[thirdparty/squid.git] / src / security / PeerOptions.cc

/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "Debug.h"
#include "globals.h"
#include "Parsing.h"
#include "security/PeerOptions.h"

#if USE_OPENSSL
#include "ssl/support.h"
#endif

Security::PeerOptions Security::ProxyOutgoingConfig;

void
Security::PeerOptions::parse(const char *token)
{
    if (strncmp(token, "cert=", 5) == 0) {
        certFile = SBuf(token + 5);
        if (privateKeyFile.isEmpty())
            privateKeyFile = certFile;
    } else if (strncmp(token, "key=", 4) == 0) {
        privateKeyFile = SBuf(token + 4);
        if (certFile.isEmpty()) {
            debugs(0, DBG_PARSE_NOTE(1), "WARNING: cert= option needs to be set before key= is used.");
            certFile = privateKeyFile;
        }
    } else if (strncmp(token, "version=", 8) == 0) {
        sslVersion = xatoi(token + 8);
    } else if (strncmp(token, "options=", 8) == 0) {
        sslOptions = SBuf(token + 8);
#if USE_OPENSSL
        // Pre-parse SSL client options to be applied when the client SSL objects created.
        // Options must not used in the case of peek or stare bump mode.
        // XXX: performance regression. c_str() can reallocate
        parsedOptions = Ssl::parse_options(sslOptions.c_str());
#endif
    } else if (strncmp(token, "cipher=", 7) == 0) {
        sslCipher = SBuf(token + 7);
    } else if (strncmp(token, "cafile=", 7) == 0) {
        caFile = SBuf(token + 7);
    } else if (strncmp(token, "capath=", 7) == 0) {
        caDir = SBuf(token + 7);
    } else if (strncmp(token, "crlfile=", 8) == 0) {
        crlFile = SBuf(token + 8);
    } else if (strncmp(token, "flags=", 6) == 0) {
        sslFlags = SBuf(token + 6);
    } else if (strncmp(token, "domain=", 7) == 0) {
        sslDomain = SBuf(token + 7);
    }
}

// XXX: make a GnuTLS variant
Security::ContextPointer
Security::PeerOptions::createContext(bool setOptions)
{
    Security::ContextPointer t = NULL;

#if USE_OPENSSL
    // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
    t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
                               (setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
#endif

    return t;
}

void
parse_securePeerOptions(Security::PeerOptions *opt)
{
    while(const char *token = ConfigParser::NextToken())
        opt->parse(token);
}
Commit	Line	Data
9a2f63e7	1	/*
be75380c	2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
9a2f63e7 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#include "squid.h"
0b0e0864 AJ	10	#include "Debug.h"
	11	#include "globals.h"
	12	#include "Parsing.h"
9a2f63e7 AJ	13	#include "security/PeerOptions.h"
	14
	15	#if USE_OPENSSL
	16	#include "ssl/support.h"
	17	#endif
	18
7e62a74f	19	Security::PeerOptions Security::ProxyOutgoingConfig;
195f8adb	20
0b0e0864 AJ	21	void
	22	Security::PeerOptions::parse(const char *token)
	23	{
	24	if (strncmp(token, "cert=", 5) == 0) {
	25	certFile = SBuf(token + 5);
1f1f29e8 AJ	26	if (privateKeyFile.isEmpty())
1f1f29e8 AJ	27	privateKeyFile = certFile;
0b0e0864 AJ	28	} else if (strncmp(token, "key=", 4) == 0) {
	29	privateKeyFile = SBuf(token + 4);
	30	if (certFile.isEmpty()) {
	31	debugs(0, DBG_PARSE_NOTE(1), "WARNING: cert= option needs to be set before key= is used.");
	32	certFile = privateKeyFile;
	33	}
	34	} else if (strncmp(token, "version=", 8) == 0) {
	35	sslVersion = xatoi(token + 8);
	36	} else if (strncmp(token, "options=", 8) == 0) {
	37	sslOptions = SBuf(token + 8);
36092741 AJ	38	#if USE_OPENSSL
	39	// Pre-parse SSL client options to be applied when the client SSL objects created.
	40	// Options must not used in the case of peek or stare bump mode.
	41	// XXX: performance regression. c_str() can reallocate
	42	parsedOptions = Ssl::parse_options(sslOptions.c_str());
	43	#endif
0b0e0864 AJ	44	} else if (strncmp(token, "cipher=", 7) == 0) {
	45	sslCipher = SBuf(token + 7);
	46	} else if (strncmp(token, "cafile=", 7) == 0) {
	47	caFile = SBuf(token + 7);
	48	} else if (strncmp(token, "capath=", 7) == 0) {
	49	caDir = SBuf(token + 7);
	50	} else if (strncmp(token, "crlfile=", 8) == 0) {
	51	crlFile = SBuf(token + 8);
	52	} else if (strncmp(token, "flags=", 6) == 0) {
	53	sslFlags = SBuf(token + 6);
	54	} else if (strncmp(token, "domain=", 7) == 0) {
	55	sslDomain = SBuf(token + 7);
	56	}
	57	}
	58
9a2f63e7 AJ	59	// XXX: make a GnuTLS variant
9a2f63e7 AJ	60	Security::ContextPointer
36092741	61	Security::PeerOptions::createContext(bool setOptions)
9a2f63e7 AJ	62	{
	63	Security::ContextPointer t = NULL;
	64
9a2f63e7	65	#if USE_OPENSSL
1f1f29e8	66	// XXX: temporary performance regression. c_str() data copies and prevents this being a const method
9a2f63e7	67	t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
be75380c	68	(setOptions ? sslOptions.c_str() : NULL), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
9a2f63e7	69	#endif
36092741	70
9a2f63e7 AJ	71	return t;
9a2f63e7 AJ	72	}
1f1f29e8 AJ	73
	74	void
	75	parse_securePeerOptions(Security::PeerOptions *opt)
	76	{
	77	while(const char *token = ConfigParser::NextToken())
	78	opt->parse(token);
	79	}
	80