/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

f7f3304a | 9 | #include "squid.h" |
65d448bc | 10 | #include "anyp/PortCfg.h" |
cbff89ba | 11 | #include "comm.h" |
eb6ac808 | 12 | #include "fatal.h" |
cb4f4424 | 13 | #if USE_OPENSSL |
14 | #include "ssl/support.h" |
15 | #endif | |
1b26be8f | 16 | |
eb6ac808 | 17 | #include <cstring> |
eb6ac808 | 18 | #include <limits> |
eb6ac808 | 19 | |
/// Head of the list of configured port entries; presumably the http_port
/// directives (the list is linked through PortCfg::next) -- confirm in callers.
AnyP::PortCfgPointer HttpPortList;
#if USE_OPENSSL
/// Head of the list for the TLS-enabled ports; presumably https_port.
AnyP::PortCfgPointer HttpsPortList;
#endif
/// Head of the list for the FTP ports; presumably ftp_port.
AnyP::PortCfgPointer FtpPortList;

/// Number of entries in HttpSockets[] currently in use (starts empty).
int NHttpSockets = 0;
/// Descriptors of the opened listening sockets; the fixed bound
/// MAXTCPLISTENPORTS is defined outside this file.
int HttpSockets[MAXTCPLISTENPORTS];

/// Construct a port configuration with every option at its "not set"
/// value: NULL C-strings, false booleans, zero numerics, a PROTO_HTTP
/// transport (version 1,1 -- presumably HTTP/1.1) and a default-constructed
/// (closed) listenConn.
/// Under USE_OPENSSL the raw ssl option strings (cert, key, cipher, ...)
/// start NULL and the objects derived from them by
/// configureSslServerContext() start empty.
/// C++ initialises members in declaration order (see PortCfg.h, not
/// visible here); keep this list in that order to avoid -Wreorder warnings.
AnyP::PortCfg::PortCfg() :
    next(),
    s(),
    transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc.
    name(NULL),
    defaultsite(NULL),
    flags(),
    allow_direct(false),
    vhost(false),
    actAsOrigin(false),
    ignore_cc(false),
    connection_auth_disabled(false),
    ftp_track_dirs(false),
    vport(0),
    disable_pmtu_discovery(0),
    listenConn()
#if USE_OPENSSL
    ,cert(NULL),
    key(NULL),
    version(0),
    cipher(NULL),
    options(NULL),
    clientca(NULL),
    cafile(NULL),
    capath(NULL),
    crlfile(NULL),
    dhfile(NULL),
    sslflags(NULL),
    sslContextSessionId(NULL),
    generateHostCertificates(false),
    // largest size_t; presumably means "no limit" -- confirm against PortCfg.h
    dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
    staticSslContext(),
    signingCert(),
    signPkey(),
    certsToChain(),
    untrustedSigningCert(),
    untrustedSignPkey(),
    clientVerifyCrls(),
    clientCA(),
    dhParams(),
    contextMethod(),
    sslContextFlags(0),
    sslOptions(0)
#endif
{
    // tcp_keepalive is not in the initializer list; it is zeroed here
    // instead, presumably because it is a plain C-style aggregate -- verify
    // in PortCfg.h before relying on that.
    memset(&tcp_keepalive, 0, sizeof(tcp_keepalive));
}
1b26be8f | 76 | |
/// Release everything this port configuration owns directly: the open
/// listening connection (if any) and the xstrdup()ed option strings.
/// The OpenSSL objects derived from those strings (signing certs, CRLs,
/// DH params, the static context) live in members that are reset() by
/// configureSslServerContext() and are expected to release themselves.
AnyP::PortCfg::~PortCfg()
{
    // Stop accepting on this port before its configuration disappears.
    if (Comm::IsConnOpen(listenConn)) {
        listenConn->close();
        listenConn = NULL;
    }

#if USE_OPENSSL
    // raw ssl option strings: file names, flag/option/cipher lists, session id
    safe_free(cert);
    safe_free(key);
    safe_free(cipher);
    safe_free(options);
    safe_free(clientca);
    safe_free(cafile);
    safe_free(capath);
    safe_free(crlfile);
    safe_free(dhfile);
    safe_free(sslflags);
    safe_free(sslContextSessionId);
#endif

    // generic option strings
    safe_free(name);
    safe_free(defaultsite);
}
f4e4d4d6 | 101 | |
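/// Create a new PortCfg holding copies of this object's non-SSL settings:
/// the listening address, the owned name/defaultsite strings, transport,
/// flags and the TCP/behaviour options.  The copy starts with a closed
/// listenConn and does not share string storage with the original.
/// \note The USE_OPENSSL settings are intentionally not cloned
///  (TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure
///  separate ports with IPs and SSL settings).
AnyP::PortCfgPointer
AnyP::PortCfg::clone() const
{
    AnyP::PortCfgPointer b = new AnyP::PortCfg();
    b->s = s;
    // these strings are owned (safe_free()d in ~PortCfg), so duplicate them
    if (name)
        b->name = xstrdup(name);
    if (defaultsite)
        b->defaultsite = xstrdup(defaultsite);

    b->transport = transport;
    b->flags = flags;
    b->allow_direct = allow_direct;
    b->vhost = vhost;
    // actAsOrigin and ignore_cc are initialised in PortCfg() but were not
    // copied here before, so a clone silently lost those two settings.
    b->actAsOrigin = actAsOrigin;
    b->ignore_cc = ignore_cc;
    b->vport = vport;
    b->connection_auth_disabled = connection_auth_disabled;
    b->ftp_track_dirs = ftp_track_dirs;
    b->disable_pmtu_discovery = disable_pmtu_discovery;
    b->tcp_keepalive = tcp_keepalive;

    return b;
}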
5ae65581 | 145 | |
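#if USE_OPENSSL
/// Build the OpenSSL server-side state of this port from its raw ssl
/// option strings: load the signing certificate chain and private key
/// from the cert/key files, generate the signing certificate used for
/// untrusted sites, parse the flag and option strings, load the CRL,
/// client-CA and DH files, pick the context method and finally create
/// the static server context.
/// Any misconfiguration that leaves the port unusable is reported with
/// fatalf(); a missing private key is only logged (debugs level 3).
void
AnyP::PortCfg::configureSslServerContext()
{
    if (cert)
        Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain, cert, key);

    if (!signingCert) {
        char buf[128];
        fatalf("No valid signing SSL certificate configured for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }

    if (!signPkey)
        debugs(3, DBG_IMPORTANT, "No SSL private key configured for " << AnyP::ProtocolType_str[transport.protocol] << "_port " << s);

    Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey,
                               signingCert, signPkey);

    if (!untrustedSigningCert) {
        char buf[128];
        fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }

    // Parse the configured flags before anything consults sslContextFlags.
    // Previously the CRL was loaded while sslContextFlags still held the
    // constructor default (0) and the parsed value was only assigned
    // afterwards, so the configured flags never reached Ssl::loadCrl().
    if (sslflags)
        sslContextFlags = Ssl::parse_flags(sslflags);

    if (crlfile)
        clientVerifyCrls.reset(Ssl::loadCrl(crlfile, sslContextFlags));

    if (clientca) {
        clientCA.reset(SSL_load_client_CA_file(clientca));
        if (clientCA.get() == NULL) {
            fatalf("Unable to read client CAs! from %s", clientca);
        }
    }

    contextMethod = Ssl::contextMethod(version);
    if (!contextMethod)
        fatalf("Unable to compute context method to use");

    if (dhfile)
        dhParams.reset(Ssl::readDHParams(dhfile));

    sslOptions = Ssl::parse_options(options);

    // sslCreateServerContext() reads the members prepared above
    staticSslContext.reset(sslCreateServerContext(*this));

    if (!staticSslContext) {
        char buf[128];
        fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }
}
#endif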
f53969cc | 199 |