1 /*
2 * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
11
#include "base/YesNoNone.h"
#include "ConfigParser.h"
#include "security/KeyData.h"

#include <list>
15
16 class Packable;
17
18 namespace Security
19 {
20
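/// TLS squid.conf settings for a remote server peer.
/// Stores the raw directive values (options=, cipher=, cert=/file=, CA and
/// CRL paths, tls-min-version=, ...) and builds the library-specific client
/// context and session settings from them.
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() = default;

    /// parse a single TLS squid.conf option token (e.g. tls-min-version=N)
    virtual void parse(const char *);

    /// parse and verify the [tls-]options= string in sslOptions
    void parseOptions();

    /// Reset the configuration details to default.
    /// This assigns through PeerOptions' own operator=, so a derived class
    /// that adds members must override clear() to reset those as well.
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPointer createBlankContext() const;

    /// Generate a security client-context from these configured options.
    /// \param setOptions whether to also apply the parsed options= settings to
    ///        the new context (presumably via updateContextOptions()) — confirm
    ///        against the implementation in PeerOptions.cc
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    /// (regenerates tlsMinOptions from tlsMinVersion)
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &);

    /// setup the NPN extension details for the given context (see flags.tlsNpn)
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details (caDir, caFiles) for the given context
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details (crlFile, parsedCrl) for the given context
    void updateContextCrl(Security::ContextPointer &);

    /// Decide which CAs to trust. flags.tlsDefaultCa (yes unless configured
    /// otherwise) controls whether the system default CA store is among them.
    void updateContextTrust(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    long parseFlags();  ///< parse sslFlags into a bitmask (see parsedFlags)
    void loadCrlFile(); ///< load the CRL named by crlFile (see parsedCrl)
    void loadKeysFile();

public:
    SBuf sslOptions; ///< library-specific options string
    SBuf caDir;      ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile;    ///< path of file containing Certificate Revoke List

    SBuf sslCipher;  ///< library-specific cipher list string
    SBuf sslFlags;   ///< flags defining what TLS operations Squid performs
    SBuf sslDomain;  ///< configured peer domain name (presumably used when checking the peer certificate) — TODO confirm

    SBuf tlsMinVersion; ///< version label for minimum TLS version to permit

private:
    /// Library-specific options string generated from tlsMinVersion.
    /// Call updateTlsVersionLimits() to regenerate this string.
    SBuf tlsMinOptions;

    /// Parsed value of sslOptions + tlsMinOptions settings.
    /// Set optsReparse=true to have this re-parsed before next use.
    Security::ParsedOptions parsedOptions;

    /// whether parsedOptions content needs to be regenerated
    bool optsReparse = true;

public:
    long parsedFlags = 0; ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles;            ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    /// Take ownership of a raw library context handle and return a
    /// ContextPointer that releases it with the library's free function
    /// once the last owner goes away. A null handle yields an empty pointer,
    /// so the deleter is never invoked on a null context (SSL_CTX_free()
    /// tolerates NULL, gnutls_certificate_free_credentials() is not known to).
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        if (!ctx)
            return Security::ContextPointer();
        debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
        return Security::ContextPointer(ctx, [](SSL_CTX *p) {
            debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
            SSL_CTX_free(p);
        });
#elif USE_GNUTLS
        if (!ctx)
            return Security::ContextPointer();
        debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
            gnutls_certificate_free_credentials(p);
        });
#else
        // no TLS library compiled in: nothing can have produced a real handle
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    int sslVersion = 0; ///< numeric SSL/TLS version selector (presumably set by parse()) — TODO confirm usage

    /// flags governing Squid internal TLS operations
    /// (Rule of Zero: all members are trivially copyable, no special members needed)
    struct flags_ {
        /// Whether to use the system default Trusted CA when verifying the
        /// remote end certificate. Defaults to yes: the system trust store is
        /// used unless squid.conf explicitly turns it off.
        YesNoNone tlsDefaultCa{true};

        /// whether to use the TLS NPN extension on these connections (on by default)
        bool tlsNpn = true;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};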
146
/// TLS configuration options for DIRECT server access, i.e. for connections
/// Squid opens itself to origin servers. Filled from the tls_outgoing_options
/// directive (parse_securePeerOptions() below) and reset by free_securePeerOptions().
extern PeerOptions ProxyOutgoingConfig;
149
150 } // namespace Security
151
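/// parse the tls_outgoing_options directive into the given options object
void parse_securePeerOptions(Security::PeerOptions *);

/// Reset the tls_outgoing_options configuration. The argument is ignored:
/// this always clears the global Security::ProxyOutgoingConfig.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()

/// Write directive name 'n' followed by the squid.conf form of options 'x'
/// to Packable 'e'. The name is printed through a "%s" conversion rather than
/// used as the format string itself, so a '%' in it can never be interpreted
/// as a conversion specifier.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf("%s", (n)); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)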
156
157 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
158