Security::PeerOptions secure;
#if USE_OPENSSL
- char *sslcert;
- char *sslkey;
- int sslversion;
- char *ssloptions;
- char *sslcipher;
- char *sslcafile;
- char *sslcapath;
- char *sslcrlfile;
- char *sslflags;
- char *ssldomain;
SSL_CTX *sslContext;
SSL_SESSION *sslSession;
#endif
$(ESI_LIBS) \
$(SNMP_LIBS) \
parser/libsquid-parser.la \
+ security/libsecurity.la \
$(top_builddir)/lib/libmisccontainers.la \
$(top_builddir)/lib/libmiscencoding.la \
$(top_builddir)/lib/libmiscutil.la \
int.cc \
internal.h \
internal.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
int.cc \
internal.h \
internal.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
int.cc \
internal.h \
internal.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
internal.cc \
$(IPC_SOURCE) \
ipcache.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
int.cc \
internal.h \
internal.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
int.cc \
internal.h \
internal.cc \
+ tests/stub_libsecurity.cc \
SquidList.h \
SquidList.cc \
MasterXaction.cc \
for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
if (p->secure.ssl) {
debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context");
- p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath, p->sslcrlfile);
+ p->sslContext = p->secure.createContext();
}
}
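Review bot: The value assigned on line 69 is never checked, yet PeerOptions::createContext() starts from `Security::ContextPointer t = NULL;` and only calls into the library under `#if USE_OPENSSL`, so a NULL context is a normal outcome and, presumably, also what the OpenSSL path yields when the certificate or key cannot be loaded. The peer would then keep `secure.ssl` set with no context and no startup message saying why, which is the kind of silent degradation an operator wants reported. A guard after line 69 such as `if (!p->sslContext) debugs(3, DBG_CRITICAL, "ERROR: failed to create SSL context for cache_peer " << p->name);` would surface it next to the existing "Initializing" line. The for loop is complete here but the function enclosing it starts outside the hunk.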
p->name = xstrdup(token + 5);
} else if (!strncmp(token, "forceddomain=", 13)) {
safe_free(p->domain);
-
if (token[13])
p->domain = xstrdup(token + 13);
p->secure.ssl = true;
if (strncmp(token, "sslcert=", 8) == 0) {
- safe_free(p->sslcert);
- p->sslcert = xstrdup(token + 8);
+ p->secure.certFile = SBuf(token + 8);
} else if (strncmp(token, "sslkey=", 7) == 0) {
- safe_free(p->sslkey);
- p->sslkey = xstrdup(token + 7);
+ p->secure.privateKeyFile = SBuf(token + 7);
+ if (p->secure.certFile.isEmpty()) {
+ debugs(0, DBG_PARSE_NOTE(1), "WARNING: cache_peer 'sslcert=' option needs to be set before 'sslkey=' is used.");
+ p->secure.certFile = p->secure.privateKeyFile;
+ }
} else if (strncmp(token, "sslversion=", 11) == 0) {
- p->sslversion = xatoi(token + 11);
+ p->secure.sslVersion = xatoi(token + 11);
} else if (strncmp(token, "ssloptions=", 11) == 0) {
- safe_free(p->ssloptions);
- p->ssloptions = xstrdup(token + 11);
+ p->secure.sslOptions = SBuf(token + 11);
} else if (strncmp(token, "sslcipher=", 10) == 0) {
- safe_free(p->sslcipher);
- p->sslcipher = xstrdup(token + 10);
+ p->secure.sslCipher = SBuf(token + 10);
} else if (strncmp(token, "sslcafile=", 10) == 0) {
- safe_free(p->sslcafile);
- p->sslcafile = xstrdup(token + 10);
+ p->secure.caFile = SBuf(token + 10);
} else if (strncmp(token, "sslcapath=", 10) == 0) {
- safe_free(p->sslcafile);
- p->sslcafile = xstrdup(token + 10);
+ p->secure.caDir = SBuf(token + 10);
} else if (strncmp(token, "sslcrlfile=", 11) == 0) {
- safe_free(p->sslcrlfile);
- p->sslcrlfile = xstrdup(token + 11);
+ p->secure.crlFile = SBuf(token + 11);
} else if (strncmp(token, "sslflags=", 9) == 0) {
- safe_free(p->sslflags);
- p->sslflags = xstrdup(token + 9);
+ p->secure.sslFlags = SBuf(token + 9);
} else if (strncmp(token, "ssldomain=", 10) == 0) {
- safe_free(p->ssldomain);
- p->ssldomain = xstrdup(token + 10);
+ p->secure.sslDomain = SBuf(token + 10);
}
#endif
- } else if (strncmp(token, "tls", 3) == 0) {
-#if !USE_GNUTLS && !USE_OPENSSL
- debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-gnutls or --with-openssl");
-#else
- p->secure.tls = true;
-#endif
-
} else if (strcmp(token, "front-end-https") == 0) {
p->front_end_https = 1;
} else if (strcmp(token, "front-end-https=on") == 0) {
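Review bot: Lines 87-90 warn that `sslcert=` must precede `sslkey=` but then continue by copying the private-key path into `certFile`, so a later `sslcert=` silently overwrites it (the warning fires for a configuration that ends up correct) while a configuration with only `sslkey=` proceeds using the key file as the certificate file without saying so. If that fallback is intended (a combined PEM file is a plausible reason), the message should state the effect, e.g. `"WARNING: cache_peer 'sslcert=' not set before 'sslkey='; using the sslkey= file as the certificate file too"`; if it is not, line 89 should go and the missing certificate be reported as a configuration error. Note that createContext() already applies the mirror-image default (empty privateKeyFile takes certFile), so only one direction needs to live in the parser. The option-parsing function around this hunk starts and ends outside it.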
--- /dev/null
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#ifndef SQUID_SRC_SECURITY_CONTEXT_H
+#define SQUID_SRC_SECURITY_CONTEXT_H
+
+#if USE_OPENSSL
+#include "ssl/gadgets.h"
+#endif
+
+namespace Security {
+
+#if USE_OPENSSL
+// XXX: make this a SSL_CTX_Pointer
+typedef SSL_CTX* ContextPointer;
+
+#else
+// use void* so we can check against NULL
+typedef void* ContextPointer;
+#endif
+
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_CONTEXT_H */
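Review bot: `ContextPointer` is a raw pointer in both branches (lines 154 and 158) and nothing in the header says who owns the context it points at or when it is released; the XXX on line 153 acknowledges the missing smart-pointer type but the interim contract is left unstated. Until the SSL_CTX_Pointer change lands, a one-line Doxygen comment on the typedef, e.g. `/// non-owning handle to a TLS library context; the CachePeer that stores it is responsible for its lifetime` (adjusted to whatever the actual owner is), would keep callers from double-freeing or leaking it. The non-OpenSSL branch's comment could likewise say that the pointer is always NULL there rather than only that it can be compared against NULL.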
+## Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
include $(top_srcdir)/src/Common.am
include $(top_srcdir)/src/TestHeaders.am
noinst_LTLIBRARIES = libsecurity.la
libsecurity_la_SOURCES= \
+ Context.h \
+ PeerOptions.cc \
PeerOptions.h
--- /dev/null
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#include "squid.h"
+#include "security/PeerOptions.h"
+
+#if USE_OPENSSL
+#include "ssl/support.h"
+#endif
+
+// XXX: make a GnuTLS variant
+Security::ContextPointer
+Security::PeerOptions::createContext()
+{
+ Security::ContextPointer t = NULL;
+
+ if (privateKeyFile.isEmpty())
+ privateKeyFile = certFile;
+
+#if USE_OPENSSL
+ t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
+ sslOptions.c_str(), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
+#endif
+ return t;
+}
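Review bot: The call on lines 204-205 passes `c_str()` of every option, so an option the administrator never set reaches sslCreateClientContext as an empty string where the removed char* fields passed NULL; if that function distinguishes "unset" by testing its pointers (the old NULL-initialised fields suggest it does), an empty cipher list, CA path or CRL file is now handed to the library instead of being skipped, which can change verification behaviour rather than fail loudly. Mapping empty buffers back to NULL at this boundary keeps the pre-commit semantics until sslCreateClientContext takes SBuf itself. A secondary point: lines 200-201 make a "create" method rewrite configuration state (`privateKeyFile`), which a local default would avoid; the sketch below keeps the assignment to stay behaviour-compatible with the parser. SBuf::c_str() may be non-const in this tree, hence the non-const helper parameter.

```cpp
/// hand an unset option to the legacy C API as NULL, as the old char* fields did
static const char *
optionOrNull(SBuf &option)
{
    return option.isEmpty() ? NULL : option.c_str();
}

// … unchanged: createContext() signature and privateKeyFile default …
#if USE_OPENSSL
    t = sslCreateClientContext(optionOrNull(certFile), optionOrNull(privateKeyFile), sslVersion,
                               optionOrNull(sslCipher), optionOrNull(sslOptions), optionOrNull(sslFlags),
                               optionOrNull(caFile), optionOrNull(caDir), optionOrNull(crlFile));
#endif
```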
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
#define SQUID_SRC_SECURITY_PEEROPTIONS_H
#include "SBuf.h"
+#include "security/Context.h"
namespace Security
{
class PeerOptions
{
public:
- PeerOptions() : tls(false), ssl(false) {}
+ PeerOptions() : ssl(false), sslVersion(0) {}
+
+ /// generate a security context from the configured options
+ Security::ContextPointer createContext();
- bool tls; ///< whether TLS is to be used on this connection
bool ssl; ///< whether SSL is to be used on this connection
+
+ SBuf certFile; ///< path of file containing PEM format X509 certificate
+ SBuf privateKeyFile; ///< path of file containing private key in PEM format
+ SBuf sslOptions; ///< library-specific options string
+ SBuf caFile; ///< path of file containing trusted Certificate Authority
+ SBuf caDir; ///< path of directory containign a set of trusted Certificate Authorities
+ SBuf crlFile; ///< path of file containing Certificate Revoke List
+
+ int sslVersion;
+ SBuf sslCipher;
+ SBuf sslFlags;
+ SBuf sslDomain;
};
} // namespace Security
}
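Review bot: The four members added on lines 241-244 carry no documentation while the six above them do, and the comment on `createContext()` (line 229) does not mention that the call rewrites `privateKeyFile` when it is empty, which a caller reading only the header cannot guess. Suggested wording: `int sslVersion; ///< numeric sslversion= setting handed to the TLS library`, `SBuf sslCipher; ///< cipher list string handed to the TLS library`, `SBuf sslFlags; ///< sslflags= string handed to the TLS library`, `SBuf sslDomain; ///< expected server name for peer certificate checks` (the last inferred from how ssl/support uses it; adjust if wrong), and on line 229 add `/// NOTE: defaults privateKeyFile to certFile when unset.` Two typos in the existing comments are worth fixing in the same pass: "containign" on line 238 and "Certificate Revoke List" on line 239, which should read "Certificate Revocation List".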
if (peer) {
- if (peer->ssldomain)
- SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain);
-
+ if (!peer->secure.sslDomain.isEmpty()) {
+ // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
+ SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast<SBuf*>(&peer->secure.sslDomain));
+ }
#if NOT_YET
else if (peer->name)
SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name);
#endif
-
+#if WHEN_PEER_HOST_IS_SBUF
else
SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host);
+#endif
if (peer->sslSession)
SSL_set_session(ssl, peer->sslSession);
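Review bot: Wrapping lines 262-263 in `#if WHEN_PEER_HOST_IS_SBUF` compiles out a branch that was live before this commit, so a peer without `ssldomain=` no longer has `peer->host` stored under `ssl_ex_index_server`; if that slot is what the peer certificate name check reads (the surrounding code suggests it), such peers lose the host-based check rather than keeping it, which is a verification regression that deserves at least a comment and ideally a per-peer SBuf set at configuration time so the fallback can stay enabled. Separately, line 254 now stores an `SBuf*` under an index that previously held a `char*`, and the `#if NOT_YET` branch on line 258 would still store `peer->name` as `char*`; every reader of `ssl_ex_index_server` must agree on the new type, so a comment at the index's definition stating `// ssl_ex_index_server now holds an SBuf*, not a C string` and a matching cast in the readers would prevent a type confusion later. The function containing this hunk begins and ends outside it.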
--- /dev/null
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#include "squid.h"
+
+#define STUB_API "security/libsecurity.la"
+#include "tests/STUB.h"
+
+#include "security/PeerOptions.h"
+Security::ContextPointer Security::PeerOptions::createContext() STUB_RETVAL(NULL)