1 /*
2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
11
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/forward.h"
15 #include "security/KeyData.h"
16
17 class Packable;
18
19 namespace Security
20 {
21
/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() = default;

    /// parse one TLS option token from squid.conf
    virtual void parse(const char *);

    /// parse and verify the [tls-]options= string held in sslOptions
    void parseOptions();

    /// drop every configured detail and return to the defaults
    virtual void clear() { *this = PeerOptions(); }

    /// create a security context with nothing configured on it yet
    virtual Security::ContextPointer createBlankContext() const;

    /// create a client-side security context from the configured options
    Security::ContextPointer createClientContext(bool setOptions);

    /// bring the context options in line with the tls-min-version=N setting
    void updateTlsVersionLimits();

    /// apply the library-specific 'options=' parameters to the given context
    void updateContextOptions(Security::ContextPointer &);

    /// apply the NPN extension details to the given context
    void updateContextNpn(Security::ContextPointer &);

    /// apply the configured CA details to the given context
    void updateContextCa(Security::ContextPointer &);

    /// apply the configured CRL details to the given context
    void updateContextCrl(Security::ContextPointer &);

    /// decide which CAs the given context will trust
    void updateContextTrust(Security::ContextPointer &);

    /// apply any library-specific per-session options to the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// write the stored settings as squid.conf syntax, prefixing each parameter with 'pfx'
    virtual void dumpCfg(Packable *, const char *pfx) const;

private:
    ParsedPortFlags parseFlags();
    void loadCrlFile();
    void loadKeysFile();

public:
    SBuf sslOptions; ///< library-specific options string
    SBuf caDir;      ///< path of a directory holding the trusted Certificate Authorities
    SBuf crlFile;    ///< path of a file holding the Certificate Revocation List

    SBuf sslCipher;  ///< cipher selection string (presumably the cipher= option; see parse())
    SBuf sslFlags;   ///< flags defining which TLS operations Squid performs
    SBuf sslDomain;  ///< domain name string (presumably the domain= option; see parse())

    SBuf tlsMinVersion; ///< version label of the lowest TLS version to permit

private:
    /// Library-specific options string derived from tlsMinVersion.
    /// Regenerated by updateTlsVersionLimits().
    SBuf tlsMinOptions;

    /// Parsed form of the sslOptions + tlsMinOptions settings.
    /// Set optsReparse=true to force a re-parse before the next use.
    Security::ParsedOptions parsedOptions;

    /// whether parsedOptions is stale and must be regenerated
    bool optsReparse = true;

public:
    ParsedPortFlags parsedFlags = 0; ///< parsed form of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles;            ///< paths of files holding trusted Certificate Authorities
    Security::CertRevokeList parsedCrl; ///< CRL consulted when verifying the remote end certificate

protected:
    /// Wrap a raw library context handle in an owning ContextPointer whose
    /// deleter logs the release and frees the handle. When built without a
    /// TLS library only a null handle is accepted and an empty pointer returned.
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T raw) const {
#if USE_OPENSSL
        debugs(83, 5, "SSL_CTX construct, this=" << static_cast<void*>(raw));
        const auto release = [](SSL_CTX *handle) {
            debugs(83, 5, "SSL_CTX destruct, this=" << static_cast<void*>(handle));
            SSL_CTX_free(handle);
        };
        return ContextPointer(raw, release);
#elif USE_GNUTLS
        debugs(83, 5, "gnutls_certificate_credentials construct, this=" << static_cast<void*>(raw));
        const auto release = [](gnutls_certificate_credentials_t handle) {
            debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << static_cast<void*>(handle));
            gnutls_certificate_free_credentials(handle);
        };
        return Security::ContextPointer(raw, release);
#else
        assert(!raw);
        return Security::ContextPointer();
#endif
    }

    /// numeric protocol version selector (presumably a legacy sslversion= option; confirm in parse())
    int sslVersion = 0;

    /// flags governing Squid internal TLS operations
    struct flags_ {
        flags_() = default;
        flags_(const flags_ &) = default;
        flags_ &operator =(const flags_ &) = default;

        /// whether to use the system default trusted CA set when verifying
        /// the remote end certificate; enabled by default
        YesNoNone tlsDefaultCa{true};

        /// whether to offer the TLS NPN extension on these connections; enabled by default
        bool tlsNpn = true;
    } flags;

public:
    /// whether connections to the peer use transport encryption (TLS/SSL); off by default
    bool encryptTransport = false;
};
147
/// configuration options for DIRECT server access
/// (the global tls_outgoing_options settings; see parse_securePeerOptions())
extern PeerOptions ProxyOutgoingConfig;
150
151 } // namespace Security
152
// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
// Reset the global tls_outgoing_options settings to their defaults.
// The argument is ignored: this always clears Security::ProxyOutgoingConfig.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
// Dump directive 'n' followed by the settings of 'x' (no parameter prefix) and a newline into 'e'.
// Note: 'n' is passed to appendf() as the format string, so it must be a trusted directive-name literal.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
157
158 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
159