ServerOptions.h

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
#ifndef SQUID_SRC_SECURITY_SERVEROPTIONS_H
#define SQUID_SRC_SECURITY_SERVEROPTIONS_H
 
#include "anyp/forward.h"
#include "security/PeerOptions.h"
#if USE_OPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
#endif
#endif
 
namespace Security
{
 
class ServerOptions : public PeerOptions
{
public:
#if USE_OPENSSL
    sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
    typedef std::unique_ptr<STACK_OF(X509_NAME), Security::ServerOptions::sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
#endif
 
    ServerOptions() : PeerOptions() {
        // Bug 4005: dynamic contexts use a lot of memory and it
        // is more secure to have only a small set of trusted CA.
        flags.tlsDefaultCa.defaultTo(false);
    }
    ServerOptions(const ServerOptions &o): ServerOptions() { *this = o; }
    ServerOptions &operator =(const ServerOptions &);
    ServerOptions(ServerOptions &&o) { this->operator =(o); }
    ServerOptions &operator =(ServerOptions &&o) { this->operator =(o); return *this; }
    ~ServerOptions() override = default;
 
    /* Security::PeerOptions API */
    void parse(const char *) override;
    void clear() override {*this = ServerOptions();}
    Security::ContextPointer createBlankContext() const override;
    void dumpCfg(std::ostream &, const char *pfx) const override;
 
    void initServerContexts(AnyP::PortCfg &);
 
    bool updateContextConfig(Security::ContextPointer &);
 
    void updateContextEecdh(Security::ContextPointer &);
 
    void updateContextClientCa(Security::ContextPointer &);
 
    void updateContextSessionId(Security::ContextPointer &);
 
    void syncCaFiles();
 
public:
    Security::ContextPointer staticContext;
    SBuf staticContextSessionId; 
 
#if USE_OPENSSL
    bool generateHostCertificates = true; 
#elif HAVE_LIBGNUTLS
    // TODO: GnuTLS does implement TLS server connections so the cert
    // generate vs static choice can be reached in the code now.
    // But this feature is not fully working implemented so must not
    // be enabled by default for production installations.
    bool generateHostCertificates = false; 
#else
    // same as OpenSSL so config errors show up easily
    bool generateHostCertificates = true; 
#endif
 
    Security::KeyData signingCa; 
    Security::KeyData untrustedSigningCa; 
 
    size_t dynamicCertMemCacheSize = 4*1024*1024;
 
private:
    bool loadClientCaFile();
    void loadDhParams();
 
    bool createStaticServerContext(AnyP::PortCfg &);
 
    void createSigningContexts(const AnyP::PortCfg &);
 
private:
    SBuf clientCaFile;  
#if USE_OPENSSL
    X509_NAME_STACK_Pointer clientCaStack;
#else
    void *clientCaStack = nullptr;
#endif
 
    SBuf dh;            
    SBuf dhParamsFile;  
    SBuf eecdhCurve;    
 
    Security::DhePointer parsedDhParams; 
};
 
} // namespace Security
 
#endif /* SQUID_SRC_SECURITY_SERVEROPTIONS_H */