1 /*
2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
11
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/Context.h"
15 #include "security/forward.h"
16 #include "security/KeyData.h"
17 #include "security/Session.h"
18
19 class Packable;
20
21 namespace Security
22 {
23
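/// TLS squid.conf settings for a remote server peer
class PeerOptions
{
public:
    PeerOptions();
    PeerOptions(const PeerOptions &) = default;
    PeerOptions &operator =(const PeerOptions &) = default;
    PeerOptions(PeerOptions &&) = default;
    PeerOptions &operator =(PeerOptions &&) = default;
    virtual ~PeerOptions() = default;

    /// parse a TLS squid.conf option
    virtual void parse(const char *);

    /// parse and verify the [tls-]options= string in sslOptions
    void parseOptions();

    /// reset the configuration details to default
    /// Note: this assigns a default-constructed PeerOptions, so a derived class
    /// that does not override clear() keeps its own (derived) members unchanged.
    virtual void clear() {*this = PeerOptions();}

    /// generate an unset security context object
    virtual Security::ContextPointer createBlankContext() const;

    /// generate a security client-context from these configured options
    /// \param setOptions presumably whether to also apply the parsed
    /// [tls-]options= values to the new context; confirm in PeerOptions.cc
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    void updateTlsVersionLimits();

    /// Setup the library specific 'options=' parameters for the given context.
    void updateContextOptions(Security::ContextPointer &);

    /// setup the NPN extension details for the given context
    void updateContextNpn(Security::ContextPointer &);

    /// setup the CA details for the given context
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    void updateContextCrl(Security::ContextPointer &);

    /// decide which CAs to trust
    void updateContextTrust(Security::ContextPointer &);

    /// setup any library-specific options that can be set for the given session
    void updateSessionOptions(Security::SessionPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    virtual void dumpCfg(std::ostream &, const char *pfx) const;

private:
    /// convert the sslFlags string into ParsedPortFlags (presumably stored in parsedFlags)
    ParsedPortFlags parseFlags();
    /// load the revocation list named by crlFile (presumably into parsedCrl)
    void loadCrlFile();
    /// load the configured certificate/key files (presumably into certs)
    void loadKeysFile();

public:
    SBuf sslOptions; ///< library-specific options string
    SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile; ///< path of file containing Certificate Revoke List

    SBuf sslCipher; ///< configured cipher list string; TODO confirm the squid.conf option name in parse()
    SBuf sslFlags; ///< flags defining what TLS operations Squid performs
    SBuf sslDomain; ///< configured peer domain name; TODO confirm how parse() fills it and how it is used

    SBuf tlsMinVersion; ///< version label for minimum TLS version to permit

private:
    /// Library-specific options string generated from tlsMinVersion.
    /// Call updateTlsVersionLimits() to regenerate this string.
    SBuf tlsMinOptions;

    /// Parsed value of sslOptions + tlsMinOptions settings.
    /// Set optsReparse=true to have this re-parsed before next use.
    Security::ParsedOptions parsedOptions;

    /// whether parsedOptions content needs to be regenerated
    bool optsReparse = true;

public:
    ParsedPortFlags parsedFlags = 0; ///< parsed value of sslFlags

    std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters
    std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

protected:
    /// Wraps a raw TLS library context handle into an owning ContextPointer.
    /// The attached deleter releases the handle (SSL_CTX_free() or
    /// gnutls_certificate_free_credentials()) when the pointer is released,
    /// so the caller must not free ctx itself afterwards.
    /// Without a TLS library, only a nil handle is accepted.
    template<typename T>
    Security::ContextPointer convertContextFromRawPtr(T ctx) const {
#if USE_OPENSSL
        debugs(83, 5, "SSL_CTX construct, this=" << static_cast<void*>(ctx));
        return ContextPointer(ctx, [](SSL_CTX *p) {
            debugs(83, 5, "SSL_CTX destruct, this=" << static_cast<void*>(p));
            SSL_CTX_free(p);
        });
#elif HAVE_LIBGNUTLS
        debugs(83, 5, "gnutls_certificate_credentials construct, this=" << static_cast<void*>(ctx));
        return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
            debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << static_cast<void*>(p));
            gnutls_certificate_free_credentials(p);
        });
#else
        assert(!ctx);
        return Security::ContextPointer();
#endif
    }

    int sslVersion = 0; ///< numeric TLS version selector from configuration; 0 by default (see parse() for accepted values)

    /// flags governing Squid internal TLS operations
    struct flags_ {
        /// whether to use the system default Trusted CA when verifying the remote end certificate
        YesNoNone tlsDefaultCa{true};

        /// whether to use the TLS NPN extension on these connections
        bool tlsNpn = true;
    } flags;

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport = false;
};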
149
// XXX: Remove this shim after upgrading legacy code to store PeerContext
// objects instead of disjoint PeerOptions and Context objects (where PeerContext
// is a class that creates and manages {PeerOptions, ContextPointer} pair).
/// A combination of PeerOptions and the corresponding Context.
/// Holds references only: both referents must outlive this object, and
/// copies of this object alias the same PeerOptions and ContextPointer.
class FuturePeerContext
{
public:
    FuturePeerContext(PeerOptions &opts, const ContextPointer &ctx):
        options(opts),
        raw(ctx)
    {}

    PeerOptions &options; ///< TLS context configuration
    const ContextPointer &raw; ///< TLS context configured using options
};
162
/// configuration options for DIRECT server access
/// (the settings that free_securePeerOptions() resets, i.e. the
/// tls_outgoing_options directive; see the directive handlers below)
PeerOptions &ProxyOutgoingConfig();
165
166 } // namespace Security
167
/// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
/// reset the tls_outgoing_options settings to defaults; clears
/// Security::ProxyOutgoingConfig() regardless of the (ignored) argument x
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
/// dump the tls_outgoing_options settings in squid.conf syntax: writes the
/// directive name n, then (x).dumpCfg() output, then a newline into a
/// PackableStream built over *(e)
#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)
172
173 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
174