[thirdparty/squid.git] / src / security / PeerOptions.h

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H

#include "base/YesNoNone.h"
#include "ConfigParser.h"
#include "security/Context.h"
#include "security/forward.h"
#include "security/KeyData.h"
#include "security/Session.h"

class Packable;

namespace Security
{

/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() {}

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// parse and verify the [tls-]options= string in sslOptions
    void parseOptions();

    /// reset the configuration details to default
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPointer createBlankContext() const;

    /// generate a security client-context from these configured options
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &);

    /// setup the NPN extension details for the given context
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details for the given context
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    void updateContextCrl(Security::ContextPointer &);

    /// decide which CAs to trust
    void updateContextTrust(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(std::ostream &, const char *pfx) const;

private:
    ParsedPortFlags parseFlags();
    void loadCrlFile();
    void loadKeysFile();

public:
    SBuf sslOptions;     ///< library-specific options string
    SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;        ///< path of file containing Certificate Revoke List

    SBuf sslCipher;
    SBuf sslFlags;       ///< flags defining what TLS operations Squid performs
    SBuf sslDomain;

    SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit

private:
    /// Library-specific options string generated from tlsMinVersion.
    /// Call updateTlsVersionLimits() to regenerate this string.
    SBuf tlsMinOptions;

    /// Parsed value of sslOptions + tlsMinOptions settings.
    /// Set optsReparse=true to have this re-parsed before next use.
    Security::ParsedOptions parsedOptions;

    /// whether parsedOptions content needs to be regenerated
    bool optsReparse = true;

public:
    ParsedPortFlags parsedFlags = 0; ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles;  ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
        return ContextPointer(ctx, [](SSL_CTX *p) {
            debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
            SSL_CTX_free(p);
        });
#elif HAVE_LIBGNUTLS
        debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
            gnutls_certificate_free_credentials(p);
        });
#else
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    int sslVersion = 0;

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() : tlsDefaultCa(true), tlsNpn(true) {}
        flags_(const flags_ &) = default;
        flags_ &operator =(const flags_ &) = default;

        /// whether to use the system default Trusted CA when verifying the remote end certificate
        YesNoNone tlsDefaultCa;

        /// whether to use the TLS NPN extension on these connections
        bool tlsNpn;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};

// XXX: Remove this shim after upgrading legacy code to store PeerContext
// objects instead of disjoint PeerOptons and Context objects (where PeerContext
// is a class that creates and manages {PeerOptions, ContextPointer} pair).
/// A combination of PeerOptions and the corresponding Context.
class FuturePeerContext
{
public:
    FuturePeerContext(PeerOptions &o, const ContextPointer &c): options(o), raw(c) {}

    PeerOptions &options; ///< TLS context configuration
    const ContextPointer &raw; ///< TLS context configured using options
};

/// configuration options for DIRECT server access
PeerOptions &ProxyOutgoingConfig();

} // namespace Security

// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)

#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
Commit	Line	Data
9a2f63e7	1	/*
1f7b830e	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
9a2f63e7 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
cdfb670c AJ	9	#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
	10	#define SQUID_SRC_SECURITY_PEEROPTIONS_H
	11
435c72b0	12	#include "base/YesNoNone.h"
195f8adb	13	#include "ConfigParser.h"
a7b75c64	14	#include "security/Context.h"
983fab6e	15	#include "security/forward.h"
d1d72d43	16	#include "security/KeyData.h"
a7b75c64	17	#include "security/Session.h"
cdfb670c	18
8250ca31 AJ	19	class Packable;
8250ca31 AJ	20
cdfb670c AJ	21	namespace Security
	22	{
	23
1f1f29e8	24	/// TLS squid.conf settings for a remote server peer
cdfb670c AJ	25	class PeerOptions
	26	{
	27	public:
d7208dbc	28	PeerOptions();
3d32a1b2 AJ	29	PeerOptions(const PeerOptions &) = default;
3d32a1b2 AJ	30	PeerOptions &operator =(const PeerOptions &) = default;
33de409e AJ	31	PeerOptions(PeerOptions &&) = default;
33de409e AJ	32	PeerOptions &operator =(PeerOptions &&) = default;
cc488ec9	33	virtual ~PeerOptions() {}
9a2f63e7	34
0b0e0864	35	/// parse a TLS squid.conf option
474f076e	36	virtual void parse(const char *);
0b0e0864	37
151644b7 AJ	38	/// parse and verify the [tls-]options= string in sslOptions
	39	void parseOptions();
	40
195f8adb	41	/// reset the configuration details to default
104deb98	42	virtual void clear() {*this = PeerOptions();}
195f8adb	43
885f0ecf	44	/// generate an unset security context object
64769c79	45	virtual Security::ContextPointer createBlankContext() const;
885f0ecf	46
a465e144	47	/// generate a security client-context from these configured options
900daee3	48	Security::ContextPointer createClientContext(bool setOptions);
cdfb670c	49
585c27eb AJ	50	/// sync the context options with tls-min-version=N configuration
585c27eb AJ	51	void updateTlsVersionLimits();
cdfb670c	52
cf487124	53	/// Setup the library specific 'options=' parameters for the given context.
2aa5a7d3	54	void updateContextOptions(Security::ContextPointer &);
cf487124	55
b05d749d	56	/// setup the NPN extension details for the given context
64769c79	57	void updateContextNpn(Security::ContextPointer &);
b05d749d	58
86a84cc0	59	/// setup the CA details for the given context
b23f5f9c	60	void updateContextCa(Security::ContextPointer &);
86a84cc0	61
6b19d1f9	62	/// setup the CRL details for the given context
b23f5f9c	63	void updateContextCrl(Security::ContextPointer &);
6b19d1f9	64
98f951b7 AR	65	/// decide which CAs to trust
	66	void updateContextTrust(Security::ContextPointer &);
	67
cc488ec9 AJ	68	/// setup any library-specific options that can be set for the given session
	69	void updateSessionOptions(Security::SessionPointer &);
	70
8250ca31	71	/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
90153ed6	72	virtual void dumpCfg(std::ostream &, const char *pfx) const;
8250ca31	73
c62717bd	74	private:
983fab6e	75	ParsedPortFlags parseFlags();
6b19d1f9	76	void loadCrlFile();
51e09c08	77	void loadKeysFile();
c62717bd AJ	78
c62717bd AJ	79	public:
9a2f63e7	80	SBuf sslOptions; ///< library-specific options string
1f1f29e8	81	SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
9a2f63e7 AJ	82	SBuf crlFile; ///< path of file containing Certificate Revoke List
9a2f63e7 AJ	83
9a2f63e7	84	SBuf sslCipher;
b24e9ae7	85	SBuf sslFlags; ///< flags defining what TLS operations Squid performs
9a2f63e7	86	SBuf sslDomain;
1f1f29e8	87
1cc44095 AJ	88	SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
1cc44095 AJ	89
b491f761	90	private:
5dc9fd64 AJ	91	/// Library-specific options string generated from tlsMinVersion.
	92	/// Call updateTlsVersionLimits() to regenerate this string.
	93	SBuf tlsMinOptions;
	94
	95	/// Parsed value of sslOptions + tlsMinOptions settings.
	96	/// Set optsReparse=true to have this re-parsed before next use.
2aa5a7d3 AJ	97	Security::ParsedOptions parsedOptions;
	98
	99	/// whether parsedOptions content needs to be regenerated
	100	bool optsReparse = true;
	101
b491f761	102	public:
983fab6e	103	ParsedPortFlags parsedFlags = 0; ///< parsed value of sslFlags
36092741	104
d1d72d43	105	std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
86a84cc0	106	std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
6b19d1f9 AJ	107	Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
6b19d1f9 AJ	108
435c72b0	109	protected:
df473b36 AJ	110	template<typename T>
	111	Security::ContextPointer convertContextFromRawPtr(T ctx) const {
	112	#if USE_OPENSSL
60fcfadf	113	debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
df473b36	114	return ContextPointer(ctx, [](SSL_CTX *p) {
60fcfadf	115	debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
df473b36 AJ	116	SSL_CTX_free(p);
df473b36 AJ	117	});
c813943d	118	#elif HAVE_LIBGNUTLS
60fcfadf	119	debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
df473b36	120	return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
be3d8bb0	121	debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
df473b36 AJ	122	gnutls_certificate_free_credentials(p);
	123	});
	124	#else
	125	assert(!ctx);
	126	return Security::ContextPointer();
	127	#endif
	128	}
	129
cc488ec9	130	int sslVersion = 0;
1f1f29e8	131
8b253b83 AJ	132	/// flags governing Squid internal TLS operations
8b253b83 AJ	133	struct flags_ {
b2cd014b	134	flags_() : tlsDefaultCa(true), tlsNpn(true) {}
c17dcc9a AJ	135	flags_(const flags_ &) = default;
c17dcc9a AJ	136	flags_ &operator =(const flags_ &) = default;
8b253b83	137
b2cd014b	138	/// whether to use the system default Trusted CA when verifying the remote end certificate
435c72b0	139	YesNoNone tlsDefaultCa;
b05d749d AJ	140
	141	/// whether to use the TLS NPN extension on these connections
	142	bool tlsNpn;
8b253b83 AJ	143	} flags;
8b253b83 AJ	144
1cc44095	145	public:
1f1f29e8	146	/// whether transport encryption (TLS/SSL) is to be used on connections to the peer
cc488ec9	147	bool encryptTransport = false;
cdfb670c AJ	148	};
cdfb670c AJ	149
908634e8 AR	150	// XXX: Remove this shim after upgrading legacy code to store PeerContext
	151	// objects instead of disjoint PeerOptons and Context objects (where PeerContext
	152	// is a class that creates and manages {PeerOptions, ContextPointer} pair).
	153	/// A combination of PeerOptions and the corresponding Context.
	154	class FuturePeerContext
	155	{
	156	public:
	157	FuturePeerContext(PeerOptions &o, const ContextPointer &c): options(o), raw(c) {}
	158
	159	PeerOptions &options; ///< TLS context configuration
	160	const ContextPointer &raw; ///< TLS context configured using options
	161	};
	162
195f8adb	163	/// configuration options for DIRECT server access
9e779e40	164	PeerOptions &ProxyOutgoingConfig();
195f8adb	165
cdfb670c AJ	166	} // namespace Security
cdfb670c AJ	167
195f8adb	168	// parse the tls_outgoing_options directive
1f1f29e8	169	void parse_securePeerOptions(Security::PeerOptions *);
9e779e40	170	#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
90153ed6	171	#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)
195f8adb	172
cdfb670c	173	#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
be75380c	174