/*
* Copyright (C) 1996-2026 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
*/
#ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
#define SQUID_SRC_SECURITY_SERVEROPTIONS_H
#include "anyp/forward.h"
#include "security/PeerOptions.h"
#if USE_OPENSSL
#include "compat/openssl.h"
#endif
namespace Security
{
/// TLS squid.conf settings for a listening port.
/// Extends PeerOptions with the server-side state: the static accept
/// context, the client-CA material used to verify client certificates,
/// DH/ECDH key-exchange parameters and the signing CAs used for dynamically
/// generated host certificates.
class ServerOptions : public PeerOptions
{
public:
#if USE_OPENSSL
    // Deleter functor type for a STACK_OF(X509_NAME), generated by the
    // sk_dtor_wrapper macro (presumably from compat/openssl.h, included
    // above); it is expected to release the stack and its X509_NAME entries.
    sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
    /// owning pointer to an OpenSSL X509_NAME stack (see clientCaStack)
    typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
#endif

    ServerOptions() : PeerOptions() {
        // Bug 4005: dynamic contexts use a lot of memory and it
        // is more secure to have only a small set of trusted CA.
        // So, unlike the inherited default, the default-CA flag is
        // off for listening ports unless squid.conf enables it.
        flags.tlsDefaultCa.defaultTo(false);
    }

    /// copies via the out-of-line operator=, after applying the
    /// ServerOptions() defaults above
    ServerOptions(const ServerOptions &o): ServerOptions() { *this = o; }
    /// deep copy; defined out of line (it must handle the unique_ptr
    /// member clientCaStack, which is not copyable by default)
    ServerOptions &operator =(const ServerOptions &);
    // NOTE(review): inside the body `o` is an lvalue, so both move operations
    // resolve to the copy assignment above: a "move" costs a full copy and
    // leaves the source intact (presumably deliberate, see clientCaStack).
    // Also unlike the copy constructor this one does not delegate to
    // ServerOptions(), so the tlsDefaultCa default set there is only
    // reproduced if operator= copies that flag from `o` -- confirm.
    ServerOptions(ServerOptions &&o) { this->operator =(o); }
    ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }

    ~ServerOptions() override = default;

    /* Security::PeerOptions API */
    /// parse one squid.conf port option token (defined out of line)
    void parse(const char *) override;
    /// reset to the defaults of a freshly constructed ServerOptions
    /// (goes through the move-assignment, hence the copy assignment, above)
    void clear() override {*this = ServerOptions();}
    Security::ContextPointer createBlankContext() const override;
    /// write these settings back in squid.conf syntax, each prefixed by pfx
    void dumpCfg(std::ostream &, const char *pfx) const override;

    /// initialize all server contexts as-needed and load PEM files.
    /// if none can be created this may do nothing.
    void initServerContexts(AnyP::PortCfg &);

    /// update the given TLS security context using squid.conf settings
    /// \returns whether the update succeeded (exact failure cases are
    ///          defined out of line)
    bool updateContextConfig(Security::ContextPointer &);

    /// update the context with DH, EDH, EECDH settings
    void updateContextEecdh(Security::ContextPointer &);

    /// update the context with CA details used to verify client certificates
    void updateContextClientCa(Security::ContextPointer &);

    /// update the context with a configured session ID (if any)
    void updateContextSessionId(Security::ContextPointer &);

    /// sync the various sources of CA files to be loaded
    void syncCaFiles();

public:
    /// TLS context to use for HTTPS accelerator or static SSL-Bump
    Security::ContextPointer staticContext;
    SBuf staticContextSessionId; ///< "session id context" for staticContext

#if USE_OPENSSL
    bool generateHostCertificates = true; ///< dynamically make host cert
#elif HAVE_LIBGNUTLS
    // TODO: GnuTLS does implement TLS server connections so the cert
    // generate vs static choice can be reached in the code now.
    // But this feature is not fully implemented/working, so it must not
    // be enabled by default for production installations.
    bool generateHostCertificates = false; ///< dynamically make host cert
#else
    // same as OpenSSL so config errors show up easily
    // (without a TLS library the option cannot actually work; keeping the
    // OpenSSL default makes a misconfigured build fail visibly)
    bool generateHostCertificates = true; ///< dynamically make host cert
#endif

    Security::KeyData signingCa; ///< x509 certificate and key for signing generated certificates
    Security::KeyData untrustedSigningCa; ///< x509 certificate and key for signing untrusted generated certificates

    /// max size of generated certificates memory cache (4 MB default)
    size_t dynamicCertMemCacheSize = 4*1024*1024;

private:
    /// load clientCaFile into clientCaStack; \returns true on success
    /// (defined out of line)
    bool loadClientCaFile();
    /// load dhParamsFile into parsedDhParams (defined out of line)
    void loadDhParams();

    /// generate a security server-context from these configured options
    /// the resulting context is stored in staticContext
    /// \returns true if a context could be created
    bool createStaticServerContext(AnyP::PortCfg &);

    /// initialize contexts for signing dynamic TLS certificates (if needed)
    /// the resulting keys are stored in signingCa and untrustedSigningCa
    void createSigningContexts(const AnyP::PortCfg &);

private:
    SBuf clientCaFile; ///< name of file to load client CAs from
#if USE_OPENSSL
    /// CA certificate(s) to use when verifying client certificates
    X509_NAME_STACK_Pointer clientCaStack;
#else
    /// placeholder keeping the class layout uniform when OpenSSL is absent;
    /// never points to anything
    void *clientCaStack = nullptr;
#endif

    SBuf dh; ///< Diffie-Hellman key-exchange configuration from squid.conf
    SBuf dhParamsFile; ///< Diffie-Hellman parameters file
    SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges
    Security::DhePointer parsedDhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
};
} // namespace Security
#endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */