9a2f63e7 | 1 | /* |
be75380c | 2 | * Copyright (C) 1996-2015 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #include "squid.h" | |
10 | #include "Debug.h" |
11 | #include "globals.h" | |
12 | #include "Parsing.h" | |
13 | #include "security/PeerOptions.h" |
14 | ||
15 | #if USE_OPENSSL | |
16 | #include "ssl/support.h" | |
17 | #endif | |
18 | ||
/// Global TLS/SSL client options object. NOTE(review): presumably the
/// default settings for outgoing (proxy-to-server) connections, filled in
/// through parse_securePeerOptions() below -- confirm against the
/// configuration parser that references it.
Security::PeerOptions Security::ProxyOutgoingConfig;
195f8adb | 20 | |
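/// Parse one `name=value` option token of a TLS/SSL client configuration and
/// store it in the matching member. Tokens accumulate across calls, so one
/// object is usually configured by a sequence of parse() calls.
///
/// \param token  a single NUL-terminated option token, e.g. "cert=/path/x.pem"
///
/// Security-relevant behaviour:
///  - cert= without a key= makes the certificate file double as the key file
///    (combined PEM). key= given before cert= is accepted with a warning and
///    the key file is then also used as the certificate file.
///  - An option name this parser does not know (a typo in cafile=, crlfile=,
///    flags=, ...) is now reported instead of being dropped silently, so that
///    peer-verification settings the administrator believes are in effect are
///    not quietly missing from the resulting context.
void
Security::PeerOptions::parse(const char *token)
{
    if (strncmp(token, "cert=", 5) == 0) {
        certFile = SBuf(token + 5);
        // combined certificate+key PEM: default the key file to the cert file
        if (privateKeyFile.isEmpty())
            privateKeyFile = certFile;
    } else if (strncmp(token, "key=", 4) == 0) {
        privateKeyFile = SBuf(token + 4);
        if (certFile.isEmpty()) {
            debugs(0, DBG_PARSE_NOTE(1), "WARNING: cert= option needs to be set before key= is used.");
            certFile = privateKeyFile;
        }
    } else if (strncmp(token, "version=", 8) == 0) {
        // NOTE(review): the value is not range-checked here; an unsupported
        // number is left for the context-creation code to reject -- confirm.
        sslVersion = xatoi(token + 8);
    } else if (strncmp(token, "options=", 8) == 0) {
        sslOptions = SBuf(token + 8);
#if USE_OPENSSL
        // Pre-parse SSL client options to be applied when the client SSL objects created.
        // Options must not used in the case of peek or stare bump mode.
        // XXX: performance regression. c_str() can reallocate
        parsedOptions = Ssl::parse_options(sslOptions.c_str());
#endif
    } else if (strncmp(token, "cipher=", 7) == 0) {
        sslCipher = SBuf(token + 7);
    } else if (strncmp(token, "cafile=", 7) == 0) {
        caFile = SBuf(token + 7);
    } else if (strncmp(token, "capath=", 7) == 0) {
        caDir = SBuf(token + 7);
    } else if (strncmp(token, "crlfile=", 8) == 0) {
        crlFile = SBuf(token + 8);
    } else if (strncmp(token, "flags=", 6) == 0) {
        sslFlags = SBuf(token + 6);
    } else if (strncmp(token, "domain=", 7) == 0) {
        sslDomain = SBuf(token + 7);
    } else {
        // Unknown tokens used to be ignored without a trace. A misspelled
        // verification option is a configuration error worth surfacing; it
        // stays non-fatal so existing configurations keep loading.
        debugs(0, DBG_PARSE_NOTE(1), "WARNING: unknown TLS/SSL option '" << token << "' ignored");
    }
}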
58 | ||
// XXX: make a GnuTLS variant
/// Build a client TLS context from the stored options.
///
/// \param setOptions  whether the raw options= string is handed to the context
///                    builder. Callers pass false where the options must not be
///                    applied (parse() notes this for peek/stare bump modes).
/// \returns the new context, or NULL when Squid is built without OpenSSL,
///          in which case the stored options are not used at all.
Security::ContextPointer
Security::PeerOptions::createContext(bool setOptions)
{
#if USE_OPENSSL
    // XXX: temporary performance regression. c_str() data copies and prevents this being a const method
    const char *rawOptions = setOptions ? sslOptions.c_str() : NULL;
    return sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
                                  rawOptions, sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
#else
    return NULL;
#endif
}
73 | |
/// Consume every remaining token of the current configuration directive and
/// hand each one to opt->parse(). opt is dereferenced as-is (assumed non-nil).
void
parse_securePeerOptions(Security::PeerOptions *opt)
{
    for (const char *tok = ConfigParser::NextToken(); tok; tok = ConfigParser::NextToken())
        opt->parse(tok);
}