src/security/PeerOptions.h

   1 /*
   2  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
  10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
  11
  12 #include "base/YesNoNone.h"
  13 #include "ConfigParser.h"
  14 #include "security/KeyData.h"
  15
  16 class Packable;
  17
  18 namespace Security
  19 {
  20
  21 /// TLS squid.conf settings for a remote server peer
  22 class PeerOptions
  23 {
  24 public:
  25     PeerOptions();
  26     PeerOptions(const PeerOptions &) = default;
  27     PeerOptions &operator =(const PeerOptions &) = default;
  28     PeerOptions(PeerOptions &&) = default;
  29     PeerOptions &operator =(PeerOptions &&) = default;
  30     virtual ~PeerOptions() {}
  31
  32     /// parse a TLS squid.conf option
  33     virtual void parse(const char *);
  34
  35     /// reset the configuration details to default
  36     virtual void clear() {*this = PeerOptions();}
  37
  38     /// generate an unset security context object
  39     virtual Security::ContextPointer createBlankContext() const;
  40
  41     /// generate a security client-context from these configured options
  42     Security::ContextPointer createClientContext(bool setOptions);
  43
  44     /// sync the context options with tls-min-version=N configuration
  45     void updateTlsVersionLimits();
  46
  47     /// Setup the library specific 'options=' parameters for the given context.
  48     void updateContextOptions(Security::ContextPointer &) const;
  49
  50     /// setup the NPN extension details for the given context
  51     void updateContextNpn(Security::ContextPointer &);
  52
  53     /// setup the CA details for the given context
  54     void updateContextCa(Security::ContextPointer &);
  55
  56     /// setup the CRL details for the given context
  57     void updateContextCrl(Security::ContextPointer &);
  58
  59     /// setup any library-specific options that can be set for the given session
  60     void updateSessionOptions(Security::SessionPointer &);
  61
  62     /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
  63     virtual void dumpCfg(Packable *, const char *pfx) const;
  64
  65 private:
  66     void parseOptions(); ///< parsed value of sslOptions
  67     long parseFlags();
  68     void loadCrlFile();
  69
  70 public:
  71     SBuf sslOptions;     ///< library-specific options string
  72     SBuf caDir;          ///< path of directory containing a set of trusted Certificate Authorities
  73     SBuf crlFile;        ///< path of file containing Certificate Revoke List
  74
  75     SBuf sslCipher;
  76     SBuf sslFlags;       ///< flags defining what TLS operations Squid performs
  77     SBuf sslDomain;
  78
  79     SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit
  80
  81     Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
  82     long parsedFlags = 0;   ///< parsed value of sslFlags
  83
  84     std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
  85     std::list<SBuf> caFiles;  ///< paths of files containing trusted Certificate Authority
  86     Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate
  87
  88 protected:
  89     template<typename T>
  90     Security::ContextPointer convertContextFromRawPtr(T ctx) const {
  91 #if USE_OPENSSL
  92         return ContextPointer(ctx, [](SSL_CTX *p) {
  93             debugs(83, 5, "SSL_free ctx=" << (void*)p);
  94             SSL_CTX_free(p);
  95         });
  96 #elif USE_GNUTLS
  97         return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
  98             debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p);
  99             gnutls_certificate_free_credentials(p);
 100         });
 101 #else
 102         assert(!ctx);
 103         return Security::ContextPointer();
 104 #endif
 105     }
 106
 107     int sslVersion = 0;
 108
 109     /// flags governing Squid internal TLS operations
 110     struct flags_ {
 111         flags_() : tlsDefaultCa(true), tlsNpn(true) {}
 112         flags_(const flags_ &) = default;
 113         flags_ &operator =(const flags_ &) = default;
 114
 115         /// whether to use the system default Trusted CA when verifying the remote end certificate
 116         YesNoNone tlsDefaultCa;
 117
 118         /// whether to use the TLS NPN extension on these connections
 119         bool tlsNpn;
 120     } flags;
 121
 122 public:
 123     /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
 124     bool encryptTransport = false;
 125 };
 126
 127 /// configuration options for DIRECT server access
 128 extern PeerOptions ProxyOutgoingConfig;
 129
 130 } // namespace Security
 131
 132 // parse the tls_outgoing_options directive
 133 void parse_securePeerOptions(Security::PeerOptions *);
 134 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
 135 #define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
 136
 137 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
 138