[thirdparty/squid.git] / src / security / PeerOptions.h

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H

#include "base/YesNoNone.h"
#include "ConfigParser.h"
#include "security/Context.h"
#include "security/forward.h"
#include "security/KeyData.h"
#include "security/Session.h"

class Packable;

namespace Security
{

/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() {}

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// parse and verify the [tls-]options= string in sslOptions
    void parseOptions();

    /// reset the configuration details to default
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPointer createBlankContext() const;

    /// generate a security client-context from these configured options
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &);

    /// setup the NPN extension details for the given context
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details for the given context
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    void updateContextCrl(Security::ContextPointer &);

    /// decide which CAs to trust
    void updateContextTrust(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(std::ostream &, const char *pfx) const;

private:
    ParsedPortFlags parseFlags();
    void loadCrlFile();
    void loadKeysFile();

public:
    SBuf sslOptions;     ///< library-specific options string
    SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;        ///< path of file containing Certificate Revoke List

    SBuf sslCipher;
    SBuf sslFlags;       ///< flags defining what TLS operations Squid performs
    SBuf sslDomain;

    SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit

private:
    /// Library-specific options string generated from tlsMinVersion.
    /// Call updateTlsVersionLimits() to regenerate this string.
    SBuf tlsMinOptions;

    /// Parsed value of sslOptions + tlsMinOptions settings.
    /// Set optsReparse=true to have this re-parsed before next use.
    Security::ParsedOptions parsedOptions;

    /// whether parsedOptions content needs to be regenerated
    bool optsReparse = true;

public:
    ParsedPortFlags parsedFlags = 0; ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles;  ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
        return ContextPointer(ctx, [](SSL_CTX *p) {
            debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
            SSL_CTX_free(p);
        });
#elif HAVE_LIBGNUTLS
        debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
            gnutls_certificate_free_credentials(p);
        });
#else
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    int sslVersion = 0;

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() : tlsDefaultCa(true), tlsNpn(true) {}
        flags_(const flags_ &) = default;
        flags_ &operator =(const flags_ &) = default;

        /// whether to use the system default Trusted CA when verifying the remote end certificate
        YesNoNone tlsDefaultCa;

        /// whether to use the TLS NPN extension on these connections
        bool tlsNpn;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};

// XXX: Remove this shim after upgrading legacy code to store PeerContext
// objects instead of disjoint PeerOptons and Context objects (where PeerContext
// is a class that creates and manages {PeerOptions, ContextPointer} pair).
/// A combination of PeerOptions and the corresponding Context.
class FuturePeerContext
{
public:
    FuturePeerContext(PeerOptions &o, const ContextPointer &c): options(o), raw(c) {}

    PeerOptions &options; ///< TLS context configuration
    const ContextPointer &raw; ///< TLS context configured using options
};

/// configuration options for DIRECT server access
PeerOptions &ProxyOutgoingConfig();

} // namespace Security

// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)

#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
Commit	Line	Data
	1	/*
	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
	10	#define SQUID_SRC_SECURITY_PEEROPTIONS_H
	11
	12	#include "base/YesNoNone.h"
	13	#include "ConfigParser.h"
	14	#include "security/Context.h"
	15	#include "security/forward.h"
	16	#include "security/KeyData.h"
	17	#include "security/Session.h"
	18
	19	class Packable;
	20
	21	namespace Security
	22	{
	23
	24	/// TLS squid.conf settings for a remote server peer
	25	class PeerOptions
	26	{
	27	public:
	28	PeerOptions();
	29	PeerOptions(const PeerOptions &) = default;
	30	PeerOptions &operator =(const PeerOptions &) = default;
	31	PeerOptions(PeerOptions &&) = default;
	32	PeerOptions &operator =(PeerOptions &&) = default;
	33	virtual ~PeerOptions() {}
	34
	35	/// parse a TLS squid.conf option
	36	virtual void parse(const char *);
	37
	38	/// parse and verify the [tls-]options= string in sslOptions
	39	void parseOptions();
	40
	41	/// reset the configuration details to default
	42	virtual void clear() {*this = PeerOptions();}
	43
	44	/// generate an unset security context object
	45	virtual Security::ContextPointer createBlankContext() const;
	46
	47	/// generate a security client-context from these configured options
	48	Security::ContextPointer createClientContext(bool setOptions);
	49
	50	/// sync the context options with tls-min-version=N configuration
	51	void updateTlsVersionLimits();
	52
	53	/// Setup the library specific 'options=' parameters for the given context.
	54	void updateContextOptions(Security::ContextPointer &);
	55
	56	/// setup the NPN extension details for the given context
	57	void updateContextNpn(Security::ContextPointer &);
	58
	59	/// setup the CA details for the given context
	60	void updateContextCa(Security::ContextPointer &);
	61
	62	/// setup the CRL details for the given context
	63	void updateContextCrl(Security::ContextPointer &);
	64
	65	/// decide which CAs to trust
	66	void updateContextTrust(Security::ContextPointer &);
	67
	68	/// setup any library-specific options that can be set for the given session
	69	void updateSessionOptions(Security::SessionPointer &);
	70
	71	/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
	72	virtual void dumpCfg(std::ostream &, const char *pfx) const;
	73
	74	private:
	75	ParsedPortFlags parseFlags();
	76	void loadCrlFile();
	77	void loadKeysFile();
	78
	79	public:
	80	SBuf sslOptions; ///< library-specific options string
	81	SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
	82	SBuf crlFile; ///< path of file containing Certificate Revoke List
	83
	84	SBuf sslCipher;
	85	SBuf sslFlags; ///< flags defining what TLS operations Squid performs
	86	SBuf sslDomain;
	87
	88	SBuf tlsMinVersion; ///< version label for minimum TLS version to permit
	89
	90	private:
	91	/// Library-specific options string generated from tlsMinVersion.
	92	/// Call updateTlsVersionLimits() to regenerate this string.
	93	SBuf tlsMinOptions;
	94
	95	/// Parsed value of sslOptions + tlsMinOptions settings.
	96	/// Set optsReparse=true to have this re-parsed before next use.
	97	Security::ParsedOptions parsedOptions;
	98
	99	/// whether parsedOptions content needs to be regenerated
	100	bool optsReparse = true;
	101
	102	public:
	103	ParsedPortFlags parsedFlags = 0; ///< parsed value of sslFlags
	104
	105	std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
	106	std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
	107	Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
	108
	109	protected:
	110	template<typename T>
	111	Security::ContextPointer convertContextFromRawPtr(T ctx) const {
	112	#if USE_OPENSSL
	113	debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
	114	return ContextPointer(ctx, [](SSL_CTX *p) {
	115	debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
	116	SSL_CTX_free(p);
	117	});
	118	#elif HAVE_LIBGNUTLS
	119	debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
	120	return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
	121	debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
	122	gnutls_certificate_free_credentials(p);
	123	});
	124	#else
	125	assert(!ctx);
	126	return Security::ContextPointer();
	127	#endif
	128	}
	129
	130	int sslVersion = 0;
	131
	132	/// flags governing Squid internal TLS operations
	133	struct flags_ {
	134	flags_() : tlsDefaultCa(true), tlsNpn(true) {}
	135	flags_(const flags_ &) = default;
	136	flags_ &operator =(const flags_ &) = default;
	137
	138	/// whether to use the system default Trusted CA when verifying the remote end certificate
	139	YesNoNone tlsDefaultCa;
	140
	141	/// whether to use the TLS NPN extension on these connections
	142	bool tlsNpn;
	143	} flags;
	144
	145	public:
	146	/// whether transport encryption (TLS/SSL) is to be used on connections to the peer
	147	bool encryptTransport = false;
	148	};
	149
	150	// XXX: Remove this shim after upgrading legacy code to store PeerContext
	151	// objects instead of disjoint PeerOptons and Context objects (where PeerContext
	152	// is a class that creates and manages {PeerOptions, ContextPointer} pair).
	153	/// A combination of PeerOptions and the corresponding Context.
	154	class FuturePeerContext
	155	{
	156	public:
	157	FuturePeerContext(PeerOptions &o, const ContextPointer &c): options(o), raw(c) {}
	158
	159	PeerOptions &options; ///< TLS context configuration
	160	const ContextPointer &raw; ///< TLS context configured using options
	161	};
	162
	163	/// configuration options for DIRECT server access
	164	PeerOptions &ProxyOutgoingConfig();
	165
	166	} // namespace Security
	167
	168	// parse the tls_outgoing_options directive
	169	void parse_securePeerOptions(Security::PeerOptions *);
	170	#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
	171	#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)
	172
	173	#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
	174