474f076e | 1 | /* |
bf95c10a | 2 | * Copyright (C) 1996-2022 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H | |
10 | #define SQUID_SRC_SECURITY_SERVEROPTIONS_H | |
11 | ||
c75aba02 | 12 | #include "anyp/forward.h" |
474f076e | 13 | #include "security/PeerOptions.h" |
14 | #if USE_OPENSSL |
15 | #include "compat/openssl.h" | |
16 | #if HAVE_OPENSSL_X509_H | |
17 | #include <openssl/x509.h> | |
18 | #endif | |
19 | #endif | |
20 | |
21 | namespace Security | |
22 | { | |
23 | ||
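/// TLS squid.conf settings for a listening port.
/// Extends Security::PeerOptions with the server-side state declared below
/// (static context, signing CAs, client-CA verification data, DH settings).
class ServerOptions : public PeerOptions
{
public:
#if USE_OPENSSL
    sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
    typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
#endif

    ServerOptions() : PeerOptions() {
        // Bug 4005: dynamic contexts use a lot of memory and it
        // is more secure to have only a small set of trusted CA.
        flags.tlsDefaultCa.defaultTo(false);
    }
    /// copy: delegates to the default constructor first so the Bug 4005
    /// default above is applied before the assignment overwrites state
    ServerOptions(const ServerOptions &o): ServerOptions() { *this = o; }
    ServerOptions &operator =(const ServerOptions &);
    /// move: implemented as a copy (the named rvalue reference `o` is an
    /// lvalue, so the call resolves to the copy-assignment operator).
    /// Delegates to ServerOptions() for the same reason as the copy
    /// constructor, so both constructors apply the Bug 4005 default.
    ServerOptions(ServerOptions &&o) : ServerOptions() { this->operator =(o); }
    ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
    virtual ~ServerOptions() = default;

    /* Security::PeerOptions API */
    virtual void parse(const char *);
    /// reset to a freshly default-constructed state (re-applies the Bug 4005 default)
    virtual void clear() {*this = ServerOptions();}
    virtual Security::ContextPointer createBlankContext() const;
    virtual void dumpCfg(Packable *, const char *pfx) const;

    /// initialize all server contexts as-needed and load PEM files.
    /// if none can be created this may do nothing.
    void initServerContexts(AnyP::PortCfg &);

    /// update the given TLS security context using squid.conf settings
    bool updateContextConfig(Security::ContextPointer &);

    /// update the context with DH, EDH, EECDH settings
    void updateContextEecdh(Security::ContextPointer &);

    /// update the context with CA details used to verify client certificates
    void updateContextClientCa(Security::ContextPointer &);

    /// update the context with a configured session ID (if any)
    void updateContextSessionId(Security::ContextPointer &);

    /// sync the various sources of CA files to be loaded
    void syncCaFiles();

public:
    /// TLS context to use for HTTPS accelerator or static SSL-Bump
    Security::ContextPointer staticContext;
    SBuf staticContextSessionId; ///< "session id context" for staticContext

#if USE_OPENSSL
    bool generateHostCertificates = true; ///< dynamically make host cert
#elif USE_GNUTLS
    // TODO: GnuTLS does implement TLS server connections so the cert
    // generate vs static choice can be reached in the code now.
    // But this feature is not fully working implemented so must not
    // be enabled by default for production installations.
    bool generateHostCertificates = false; ///< dynamically make host cert
#else
    // same as OpenSSL so config errors show up easily
    bool generateHostCertificates = true; ///< dynamically make host cert
#endif

    Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
    Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates

    /// max size of generated certificates memory cache (4 MB default)
    size_t dynamicCertMemCacheSize = 4*1024*1024;

private:
    /// NOTE(review): presumably loads clientCaFile into clientCaStack;
    /// the definition is out of view here, so confirm against the .cc file
    bool loadClientCaFile();
    /// NOTE(review): presumably loads dhParamsFile into parsedDhParams;
    /// definition is out of view here
    void loadDhParams();

    /// generate a security server-context from these configured options
    /// the resulting context is stored in staticContext
    /// \returns true if a context could be created
    bool createStaticServerContext(AnyP::PortCfg &);

    /// initialize contexts for signing dynamic TLS certificates (if needed)
    /// the resulting keys are stored in signingCa and untrustedSigningCa
    void createSigningContexts(const AnyP::PortCfg &);

private:
    SBuf clientCaFile; ///< name of file to load client CAs from
#if USE_OPENSSL
    /// CA certificate(s) to use when verifying client certificates
    X509_NAME_STACK_Pointer clientCaStack;
#else
    void *clientCaStack = nullptr; ///< placeholder; no client-CA stack type without OpenSSL
#endif

    SBuf dh; ///< Diffie-Hellman cipher config
    SBuf dhParamsFile; ///< Diffie-Hellman ciphers parameter file
    SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges

    Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
};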
121 | ||
122 | } // namespace Security | |
123 | ||
124 | #endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */ | |