTo(false);
	37	}
ff3763e9	38	ServerOptions(const ServerOptions &o): ServerOptions() { *this = o; }
621f4299 AJ	39	ServerOptions &operator =(const ServerOptions &);
	40	ServerOptions(ServerOptions &&o) { this->operator =(o); }
	41	ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
337b9aa4	42	~ServerOptions() override = default;
474f076e AJ	43
474f076e AJ	44	/* Security::PeerOptions API */
337b9aa4 AR	45	void parse(const char *) override;
	46	void clear() override {*this = ServerOptions();}
	47	Security::ContextPointer createBlankContext() const override;
	48	void dumpCfg(Packable , const char pfx) const override;
474f076e	49
1700fab7 AJ	50	/// initialize all server contexts as-needed and load PEM files.
1700fab7 AJ	51	/// if none can be created this may do nothing.
51e09c08	52	void initServerContexts(AnyP::PortCfg &);
cf487124 AJ	53
	54	/// update the given TLS security context using squid.conf settings
	55	bool updateContextConfig(Security::ContextPointer &);
	56
474f076e	57	/// update the context with DH, EDH, EECDH settings
b23f5f9c	58	void updateContextEecdh(Security::ContextPointer &);
474f076e	59
621f4299 AJ	60	/// update the context with CA details used to verify client certificates
	61	void updateContextClientCa(Security::ContextPointer &);
	62
cf487124 AJ	63	/// update the context with a configured session ID (if any)
	64	void updateContextSessionId(Security::ContextPointer &);
	65
621f4299 AJ	66	/// sync the various sources of CA files to be loaded
	67	void syncCaFiles();
	68
80b5995a AJ	69	public:
	70	/// TLS context to use for HTTPS accelerator or static SSL-Bump
	71	Security::ContextPointer staticContext;
cf487124 AJ	72	SBuf staticContextSessionId; ///< "session id context" for staticContext
cf487124 AJ	73
51e09c08 AJ	74	#if USE_OPENSSL
	75	bool generateHostCertificates = true; ///< dynamically make host cert
	76	#elif USE_GNUTLS
	77	// TODO: GnuTLS does implement TLS server connections so the cert
	78	// generate vs static choice can be reached in the code now.
	79	// But this feature is not fully working implemented so must not
	80	// be enabled by default for production installations.
	81	bool generateHostCertificates = false; ///< dynamically make host cert
	82	#else
	83	// same as OpenSSL so config errors show up easily
cf487124	84	bool generateHostCertificates = true; ///< dynamically make host cert
51e09c08	85	#endif
cf487124	86
51e09c08 AJ	87	Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
51e09c08 AJ	88	Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates
cf487124 AJ	89
	90	/// max size of generated certificates memory cache (4 MB default)
	91	size_t dynamicCertMemCacheSize = 410241024;
80b5995a	92
104deb98	93	private:
621f4299	94	bool loadClientCaFile();
104deb98 AJ	95	void loadDhParams();
104deb98 AJ	96
51e09c08 AJ	97	/// generate a security server-context from these configured options
	98	/// the resulting context is stored in staticContext
	99	/// \returns true if a context could be created
	100	bool createStaticServerContext(AnyP::PortCfg &);
	101
	102	/// initialize contexts for signing dynamic TLS certificates (if needed)
	103	/// the resulting keys are stored in signingCa and untrustedSigningCa
	104	void createSigningContexts(const AnyP::PortCfg &);
	105
104deb98	106	private:
621f4299 AJ	107	SBuf clientCaFile; ///< name of file to load client CAs from
	108	#if USE_OPENSSL
	109	/// CA certificate(s) to use when verifying client certificates
	110	X509_NAME_STACK_Pointer clientCaStack;
	111	#else
	112	void *clientCaStack = nullptr;
	113	#endif
	114
80b5995a	115	SBuf dh; ///< Diffi-Helman cipher config
474f076e AJ	116	SBuf dhParamsFile; ///< Diffi-Helman ciphers parameter file
474f076e AJ	117	SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges
104deb98 AJ	118
104deb98 AJ	119	Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
474f076e AJ	120	};
	121
	122	} // namespace Security
	123
	124	#endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
3736fdd6	125