[thirdparty/squid.git] / src / security / PeerOptions.h

/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H

#include "ConfigParser.h"
#include "SBuf.h"
#include "security/forward.h"

class Packable;

namespace Security
{

/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}
    PeerOptions(const PeerOptions &);
    virtual ~PeerOptions() = default;

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// reset the configuration details to default
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPtr createBlankContext() const;

    /// generate a security client-context from these configured options
    Security::ContextPtr createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    void updateTlsVersionLimits();

    /// setup the CA details for the given context
    void updateContextCa(Security::ContextPtr &);

    /// setup the CRL details for the given context
    void updateContextCrl(Security::ContextPtr &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    long parseOptions();
    long parseFlags();
    void loadCrlFile();

public:
    SBuf certFile;       ///< path of file containing PEM format X509 certificate
    SBuf privateKeyFile; ///< path of file containing private key in PEM format
    SBuf sslOptions;     ///< library-specific options string
    SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;        ///< path of file containing Certificate Revoke List

    SBuf sslCipher;
    SBuf sslFlags;       ///< flags defining what TLS operations Squid performs
    SBuf sslDomain;

    SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit

    long parsedOptions; ///< parsed value of sslOptions
    long parsedFlags;   ///< parsed value of sslFlags

    std::list<SBuf> caFiles;  ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

private:
    int sslVersion;

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() : noDefaultCa(false) {}

        /// do not use the system default Trusted CA when verifying the remote end certificate
        bool noDefaultCa;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport;
};

/// configuration options for DIRECT server access
extern PeerOptions ProxyOutgoingConfig;

} // namespace Security

// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)

#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
Commit	Line	Data
9a2f63e7	1	/*
be75380c	2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
9a2f63e7 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
cdfb670c AJ	9	#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
	10	#define SQUID_SRC_SECURITY_PEEROPTIONS_H
	11
195f8adb	12	#include "ConfigParser.h"
cdfb670c	13	#include "SBuf.h"
fcfdf7f9	14	#include "security/forward.h"
cdfb670c	15
8250ca31 AJ	16	class Packable;
8250ca31 AJ	17
cdfb670c AJ	18	namespace Security
	19	{
	20
1f1f29e8	21	/// TLS squid.conf settings for a remote server peer
cdfb670c AJ	22	class PeerOptions
	23	{
	24	public:
44a5e70a	25	PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}
9a622f3e	26	PeerOptions(const PeerOptions &);
474f076e	27	virtual ~PeerOptions() = default;
9a2f63e7	28
0b0e0864	29	/// parse a TLS squid.conf option
474f076e	30	virtual void parse(const char *);
0b0e0864	31
195f8adb	32	/// reset the configuration details to default
104deb98	33	virtual void clear() {*this = PeerOptions();}
195f8adb	34
885f0ecf AJ	35	/// generate an unset security context object
	36	virtual Security::ContextPtr createBlankContext() const;
	37
a465e144	38	/// generate a security client-context from these configured options
96993ee0	39	Security::ContextPtr createClientContext(bool setOptions);
cdfb670c	40
585c27eb AJ	41	/// sync the context options with tls-min-version=N configuration
585c27eb AJ	42	void updateTlsVersionLimits();
cdfb670c	43
86a84cc0	44	/// setup the CA details for the given context
96993ee0	45	void updateContextCa(Security::ContextPtr &);
86a84cc0	46
6b19d1f9	47	/// setup the CRL details for the given context
96993ee0	48	void updateContextCrl(Security::ContextPtr &);
6b19d1f9	49
8250ca31	50	/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
474f076e	51	virtual void dumpCfg(Packable , const char pfx) const;
8250ca31	52
c62717bd AJ	53	private:
c62717bd AJ	54	long parseOptions();
ec4defdb	55	long parseFlags();
6b19d1f9	56	void loadCrlFile();
c62717bd AJ	57
c62717bd AJ	58	public:
9a2f63e7 AJ	59	SBuf certFile; ///< path of file containing PEM format X509 certificate
	60	SBuf privateKeyFile; ///< path of file containing private key in PEM format
	61	SBuf sslOptions; ///< library-specific options string
1f1f29e8	62	SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
9a2f63e7 AJ	63	SBuf crlFile; ///< path of file containing Certificate Revoke List
9a2f63e7 AJ	64
9a2f63e7	65	SBuf sslCipher;
b24e9ae7	66	SBuf sslFlags; ///< flags defining what TLS operations Squid performs
9a2f63e7	67	SBuf sslDomain;
1f1f29e8	68
1cc44095 AJ	69	SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
1cc44095 AJ	70
36092741	71	long parsedOptions; ///< parsed value of sslOptions
b24e9ae7	72	long parsedFlags; ///< parsed value of sslFlags
36092741	73
86a84cc0	74	std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
6b19d1f9 AJ	75	Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
6b19d1f9 AJ	76
1cc44095	77	private:
1f1f29e8 AJ	78	int sslVersion;
1f1f29e8 AJ	79
8b253b83 AJ	80	/// flags governing Squid internal TLS operations
	81	struct flags_ {
	82	flags_() : noDefaultCa(false) {}
	83
	84	/// do not use the system default Trusted CA when verifying the remote end certificate
	85	bool noDefaultCa;
	86	} flags;
	87
1cc44095	88	public:
1f1f29e8 AJ	89	/// whether transport encryption (TLS/SSL) is to be used on connections to the peer
1f1f29e8 AJ	90	bool encryptTransport;
cdfb670c AJ	91	};
cdfb670c AJ	92
195f8adb	93	/// configuration options for DIRECT server access
7e62a74f	94	extern PeerOptions ProxyOutgoingConfig;
195f8adb	95
cdfb670c AJ	96	} // namespace Security
cdfb670c AJ	97
195f8adb	98	// parse the tls_outgoing_options directive
1f1f29e8	99	void parse_securePeerOptions(Security::PeerOptions *);
7e62a74f	100	#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
8250ca31	101	#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
195f8adb	102
cdfb670c	103	#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
be75380c	104