2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
12 #include "base/YesNoNone.h"
13 #include "ConfigParser.h"
14 #include "security/Context.h"
15 #include "security/forward.h"
16 #include "security/KeyData.h"
17 #include "security/Session.h"
24 /// TLS squid.conf settings for a remote server peer
29 PeerOptions(const PeerOptions
&) = default;
30 PeerOptions
&operator =(const PeerOptions
&) = default;
31 PeerOptions(PeerOptions
&&) = default;
32 PeerOptions
&operator =(PeerOptions
&&) = default;
33 virtual ~PeerOptions() {}
35 /// parse a TLS squid.conf option
36 virtual void parse(const char *);
38 /// parse and verify the [tls-]options= string in sslOptions
41 /// reset the configuration details to default
42 virtual void clear() {*this = PeerOptions();}
44 /// generate an unset security context object
45 virtual Security::ContextPointer
createBlankContext() const;
47 /// generate a security client-context from these configured options
48 Security::ContextPointer
createClientContext(bool setOptions
);
50 /// sync the context options with tls-min-version=N configuration
51 void updateTlsVersionLimits();
53 /// Setup the library specific 'options=' parameters for the given context.
54 void updateContextOptions(Security::ContextPointer
&);
56 /// setup the NPN extension details for the given context
57 void updateContextNpn(Security::ContextPointer
&);
59 /// setup the CA details for the given context
60 void updateContextCa(Security::ContextPointer
&);
62 /// setup the CRL details for the given context
63 void updateContextCrl(Security::ContextPointer
&);
65 /// decide which CAs to trust
66 void updateContextTrust(Security::ContextPointer
&);
68 /// setup any library-specific options that can be set for the given session
69 void updateSessionOptions(Security::SessionPointer
&);
71 /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
72 virtual void dumpCfg(std::ostream
&, const char *pfx
) const;
75 ParsedPortFlags
parseFlags();
80 SBuf sslOptions
; ///< library-specific options string
81 SBuf caDir
; ///< path of directory containing a set of trusted Certificate Authorities
82 SBuf crlFile
; ///< path of file containing Certificate Revoke List
85 SBuf sslFlags
; ///< flags defining what TLS operations Squid performs
88 SBuf tlsMinVersion
; ///< version label for minimum TLS version to permit
91 /// Library-specific options string generated from tlsMinVersion.
92 /// Call updateTlsVersionLimits() to regenerate this string.
95 /// Parsed value of sslOptions + tlsMinOptions settings.
96 /// Set optsReparse=true to have this re-parsed before next use.
97 Security::ParsedOptions parsedOptions
;
99 /// whether parsedOptions content needs to be regenerated
100 bool optsReparse
= true;
103 ParsedPortFlags parsedFlags
= 0; ///< parsed value of sslFlags
105 std::list
<Security::KeyData
> certs
; ///< details from the cert= and file= config parameters
106 std::list
<SBuf
> caFiles
; ///< paths of files containing trusted Certificate Authority
107 Security::CertRevokeList parsedCrl
; ///< CRL to use when verifying the remote end certificate
111 Security::ContextPointer
convertContextFromRawPtr(T ctx
) const {
113 debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx
);
114 return ContextPointer(ctx
, [](SSL_CTX
*p
) {
115 debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p
);
119 debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx
);
120 return Security::ContextPointer(ctx
, [](gnutls_certificate_credentials_t p
) {
121 debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p
);
122 gnutls_certificate_free_credentials(p
);
126 return Security::ContextPointer();
132 /// flags governing Squid internal TLS operations
134 flags_() : tlsDefaultCa(true), tlsNpn(true) {}
135 flags_(const flags_
&) = default;
136 flags_
&operator =(const flags_
&) = default;
138 /// whether to use the system default Trusted CA when verifying the remote end certificate
139 YesNoNone tlsDefaultCa
;
141 /// whether to use the TLS NPN extension on these connections
146 /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
147 bool encryptTransport
= false;
150 // XXX: Remove this shim after upgrading legacy code to store PeerContext
151 // objects instead of disjoint PeerOptons and Context objects (where PeerContext
152 // is a class that creates and manages {PeerOptions, ContextPointer} pair).
153 /// A combination of PeerOptions and the corresponding Context.
154 class FuturePeerContext
157 FuturePeerContext(PeerOptions
&o
, const ContextPointer
&c
): options(o
), raw(c
) {}
159 PeerOptions
&options
; ///< TLS context configuration
160 const ContextPointer
&raw
; ///< TLS context configured using options
163 /// configuration options for DIRECT server access
164 PeerOptions
&ProxyOutgoingConfig();
166 } // namespace Security
168 // parse the tls_outgoing_options directive
169 void parse_securePeerOptions(Security::PeerOptions
*);
170 #define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
171 #define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)
173 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */