/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
8 | ||
9 | #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H |
10 | #define SQUID_SRC_SECURITY_PEEROPTIONS_H | |
#include "ConfigParser.h"
#include "SBuf.h"
#include "security/forward.h"

#include <list>
class Packable; ///< output sink written to by dumpCfg() and the dump_securePeerOptions macro below
18 | namespace Security |
19 | { | |
/// TLS squid.conf settings for a remote server peer.
///
/// Holds the option strings as configured (certFile, sslOptions, sslFlags, ...)
/// next to their parsed forms (parsedOptions, parsedFlags, parsedCrl) and offers
/// helpers that apply them to a Security::ContextPtr. Most data members are
/// deliberately public; the private section is parsing state and policy flags.
/// caFiles is a std::list, so this header needs <list>.
class PeerOptions
{
public:
    /// every scalar member starts out zero/false; the SBuf strings, caFiles,
    /// parsedCrl and flags rely on their own default constructors
    PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}

    /// user-declared copy constructor, defined out of line.
    /// NOTE(review): no copy-assignment operator is declared, so assignments
    /// (including the one inside clear()) use the implicitly generated memberwise
    /// copy — confirm that is consistent with whatever this constructor does.
    PeerOptions(const PeerOptions &);

    /// virtual because parse(), clear(), createBlankContext() and dumpCfg() are overridable
    virtual ~PeerOptions() = default;

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// reset the configuration details to default by assigning a freshly
    /// default-constructed PeerOptions. Only the members declared in this class
    /// are reset, so a class that overrides the virtuals and adds its own state
    /// has to override clear() as well.
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPtr createBlankContext() const;

    /// generate a security client-context from these configured options.
    /// \param setOptions NOTE(review): presumably selects whether the parsed
    ///        options/flags are applied to the new context — confirm in the definition
    Security::ContextPtr createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration (see tlsMinVersion)
    void updateTlsVersionLimits();

    /// setup the CA details for the given context
    /// (presumably from caFiles, caDir and the flags.noDefaultCa policy — confirm in the definition)
    void updateContextCa(Security::ContextPtr &);

    /// setup the CRL details for the given context (see crlFile / parsedCrl)
    void updateContextCrl(Security::ContextPtr &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    /// presumably the producer of parsedOptions from sslOptions — confirm in the definition
    long parseOptions();
    /// presumably the producer of parsedFlags from sslFlags — confirm in the definition
    long parseFlags();
    /// presumably reads crlFile into parsedCrl — confirm in the definition
    void loadCrlFile();

public:
    SBuf certFile;       ///< path of file containing PEM format X509 certificate
    SBuf privateKeyFile; ///< path of file containing private key in PEM format
    SBuf sslOptions;     ///< library-specific options string
    SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;        ///< path of file containing Certificate Revoke List

    SBuf sslCipher;      ///< configured cipher selection string
    SBuf sslFlags;       ///< flags defining what TLS operations Squid performs
    SBuf sslDomain;      ///< configured peer domain name; NOTE(review): presumably used for certificate name checks — confirm

    SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit

    long parsedOptions; ///< parsed value of sslOptions
    long parsedFlags;   ///< parsed value of sslFlags

    std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

private:
    int sslVersion; ///< numeric protocol version selection; 0 (the constructor default) presumably means "not configured"

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() : noDefaultCa(false) {}

        /// do not use the system default Trusted CA when verifying the remote end certificate
        /// (false, the default, presumably means the system store is trusted in addition to caFiles/caDir)
        bool noDefaultCa;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    /// (false by default, see the constructor)
    bool encryptTransport;
};
/// configuration options for DIRECT server access (the tls_outgoing_options directive);
/// the free_securePeerOptions() hook below resets this single global object
extern PeerOptions ProxyOutgoingConfig;
96 | } // namespace Security |
/// parse the tls_outgoing_options directive into the given options object
void parse_securePeerOptions(Security::PeerOptions *);
/// companion "free" hook: ignores its argument x and resets the global
/// Security::ProxyOutgoingConfig instead. NOTE(review): confirm no other
/// PeerOptions instance is ever registered with this hook.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
/// companion "dump" hook: writes the directive name n, then the settings of x
/// via dumpCfg() with an empty prefix, then a newline, into Packable e.
/// NOTE(review): n is passed to appendf() as the format string, so it must be
/// a trusted constant, never configuration- or request-derived text.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
cdfb670c | 103 | #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */ |