2 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/KeyData.h"
21 /// TLS squid.conf settings for a remote server peer
/// Special members. Every member shown in this listing is a value type
/// (SBuf, std::list, long, ...), so copy and move are left to the compiler
/// and all five are spelled out as defaulted. The destructor is virtual
/// because parse(), clear(), createBlankContext() and dumpCfg() are virtual
/// and a derived options type may be destroyed through a PeerOptions pointer.
PeerOptions(const PeerOptions &) = default;
PeerOptions &operator =(const PeerOptions &) = default;
PeerOptions(PeerOptions &&) = default;
PeerOptions &operator =(PeerOptions &&) = default;
virtual ~PeerOptions() {}
32 /// parse a TLS squid.conf option
33 virtual void parse(const char *);
35 /// reset the configuration details to default
/// Reset every PeerOptions member to its default-constructed value by
/// move-assigning from a fresh PeerOptions. Only PeerOptions's own members
/// are touched, so a derived class that adds state must provide its own override.
virtual void clear() {*this = PeerOptions();}
38 /// generate an unset security context object
39 virtual Security::ContextPointer
createBlankContext() const;
41 /// generate a security client-context from these configured options
42 Security::ContextPointer
createClientContext(bool setOptions
);
44 /// sync the context options with tls-min-version=N configuration
45 void updateTlsVersionLimits();
47 /// Set up the library-specific 'options=' parameters for the given context.
48 void updateContextOptions(Security::ContextPointer
&) const;
50 /// set up the NPN extension details for the given context
51 void updateContextNpn(Security::ContextPointer
&);
53 /// set up the CA details for the given context
54 void updateContextCa(Security::ContextPointer
&);
56 /// set up the CRL details for the given context
57 void updateContextCrl(Security::ContextPointer
&);
59 /// set up any library-specific options that can be set for the given session
60 void updateSessionOptions(Security::SessionPointer
&);
62 /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
63 virtual void dumpCfg(Packable
*, const char *pfx
) const;
66 void parseOptions(); ///< parse the sslOptions string
71 SBuf sslOptions
; ///< library-specific options string
72 SBuf caDir
; ///< path of directory containing a set of trusted Certificate Authorities
73 SBuf crlFile
; ///< path of file containing a Certificate Revocation List
76 SBuf sslFlags
; ///< flags defining what TLS operations Squid performs
79 SBuf tlsMinVersion
; ///< version label for minimum TLS version to permit
81 Security::ParsedOptions parsedOptions
; ///< parsed value of sslOptions
82 long parsedFlags
= 0; ///< parsed value of sslFlags
84 std::list
<Security::KeyData
> certs
; ///< details from the cert= and file= config parameters
85 std::list
<SBuf
> caFiles
; ///< paths of files containing trusted Certificate Authorities
86 Security::CertRevokeList parsedCrl
; ///< CRL to use when verifying the remote end certificate
/// Wrap a freshly created library-specific raw context pointer in a
/// Security::ContextPointer that owns it: the deleter attached here is what
/// eventually releases the context, so callers must not free ctx themselves.
/// NOTE(review): this listing omits the template parameter line, the
/// preprocessor lines that select one of the three branches below, and the
/// closing braces; the function is not compilable as shown.
Security::ContextPointer
convertContextFromRawPtr(T ctx) const {
    // OpenSSL-style context (SSL_CTX). The debug label says "SSL_free", but
    // the free call itself is not in this listing; for an SSL_CTX the
    // matching release is SSL_CTX_free - confirm against the full file.
    return ContextPointer(ctx, [](SSL_CTX *p) {
        debugs(83, 5, "SSL_free ctx=" << (void*)p);
    // GnuTLS-style context: the deleter logs, then frees the credentials.
    return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
        debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p);
        gnutls_certificate_free_credentials(p);
    // No TLS library available: hand back an empty (null) context.
    return Security::ContextPointer();
109 /// flags governing Squid internal TLS operations
/// Both flags start enabled (true): by default the system CA set is used for
/// verification and the NPN extension is used; see the member comments below.
flags_() : tlsDefaultCa(true), tlsNpn(true) {}
flags_(const flags_ &) = default;
flags_ &operator =(const flags_ &) = default;
115 /// whether to use the system default Trusted CA when verifying the remote end certificate
116 YesNoNone tlsDefaultCa
;
118 /// whether to use the TLS NPN extension on these connections
123 /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
124 bool encryptTransport
= false;
127 /// configuration options for DIRECT server access
128 extern PeerOptions ProxyOutgoingConfig
;
130 } // namespace Security
132 // parse the tls_outgoing_options directive
133 void parse_securePeerOptions(Security::PeerOptions
*);
/// squid.conf "free" hook: resets the global DIRECT-access settings
/// (Security::ProxyOutgoingConfig) to their defaults. The x argument is unused.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
/// squid.conf "dump" hook: writes the directive name n, then the settings of
/// x with no parameter prefix, then a newline, to the Packable e.
/// n is handed to appendf() and so is presumably a printf-style format
/// string: pass a literal directive name, never text that may contain '%'.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
137 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */