X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=project.h;h=39fd39ec6d885009bd7bb040b053690b410fb36b;hp=78d53ce3dca5a2e6cb4dfe9e152cc362c948e4ca;hb=960ae61d1bce3289d3a79290a3d0c583620c2414;hpb=9fd58c0d3a56323ce94837f217e6609e9c7b2402 diff --git a/project.h b/project.h index 78d53ce3..39fd39ec 100644 --- a/project.h +++ b/project.h @@ -9,7 +9,7 @@ * (though it does declare some macros). * * Copyright : Written by and Copyright (C) 2001-2014 the - * Privoxy team. http://www.privoxy.org/ + * Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -44,6 +44,37 @@ /* Needed for pcre choice */ #include "config.h" +#ifdef FEATURE_HTTPS_INSPECTION +/* +* Macros for SSL structures +*/ +#define CERT_INFO_BUF_SIZE 4096 +#define CERT_FILE_BUF_SIZE 16384 +#define ISSUER_NAME_BUF_SIZE 2048 +#define HASH_OF_HOST_BUF_SIZE 16 +#endif /* FEATURE_HTTPS_INSPECTION */ + +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +#include "mbedtls/net_sockets.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" + +#if defined(MBEDTLS_SSL_CACHE_C) +#include "mbedtls/ssl_cache.h" +#endif +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ + +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#ifdef _WIN32 +#include +#undef X509_NAME +#undef X509_EXTENSIONS +#endif +#include +#include +#include +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ + /* Need for struct sockaddr_storage */ #ifdef HAVE_RFC2553 # ifndef _WIN32 @@ -147,7 +178,7 @@ typedef enum privoxy_err jb_err; /** * This macro is used to free a pointer that may be NULL. * It also sets the variable to NULL after it's been freed. - * The paramater should be a simple variable without side effects. + * The parameter should be a simple variable without side effects. */ #define freez(X) { if(X) { free((void*)X); X = NULL ; } } @@ -248,7 +279,7 @@ struct map_entry /** * A map from a string to another string. - * This is used for the paramaters passed in a HTTP GET request, and + * This is used for the parameters passed in a HTTP GET request, and * to store the exports when the CGI interface is filling in a template. */ struct map @@ -259,7 +290,34 @@ struct map struct map_entry *last; }; - +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_net_context socket_fd; + mbedtls_x509_crt server_cert; + mbedtls_x509_crt ca_cert; + mbedtls_pk_context prim_key; + int *ciphersuites_list; + + #if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_context cache; + #endif +} mbedtls_connection_attr; +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ + +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + SSL_CTX *ctx; + BIO *bio; +} openssl_connection_attr; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ /** * A HTTP request. This includes the method (GET, POST) and * the parsed URL. @@ -274,7 +332,7 @@ struct http_request char *ocmd; /**< Backup of original cmd for CLF logging */ char *gpc; /**< HTTP method: GET, POST, ... */ char *url; /**< The URL */ - char *ver; /**< Protocol version */ + char *version; /**< Protocol version */ int status; /**< HTTP Status */ char *host; /**< Host part of URL */ @@ -286,13 +344,30 @@ struct http_request char *host_ip_addr_str; /**< String with dotted decimal representation of host's IP. NULL before connect_to() */ -#ifndef FEATURE_EXTENDED_HOST_PATTERNS char *dbuffer; /**< Buffer with '\0'-delimited domain name. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ int dcount; /**< How many parts to this domain? (length of dvec) */ -#endif /* ndef FEATURE_EXTENDED_HOST_PATTERNS */ + +#ifdef FEATURE_HTTPS_INSPECTION + int client_ssl; /**< Flag if we should communicate with client over ssl */ + int server_ssl; /**< Flag if we should communicate with server over ssl */ + unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */ + unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */ +#endif }; + +#ifdef FEATURE_HTTPS_INSPECTION +/* + * Struct for linked list containing certificates + */ +typedef struct certs_chain { + char info_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ + char file_buf[CERT_FILE_BUF_SIZE]; /* buffer for whole certificate - format to save in file */ + struct certs_chain *next; /* next certificate in chain of trust */ +} certs_chain_t; +#endif + /** * Reasons for generating a http_response instead of delivering * the requested resource. Mostly ordered the way they are checked @@ -332,14 +407,14 @@ struct http_response struct url_spec { -#ifdef FEATURE_EXTENDED_HOST_PATTERNS +#ifdef FEATURE_PCRE_HOST_PATTERNS regex_t *host_regex;/**< Regex for host matching */ -#else + enum host_regex_type { VANILLA_HOST_PATTERN, PCRE_HOST_PATTERN } host_regex_type; +#endif /* defined FEATURE_PCRE_HOST_PATTERNS */ char *dbuffer; /**< Buffer with '\0'-delimited domain name, or NULL to match all hosts. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ int dcount; /**< How many parts to this domain? (length of dvec) */ int unanchored; /**< Bitmap - flags are ANCHOR_LEFT and ANCHOR_RIGHT. */ -#endif /* defined FEATURE_EXTENDED_HOST_PATTERNS */ char *port_list; /**< List of acceptable ports, or NULL to match all ports */ @@ -409,13 +484,6 @@ struct iob }; -/** - * Return the number of bytes in the I/O buffer associated with the passed - * I/O buffer. May be zero. - */ -#define IOB_PEEK(IOB) ((IOB->cur > IOB->eod) ? (IOB->eod - IOB->cur) : 0) - - /* Bits for csp->content_type bitmask: */ #define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */ #define CT_GIF 0x0002U /**< Suitable for GIF filtering. */ @@ -427,13 +495,14 @@ struct iob */ #define CT_GZIP 0x0010U /**< gzip-compressed data. */ #define CT_DEFLATE 0x0020U /**< zlib-compressed data. */ +#define CT_BROTLI 0x0040U /**< Brotli-compressed data. */ /** * Flag to signal that the server declared the content type, * so we can differentiate between unknown and undeclared * content types. */ -#define CT_DECLARED 0x0040U +#define CT_DECLARED 0x0080U /** * The mask which includes all actions. @@ -503,7 +572,10 @@ struct iob #define ACTION_LIMIT_COOKIE_LIFETIME 0x08000000UL /** Action bitmap: Delay writes */ #define ACTION_DELAY_RESPONSE 0x10000000UL - +/** Action bitmap: Turn https inspection on */ +#define ACTION_HTTPS_INSPECTION 0x20000000UL +/** Action bitmap: Turn certificates verification off */ +#define ACTION_IGNORE_CERTIFICATE_ERRORS 0x40000000UL /** Action string index: How to deanimate GIFs */ #define ACTION_STRING_DEANIMATE 0 @@ -567,8 +639,12 @@ struct iob #define ACTION_MULTI_SERVER_HEADER_TAGGER 5 /** Number of multi-string actions. */ #define ACTION_MULTI_EXTERNAL_FILTER 6 +/** Index into current_action_spec::multi[] for tags to suppress. */ +#define ACTION_MULTI_SUPPRESS_TAG 7 +/** Index into current_action_spec::multi[] for client body filters to apply. */ +#define ACTION_MULTI_CLIENT_BODY_FILTER 8 /** Number of multi-string actions. */ -#define ACTION_MULTI_COUNT 7 +#define ACTION_MULTI_COUNT 9 /** @@ -583,7 +659,7 @@ struct current_action_spec unsigned long flags; /** - * Paramaters for those actions that require them. + * Parameters for those actions that require them. * Each entry is valid if & only if the corresponding entry in "flags" is * set. */ @@ -690,6 +766,9 @@ struct reusable_connection enum forwarder_type forwarder_type; char *gateway_host; int gateway_port; + char *auth_username; + char *auth_password; + char *forward_host; int forward_port; }; @@ -855,7 +934,7 @@ struct reusable_connection #define CSP_FLAG_UNSUPPORTED_CLIENT_EXPECTATION 0x02000000U /** - * Flag for csp->flags: Set if we answered the request ourselve. + * Flag for csp->flags: Set if we answered the request ourselves. */ #define CSP_FLAG_CRUNCHED 0x04000000U @@ -886,7 +965,7 @@ struct reusable_connection * Maximum number of actions/filter files. This limit is arbitrary - it's just used * to size an array. */ -#define MAX_AF_FILES 30 +#define MAX_AF_FILES 100 /** * Maximum number of sockets to listen to. This limit is arbitrary - it's just used @@ -894,6 +973,14 @@ struct reusable_connection */ #define MAX_LISTENING_SOCKETS 10 +struct ssl_attr { +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS + mbedtls_connection_attr mbedtls_attr; /* Mbed TLS attrs*/ +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL + openssl_connection_attr openssl_attr; /* OpenSSL atrrs */ +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ +}; /** * The state of a Privoxy processing thread. */ @@ -948,6 +1035,9 @@ struct client_state /* XXX: should be renamed to server_iob */ struct iob iob[1]; + struct ssl_attr ssl_server_attr; /* attributes for connection to server */ + struct ssl_attr ssl_client_attr; /* attributes for connection to client */ + /** An I/O buffer used for buffering data read from the client */ struct iob client_iob[1]; @@ -960,6 +1050,11 @@ struct client_state /** List of all headers for this request */ struct list headers[1]; +#ifdef FEATURE_HTTPS_INSPECTION + /** List of all encrypted headers for this request */ + struct list https_headers[1]; +#endif + /** List of all tags that apply to this request */ struct list tags[1]; @@ -1010,6 +1105,44 @@ struct client_state * or NULL. Currently only used for socks errors. */ char *error_message; + +#ifdef FEATURE_HTTPS_INSPECTION + /* Result of server certificate verification + * + * Values for flag determining certificate validity + * are compatible with return value of function + * mbedtls_ssl_get_verify_result() for mbedtls + * and SSL_get_verify_result() for openssl. + * There are no values for "invalid certificate", they are + * set by the functions mentioned above. + */ +#define SSL_CERT_VALID 0 +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +#define SSL_CERT_NOT_VERIFIED 0xFFFFFFFF + uint32_t server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#define SSL_CERT_NOT_VERIFIED ~0L + long server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ + + /* Flag for certificate validity checking */ + int dont_verify_certificate; + + /* + * Flags if SSL connection with server or client is opened. + * Thanks to this flags, we can call function to close both connections + * and we don't have to care about more details. + */ + int ssl_with_server_is_opened; + int ssl_with_client_is_opened; + + /* + * Server certificate chain of trust including strings with certificates + * information and string with whole certificate file + */ + struct certs_chain server_certs_chain; +#endif }; /** @@ -1136,6 +1269,12 @@ struct forward_spec /** SOCKS server port. */ int gateway_port; + /** SOCKS5 username. */ + char *auth_username; + + /** SOCKS5 password. */ + char *auth_password; + /** Parent HTTP proxy hostname, or NULL for none. */ char *forward_host; @@ -1155,16 +1294,18 @@ enum filter_type FT_SERVER_HEADER_FILTER = 2, FT_CLIENT_HEADER_TAGGER = 3, FT_SERVER_HEADER_TAGGER = 4, + FT_SUPPRESS_TAG = 5, + FT_CLIENT_BODY_FILTER = 6, #ifdef FEATURE_EXTERNAL_FILTERS - FT_EXTERNAL_CONTENT_FILTER = 5, + FT_EXTERNAL_CONTENT_FILTER = 7, #endif FT_INVALID_FILTER = 42, }; #ifdef FEATURE_EXTERNAL_FILTERS -#define MAX_FILTER_TYPES 6 +#define MAX_FILTER_TYPES 8 #else -#define MAX_FILTER_TYPES 5 +#define MAX_FILTER_TYPES 7 #endif /** @@ -1427,6 +1568,29 @@ struct configuration_spec /** Nonzero if we need to bind() to the new port. */ int need_bind; + +#ifdef FEATURE_HTTPS_INSPECTION + /** Password for proxy ca file **/ + char * ca_password; + + /** Directory with files of ca **/ + char *ca_directory; + + /** Filename of ca certificate **/ + char * ca_cert_file; + + /** Filename of ca key **/ + char * ca_key_file; + + /** Directory for saving certificates and keys for each webpage **/ + char *certificate_directory; + + /** Cipher list to use **/ + char *cipher_list; + + /** Filename of trusted CAs certificates **/ + char * trusted_cas_file; +#endif }; /** Calculates the number of elements in an array, using sizeof. */ @@ -1477,7 +1641,13 @@ struct configuration_spec * The prefix for CGI pages. Written out in generated HTML. * INCLUDES the trailing slash. */ +#ifdef FEATURE_HTTPS_INSPECTION +#define CGI_PREFIX "//" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#define CGI_PREFIX_HTTPS "https:" CGI_PREFIX +#else #define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#endif +#define CGI_PREFIX_HTTP "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" #endif /* ndef PROJECT_H_INCLUDED */