[thirdparty/squid.git] / src / anyp / PortCfg.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "anyp/PortCfg.h"
#include "comm.h"
#include "fatal.h"
#if USE_OPENSSL
#include "ssl/support.h"
#endif

#include <cstring>
#include <limits>

AnyP::PortCfgPointer HttpPortList;
#if USE_OPENSSL
AnyP::PortCfgPointer HttpsPortList;
#endif
AnyP::PortCfgPointer FtpPortList;

int NHttpSockets = 0;
int HttpSockets[MAXTCPLISTENPORTS];

AnyP::PortCfg::PortCfg() :
    next(),
    s(),
    transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc.
    name(NULL),
    defaultsite(NULL),
    flags(),
    allow_direct(false),
    vhost(false),
    actAsOrigin(false),
    ignore_cc(false),
    connection_auth_disabled(false),
    ftp_track_dirs(false),
    vport(0),
    disable_pmtu_discovery(0),
    listenConn()
#if USE_OPENSSL
    ,cert(NULL),
    key(NULL),
    version(0),
    cipher(NULL),
    options(NULL),
    clientca(NULL),
    cafile(NULL),
    capath(NULL),
    crlfile(NULL),
    dhfile(NULL),
    sslflags(NULL),
    sslContextSessionId(NULL),
    generateHostCertificates(false),
    dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
    staticSslContext(),
    signingCert(),
    signPkey(),
    certsToChain(),
    untrustedSigningCert(),
    untrustedSignPkey(),
    clientVerifyCrls(),
    clientCA(),
    dhParams(),
    contextMethod(),
    sslContextFlags(0),
    sslOptions(0)
#endif
{
    memset(&tcp_keepalive, 0, sizeof(tcp_keepalive));
}

AnyP::PortCfg::~PortCfg()
{
    if (Comm::IsConnOpen(listenConn)) {
        listenConn->close();
        listenConn = NULL;
    }

    safe_free(name);
    safe_free(defaultsite);

#if USE_OPENSSL
    safe_free(cert);
    safe_free(key);
    safe_free(cipher);
    safe_free(options);
    safe_free(clientca);
    safe_free(cafile);
    safe_free(capath);
    safe_free(crlfile);
    safe_free(dhfile);
    safe_free(sslflags);
    safe_free(sslContextSessionId);
#endif
}

AnyP::PortCfgPointer
AnyP::PortCfg::clone() const
{
    AnyP::PortCfgPointer b = new AnyP::PortCfg();
    b->s = s;
    if (name)
        b->name = xstrdup(name);
    if (defaultsite)
        b->defaultsite = xstrdup(defaultsite);

    b->transport = transport;
    b->flags = flags;
    b->allow_direct = allow_direct;
    b->vhost = vhost;
    b->vport = vport;
    b->connection_auth_disabled = connection_auth_disabled;
    b->ftp_track_dirs = ftp_track_dirs;
    b->disable_pmtu_discovery = disable_pmtu_discovery;
    b->tcp_keepalive = tcp_keepalive;

#if 0
    // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings

#if USE_OPENSSL
    char *cert;
    char *key;
    int version;
    char *cipher;
    char *options;
    char *clientca;
    char *cafile;
    char *capath;
    char *crlfile;
    char *dhfile;
    char *sslflags;
    char *sslContextSessionId;
    SSL_CTX *sslContext;
#endif

#endif /*0*/

    return b;
}

#if USE_OPENSSL
void
AnyP::PortCfg::configureSslServerContext()
{
    if (cert)
        Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain, cert, key);

    if (!signingCert) {
        char buf[128];
        fatalf("No valid signing SSL certificate configured for %s_port %s", AnyP::ProtocolType_str[transport.protocol],  s.toUrl(buf, sizeof(buf)));
    }

    if (!signPkey)
        debugs(3, DBG_IMPORTANT, "No SSL private key configured for  " << AnyP::ProtocolType_str[transport.protocol] << "_port " << s);

    Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey,
                               signingCert, signPkey);

    if (!untrustedSigningCert) {
        char buf[128];
        fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
    }

    if (crlfile)
        clientVerifyCrls.reset(Ssl::loadCrl(crlfile, sslContextFlags));

    if (clientca) {
        clientCA.reset(SSL_load_client_CA_file(clientca));
        if (clientCA.get() == NULL) {
            fatalf("Unable to read client CAs! from %s", clientca);
        }
    }

    contextMethod = Ssl::contextMethod(version);
    if (!contextMethod)
        fatalf("Unable to compute context method to use");

    if (dhfile)
        dhParams.reset(Ssl::readDHParams(dhfile));

    if (sslflags)
        sslContextFlags = Ssl::parse_flags(sslflags);

    sslOptions = Ssl::parse_options(options);

    staticSslContext.reset(sslCreateServerContext(*this));

    if (!staticSslContext) {
        char buf[128];
        fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol],  s.toUrl(buf, sizeof(buf)));
    }
}
#endif
Commit	Line	Data
bbc27441 AJ	1	/*
	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
f7f3304a	9	#include "squid.h"
65d448bc	10	#include "anyp/PortCfg.h"
cbff89ba	11	#include "comm.h"
eb6ac808	12	#include "fatal.h"
cb4f4424	13	#if USE_OPENSSL
f4e4d4d6 CT	14	#include "ssl/support.h"
f4e4d4d6 CT	15	#endif
1b26be8f	16
eb6ac808	17	#include <cstring>
eb6ac808	18	#include <limits>
eb6ac808	19
fa720bfb AJ	20	AnyP::PortCfgPointer HttpPortList;
	21	#if USE_OPENSSL
	22	AnyP::PortCfgPointer HttpsPortList;
	23	#endif
8ea0d847	24	AnyP::PortCfgPointer FtpPortList;
65d448bc AJ	25
	26	int NHttpSockets = 0;
	27	int HttpSockets[MAXTCPLISTENPORTS];
	28
eb6ac808	29	AnyP::PortCfg::PortCfg() :
f53969cc SM	30	next(),
	31	s(),
	32	transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc.
	33	name(NULL),
	34	defaultsite(NULL),
	35	flags(),
	36	allow_direct(false),
	37	vhost(false),
	38	actAsOrigin(false),
	39	ignore_cc(false),
	40	connection_auth_disabled(false),
	41	ftp_track_dirs(false),
	42	vport(0),
	43	disable_pmtu_discovery(0),
	44	listenConn()
cb4f4424	45	#if USE_OPENSSL
f53969cc SM	46	,cert(NULL),
	47	key(NULL),
	48	version(0),
	49	cipher(NULL),
	50	options(NULL),
	51	clientca(NULL),
	52	cafile(NULL),
	53	capath(NULL),
	54	crlfile(NULL),
	55	dhfile(NULL),
	56	sslflags(NULL),
	57	sslContextSessionId(NULL),
	58	generateHostCertificates(false),
	59	dynamicCertMemCacheSize(std::numeric_limits<size_t>::max()),
	60	staticSslContext(),
	61	signingCert(),
	62	signPkey(),
	63	certsToChain(),
	64	untrustedSigningCert(),
	65	untrustedSignPkey(),
	66	clientVerifyCrls(),
	67	clientCA(),
	68	dhParams(),
	69	contextMethod(),
	70	sslContextFlags(0),
	71	sslOptions(0)
1b26be8f	72	#endif
a97126cc AJ	73	{
	74	memset(&tcp_keepalive, 0, sizeof(tcp_keepalive));
	75	}
1b26be8f	76
65d448bc	77	AnyP::PortCfg::~PortCfg()
1b26be8f	78	{
8bbb16e3	79	if (Comm::IsConnOpen(listenConn)) {
00406b24	80	listenConn->close();
8bbb16e3	81	listenConn = NULL;
cbff89ba	82	}
04f55905	83
1b26be8f	84	safe_free(name);
1b26be8f	85	safe_free(defaultsite);
1b26be8f	86
cb4f4424	87	#if USE_OPENSSL
1b26be8f	88	safe_free(cert);
1b26be8f	89	safe_free(key);
1b26be8f	90	safe_free(cipher);
43cc65bb CT	91	safe_free(options);
43cc65bb CT	92	safe_free(clientca);
1b26be8f	93	safe_free(cafile);
1b26be8f	94	safe_free(capath);
43cc65bb	95	safe_free(crlfile);
1b26be8f	96	safe_free(dhfile);
1b26be8f	97	safe_free(sslflags);
95d2589c	98	safe_free(sslContextSessionId);
1b26be8f	99	#endif
1b26be8f	100	}
f4e4d4d6	101
fa720bfb	102	AnyP::PortCfgPointer
65d448bc AJ	103	AnyP::PortCfg::clone() const
65d448bc AJ	104	{
fa720bfb	105	AnyP::PortCfgPointer b = new AnyP::PortCfg();
65d448bc AJ	106	b->s = s;
	107	if (name)
	108	b->name = xstrdup(name);
	109	if (defaultsite)
	110	b->defaultsite = xstrdup(defaultsite);
	111
eb6ac808	112	b->transport = transport;
6a25a046	113	b->flags = flags;
65d448bc AJ	114	b->allow_direct = allow_direct;
65d448bc AJ	115	b->vhost = vhost;
65d448bc AJ	116	b->vport = vport;
65d448bc AJ	117	b->connection_auth_disabled = connection_auth_disabled;
e7ce227f	118	b->ftp_track_dirs = ftp_track_dirs;
65d448bc	119	b->disable_pmtu_discovery = disable_pmtu_discovery;
86ab7a90	120	b->tcp_keepalive = tcp_keepalive;
65d448bc AJ	121
65d448bc AJ	122	#if 0
e412456e	123	// TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
65d448bc	124
cb4f4424	125	#if USE_OPENSSL
65d448bc AJ	126	char *cert;
	127	char *key;
	128	int version;
	129	char *cipher;
	130	char *options;
	131	char *clientca;
	132	char *cafile;
	133	char *capath;
	134	char *crlfile;
	135	char *dhfile;
	136	char *sslflags;
	137	char *sslContextSessionId;
	138	SSL_CTX *sslContext;
	139	#endif
	140
	141	#endif /0/
	142
	143	return b;
	144	}
5ae65581	145
cb4f4424	146	#if USE_OPENSSL
04f0004e AJ	147	void
04f0004e AJ	148	AnyP::PortCfg::configureSslServerContext()
f4e4d4d6	149	{
f4e4d4d6 CT	150	if (cert)
	151	Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain, cert, key);
	152
	153	if (!signingCert) {
	154	char buf[128];
eb6ac808	155	fatalf("No valid signing SSL certificate configured for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
f4e4d4d6 CT	156	}
	157
	158	if (!signPkey)
eb6ac808	159	debugs(3, DBG_IMPORTANT, "No SSL private key configured for " << AnyP::ProtocolType_str[transport.protocol] << "_port " << s);
f4e4d4d6 CT	160
	161	Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey,
	162	signingCert, signPkey);
	163
	164	if (!untrustedSigningCert) {
	165	char buf[128];
eb6ac808	166	fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
f4e4d4d6	167	}
86660d64 CT	168
	169	if (crlfile)
	170	clientVerifyCrls.reset(Ssl::loadCrl(crlfile, sslContextFlags));
	171
	172	if (clientca) {
	173	clientCA.reset(SSL_load_client_CA_file(clientca));
	174	if (clientCA.get() == NULL) {
	175	fatalf("Unable to read client CAs! from %s", clientca);
	176	}
	177	}
	178
	179	contextMethod = Ssl::contextMethod(version);
	180	if (!contextMethod)
	181	fatalf("Unable to compute context method to use");
	182
	183	if (dhfile)
	184	dhParams.reset(Ssl::readDHParams(dhfile));
	185
	186	if (sslflags)
	187	sslContextFlags = Ssl::parse_flags(sslflags);
	188
	189	sslOptions = Ssl::parse_options(options);
	190
	191	staticSslContext.reset(sslCreateServerContext(*this));
	192
	193	if (!staticSslContext) {
	194	char buf[128];
eb6ac808	195	fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf)));
86660d64	196	}
f4e4d4d6 CT	197	}
f4e4d4d6 CT	198	#endif
f53969cc	199