From: Amos Jeffries Date: Mon, 20 Oct 2014 06:20:07 +0000 (-0700) Subject: Initial libsecurity definition X-Git-Tag: merge-candidate-3-v1~242^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdfb670cce2937ceacc26eab95d5e7f9820879a7;p=thirdparty%2Fsquid.git Initial libsecurity definition * Create libsecurity with namespace Security * shuffle cache_peer 'ssl' flag into Security::PeerOptions. * Add a TLS equivalent flag next to it. --- diff --git a/configure.ac b/configure.ac index 51c6f1516b..ef67be0521 100644 --- a/configure.ac +++ b/configure.ac @@ -3788,6 +3788,7 @@ AC_CONFIG_FILES([ src/ip/Makefile src/log/Makefile src/ipc/Makefile + src/security/Makefile src/ssl/Makefile src/mgr/Makefile src/parser/Makefile diff --git a/src/CachePeer.h b/src/CachePeer.h index 5b7d9105ee..12033dc23f 100644 --- a/src/CachePeer.h +++ b/src/CachePeer.h @@ -15,6 +15,9 @@ #include "icp_opcode.h" #include "ip/Address.h" +// XXX: make this security/forward.h instead +#include "security/PeerOptions.h" + //TODO: remove, it is unconditionally defined and always used. #define PEER_MULTICAST_SIBLINGS 1 @@ -176,9 +179,11 @@ public: bool waitingForClose; ///< a conn must close before we open a standby conn } standby; ///< optional "cache_peer standby=limit" feature char *domain; /* Forced domain */ -#if USE_OPENSSL - int use_ssl; + /// security settings for peer connection + Security::PeerOptions secure; + +#if USE_OPENSSL char *sslcert; char *sslkey; int sslversion; diff --git a/src/FwdState.cc b/src/FwdState.cc index fbca17f968..7f54fee0fe 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc 
@@ -683,7 +683,7 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in #if USE_OPENSSL if (!request->flags.pinned) { - if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) || + if ((serverConnection()->getPeer() && serverConnection()->getPeer()->secure.ssl) || (!serverConnection()->getPeer() && request->url.getScheme() == AnyP::PROTO_HTTPS) || request->flags.sslPeek) { diff --git a/src/Makefile.am b/src/Makefile.am index b0330acd93..ab124bd4c1 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -58,16 +58,15 @@ check_PROGRAMS+= tests/testACLMaxUserIP endif DIST_SUBDIRS += auth -SUBDIRS += http ip icmp ident log ipc mgr -DIST_SUBDIRS += http ip icmp ident log ipc mgr +SUBDIRS += http ip icmp ident log ipc mgr security +DIST_SUBDIRS += http ip icmp ident log ipc mgr security +SSL_LIBS= if ENABLE_SSL SUBDIRS += ssl -SSL_LIBS = \ +SSL_LIBS += \ ssl/libsslsquid.la \ ssl/libsslutil.la -else -SSL_LOCAL_LIBS = endif DIST_SUBDIRS += ssl diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc index e64cd1a7e7..a188960ba2 100644 --- a/src/PeerPoolMgr.cc +++ b/src/PeerPoolMgr.cc @@ -113,7 +113,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) #if USE_OPENSSL // Handle SSL peers. - if (peer->use_ssl) { + if (peer->secure.ssl) { typedef CommCbMemFunT CloserDialer; closer = JobCallback(48, 3, CloserDialer, this, PeerPoolMgr::handleSecureClosure); diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 52f3fb9828..1d47e53b9a 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc 
@@ -884,7 +884,7 @@ configDoConfigure(void) Config.ssl_client.sslContext = sslCreateClientContext(Config.ssl_client.cert, Config.ssl_client.key, Config.ssl_client.version, Config.ssl_client.cipher, Config.ssl_client.options, Config.ssl_client.flags, Config.ssl_client.cafile, Config.ssl_client.capath, Config.ssl_client.crlfile); for (CachePeer *p = Config.peers; p != NULL; p = p->next) { - if (p->use_ssl) { + if (p->secure.ssl) { debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " SSL context"); p->sslContext = sslCreateClientContext(p->sslcert, p->sslkey, p->sslversion, p->sslcipher, p->ssloptions, p->sslflags, p->sslcafile, p->sslcapath, p->sslcrlfile); } @@ -2240,11 +2240,13 @@ parse_peer(CachePeer ** head) if (token[13]) p->domain = xstrdup(token + 13); -#if USE_OPENSSL + } else if (strncmp(token, "ssl", 3) == 0) { +#if !USE_OPENSSL + debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl"); +#else + p->secure.ssl = true; - } else if (strcmp(token, "ssl") == 0) { - p->use_ssl = 1; - } else if (strncmp(token, "sslcert=", 8) == 0) { + if (strncmp(token, "sslcert=", 8) == 0) { safe_free(p->sslcert); p->sslcert = xstrdup(token + 8); } else if (strncmp(token, "sslkey=", 7) == 0) { @@ -2262,8 +2264,8 @@ parse_peer(CachePeer ** head) safe_free(p->sslcafile); p->sslcafile = xstrdup(token + 10); } else if (strncmp(token, "sslcapath=", 10) == 0) { - safe_free(p->sslcapath); - p->sslcapath = xstrdup(token + 10); + safe_free(p->sslcafile); + p->sslcafile = xstrdup(token + 10); } else if (strncmp(token, "sslcrlfile=", 11) == 0) { safe_free(p->sslcrlfile); p->sslcrlfile = xstrdup(token + 11); 
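Review bot: The new outer test `strncmp(token, "ssl", 3) == 0` in parse_peer matches every option that merely begins with "ssl", so `p->secure.ssl = true` is now set by `sslcert=`, `sslkey=` and the other sub-options even when the bare `ssl` flag was never given, and a misspelt `sslfoo` is accepted silently instead of reaching whatever the chain's unknown-option branch does (outside the hunk); the `strncmp(token, "tls", 3)` test in the next hunk has the same shape. If enabling encryption implicitly from the sub-options is intended, say so in a comment; otherwise keep `strcmp(token, "ssl") == 0` for the flag itself and let the inner chain end in an error branch. On a build without OpenSSL the `#if !USE_OPENSSL` path logs a WARNING and carries on, so the peer ends up configured without encryption; treating it as a fatal configuration error (the file's `self_destruct()` path, if that is the convention here) would fail closed. parse_peer starts and ends outside the hunk.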
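Review bot: The `sslcapath=` branch now writes `p->sslcafile` instead of `p->sslcapath`, so a configured CA directory is silently dropped and any earlier `sslcafile=` value is overwritten with the directory path — `sslCreateClientContext(..., p->sslcafile, p->sslcapath, ...)` in the file's first hunk then gets a directory where it expects the CA file and nothing for the CA path, and peer certificate verification is set up from the wrong material. The two changed lines should stay `safe_free(p->sslcapath); p->sslcapath = xstrdup(token + 10);` as before; the edit looks unrelated to the commit's stated purpose and is probably a copy-paste slip from the `sslcafile=` branch just above. parse_peer continues outside the hunk.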
@@ -2273,6 +2275,14 @@ parse_peer(CachePeer ** head) } else if (strncmp(token, "ssldomain=", 10) == 0) { safe_free(p->ssldomain); p->ssldomain = xstrdup(token + 10); + } +#endif + + } else if (strncmp(token, "tls", 3) == 0) { +#if !USE_GNUTLS && !USE_OPENSSL + debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-gnutls or --with-openssl"); +#else + p->secure.tls = true; #endif } else if (strcmp(token, "front-end-https") == 0) { diff --git a/src/security/Makefile.am b/src/security/Makefile.am new file mode 100644 index 0000000000..6ed2aa7173 --- /dev/null +++ b/src/security/Makefile.am @@ -0,0 +1,7 @@ +include $(top_srcdir)/src/Common.am +include $(top_srcdir)/src/TestHeaders.am + +noinst_LTLIBRARIES = libsecurity.la + +libsecurity_la_SOURCES= \ + PeerOptions.h diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h new file mode 100644 index 0000000000..25a67d8538 --- /dev/null +++ b/src/security/PeerOptions.h @@ -0,0 +1,20 @@ +#ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H +#define SQUID_SRC_SECURITY_PEEROPTIONS_H + +#include "SBuf.h" + +namespace Security +{ + +class PeerOptions +{ +public: + PeerOptions() : tls(false), ssl(false) {} + + bool tls; ///< whether TLS is to be used on this connection + bool ssl; ///< whether SSL is to be used on this connection +}; + +} // namespace Security + +#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */ diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc index 1ca6f853ec..7ddae4e217 100644 --- a/src/ssl/PeerConnector.cc +++ b/src/ssl/PeerConnector.cc @@ -111,7 +111,7 @@ Ssl::PeerConnector::initializeSsl() const int fd = serverConnection()->fd; if (peer) { - assert(peer->use_ssl); + assert(peer->secure.ssl); sslContext = peer->sslContext; } else { sslContext = ::Config.ssl_client.sslContext; diff --git a/src/tunnel.cc b/src/tunnel.cc index a9651e11ec..fd74e3fb96 100644 --- a/src/tunnel.cc +++ b/src/tunnel.cc 
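Review bot: `p->secure.tls = true` is set here, but no other hunk in this commit reads `secure.tls` — FwdState.cc, PeerPoolMgr.cc, ssl/PeerConnector.cc and tunnel.cc all still test `secure.ssl` — so as far as this diff shows a `cache_peer ... tls` line is accepted and the peer connection stays plaintext. Until a connector honours the flag, either log the same kind of WARNING the `#if` branch already uses, or note it in the parser with `// NOTE: tls is parsed but not yet acted on by any peer connector` so an administrator does not assume the link is encrypted. The unsupported-build branch likewise only warns and continues, leaving the peer unencrypted. parse_peer's body continues outside the hunk.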
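Review bot: In the new src/security/PeerOptions.h, `#include "SBuf.h"` brings in nothing the header uses — the class holds only two bools — and can be dropped, which also keeps the header as light as the `XXX: make this security/forward.h instead` comment in CachePeer.h anticipates. The `///<` comments on the fields read as guarantees, but within this commit `ssl` is only consulted under `USE_OPENSSL` and `tls` is never consulted at all; wording them as requests, e.g. `bool tls; ///< TLS requested for this peer via cache_peer (not yet honoured by any connector)`, would match what the code currently does. Consider `PeerOptions() : tls(false), ssl(false) {}` → in-class initialisers `bool tls = false;` only if the file's C++ dialect allows it, which this hunk does not show.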
@@ -952,7 +952,7 @@ TunnelStateData::connectToPeer() #if USE_OPENSSL if (CachePeer *p = srv->getPeer()) { - if (p->use_ssl) { + if (p->secure.ssl) { AsyncCall::Pointer callback = asyncCall(5,4, "TunnelStateData::ConnectedToPeer", MyAnswerDialer(&TunnelStateData::connectedToPeer, this));