1 /*
2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #include "squid.h"
10 #include "anyp/PortCfg.h"
11 #include "comm.h"
12 #include "fatal.h"
13 #if USE_OPENSSL
14 #include "ssl/support.h"
15 #endif
16
17 #include <cstring>
18 #include <limits>
19
/// Head of the configured http_port entries (presumably chained through PortCfg::next).
AnyP::PortCfgPointer HttpPortList;
#if USE_OPENSSL
/// Head of the configured https_port entries; only present in OpenSSL-enabled builds.
AnyP::PortCfgPointer HttpsPortList;
#endif
/// Head of the configured ftp_port entries.
AnyP::PortCfgPointer FtpPortList;

/// Number of HttpSockets[] slots in use. NOTE(review): presumably maintained by the
/// listener setup code; confirm it is reset/bounded on reconfigure.
int NHttpSockets = 0;
/// Listening socket descriptors; MAXTCPLISTENPORTS bounds how many ports may be opened.
int HttpSockets[MAXTCPLISTENPORTS];
28
/// Default-constructs a port configuration with every option off/empty.
/// Security-relevant defaults visible here: the transport is plain HTTP,
/// no TLS material (cert/key/CA/CRL/DH file names) or flags are set, and
/// dynamic host-certificate generation is off. Members are initialised in
/// declaration order (see PortCfg.h) -- keep this list in sync with that header.
AnyP::PortCfg::PortCfg() :
    next(),
    s(),
    transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc. (presumably HTTP/1.1)
    name(NULL),
    defaultsite(NULL),
    flags(),
    allow_direct(false),
    vhost(false),
    actAsOrigin(false),
    ignore_cc(false),
    connection_auth_disabled(false),
    ftp_track_dirs(false),
    vport(0),
    disable_pmtu_discovery(0),
    listenConn() // no socket until the port is actually opened
#if USE_OPENSSL
    ,cert(NULL),
    key(NULL),
    version(0), // NOTE(review): 0 presumably means "default TLS version"; confirm in Ssl::contextMethod()
    cipher(NULL),
    options(NULL),
    clientca(NULL),
    cafile(NULL),
    capath(NULL),
    crlfile(NULL),
    dhfile(NULL),
    sslflags(NULL),
    sslContextSessionId(NULL),
    generateHostCertificates(false),
    // Effectively unbounded until configured. NOTE(review): confirm the config
    // parser always overrides this so a generated-cert cache cannot grow without limit.
    dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
    staticSslContext(),
    signingCert(),
    signPkey(),
    certsToChain(),
    untrustedSigningCert(),
    untrustedSignPkey(),
    clientVerifyCrls(),
    clientCA(),
    dhParams(),
    contextMethod(),
    sslContextFlags(0),
    sslOptions(0)
#endif
{
    // tcp_keepalive is zeroed bytewise (presumably a plain C struct): no keepalive until configured.
    memset(&tcp_keepalive, 0, sizeof(tcp_keepalive));
}
76
/// Releases everything this port configuration owns: the listening socket
/// (if still open) and the heap-allocated option strings. The OpenSSL-derived
/// objects (contexts, certificates, keys, CRL store) are RAII members and
/// clean themselves up; only the raw C strings need explicit freeing.
AnyP::PortCfg::~PortCfg()
{
    // Stop accepting first, then drop our reference to the connection.
    const bool stillListening = Comm::IsConnOpen(listenConn);
    if (stillListening) {
        listenConn->close();
        listenConn = NULL;
    }

#if USE_OPENSSL
    // Per-port TLS option strings (file names, cipher/option/flag lists).
    // safe_free() nulls each pointer after freeing, so a double destruction is harmless.
    safe_free(sslContextSessionId);
    safe_free(sslflags);
    safe_free(dhfile);
    safe_free(crlfile);
    safe_free(capath);
    safe_free(cafile);
    safe_free(clientca);
    safe_free(options);
    safe_free(cipher);
    safe_free(key);
    safe_free(cert);
#endif

    // Generic per-port strings.
    safe_free(defaultsite);
    safe_free(name);
}
101
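/// Creates an independent copy of this port configuration, presumably so the
/// same settings can be applied to an additional listening address.
///
/// Copied: the address, the owned name/defaultsite strings (deep-copied with
/// xstrdup so each object frees its own), transport, flags and every per-port
/// boolean/integer setting, including actAsOrigin and ignore_cc. The original
/// left those two at their constructor defaults (false), so a clone silently
/// lost the accelerator-style and ignore-cc behaviour of the port it came from.
///
/// Deliberately NOT copied: `next` and `listenConn` (the clone is a fresh,
/// unopened entry) and the OpenSSL settings (see the TODO below).
///
/// @return a newly allocated PortCfg owned by the returned pointer.
AnyP::PortCfgPointer
AnyP::PortCfg::clone() const
{
    AnyP::PortCfgPointer b = new AnyP::PortCfg();
    b->s = s;
    if (name)
        b->name = xstrdup(name);
    if (defaultsite)
        b->defaultsite = xstrdup(defaultsite);

    b->transport = transport;
    b->flags = flags;
    b->allow_direct = allow_direct;
    b->vhost = vhost;
    b->actAsOrigin = actAsOrigin; // was missing: clone defaulted to false
    b->ignore_cc = ignore_cc;     // was missing: clone defaulted to false
    b->vport = vport;
    b->connection_auth_disabled = connection_auth_disabled;
    b->ftp_track_dirs = ftp_track_dirs;
    b->disable_pmtu_discovery = disable_pmtu_discovery;
    b->tcp_keepalive = tcp_keepalive;

    // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
    // The cert/key/version/cipher/options/clientca/cafile/capath/crlfile/dhfile/
    // sslflags/sslContextSessionId strings and all derived OpenSSL objects stay
    // at their constructor defaults in the clone.

    return b;
}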
145
146 #if USE_OPENSSL
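/// Builds the static TLS server context for this port from its configured
/// option strings (presumably run once per port when the configuration is applied).
///
/// Failure policy, as in the original: a missing or unreadable signing
/// certificate, an unreadable client-CA file, an unusable TLS version and a
/// failed context build are all fatal (fatalf); a missing private key only logs.
///
/// Side effects: fills signingCert/signPkey/certsToChain, the untrusted signing
/// pair, clientVerifyCrls, clientCA, contextMethod, dhParams, sslContextFlags,
/// sslOptions and staticSslContext.
///
/// Change from the original: sslflags are parsed BEFORE Ssl::loadCrl() is handed
/// sslContextFlags. Previously loadCrl() received the constructor value (0) and
/// the parse result was assigned afterwards, so the CRL loader never saw the
/// configured flags and any flag it may have set was overwritten.
void
AnyP::PortCfg::configureSslServerContext()
{
    if (cert)
        Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain, cert, key);

    if (!signingCert) {
        char buf[128];
        fatalf("No valid signing SSL certificate configured for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }

    // Only a warning: the port is still brought up without a key.
    // NOTE(review): confirm no later code path dereferences signPkey unconditionally.
    if (!signPkey)
        debugs(3, DBG_IMPORTANT, "No SSL private key configured for " << AnyP::ProtocolType_str[transport.protocol] << "_port " << s);

    Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey,
                               signingCert, signPkey);

    if (!untrustedSigningCert) {
        char buf[128];
        fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }

    // Parse the configured flags first so every consumer below sees them.
    if (sslflags)
        sslContextFlags = Ssl::parse_flags(sslflags);

    if (crlfile)
        clientVerifyCrls.reset(Ssl::loadCrl(crlfile, sslContextFlags));

    if (clientca) {
        clientCA.reset(SSL_load_client_CA_file(clientca));
        if (clientCA.get() == NULL) {
            fatalf("Unable to read client CAs! from %s", clientca);
        }
    }

    contextMethod = Ssl::contextMethod(version);
    if (!contextMethod)
        fatalf("Unable to compute context method to use");

    if (dhfile)
        dhParams.reset(Ssl::readDHParams(dhfile));

    // options may be NULL here; the original also passed it through unconditionally,
    // so Ssl::parse_options() is presumed to treat NULL as "no options".
    sslOptions = Ssl::parse_options(options);

    staticSslContext.reset(sslCreateServerContext(*this));

    if (!staticSslContext) {
        char buf[128];
        fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }
}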
198 #endif