Initial libsecurity definition
authorAmos Jeffries <squid3@treenet.co.nz>
Mon, 20 Oct 2014 06:20:07 +0000 (23:20 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Mon, 20 Oct 2014 06:20:07 +0000 (23:20 -0700)
* Create libsecurity with namespace Security

* shuffle cache_peer 'ssl' flag into Security::PeerOptions.

* Add a TLS equivalent flag next to it.

configure.ac
src/CachePeer.h
src/FwdState.cc
src/Makefile.am
src/PeerPoolMgr.cc
src/cache_cf.cc
src/security/Makefile.am [new file with mode: 0644]
src/security/PeerOptions.h [new file with mode: 0644]
src/ssl/PeerConnector.cc
src/tunnel.cc

index 51c6f1516bc2c09a4c81fe182d18e68c995e18fb..ef67be05215d8c307955114211c4a89791d918ba 100644 (file)
@@ -3788,6 +3788,7 @@ AC_CONFIG_FILES([
        src/ip/Makefile
        src/log/Makefile
        src/ipc/Makefile
+       src/security/Makefile
        src/ssl/Makefile
        src/mgr/Makefile
        src/parser/Makefile
index 5b7d9105ee5a08d749a328b9380a6c8729ec331b..12033dc23fad92af9747f5457a6ea9766c053f9b 100644 (file)
@@ -15,6 +15,9 @@
 #include "icp_opcode.h"
 #include "ip/Address.h"
 
+// XXX: make this security/forward.h instead
+#include "security/PeerOptions.h"
+
 //TODO: remove, it is unconditionally defined and always used.
 #define PEER_MULTICAST_SIBLINGS 1
 
@@ -176,9 +179,11 @@ public:
         bool waitingForClose; ///< a conn must close before we open a standby conn
     } standby; ///< optional "cache_peer standby=limit" feature
     char *domain;       /* Forced domain */
-#if USE_OPENSSL
 
-    int use_ssl;
+    /// security settings for peer connection
+    Security::PeerOptions secure;
+
+#if USE_OPENSSL
     char *sslcert;
     char *sslkey;
     int sslversion;
index fbca17f96884e0ce220a21ac76aa0741f9ede60c..7f54fee0fe16876c08b6805120bea55d58a89026 100644 (file)
@@ -683,7 +683,7 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in
 
 #if USE_OPENSSL
     if (!request->flags.pinned) {
-        if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
+        if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.ssl) ||
                 (!serverConnection()->getPeer() && request->url.getScheme() == AnyP::PROTO_HTTPS) ||
                 request->flags.sslPeek) {
 
index b0330acd93e1a7c67abad1533601b75dc67922a8..ab124bd4c1b1d68bd341d6974d8eaff7c1610837 100644 (file)
@@ -58,16 +58,15 @@ check_PROGRAMS+= tests/testACLMaxUserIP
 endif
 DIST_SUBDIRS += auth
 
-SUBDIRS        += http ip icmp ident log ipc mgr
-DIST_SUBDIRS += http ip icmp ident log ipc mgr
+SUBDIRS        += http ip icmp ident log ipc mgr security
+DIST_SUBDIRS += http ip icmp ident log ipc mgr security
 
+SSL_LIBS=
 if ENABLE_SSL
 SUBDIRS += ssl
-SSL_LIBS = \
+SSL_LIBS += \
        ssl/libsslsquid.la \
        ssl/libsslutil.la
-else
-SSL_LOCAL_LIBS =
 endif
 DIST_SUBDIRS += ssl
 
index e64cd1a7e7445887794ec0f584115bf7c8ffae41..a188960ba29b86c6df59ab7e595282eda1dab2a5 100644 (file)
@@ -113,7 +113,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams &params)
 
 #if USE_OPENSSL
     // Handle SSL peers.
-    if (peer->use_ssl) {
+    if (peer->secure.ssl) {
         typedef CommCbMemFunT<PeerPoolMgr, CommCloseCbParams> CloserDialer;
         closer = JobCallback(48, 3, CloserDialer, this,
                              PeerPoolMgr::handleSecureClosure);
index 52f3fb98282afb52b019461d24c09f0fdddf590c..1d47e53b9a166b7ac367ed20ab0064a3a438b3c1 100644 (file)
@@ -884,7 +884,7 @@ configDoConfigure(void)
     Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile);
 
     for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
-        if (p->use_ssl) {
+        if (p->secure.ssl) {
             debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context");
             p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath, p->sslcrlfile);
         }
@@ -2240,11 +2240,13 @@ parse_peer(CachePeer ** head)
             if (token[13])
                 p->domain = xstrdup(token + 13);
 
-#if USE_OPENSSL
+        } else if (strncmp(token, "ssl", 3) == 0) {
+#if !USE_OPENSSL
+            debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl");
+#else
+            p->secure.ssl = true;
 
-        } else if (strcmp(token, "ssl") == 0) {
-            p->use_ssl = 1;
-        } else if (strncmp(token, "sslcert=", 8) == 0) {
+        if (strncmp(token, "sslcert=", 8) == 0) {
             safe_free(p->sslcert);
             p->sslcert = xstrdup(token + 8);
         } else if (strncmp(token, "sslkey=", 7) == 0) {
@@ -2262,8 +2264,8 @@ parse_peer(CachePeer ** head)
             safe_free(p->sslcafile);
             p->sslcafile = xstrdup(token + 10);
         } else if (strncmp(token, "sslcapath=", 10) == 0) {
-            safe_free(p->sslcapath);
-            p->sslcapath = xstrdup(token + 10);
+            safe_free(p->sslcafile);
+            p->sslcafile = xstrdup(token + 10);
         } else if (strncmp(token, "sslcrlfile=", 11) == 0) {
             safe_free(p->sslcrlfile);
             p->sslcrlfile = xstrdup(token + 11);
@@ -2273,6 +2275,14 @@ parse_peer(CachePeer ** head)
         } else if (strncmp(token, "ssldomain=", 10) == 0) {
             safe_free(p->ssldomain);
             p->ssldomain = xstrdup(token + 10);
+        }
+#endif
+
+        } else if (strncmp(token, "tls", 3) == 0) {
+#if !USE_GNUTLS && !USE_OPENSSL
+            debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-gnutls or --with-openssl");
+#else
+            p->secure.tls = true;
 #endif
 
         } else if (strcmp(token, "front-end-https") == 0) {
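Review bot: The `sslcapath=` branch now stores into the wrong field: the new lines read `safe_free(p->sslcafile); p->sslcafile = xstrdup(token + 10);`, so a configured CA directory is lost and silently overwrites any `sslcafile=` value, which breaks peer certificate verification for that cache_peer; restore `safe_free(p->sslcapath); p->sslcapath = xstrdup(token + 10);`. Separately, in the earlier hunk the outer test changed from `strcmp(token, "ssl") == 0` to `strncmp(token, "ssl", 3) == 0`, so any token beginning with `ssl` that matches none of the inner `else if` branches (a misspelled option, for example) is now accepted without error and still sets `p->secure.ssl = true`; the `tls` prefix test has the same property. On builds without OpenSSL the `ssl` option now only logs a DBG_CRITICAL warning and the peer is configured anyway, whereas before the token reached the outer chain's fallback, which lies outside these hunks; confirm that fallback rejected unknown options before accepting this as a deliberate change from reject to warn-and-continue. parse_peer begins and ends outside the hunks.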
diff --git a/src/security/Makefile.am b/src/security/Makefile.am
new file mode 100644 (file)
index 0000000..6ed2aa7
--- /dev/null
@@ -0,0 +1,7 @@
+include $(top_srcdir)/src/Common.am
+include $(top_srcdir)/src/TestHeaders.am
+
+noinst_LTLIBRARIES = libsecurity.la
+
+libsecurity_la_SOURCES= \
+       PeerOptions.h
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
new file mode 100644 (file)
index 0000000..25a67d8
--- /dev/null
@@ -0,0 +1,20 @@
+#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
+#define SQUID_SRC_SECURITY_PEEROPTIONS_H
+
+#include "SBuf.h"
+
+namespace Security
+{
+
+class PeerOptions
+{
+public:
+    PeerOptions() : tls(false), ssl(false) {}
+
+    bool tls;   ///< whether TLS is to be used on this connection
+    bool ssl;   ///< whether SSL is to be used on this connection
+};
+
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
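Review bot: `#include "SBuf.h"` is unused — nothing in this header names SBuf — and because CachePeer.h now includes this file it is pulled into every translation unit that includes CachePeer.h; drop it, or replace it with the forward header the XXX comment in CachePeer.h anticipates once that exists. Also, `tls` is set by the new `cache_peer ... tls` parsing branch, but within this commit every consumer (FwdState, PeerPoolMgr, Ssl::PeerConnector, TunnelStateData and configDoConfigure) tests only `secure.ssl`, so a peer configured with `tls` alone gets no secure connection and no diagnostic; either document that on the member, e.g. `bool tls;   ///< whether TLS is to be used on this connection (parsed, not yet acted on by any connector)`, or have the consumers test both flags. Whether any code outside this commit reads `tls` I cannot tell from here.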
index 1ca6f853ec3db6a6629e79f3bc97f207808fa1d5..7ddae4e21712230ad93f95ec7f3c15fc3e2a914c 100644 (file)
@@ -111,7 +111,7 @@ Ssl::PeerConnector::initializeSsl()
     const int fd = serverConnection()->fd;
 
     if (peer) {
-        assert(peer->use_ssl);
+        assert(peer->secure.ssl);
         sslContext = peer->sslContext;
     } else {
         sslContext = ::Config.ssl_client.sslContext;
index a9651e11ec3536983ad9f20f426b1abbe486a18b..fd74e3fb9653dff3e2ea4441fa50765b5756f34a 100644 (file)
@@ -952,7 +952,7 @@ TunnelStateData::connectToPeer()
 
 #if USE_OPENSSL
     if (CachePeer *p = srv->getPeer()) {
-        if (p->use_ssl) {
+        if (p->secure.ssl) {
             AsyncCall::Pointer callback = asyncCall(5,4,
                                                     "TunnelStateData::ConnectedToPeer",
                                                     MyAnswerDialer(&TunnelStateData::connectedToPeer, this));