From: Amos Jeffries
Date: Fri, 14 Nov 2014 13:48:26 +0000 (-0800)
Subject: Shuffle cache_peer ssl*= options to libsecurity
X-Git-Tag: merge-candidate-3-v1~242^2~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a2f63e7c777ebcad6b0508d1c42c1cef900cc69;p=thirdparty%2Fsquid.git

Shuffle cache_peer ssl*= options to libsecurity
---
diff --git a/src/CachePeer.h b/src/CachePeer.h
index 12033dc23f..66232de6b7 100644
--- a/src/CachePeer.h
+++ b/src/CachePeer.h
@@ -184,16 +184,6 @@ public:
 Security::PeerOptions secure;
 #if USE_OPENSSL
- char *sslcert;
- char *sslkey;
- int sslversion;
- char *ssloptions;
- char *sslcipher;
- char *sslcafile;
- char *sslcapath;
- char *sslcrlfile;
- char *sslflags;
- char *ssldomain;
 SSL_CTX *sslContext;
 SSL_SESSION *sslSession;
 #endif
diff --git a/src/Makefile.am b/src/Makefile.am
index ab124bd4c1..c83c20efb8 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -643,6 +643,7 @@ squid_LDADD = \
 $(ESI_LIBS) \
 $(SNMP_LIBS) \
 parser/libsquid-parser.la \
+ security/libsecurity.la \
 $(top_builddir)/lib/libmisccontainers.la \
 $(top_builddir)/lib/libmiscencoding.la \
 $(top_builddir)/lib/libmiscutil.la \
@@ -1496,6 +1497,7 @@ tests_testCacheManager_SOURCES = \
 int.cc \
 internal.h \
 internal.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
@@ -1920,6 +1922,7 @@ tests_testEvent_SOURCES = \
 int.cc \
 internal.h \
 internal.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
@@ -2168,6 +2171,7 @@ tests_testEventLoop_SOURCES = \
 int.cc \
 internal.h \
 internal.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
@@ -2412,6 +2416,7 @@ tests_test_http_range_SOURCES = \
 internal.cc \
 $(IPC_SOURCE) \
 ipcache.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
@@ -2710,6 +2715,7 @@ tests_testHttpRequest_SOURCES = \
 int.cc \
 internal.h \
 internal.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
@@ -3536,6 +3542,7 @@ tests_testURL_SOURCES = \
 int.cc \
 internal.h \
 internal.cc \
+ tests/stub_libsecurity.cc \
 SquidList.h \
 SquidList.cc \
 MasterXaction.cc \
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 1d47e53b9a..74c60b5b4e 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -886,7 +886,7 @@ configDoConfigure(void)
 for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
 if (p->secure.ssl) {
 debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context");
- p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath, p->sslcrlfile);
+ p->sslContext = p->secure.createContext();
 }
 }
@@ -2236,7 +2236,6 @@ parse_peer(CachePeer ** head)
 p->name = xstrdup(token + 5);
 } else if (!strncmp(token, "forceddomain=", 13)) {
 safe_free(p->domain);
- if (token[13])
 p->domain = xstrdup(token + 13);
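Review bot: The `+` line stores `p->secure.createContext()` into `p->sslContext` without checking for NULL, and the new wrapper returns NULL both when `sslCreateClientContext()` fails and, by construction, whenever the OpenSSL branch is not compiled in. The old call had the same gap, but moving context creation behind one method is the moment to make a peer with a broken `sslcert=`/`sslcafile=` fail closed at startup instead of carrying a NULL context into connection setup (how later code handles a NULL `sslContext` is not visible here, so this is hedged). Suggest following the `debugs()` with `if (!p->sslContext) fatalf("cache_peer %s: cannot create SSL context", p->name);` or whatever fatal-on-misconfiguration idiom cache_cf.cc uses elsewhere. configDoConfigure continues outside the hunk.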
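Review bot: Removing `if (token[13])` from the `forceddomain=` branch changes behaviour and is unrelated to the ssl*= shuffle in the commit title: an empty `forceddomain=` used to leave `p->domain` NULL after the `safe_free()`, and now sets it to a strdup'd empty string. Any consumer that tests `p->domain` for non-NULL — presumably the Host-header rewrite this option exists for, not visible here — will then treat the peer as having a forced domain and emit an empty host name. Either restore the guard, `if (token[13]) p->domain = xstrdup(token + 13);`, or reject the empty value explicitly as a parse error so the misconfiguration is visible. parse_peer continues outside the hunk.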
@@ -2247,44 +2246,32 @@ parse_peer(CachePeer ** head)
 p->secure.ssl = true;
 if (strncmp(token, "sslcert=", 8) == 0) {
- safe_free(p->sslcert);
- p->sslcert = xstrdup(token + 8);
+ p->secure.certFile = SBuf(token + 8);
 } else if (strncmp(token, "sslkey=", 7) == 0) {
- safe_free(p->sslkey);
- p->sslkey = xstrdup(token + 7);
+ p->secure.privateKeyFile = SBuf(token + 7);
+ if (p->secure.certFile.isEmpty()) {
+ debugs(0, DBG_PARSE_NOTE(1), "WARNING: cache_peer 'sslcert=' option needs to be set before 'sslkey=' is used.");
+ p->secure.certFile = p->secure.privateKeyFile;
+ }
 } else if (strncmp(token, "sslversion=", 11) == 0) {
- p->sslversion = xatoi(token + 11);
+ p->secure.sslVersion = xatoi(token + 11);
 } else if (strncmp(token, "ssloptions=", 11) == 0) {
- safe_free(p->ssloptions);
- p->ssloptions = xstrdup(token + 11);
+ p->secure.sslOptions = SBuf(token + 11);
 } else if (strncmp(token, "sslcipher=", 10) == 0) {
- safe_free(p->sslcipher);
- p->sslcipher = xstrdup(token + 10);
+ p->secure.sslCipher = SBuf(token + 10);
 } else if (strncmp(token, "sslcafile=", 10) == 0) {
- safe_free(p->sslcafile);
- p->sslcafile = xstrdup(token + 10);
+ p->secure.caFile = SBuf(token + 10);
 } else if (strncmp(token, "sslcapath=", 10) == 0) {
- safe_free(p->sslcafile);
- p->sslcafile = xstrdup(token + 10);
+ p->secure.caDir = SBuf(token + 10);
 } else if (strncmp(token, "sslcrlfile=", 11) == 0) {
- safe_free(p->sslcrlfile);
- p->sslcrlfile = xstrdup(token + 11);
+ p->secure.crlFile = SBuf(token + 11);
 } else if (strncmp(token, "sslflags=", 9) == 0) {
- safe_free(p->sslflags);
- p->sslflags = xstrdup(token + 9);
+ p->secure.sslFlags = SBuf(token + 9);
 } else if (strncmp(token, "ssldomain=", 10) == 0) {
- safe_free(p->ssldomain);
- p->ssldomain = xstrdup(token + 10);
+ p->secure.sslDomain = SBuf(token + 10);
 }
 #endif
- } else if (strncmp(token, "tls", 3) == 0) {
-#if !USE_GNUTLS && !USE_OPENSSL
- debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-gnutls or --with-openssl");
-#else
- p->secure.tls = true;
-#endif
 } else if (strcmp(token, "front-end-https") == 0) {
 p->front_end_https = 1;
 } else if (strcmp(token, "front-end-https=on") == 0) {
diff --git a/src/security/Context.h b/src/security/Context.h
new file mode 100644
index 0000000000..8aef5a7878
--- /dev/null
+++ b/src/security/Context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#ifndef SQUID_SRC_SECURITY_CONTEXT_H
+#define SQUID_SRC_SECURITY_CONTEXT_H
+
+#if USE_OPENSSL
+#include "ssl/gadgets.h"
+#endif
+
+namespace Security {
+
+#if USE_OPENSSL
+// XXX: make this a SSL_CTX_Pointer
+typedef SSL_CTX* ContextPointer;
+
+#else
+// use void* so we can check against NULL
+typedef void* ContextPointer;
+#endif
+
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_CONTEXT_H */
diff --git a/src/security/Makefile.am b/src/security/Makefile.am
index 6ed2aa7173..6876db9c00 100644
--- a/src/security/Makefile.am
+++ b/src/security/Makefile.am
@@ -1,7 +1,16 @@
+## Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
 include $(top_srcdir)/src/Common.am
 include $(top_srcdir)/src/TestHeaders.am
 noinst_LTLIBRARIES = libsecurity.la
 libsecurity_la_SOURCES= \
+ Context.h \
+ PeerOptions.cc \
 PeerOptions.h
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
new file mode 100644
index 0000000000..8f989a236b
--- /dev/null
+++ b/src/security/PeerOptions.cc
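Review bot: The WARNING added in the `sslkey=` branch keys on option order rather than on a real misconfiguration: `sslkey=k.pem sslcert=c.pem` is a complete configuration yet logs `'sslcert=' option needs to be set before 'sslkey=' is used`, and the placeholder `p->secure.certFile = p->secure.privateKeyFile` it installs is silently overwritten one token later. Since `createContext()` already derives a missing key file from the certificate, the mirror case belongs after the token loop (or in `createContext()`) where both values are final, e.g. `if (p->secure.certFile.isEmpty() && !p->secure.privateKeyFile.isEmpty()) debugs(0, DBG_PARSE_NOTE(1), "WARNING: cache_peer sslkey= given without sslcert=; using the key file as certificate");`. Separately, the `tls` sub-option branch deleted at the end of this hunk means existing `cache_peer ... tls` lines now fall through to whatever follows the `front-end-https` checks (not visible here), so if the removal is intended it deserves a sentence in the commit message. parse_peer continues outside the hunk.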
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#include "squid.h"
+#include "security/PeerOptions.h"
+
+#if USE_OPENSSL
+#include "ssl/support.h"
+#endif
+
+// XXX: make a GnuTLS variant
+Security::ContextPointer
+Security::PeerOptions::createContext()
+{
+ Security::ContextPointer t = NULL;
+
+ if (privateKeyFile.isEmpty())
+ privateKeyFile = certFile;
+
+#if USE_OPENSSL
+ t = sslCreateClientContext(certFile.c_str(), privateKeyFile.c_str(), sslVersion, sslCipher.c_str(),
+ sslOptions.c_str(), sslFlags.c_str(), caFile.c_str(), caDir.c_str(), crlFile.c_str());
+#endif
+ return t;
+}
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 25a67d8538..fba2758a04 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -1,7 +1,16 @@
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
 #include "SBuf.h"
+#include "security/Context.h"
 namespace Security
 {
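Review bot: `createContext()` hands `certFile.c_str()`, `sslCipher.c_str()`, `caFile.c_str()`, `caDir.c_str()`, `crlFile.c_str()` and friends to `sslCreateClientContext()` unconditionally, and `SBuf::c_str()` on an empty buffer presumably yields `""` where the old `char*` members were NULL when the option was absent. If `sslCreateClientContext()` tells "not configured" from "configured" by testing for NULL, as the old NULL-initialised members suggest (its body is not visible here), an unset `sslcipher=` turns into an empty cipher list and unset `sslcafile=`/`sslcapath=` into empty verify locations — either failing context creation or, depending on how the helper reacts, changing which trust store is consulted for peer verification. Map empty buffers back to NULL at the call site so the helper's contract is unchanged by the refactor. The `privateKeyFile = certFile` fallback also rewrites the configured options as a side effect of creating a context; harmless on first use, but worth a comment since it makes any later `isEmpty()` check on `privateKeyFile` meaningless.
```cpp
// … unchanged: license header and includes …

/// sslCreateClientContext() takes NULL for "not configured"; an empty SBuf must not become ""
static const char *
optStr(SBuf &s)
{
    return s.isEmpty() ? NULL : s.c_str();
}

Security::ContextPointer
Security::PeerOptions::createContext()
{
    // … unchanged: t initialisation and the privateKeyFile fallback …
#if USE_OPENSSL
    t = sslCreateClientContext(optStr(certFile), optStr(privateKeyFile), sslVersion, optStr(sslCipher),
                               optStr(sslOptions), optStr(sslFlags), optStr(caFile), optStr(caDir), optStr(crlFile));
#endif
    // … unchanged: return t …
}
```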
@@ -9,10 +18,24 @@ namespace Security
 class PeerOptions
 {
 public:
- PeerOptions() : tls(false), ssl(false) {}
+ PeerOptions() : ssl(false), sslVersion(0) {}
+
+ /// generate a security context from the configured options
+ Security::ContextPointer createContext();
- bool tls; ///< whether TLS is to be used on this connection
 bool ssl; ///< whether SSL is to be used on this connection
+
+ SBuf certFile; ///< path of file containing PEM format X509 certificate
+ SBuf privateKeyFile; ///< path of file containing private key in PEM format
+ SBuf sslOptions; ///< library-specific options string
+ SBuf caFile; ///< path of file containing trusted Certificate Authority
+ SBuf caDir; ///< path of directory containign a set of trusted Certificate Authorities
+ SBuf crlFile; ///< path of file containing Certificate Revoke List
+
+ int sslVersion;
+ SBuf sslCipher;
+ SBuf sslFlags;
+ SBuf sslDomain;
 };
 } // namespace Security
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 7ddae4e217..0ae5b4b610 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -129,18 +129,20 @@ Ssl::PeerConnector::initializeSsl()
 }
 if (peer) {
- if (peer->ssldomain)
- SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain);
-
+ if (!peer->secure.sslDomain.isEmpty()) {
+ // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
+ SSL_set_ex_data(ssl, ssl_ex_index_server, const_cast(&peer->secure.sslDomain));
+ }
 #if NOT_YET
 else if (peer->name)
 SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name);
 #endif
-
+#if WHEN_PEER_HOST_IS_SBUF
 else
 SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host);
+#endif
 if (peer->sslSession)
 SSL_set_session(ssl, peer->sslSession);
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
new file mode 100644
index 0000000000..a6b586ff68
--- /dev/null
+++ b/src/tests/stub_libsecurity.cc
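Review bot: The four members added at the bottom of the class — `sslVersion`, `sslCipher`, `sslFlags`, `sslDomain` — carry no `///<` description while the six SBuf paths above them do, and they are the ones whose meaning is least obvious from the name. Grounded in how this commit uses them: `int sslVersion; ///< sslversion= value as parsed by xatoi(); 0 when not configured`, `SBuf sslCipher; ///< sslcipher= string, handed to the TLS library unparsed`, `SBuf sslFlags; ///< sslflags= string, handed to the TLS library unparsed`, and `SBuf sslDomain; ///< ssldomain= value; Ssl::PeerConnector installs it as the expected server name for the connection`. The `ssl` flag's comment could also say that cache_cf.cc appears to set it before parsing any `ssl*=` sub-option, not only for a bare `ssl` (the enclosing condition is outside that hunk, so confirm). Two typos in the new comments: `containign` → `containing` and `Certificate Revoke List` → `Certificate Revocation List`.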
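Review bot: The `ssl_ex_index_server` slot silently changes type on the new `SSL_set_ex_data` line: it used to hold a `char*` (`peer->ssldomain`, or `peer->host` via the fallback) and now holds a pointer to an `SBuf` object (the `const_cast` template argument appears to have been lost in this rendering), yet no reader of that slot is updated in this commit. Whatever fetches it with `SSL_get_ex_data()` — in Squid that is the certificate verification code comparing the expected server name against the presented certificate, not visible here — will either still cast to `const char*` and compare against the raw bytes of an SBuf, or has been changed in a separate commit; this hunk should say which. More serious, the `else SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host)` fallback is now compiled out under `#if WHEN_PEER_HOST_IS_SBUF`, so a cache_peer without `ssldomain=` gets no expected name installed at all, which weakens (or, if the reader treats a missing value as "nothing to check", disables) peer certificate name verification for the default configuration. Until `peer->host` is an SBuf and all readers are converted, keep the slot's `char*` contract: pass `const_cast<char*>(peer->secure.sslDomain.c_str())` here (the SBuf is owned by the long-lived CachePeer, the same lifetime the old `peer->ssldomain` relied on) and leave the `peer->host` branch compiled in. initializeSsl continues outside the hunk.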
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#include "squid.h"
+
+#define STUB_API "security/libsecurity.la"
+#include "tests/STUB.h"
+
+#include "security/PeerOptions.h"
+Security::ContextPointer Security::PeerOptions::createContext() STUB_RETVAL(NULL)