1 /*
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #include "squid.h"
10 #include "anyp/PortCfg.h"
11 #include "comm.h"
12 #include "fatal.h"
13 #include "security/PeerOptions.h"
14 #if USE_OPENSSL
15 #include "ssl/support.h"
16 #endif
17
18 #include <cstring>
19 #include <limits>
20
/// Head of the configured HTTP listening port list (presumably chained through PortCfg::next — confirm in PortCfg.h).
AnyP::PortCfgPointer HttpPortList;
/// Head of the configured FTP listening port list.
AnyP::PortCfgPointer FtpPortList;

/// Number of entries currently used in HttpSockets[].
int NHttpSockets = 0;
/// Listening socket descriptors; MAXTCPLISTENPORTS bounds how many ports can be opened.
int HttpSockets[MAXTCPLISTENPORTS];
26
/// Builds a port configuration with every option at its compiled-in default.
/// Owned C strings start as NULL so the destructor's safe_free() calls are always valid.
AnyP::PortCfg::PortCfg() :
    next(),
    s(),
    transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc. (the 1,1 is presumably the protocol version — confirm)
    name(NULL),
    defaultsite(NULL),
    flags(),
    allow_direct(false),
    vhost(false),
    actAsOrigin(false),
    ignore_cc(false),
    connection_auth_disabled(false),
    ftp_track_dirs(false),
    vport(0),
    disable_pmtu_discovery(0),
    listenConn()
#if USE_OPENSSL
    ,
    clientca(NULL),
    sslContextSessionId(NULL),
    generateHostCertificates(true), // SSL-bump ports mimic origin certificates unless configured otherwise
    dynamicCertMemCacheSize(4*1024*1024), // 4 MB
    signingCert(),
    signPkey(),
    certsToChain(),
    untrustedSigningCert(),
    untrustedSignPkey(),
    clientCA()
#endif
{
    // Zero-fill tcp_keepalive so no field is left uninitialized; memset is used
    // here presumably because it is a plain aggregate — confirm against PortCfg.h.
    memset(&tcp_keepalive, 0, sizeof(tcp_keepalive));
}
59
/// Releases the listening socket (if still open) and the strings this object owns.
/// Only the heap-owned C strings are freed explicitly; the remaining members clean
/// themselves up through their own destructors.
AnyP::PortCfg::~PortCfg()
{
    // Close the listener first so no further accept activity references this config.
    if (Comm::IsConnOpen(listenConn)) {
        listenConn->close();
        listenConn = NULL;
    }

    // name and defaultsite are xstrdup()ed copies (see clone()); safe_free tolerates NULL.
    safe_free(name);
    safe_free(defaultsite);

#if USE_OPENSSL
    safe_free(clientca);
    safe_free(sslContextSessionId);
#endif
}
75
/// Returns a new PortCfg carrying this port's configured address, name and options.
/// Heap-owned strings are duplicated so the copy and the original can be destroyed
/// independently. Runtime state (listenConn, the generated signing certificates)
/// is deliberately not copied.
AnyP::PortCfgPointer
AnyP::PortCfg::clone() const
{
    AnyP::PortCfgPointer copy = new AnyP::PortCfg();

    // Listening address plus the two owned C strings (duplicated, never shared).
    copy->s = s;
    copy->name = name ? xstrdup(name) : NULL;
    copy->defaultsite = defaultsite ? xstrdup(defaultsite) : NULL;

    // Protocol and per-port behaviour switches.
    copy->transport = transport;
    copy->flags = flags;
    copy->allow_direct = allow_direct;
    copy->vhost = vhost;
    copy->vport = vport;
    copy->connection_auth_disabled = connection_auth_disabled;
    copy->ftp_track_dirs = ftp_track_dirs;

    // Socket tuning and the TLS option block.
    copy->disable_pmtu_discovery = disable_pmtu_discovery;
    copy->tcp_keepalive = tcp_keepalive;
    copy->secure = secure;

#if USE_OPENSSL
    copy->clientca = clientca ? xstrdup(clientca) : NULL;
    copy->sslContextSessionId = sslContextSessionId ? xstrdup(sslContextSessionId) : NULL;
    // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
    // Cloning should only be done before the PortCfg is post-configure initialized and opened.
#endif /* USE_OPENSSL */

    // NOTE(review): actAsOrigin, ignore_cc and (under USE_OPENSSL) generateHostCertificates,
    // dynamicCertMemCacheSize and the certificate members keep their constructor defaults
    // in the copy — confirm callers only clone before post-configure initialization.
    return copy;
}
113
114 #if USE_OPENSSL
/// Loads this port's signing certificate and key, derives the certificate used for
/// untrusted origins, optionally loads the accepted client-CA list, and builds the
/// static server context. Every unrecoverable problem ends in fatalf(); a missing
/// private key is only logged here and execution continues.
void
AnyP::PortCfg::configureSslServerContext()
{
    const char *protoName = AnyP::ProtocolType_str[transport.protocol];
    char urlBuf[128]; // scratch space for s.toUrl() in the fatal messages below

    // The first configured cert= entry supplies the signing certificate, its key and chain.
    if (!secure.certs.empty()) {
        Security::KeyData &keys = secure.certs.front();
        Ssl::readCertChainAndPrivateKeyFromFiles(signingCert, signPkey, certsToChain,
                keys.certFile.c_str(), keys.privateKeyFile.c_str());
    }

    if (!signingCert)
        fatalf("No valid signing SSL certificate configured for %s_port %s", protoName, s.toUrl(urlBuf, sizeof(urlBuf)));

    // Only a warning: the port is still configured without a usable private key.
    if (!signPkey)
        debugs(3, DBG_IMPORTANT, "No SSL private key configured for " << protoName << "_port " << s);

    Ssl::generateUntrustedCert(untrustedSigningCert, untrustedSignPkey, signingCert, signPkey);
    if (!untrustedSigningCert)
        fatalf("Unable to generate signing SSL certificate for untrusted sites for %s_port %s", protoName, s.toUrl(urlBuf, sizeof(urlBuf)));

    // clientca (a file path) is optional; when given, the CA list must load or startup aborts.
    if (clientca) {
        clientCA.reset(SSL_load_client_CA_file(clientca));
        if (clientCA.get() == NULL)
            fatalf("Unable to read client CAs! from %s", clientca);
    }

    if (!secure.createStaticServerContext(*this))
        fatalf("%s_port %s initialization error", protoName, s.toUrl(urlBuf, sizeof(urlBuf)));
}
151 #endif
152