X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=project.h;h=e5b034bf7a2c80bb885892a6057481c08a953324;hp=7135760042e32caf5b1a7ec32f1e45c4dd655e64;hb=bce0c44ff68888e53be6e0f986cb46c39ce8e3a5;hpb=e693e665a5012fba131bf207821e31164f27d72b diff --git a/project.h b/project.h index 71357600..e5b034bf 100644 --- a/project.h +++ b/project.h @@ -1,7 +1,5 @@ #ifndef PROJECT_H_INCLUDED #define PROJECT_H_INCLUDED -/** Version string. */ -#define PROJECT_H_VERSION "$Id: project.h,v 1.140 2009/06/08 16:47:07 fabiankeil Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/project.h,v $ @@ -10,8 +8,8 @@ * project. Does not define any variables or functions * (though it does declare some macros). * - * Copyright : Written by and Copyright (C) 2001-2009 the - * Privoxy team. http://www.privoxy.org/ + * Copyright : Written by and Copyright (C) 2001-2014 the + * Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -46,9 +44,44 @@ /* Needed for pcre choice */ #include "config.h" -#ifdef HAVE_RFC2553 +#ifdef FEATURE_HTTPS_INSPECTION +#ifdef FEATURE_PTHREAD +# include + typedef pthread_mutex_t privoxy_mutex_t; +#else +# ifdef _WIN32 +# include +# endif + typedef CRITICAL_SECTION privoxy_mutex_t; +#endif + +#include "mbedtls/net_sockets.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" + +#if defined(MBEDTLS_SSL_CACHE_C) +#include "mbedtls/ssl_cache.h" +#endif + +/* +* Macros for SSL structures +*/ +#define CERT_INFO_BUF_SIZE 4096 +#define CERT_FILE_BUF_SIZE 16384 +#define ISSUER_NAME_BUF_SIZE 2048 +#define HASH_OF_HOST_BUF_SIZE 16 +#endif + /* Need for struct sockaddr_storage */ -#include +#ifdef HAVE_RFC2553 +# ifndef _WIN32 +# include +# include +# else +# include +# include + typedef unsigned short in_port_t; +# endif #endif @@ -84,10 +117,6 @@ # endif #endif -#ifdef AMIGA -#include "amiga.h" -#endif /* def AMIGA */ - #ifdef _WIN32 /* * I don't want to have to #include all this just for the declaration @@ -100,10 +129,6 @@ #endif -#ifdef __cplusplus -extern "C" { -#endif - #ifdef _WIN32 typedef SOCKET jb_socket; @@ -133,16 +158,19 @@ typedef int jb_socket; * A standard error code. This should be JB_ERR_OK or one of the JB_ERR_xxx * series of errors. */ -typedef int jb_err; +enum privoxy_err +{ + JB_ERR_OK = 0, /**< Success, no error */ + JB_ERR_MEMORY = 1, /**< Out of memory */ + JB_ERR_CGI_PARAMS = 2, /**< Missing or corrupt CGI parameters */ + JB_ERR_FILE = 3, /**< Error opening, reading or writing a file */ + JB_ERR_PARSE = 4, /**< Error parsing file */ + JB_ERR_MODIFIED = 5, /**< File has been modified outside of the + CGI actions editor. */ + JB_ERR_COMPRESS = 6 /**< Error on decompression */ +}; -#define JB_ERR_OK 0 /**< Success, no error */ -#define JB_ERR_MEMORY 1 /**< Out of memory */ -#define JB_ERR_CGI_PARAMS 2 /**< Missing or corrupt CGI parameters */ -#define JB_ERR_FILE 3 /**< Error opening, reading or writing a file */ -#define JB_ERR_PARSE 4 /**< Error parsing file */ -#define JB_ERR_MODIFIED 5 /**< File has been modified outside of the - CGI actions editor. */ -#define JB_ERR_COMPRESS 6 /**< Error on decompression */ +typedef enum privoxy_err jb_err; /** * This macro is used to free a pointer that may be NULL. @@ -153,19 +181,17 @@ typedef int jb_err; /** - * Fix a problem with Solaris. There should be no effect on other - * platforms. - * - * Solaris's isspace() is a macro which uses it's argument directly - * as an array index. Therefore we need to make sure that high-bit - * characters generate +ve values, and ideally we also want to make - * the argument match the declared parameter type of "int". - * + * Macro definitions for platforms where isspace() and friends + * are macros that use their argument directly as an array index + * and thus better be positive. Supposedly that's the case on + * some unspecified Solaris versions. * Note: Remember to #include if you use these macros. */ -#define ijb_toupper(__X) toupper((int)(unsigned char)(__X)) -#define ijb_tolower(__X) tolower((int)(unsigned char)(__X)) -#define ijb_isspace(__X) isspace((int)(unsigned char)(__X)) +#define privoxy_isdigit(__X) isdigit((int)(unsigned char)(__X)) +#define privoxy_isupper(__X) isupper((int)(unsigned char)(__X)) +#define privoxy_toupper(__X) toupper((int)(unsigned char)(__X)) +#define privoxy_tolower(__X) tolower((int)(unsigned char)(__X)) +#define privoxy_isspace(__X) isspace((int)(unsigned char)(__X)) /** * Use for statically allocated buffers if you have no other choice. @@ -183,7 +209,7 @@ typedef int jb_err; * Buffer size for capturing struct hostent data in the * gethostby(name|addr)_r library calls. Since we don't * loop over gethostbyname_r, the buffer must be sufficient - * to accomodate multiple IN A RRs, as used in DNS round robin + * to accommodate multiple IN A RRs, as used in DNS round robin * load balancing. W3C's wwwlib uses 1K, so that should be * good enough for us, too. */ @@ -194,14 +220,6 @@ typedef int jb_err; */ #define HOSTENT_BUFFER_SIZE 2048 -/** - * Do not use. Originally this was so that you can - * say "while (FOREVER) { ...do something... }". - * However, this gives a warning with some compilers (e.g. VC++). - * Instead, use "for (;;) { ...do something... }". - */ -#define FOREVER 1 - /** * Default TCP/IP address to listen on, as a string. * Set to "127.0.0.1:8118". @@ -225,7 +243,7 @@ struct list_entry * your own code. */ char *str; - + /** Next entry in the linked list, or NULL if no more. */ struct list_entry *next; }; @@ -269,6 +287,23 @@ struct map struct map_entry *last; }; +#ifdef FEATURE_HTTPS_INSPECTION +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_net_context socket_fd; + mbedtls_x509_crt server_cert; + mbedtls_x509_crt ca_cert; + mbedtls_pk_context prim_key; + + #if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_context cache; + #endif +} mbedtls_connection_attr; +#endif /** * A HTTP request. This includes the method (GET, POST) and @@ -301,50 +336,66 @@ struct http_request char **dvec; /**< List of pointers to the strings in dbuffer. */ int dcount; /**< How many parts to this domain? (length of dvec) */ #endif /* ndef FEATURE_EXTENDED_HOST_PATTERNS */ + +#ifdef FEATURE_HTTPS_INSPECTION + int client_ssl; /**< Flag if we should comunicate with slient over ssl */ + int server_ssl; /**< Flag if we should comunicate with server over ssl */ + unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */ + unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */ +#endif }; + +#ifdef FEATURE_HTTPS_INSPECTION +/* + * Struct for linked list containing certificates + */ +typedef struct certs_chain { + char text_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ + char file_buf[CERT_FILE_BUF_SIZE]; /* buffer for whole certificate - format to save in file */ + struct certs_chain *next; /* next certificate in chain of trust */ +} certs_chain_t; +#endif + /** * Reasons for generating a http_response instead of delivering * the requested resource. Mostly ordered the way they are checked * for in chat(). */ -#define RSP_REASON_UNSUPPORTED 1 -#define RSP_REASON_BLOCKED 2 -#define RSP_REASON_UNTRUSTED 3 -#define RSP_REASON_REDIRECTED 4 -#define RSP_REASON_CGI_CALL 5 -#define RSP_REASON_NO_SUCH_DOMAIN 6 -#define RSP_REASON_FORWARDING_FAILED 7 -#define RSP_REASON_CONNECT_FAILED 8 -#define RSP_REASON_OUT_OF_MEMORY 9 -#define RSP_REASON_INTERNAL_ERROR 10 -#define RSP_REASON_CONNECTION_TIMEOUT 11 +enum crunch_reason +{ + UNSUPPORTED, + BLOCKED, + UNTRUSTED, + REDIRECTED, + CGI_CALL, + NO_SUCH_DOMAIN, + FORWARDING_FAILED, + CONNECT_FAILED, + OUT_OF_MEMORY, + INTERNAL_ERROR, + CONNECTION_TIMEOUT, + NO_SERVER_DATA +}; /** * Response generated by CGI, blocker, or error handler */ struct http_response { - char *status; /**< HTTP status (string). */ - struct list headers[1]; /**< List of header lines. */ - char *head; /**< Formatted http response head. */ - size_t head_length; /**< Length of http response head. */ - char *body; /**< HTTP document body. */ - size_t content_length; /**< Length of body, REQUIRED if binary body. */ - int is_static; /**< Nonzero if the content will never change and - should be cached by the browser (e.g. images). */ - int reason; /**< Why the response was generated in the first place. */ + char *status; /**< HTTP status (string). */ + struct list headers[1]; /**< List of header lines. */ + char *head; /**< Formatted http response head. */ + size_t head_length; /**< Length of http response head. */ + char *body; /**< HTTP document body. */ + size_t content_length; /**< Length of body, REQUIRED if binary body. */ + int is_static; /**< Nonzero if the content will never change and + should be cached by the browser (e.g. images). */ + enum crunch_reason crunch_reason; /**< Why the response was generated in the first place. */ }; -/** - * A URL or a tag pattern. - */ struct url_spec { - /** The string which was parsed to produce this url_spec. - Used for debugging or display only. */ - char *spec; - #ifdef FEATURE_EXTENDED_HOST_PATTERNS regex_t *host_regex;/**< Regex for host matching */ #else @@ -357,17 +408,25 @@ struct url_spec char *port_list; /**< List of acceptable ports, or NULL to match all ports */ regex_t *preg; /**< Regex for matching path part */ - regex_t *tag_regex; /**< Regex for matching tags */ }; /** - * If you declare a static url_spec, this is the value to initialize it to zero. + * A URL or a tag pattern. */ -#ifndef FEATURE_EXTENDED_HOST_PATTERNS -#define URL_SPEC_INITIALIZER { NULL, NULL, NULL, 0, 0, NULL, NULL, NULL } -#else -#define URL_SPEC_INITIALIZER { NULL, NULL, NULL, NULL, NULL } -#endif /* def FEATURE_EXTENDED_HOST_PATTERNS */ +struct pattern_spec +{ + /** The string which was parsed to produce this pattern_spec. + Used for debugging or display only. */ + char *spec; + + union + { + struct url_spec url_spec; + regex_t *tag_regex; + } pattern; + + unsigned int flags; /**< Bitmap with various pattern properties. */ +}; /** * Constant for host part matching in URLs. If set, indicates that the start of @@ -386,6 +445,20 @@ struct url_spec */ #define ANCHOR_RIGHT 2 +/** Pattern spec bitmap: It's an URL pattern. */ +#define PATTERN_SPEC_URL_PATTERN 0x00000001UL + +/** Pattern spec bitmap: It's a TAG pattern. */ +#define PATTERN_SPEC_TAG_PATTERN 0x00000002UL + +/** Pattern spec bitmap: It's a NO-REQUEST-TAG pattern. */ +#define PATTERN_SPEC_NO_REQUEST_TAG_PATTERN 0x00000004UL + +/** Pattern spec bitmap: It's a NO-RESPONSE-TAG pattern. */ +#define PATTERN_SPEC_NO_RESPONSE_TAG_PATTERN 0x00000008UL + +/** Pattern spec bitmap: It's a CLIENT-TAG pattern. */ +#define PATTERN_SPEC_CLIENT_TAG_PATTERN 0x00000010UL /** * An I/O buffer. Holds a string which can be appended to, and can have data @@ -402,17 +475,10 @@ struct iob /** * Return the number of bytes in the I/O buffer associated with the passed - * client_state pointer. - * May be zero. + * I/O buffer. May be zero. */ -#define IOB_PEEK(CSP) ((CSP->iob->cur > CSP->iob->eod) ? (CSP->iob->eod - CSP->iob->cur) : 0) - +#define IOB_PEEK(IOB) ((IOB->cur > IOB->eod) ? (IOB->eod - IOB->cur) : 0) -/** - * Remove any data in the I/O buffer associated with the passed - * client_state pointer. - */ -#define IOB_RESET(CSP) if(CSP->iob->buf) free(CSP->iob->buf); memset(CSP->iob, '\0', sizeof(CSP->iob)); /* Bits for csp->content_type bitmask: */ #define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */ @@ -466,11 +532,11 @@ struct iob /** Action bitmap: Prevent compression. */ #define ACTION_NO_COMPRESSION 0x00000400UL /** Action bitmap: Change cookies to session only cookies. */ -#define ACTION_NO_COOKIE_KEEP 0x00000800UL -/** Action bitmap: Block rending cookies. */ -#define ACTION_NO_COOKIE_READ 0x00001000UL -/** Action bitmap: Block setting cookies. */ -#define ACTION_NO_COOKIE_SET 0x00002000UL +#define ACTION_SESSION_COOKIES_ONLY 0x00000800UL +/** Action bitmap: Block cookies coming from the client. */ +#define ACTION_CRUNCH_OUTGOING_COOKIES 0x00001000UL +/** Action bitmap: Block cookies coming from the server. */ +#define ACTION_CRUNCH_INCOMING_COOKIES 0x00002000UL /** Action bitmap: Override the forward settings in the config file */ #define ACTION_FORWARD_OVERRIDE 0x00004000UL /** Action bitmap: Block as empty document */ @@ -489,15 +555,22 @@ struct iob #define ACTION_CRUNCH_CLIENT_HEADER 0x00200000UL /** Action bitmap: Enable text mode by force */ #define ACTION_FORCE_TEXT_MODE 0x00400000UL -/** Action bitmap: Enable text mode by force */ +/** Action bitmap: Remove the "If-None-Match" header. */ #define ACTION_CRUNCH_IF_NONE_MATCH 0x00800000UL -/** Action bitmap: Enable content-dispostion crunching */ +/** Action bitmap: Enable content-disposition crunching */ #define ACTION_HIDE_CONTENT_DISPOSITION 0x01000000UL /** Action bitmap: Replace or block Last-Modified header */ #define ACTION_OVERWRITE_LAST_MODIFIED 0x02000000UL /** Action bitmap: Replace or block Accept-Language header */ #define ACTION_HIDE_ACCEPT_LANGUAGE 0x04000000UL - +/** Action bitmap: Limit the cookie lifetime */ +#define ACTION_LIMIT_COOKIE_LIFETIME 0x08000000UL +/** Action bitmap: Delay writes */ +#define ACTION_DELAY_RESPONSE 0x10000000UL +/** Action bitmap: Turn https inspection on */ +#define ACTION_HTTPS_INSPECTION 0x20000000UL +/** Action bitmap: Turn certificates verification off */ +#define ACTION_IGNORE_CERTIFICATE_ERRORS 0x40000000UL /** Action string index: How to deanimate GIFs */ #define ACTION_STRING_DEANIMATE 0 @@ -519,7 +592,7 @@ struct iob #define ACTION_STRING_LANGUAGE 8 /** Action string index: Replacement for the "Content-Type:" header*/ #define ACTION_STRING_CONTENT_TYPE 9 -/** Action string index: Replacement for the "content-dispostion:" header*/ +/** Action string index: Replacement for the "content-disposition:" header*/ #define ACTION_STRING_CONTENT_DISPOSITION 10 /** Action string index: Replacement for the "If-Modified-Since:" header*/ #define ACTION_STRING_IF_MODIFIED_SINCE 11 @@ -535,8 +608,12 @@ struct iob #define ACTION_STRING_BLOCK 16 /** Action string index: what to do with the "X-Forwarded-For" header. */ #define ACTION_STRING_CHANGE_X_FORWARDED_FOR 17 +/** Action string index: how many minutes cookies should be valid. */ +#define ACTION_STRING_LIMIT_COOKIE_LIFETIME 18 +/** Action string index: how many milliseconds writes should be delayed. */ +#define ACTION_STRING_DELAY_RESPONSE 19 /** Number of string actions. */ -#define ACTION_STRING_COUNT 18 +#define ACTION_STRING_COUNT 20 /* To make the ugly hack in sed easier to understand */ @@ -556,7 +633,9 @@ struct iob /** Index into current_action_spec::multi[] for server-header tags to apply. */ #define ACTION_MULTI_SERVER_HEADER_TAGGER 5 /** Number of multi-string actions. */ -#define ACTION_MULTI_COUNT 6 +#define ACTION_MULTI_EXTERNAL_FILTER 6 +/** Number of multi-string actions. */ +#define ACTION_MULTI_COUNT 7 /** @@ -593,7 +672,7 @@ struct action_spec unsigned long add; /**< Actions to add. A bit set to "1" means add action. */ /** - * Paramaters for those actions that require them. + * Parameters for those actions that require them. * Each entry is valid if & only if the corresponding entry in "flags" is * set. */ @@ -620,7 +699,7 @@ struct action_spec */ struct url_actions { - struct url_spec url[1]; /**< The URL or tag pattern. */ + struct pattern_spec url[1]; /**< The URL or tag pattern. */ struct action_spec *action; /**< Action settings that might be shared with the list entry before or after the current @@ -629,25 +708,53 @@ struct url_actions struct url_actions *next; /**< Next action section in file, or NULL. */ }; +enum forwarder_type { + /**< Don't use a SOCKS server, forward to a HTTP proxy directly */ + SOCKS_NONE = 0, + /**< original SOCKS 4 protocol */ + SOCKS_4 = 40, + /**< SOCKS 4A, DNS resolution is done by the SOCKS server */ + SOCKS_4A = 41, + /**< SOCKS 5 with hostnames, DNS resolution is done by the SOCKS server */ + SOCKS_5 = 50, + /**< Like SOCKS5, but uses non-standard Tor extensions (currently only optimistic data) */ + SOCKS_5T, + /**< + * Don't use a SOCKS server, forward to the specified webserver. + * The difference to SOCKS_NONE is that a request line without + * full URL is sent. + */ + FORWARD_WEBSERVER, +}; /* - * Structure to make sure we only reuse the server socket - * if the host and forwarding settings are the same. + * Structure to hold the server socket and the information + * required to make sure we only reuse the connection if + * the host and forwarding settings are the same. */ struct reusable_connection { jb_socket sfd; int in_use; - time_t timestamp; + time_t timestamp; /* XXX: rename? */ + + time_t request_sent; + time_t response_received; + /* * Number of seconds after which this * connection will no longer be reused. */ unsigned int keep_alive_timeout; + /* + * Number of requests that were sent to this connection. + * This is currently only for debugging purposes. + */ + unsigned int requests_sent_total; char *host; int port; - int forwarder_type; + enum forwarder_type forwarder_type; char *gateway_host; int gateway_port; char *forward_host; @@ -658,7 +765,7 @@ struct reusable_connection /* * Flags for use in csp->flags */ - + /** * Flag for csp->flags: Set if this client is processing data. * Cleared when the thread associated with this structure dies. @@ -735,7 +842,6 @@ struct reusable_connection */ #define CSP_FLAG_SERVER_CONNECTION_KEEP_ALIVE 0x00001000U -#ifdef FEATURE_CONNECTION_KEEP_ALIVE /** * Flag for csp->flags: Set if the server specified the * content length. @@ -743,7 +849,7 @@ struct reusable_connection #define CSP_FLAG_SERVER_CONTENT_LENGTH_SET 0x00002000U /** - * Flag for csp->flags: Set if we know the content lenght, + * Flag for csp->flags: Set if we know the content length, * either because the server set it, or we figured it out * on our own. */ @@ -754,20 +860,91 @@ struct reusable_connection * the connection alive. */ #define CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE 0x00008000U -#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */ + +/** + * Flag for csp->flags: Set if we think we got the whole + * client request and shouldn't read any additional data + * coming from the client until the current request has + * been dealt with. + */ +#define CSP_FLAG_CLIENT_REQUEST_COMPLETELY_READ 0x00010000U + +/** + * Flag for csp->flags: Set if the server promised us to + * keep the connection open for a known number of seconds. + */ +#define CSP_FLAG_SERVER_KEEP_ALIVE_TIMEOUT_SET 0x00020000U + +/** + * Flag for csp->flags: Set if we think we can't reuse + * the server socket. XXX: It's also set after sabotaging + * pipelining attempts which is somewhat inconsistent with + * the name. + */ +#define CSP_FLAG_SERVER_SOCKET_TAINTED 0x00040000U + +/** + * Flag for csp->flags: Set if the Proxy-Connection header + * is among the server headers. + */ +#define CSP_FLAG_SERVER_PROXY_CONNECTION_HEADER_SET 0x00080000U + +/** + * Flag for csp->flags: Set if the client reused its connection. + */ +#define CSP_FLAG_REUSED_CLIENT_CONNECTION 0x00100000U + +/** + * Flag for csp->flags: Set if the supports deflate compression. + */ +#define CSP_FLAG_CLIENT_SUPPORTS_DEFLATE 0x00200000U + +/** + * Flag for csp->flags: Set if the content has been deflated by Privoxy + */ +#define CSP_FLAG_BUFFERED_CONTENT_DEFLATED 0x00400000U + +/** + * Flag for csp->flags: Set if we already read (parts of) + * a pipelined request in which case the client obviously + * isn't done talking. + */ +#define CSP_FLAG_PIPELINED_REQUEST_WAITING 0x00800000U + +/** + * Flag for csp->flags: Set if the client body is chunk-encoded + */ +#define CSP_FLAG_CHUNKED_CLIENT_BODY 0x01000000U + +/** + * Flag for csp->flags: Set if the client set the Expect header + */ +#define CSP_FLAG_UNSUPPORTED_CLIENT_EXPECTATION 0x02000000U + +/** + * Flag for csp->flags: Set if we answered the request ourselve. + */ +#define CSP_FLAG_CRUNCHED 0x04000000U + +#ifdef FUZZ +/** + * Flag for csp->flags: Set if we are working with fuzzed input + */ +#define CSP_FLAG_FUZZED_INPUT 0x08000000U +#endif /* * Flags for use in return codes of child processes */ /** - * Flag for process return code: Set if exiting porcess has been toggled + * Flag for process return code: Set if exiting process has been toggled * during its lifetime. */ #define RC_FLAG_TOGGLED 0x10 /** - * Flag for process return code: Set if exiting porcess has blocked its + * Flag for process return code: Set if exiting process has blocked its * request. */ #define RC_FLAG_BLOCKED 0x20 @@ -776,7 +953,13 @@ struct reusable_connection * Maximum number of actions/filter files. This limit is arbitrary - it's just used * to size an array. */ -#define MAX_AF_FILES 10 +#define MAX_AF_FILES 100 + +/** + * Maximum number of sockets to listen to. This limit is arbitrary - it's just used + * to size an array. + */ +#define MAX_LISTENING_SOCKETS 10 /** * The state of a Privoxy processing thread. @@ -792,8 +975,8 @@ struct client_state /** socket to talk to client (web browser) */ jb_socket cfd; - /** socket to talk to server (web server or proxy) */ - jb_socket sfd; + /** Number of requests received on the client socket. */ + unsigned int requests_received_total; /** current connection to the server (may go through a proxy) */ struct reusable_connection server_connection; @@ -814,6 +997,10 @@ struct client_state unsigned long ip_addr_long; #endif /* def HAVE_RFC2553 */ + /** The host name and port (as a string of the form ':') + of the server socket to which the client connected. */ + char *listen_addr_str; + /** The URL that was requested */ struct http_request http[1]; @@ -824,15 +1011,46 @@ struct client_state */ struct forward_spec * fwd; - /** An I/O buffer used for buffering data read from the network */ + /** An I/O buffer used for buffering data read from the server */ + /* XXX: should be renamed to server_iob */ struct iob iob[1]; +#ifdef FEATURE_HTTPS_INSPECTION + mbedtls_connection_attr mbedtls_server_attr; /* attributes for connection to server */ + mbedtls_connection_attr mbedtls_client_attr; /* attributes for connection to client */ +#endif + + /** An I/O buffer used for buffering data read from the client */ + struct iob client_iob[1]; + + /** Buffer used to briefly store data read from the network + * before forwarding or processing it. + */ + char *receive_buffer; + size_t receive_buffer_size; + /** List of all headers for this request */ struct list headers[1]; +#ifdef FEATURE_HTTPS_INSPECTION + /** List of all encrypted headers for this request */ + struct list https_headers[1]; +#endif + /** List of all tags that apply to this request */ struct list tags[1]; +#ifdef FEATURE_CLIENT_TAGS + /** List of all tags that apply to this client (assigned based on address) */ + struct list client_tags[1]; + /** The address of the client the request (presumably) came from. + * Either the address returned by accept(), or the address provided + * with the X-Forwarded-For header, provided Privoxy has been configured + * to use it. + */ + char *client_address; +#endif + /** MIME-Type key, see CT_* above */ unsigned int content_type; @@ -845,13 +1063,17 @@ struct client_state /** Length after content modification. */ unsigned long long content_length; -#ifdef FEATURE_CONNECTION_KEEP_ALIVE + /* XXX: is this the right location? */ + /** Expected length of content after which we * should stop reading from the server socket. */ - /* XXX: is this the right location? */ unsigned long long expected_content_length; -#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */ + + /** Expected length of content after which we + * should stop reading from the client socket. + */ + unsigned long long expected_client_content_length; #ifdef FEATURE_TRUST @@ -866,10 +1088,38 @@ struct client_state */ char *error_message; - /** Next thread in linked list. Only read or modify from the main thread! */ - struct client_state *next; +#ifdef FEATURE_HTTPS_INSPECTION + /* Result of server certificate verification */ + uint32_t server_cert_verification_result; + + /* Flag for certificate validity checking */ + int dont_verify_certificate; + + /* + * Flags if SSL connection with server or client is opened. + * Thanks to this flags, we can call function to close both connections + * and we don't have to care about more details. + */ + int ssl_with_server_is_opened; + int ssl_with_client_is_opened; + + /* + * Server certificate chain of trust including strings with certificates + * informations and string with whole certificate file + */ + struct certs_chain server_certs_chain; +#endif }; +/** + * List of client states so the main thread can keep + * track of them and garbage collect their resources. + */ +struct client_states +{ + struct client_states *next; + struct client_state csp; +}; /** * A function to add a header @@ -932,7 +1182,7 @@ struct file_list * Read-only once the structure has been created. */ time_t lastmodified; - + /** * The full filename. */ @@ -956,9 +1206,9 @@ struct file_list */ struct block_spec { - struct url_spec url[1]; /**< The URL pattern */ - int reject; /**< FIXME: Please document this! */ - struct block_spec *next; /**< Next entry in linked list */ + struct pattern_spec url[1]; /**< The URL pattern */ + int reject; /**< FIXME: Please document this! */ + struct block_spec *next; /**< Next entry in linked list */ }; /** @@ -968,23 +1218,16 @@ struct block_spec #endif /* def FEATURE_TRUST */ - -#define SOCKS_NONE 0 /**< Don't use a SOCKS server */ -#define SOCKS_4 40 /**< original SOCKS 4 protocol */ -#define SOCKS_4A 41 /**< as modified for hosts w/o external DNS */ -#define SOCKS_5 50 /**< as modified for hosts w/o external DNS */ - - /** * How to forward a connection to a parent proxy. */ struct forward_spec { /** URL pattern that this forward_spec is for. */ - struct url_spec url[1]; + struct pattern_spec url[1]; /** Connection type. Must be SOCKS_NONE, SOCKS_4, SOCKS_4A or SOCKS_5. */ - int type; + enum forwarder_type type; /** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */ char *gateway_host; @@ -992,6 +1235,12 @@ struct forward_spec /** SOCKS server port. */ int gateway_port; + /** SOCKS5 username. */ + char *auth_username; + + /** SOCKS5 password. */ + char *auth_password; + /** Parent HTTP proxy hostname, or NULL for none. */ char *forward_host; @@ -1003,19 +1252,25 @@ struct forward_spec }; -/** - * Initializer for a static struct forward_spec. - */ -#define FORWARD_SPEC_INITIALIZER { { URL_SPEC_INITIALIZER }, 0, NULL, 0, NULL, 0, NULL } - /* Supported filter types */ -#define FT_CONTENT_FILTER 0 -#define FT_CLIENT_HEADER_FILTER 1 -#define FT_SERVER_HEADER_FILTER 2 -#define FT_CLIENT_HEADER_TAGGER 3 -#define FT_SERVER_HEADER_TAGGER 4 +enum filter_type +{ + FT_CONTENT_FILTER = 0, + FT_CLIENT_HEADER_FILTER = 1, + FT_SERVER_HEADER_FILTER = 2, + FT_CLIENT_HEADER_TAGGER = 3, + FT_SERVER_HEADER_TAGGER = 4, +#ifdef FEATURE_EXTERNAL_FILTERS + FT_EXTERNAL_CONTENT_FILTER = 5, +#endif + FT_INVALID_FILTER = 42, +}; +#ifdef FEATURE_EXTERNAL_FILTERS +#define MAX_FILTER_TYPES 6 +#else #define MAX_FILTER_TYPES 5 +#endif /** * This struct represents one filter (one block) from @@ -1029,7 +1284,7 @@ struct re_filterfile_spec char *description; /**< Description from FILTER: statement in re_filterfile. */ struct list patterns[1]; /**< The patterns from the re_filterfile. */ pcrs_job *joblist; /**< The resulting compiled pcrs_jobs. */ - int type; /**< Filter type (content, client-header, server-header). */ + enum filter_type type; /**< Filter type (content, client-header, server-header). */ int dynamic; /**< Set to one if the pattern might contain variables and has to be recompiled for every request. */ struct re_filterfile_spec *next; /**< The pointer for chaining. */ @@ -1079,6 +1334,15 @@ struct access_control_list /** Maximum number of loaders (actions, re_filter, ...) */ #define NLOADERS 8 +/** + * This struct represents a client-spcific-tag and it's description + */ +struct client_tag_spec +{ + char *name; /**< Name from "client-specific-tag bla" directive */ + char *description; /**< Description from "client-specific-tag-description " directive */ + struct client_tag_spec *next; /**< The pointer for chaining. */ +}; /** configuration_spec::feature_flags: CGI actions editor. */ #define RUNTIME_FEATURE_CGI_EDIT_ACTIONS 1U @@ -1107,6 +1371,18 @@ struct access_control_list /** configuration_spec::feature_flags: Share outgoing connections between different client connections. */ #define RUNTIME_FEATURE_CONNECTION_SHARING 256U +/** configuration_spec::feature_flags: Pages blocked with +handle-as-empty-doc get a return status of 200 OK. */ +#define RUNTIME_FEATURE_EMPTY_DOC_RETURNS_OK 512U + +/** configuration_spec::feature_flags: Buffered content is sent compressed if the client supports it. */ +#define RUNTIME_FEATURE_COMPRESSION 1024U + +/** configuration_spec::feature_flags: Pipelined requests are served instead of being discarded. */ +#define RUNTIME_FEATURE_TOLERATE_PIPELINING 2048U + +/** configuration_spec::feature_flags: Proxy authentication headers are forwarded instead of removed. */ +#define RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS 4096U + /** * Data loaded from the configuration file. * @@ -1116,19 +1392,11 @@ struct configuration_spec { /** What to log */ int debug; - + /** Nonzero to enable multithreading. */ int multi_threaded; - /** - * Bitmask of features that can be enabled/disabled through the config - * file. Currently defined bits: - * - * - RUNTIME_FEATURE_CGI_EDIT_ACTIONS - * - RUNTIME_FEATURE_CGI_TOGGLE - * - RUNTIME_FEATURE_HTTP_TOGGLE - * - RUNTIME_FEATURE_SPLIT_LARGE_FORMS - */ + /** Bitmask of features that can be controlled through the config file. */ unsigned feature_flags; /** The log file name. */ @@ -1140,6 +1408,14 @@ struct configuration_spec /** The directory for customized CGI templates. */ const char *templdir; + /** "Cross-origin resource sharing" (CORS) allowed origin */ + const char *cors_allowed_origin; + +#ifdef FEATURE_EXTERNAL_FILTERS + /** The template used to create temporary files. */ + const char *temporary_directory; +#endif + /** The log file directory. */ const char *logdir; @@ -1164,18 +1440,35 @@ struct configuration_spec /** The short names of the pcre filter files. */ const char *re_filterfile_short[MAX_AF_FILES]; + /**< List of ordered client header names. */ + struct list ordered_client_headers[1]; + /** The hostname to show on CGI pages, or NULL to use the real one. */ const char *hostname; - /** IP address to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */ - const char *haddr; + /** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */ + const char *haddr[MAX_LISTENING_SOCKETS]; + + /** Trusted referring site that can be used to reach CGI + * pages that aren't marked as harmful. + */ + const char *trusted_cgi_referrer; - /** Port to bind to. Defaults to HADDR_PORT == 8118. */ - int hport; + /** Ports to bind to. Defaults to HADDR_PORT == 8118. */ + int hport[MAX_LISTENING_SOCKETS]; /** Size limit for IOB */ size_t buffer_limit; + /** Size of the receive buffer */ + size_t receive_buffer_size; + + /** Use accf_http(4) if available */ + int enable_accept_filter; + + /** Backlog passed to listen() */ + int listen_backlog; + #ifdef FEATURE_TRUST /** The file name of the trust file. */ @@ -1185,10 +1478,18 @@ struct configuration_spec struct list trust_info[1]; /** FIXME: DOCME: Document this. */ - struct url_spec *trust_list[MAX_TRUSTED_REFERRERS]; + struct pattern_spec *trust_list[MAX_TRUSTED_REFERRERS]; #endif /* def FEATURE_TRUST */ +#ifdef FEATURE_CLIENT_TAGS + struct client_tag_spec client_tags[1]; + + /* Maximum number of seconds a temporarily enabled tag stays enabled. */ + unsigned int client_tag_lifetime; +#endif /* def FEATURE_CLIENT_TAGS */ + int trust_x_forwarded_for; + #ifdef FEATURE_ACL /** The access control list (ACL). */ @@ -1211,6 +1512,13 @@ struct configuration_spec #ifdef FEATURE_CONNECTION_KEEP_ALIVE /* Maximum number of seconds after which an open connection will no longer be reused. */ unsigned int keep_alive_timeout; + + /* Assumed server-side keep alive timeout if none is specified. */ + unsigned int default_server_timeout; +#endif + +#ifdef FEATURE_COMPRESSION + int compression_level; #endif /** All options from the config file, HTML-formatted. */ @@ -1224,15 +1532,34 @@ struct configuration_spec /** Nonzero if we need to bind() to the new port. */ int need_bind; + +#ifdef FEATURE_HTTPS_INSPECTION + /** Password for proxy ca file **/ + char * ca_password; + + /** Directory with files of ca **/ + char *ca_directory; + + /** Filename of ca certificate **/ + char * ca_cert_file; + + /** Filename of ca key **/ + char * ca_key_file; + + /** Directory for saving certificates and keys for each webpage **/ + char *certificate_directory; + + /** Filename of trusted CAs certificates **/ + char * trusted_cas_file; +#endif }; /** Calculates the number of elements in an array, using sizeof. */ #define SZ(X) (sizeof(X) / sizeof(*X)) -#ifdef FEATURE_FORCE_LOAD -/** The force load URL prefix. */ +/** The force load URL prefix. Not behind an ifdef because + * it's always used for the show-status page. */ #define FORCE_PREFIX "/PRIVOXY-FORCE" -#endif /* def FEATURE_FORCE_LOAD */ #ifdef FEATURE_NO_GIFS /** The MIME type for images ("image/png" or "image/gif"). */ @@ -1242,12 +1569,12 @@ struct configuration_spec #endif /* def FEATURE_NO_GIFS */ -/* +/* * Hardwired URLs */ /** URL for the Privoxy home page. */ -#define HOME_PAGE_URL "http://www.privoxy.org/" +#define HOME_PAGE_URL "https://www.privoxy.org/" /** URL for the Privoxy user manual. */ #define USER_MANUAL_URL HOME_PAGE_URL VERSION "/user-manual/" @@ -1277,10 +1604,6 @@ struct configuration_spec */ #define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" -#ifdef __cplusplus -} /* extern "C" */ -#endif - #endif /* ndef PROJECT_H_INCLUDED */ /*