1 /*
2 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
10 #define SQUID_SRC_SECURITY_SERVEROPTIONS_H
11
12 #include "anyp/forward.h"
13 #include "security/PeerOptions.h"
14
15 namespace Security
16 {
17
18 /// TLS squid.conf settings for a listening port
/// TLS squid.conf settings for a listening port.
///
/// Extends Security::PeerOptions with the server-side-only material kept
/// here: the static TLS context (staticContext) and its session ID context,
/// the CA certificates used to verify *client* certificates, the
/// Diffie-Hellman / EECDH key-exchange parameters, and the CA keys used to
/// sign dynamically generated host certificates.
///
/// One security-relevant default differs from PeerOptions: the default CA
/// bundle is turned off for server contexts (see the constructor, Bug 4005).
class ServerOptions : public PeerOptions
{
public:
#if USE_OPENSSL
    /// Declares sk_X509_NAME_free_wrapper, the deleter that
    /// X509_NAME_STACK_Pointer (below) uses to release a STACK_OF(X509_NAME)
    /// through X509_NAME_free. See the sk_dtor_wrapper macro for the exact expansion.
    sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
    /// Owning pointer to an OpenSSL stack of CA subject names.
    typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
#endif

    /// Starts from the PeerOptions defaults, then disables the default CA
    /// bundle for server contexts.
    ServerOptions() : PeerOptions() {
        // Bug 4005: dynamic contexts use a lot of memory and it
        // is more secure to have only a small set of trusted CA.
        flags.tlsDefaultCa.defaultTo(false);
    }
    ServerOptions(const ServerOptions &) = default;
    /// Copy assignment is user-defined (defined outside this header); the
    /// move operations below delegate to it.
    ServerOptions &operator =(const ServerOptions &);
    // NOTE(review): `o` is a named rvalue reference, i.e. an lvalue, so both
    // "move" operations select the copy assignment above: the source object is
    // copied rather than moved, and neither operation is noexcept (standard
    // containers that use std::move_if_noexcept will therefore copy).
    ServerOptions(ServerOptions &&o) { this->operator =(o); }
    ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
    virtual ~ServerOptions() = default;

    /* Security::PeerOptions API */
    /// Parses a squid.conf TLS option string for this port
    /// (presumably one option per call; see the implementation).
    virtual void parse(const char *);
    /// Resets every setting, including the Bug 4005 default set by the
    /// constructor, by assigning a freshly constructed object.
    virtual void clear() {*this = ServerOptions();}
    /// Creates a new, not yet configured ("blank") server-side TLS context.
    virtual Security::ContextPointer createBlankContext() const;
    /// Writes the configured options to the given Packable; pfx is
    /// presumably the directive prefix to print before each option.
    virtual void dumpCfg(Packable *, const char *pfx) const;

    /// initialize all server contexts as-needed
    /// (takes the listening port whose contexts are being set up)
    void initServerContexts(AnyP::PortCfg &);

    /// update the given TLS security context using squid.conf settings
    /// \returns true on success; false presumably means a configured setting
    ///          could not be applied -- confirm against the implementation
    bool updateContextConfig(Security::ContextPointer &);

    /// update the context with DH, EDH, EECDH settings
    /// (uses dh, eecdhCurve and parsedDhParams below)
    void updateContextEecdh(Security::ContextPointer &);

    /// update the context with CA details used to verify client certificates
    /// (uses clientCaFile / clientCaStack below)
    void updateContextClientCa(Security::ContextPointer &);

    /// update the context with a configured session ID (if any)
    /// (uses staticContextSessionId below)
    void updateContextSessionId(Security::ContextPointer &);

    /// sync the various sources of CA files to be loaded
    void syncCaFiles();

public:
    /// TLS context to use for HTTPS accelerator or static SSL-Bump
    Security::ContextPointer staticContext;
    SBuf staticContextSessionId; ///< "session id context" for staticContext

    // Whether host certificates are generated dynamically. The default
    // depends on the TLS library this build uses:
#if USE_OPENSSL
    bool generateHostCertificates = true; ///< dynamically make host cert
#elif USE_GNUTLS
    // TODO: GnuTLS does implement TLS server connections so the cert
    // generate vs static choice can be reached in the code now.
    // But this feature is not fully working implemented so must not
    // be enabled by default for production installations.
    bool generateHostCertificates = false; ///< dynamically make host cert
#else
    // same as OpenSSL so config errors show up easily
    bool generateHostCertificates = true; ///< dynamically make host cert
#endif

    // Both KeyData members hold signing-CA certificate and private key
    // material; they are populated by createSigningContexts() below.
    Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
    Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates

    /// max size, in bytes, of generated certificates memory cache (4 MB default)
    size_t dynamicCertMemCacheSize = 4*1024*1024;

private:
    /// Presumably loads clientCaFile into clientCaStack.
    /// \returns true on success -- confirm the failure cases in the implementation
    bool loadClientCaFile();
    /// Presumably loads dhParamsFile into parsedDhParams.
    void loadDhParams();

    /// generate a security server-context from these configured options
    /// the resulting context is stored in staticContext
    /// \returns true if a context could be created
    bool createStaticServerContext(AnyP::PortCfg &);

    /// initialize contexts for signing dynamic TLS certificates (if needed)
    /// the resulting keys are stored in signingCa and untrustedSigningCa
    void createSigningContexts(const AnyP::PortCfg &);

private:
    SBuf clientCaFile; ///< name of file to load client CAs from
#if USE_OPENSSL
    /// CA certificate(s) to use when verifying client certificates
    X509_NAME_STACK_Pointer clientCaStack;
#else
    /// Keeps the member present in non-OpenSSL builds.
    // NOTE(review): a raw void* with no deleter, so nothing it might point
    // to is owned or released here -- confirm it stays unused in these builds.
    void *clientCaStack = nullptr;
#endif

    SBuf dh; ///< Diffie-Hellman cipher config
    SBuf dhParamsFile; ///< Diffie-Hellman ciphers parameter file
    SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges

    Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
};
114
115 } // namespace Security
116
117 #endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */
118