X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=project.h;h=ffe6d0ae70e811c94202336e26c014cf7fe9b7b5;hp=2c1e51d54e3a8f37db1f5d9e5610247096076077;hb=e52674334610f4c2a1eb22b095c126527705f314;hpb=b9b7fa995883b91f442dfeedd5a5afb3138150e4 diff --git a/project.h b/project.h index 2c1e51d5..ffe6d0ae 100644 --- a/project.h +++ b/project.h @@ -45,16 +45,16 @@ #include "config.h" #ifdef FEATURE_HTTPS_INSPECTION -#ifdef FEATURE_PTHREAD -# include - typedef pthread_mutex_t privoxy_mutex_t; -#else -# ifdef _WIN32 -# include -# endif - typedef CRITICAL_SECTION privoxy_mutex_t; -#endif +/* +* Macros for SSL structures +*/ +#define CERT_INFO_BUF_SIZE 4096 +#define CERT_FILE_BUF_SIZE 16384 +#define ISSUER_NAME_BUF_SIZE 2048 +#define HASH_OF_HOST_BUF_SIZE 16 +#endif /* FEATURE_HTTPS_INSPECTION */ +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS #include "mbedtls/net_sockets.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" @@ -62,15 +62,18 @@ #if defined(MBEDTLS_SSL_CACHE_C) #include "mbedtls/ssl_cache.h" #endif +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ -/* -* Macros for SSL structures -*/ -#define CERT_INFO_BUF_SIZE 4096 -#define CERT_FILE_BUF_SIZE 16384 -#define ISSUER_NAME_BUF_SIZE 2048 -#define HASH_OF_HOST_BUF_SIZE 16 +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#ifdef _WIN32 +#include +#undef X509_NAME +#undef X509_EXTENSIONS #endif +#include +#include +#include +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ /* Need for struct sockaddr_storage */ #ifdef HAVE_RFC2553 @@ -287,7 +290,7 @@ struct map struct map_entry *last; }; -#ifdef FEATURE_HTTPS_INSPECTION +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS /* * Struct of attributes necessary for TLS/SSL connection */ @@ -298,13 +301,23 @@ typedef struct { mbedtls_x509_crt server_cert; mbedtls_x509_crt ca_cert; mbedtls_pk_context prim_key; + int *ciphersuites_list; #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context cache; #endif } mbedtls_connection_attr; -#endif +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + SSL_CTX *ctx; + BIO *bio; +} openssl_connection_attr; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ /** * A HTTP request. This includes the method (GET, POST) and * the parsed URL. @@ -322,20 +335,17 @@ struct http_request char *version; /**< Protocol version */ int status; /**< HTTP Status */ - char *host; /**< Host part of URL */ int port; /**< Port of URL or 80 (default) */ + char *host; /**< Host part of URL */ char *path; /**< Path of URL */ char *hostport; /**< host[:port] */ - int ssl; /**< Flag if protocol is https */ char *host_ip_addr_str; /**< String with dotted decimal representation of host's IP. NULL before connect_to() */ -#ifndef FEATURE_EXTENDED_HOST_PATTERNS char *dbuffer; /**< Buffer with '\0'-delimited domain name. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ int dcount; /**< How many parts to this domain? (length of dvec) */ -#endif /* ndef FEATURE_EXTENDED_HOST_PATTERNS */ #ifdef FEATURE_HTTPS_INSPECTION int client_ssl; /**< Flag if we should communicate with client over ssl */ @@ -343,6 +353,7 @@ struct http_request unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */ unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */ #endif + short int ssl; /**< Flag if protocol is https */ }; @@ -351,7 +362,7 @@ struct http_request * Struct for linked list containing certificates */ typedef struct certs_chain { - char text_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ + char info_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ char file_buf[CERT_FILE_BUF_SIZE]; /* buffer for whole certificate - format to save in file */ struct certs_chain *next; /* next certificate in chain of trust */ } certs_chain_t; @@ -396,14 +407,14 @@ struct http_response struct url_spec { -#ifdef FEATURE_EXTENDED_HOST_PATTERNS +#ifdef FEATURE_PCRE_HOST_PATTERNS regex_t *host_regex;/**< Regex for host matching */ -#else + enum host_regex_type { VANILLA_HOST_PATTERN, PCRE_HOST_PATTERN } host_regex_type; +#endif /* defined FEATURE_PCRE_HOST_PATTERNS */ + int dcount; /**< How many parts to this domain? (length of dvec) */ char *dbuffer; /**< Buffer with '\0'-delimited domain name, or NULL to match all hosts. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ - int dcount; /**< How many parts to this domain? (length of dvec) */ int unanchored; /**< Bitmap - flags are ANCHOR_LEFT and ANCHOR_RIGHT. */ -#endif /* defined FEATURE_EXTENDED_HOST_PATTERNS */ char *port_list; /**< List of acceptable ports, or NULL to match all ports */ @@ -473,13 +484,6 @@ struct iob }; -/** - * Return the number of bytes in the I/O buffer associated with the passed - * I/O buffer. May be zero. - */ -#define IOB_PEEK(IOB) ((IOB->cur > IOB->eod) ? (IOB->eod - IOB->cur) : 0) - - /* Bits for csp->content_type bitmask: */ #define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */ #define CT_GIF 0x0002U /**< Suitable for GIF filtering. */ @@ -491,13 +495,14 @@ struct iob */ #define CT_GZIP 0x0010U /**< gzip-compressed data. */ #define CT_DEFLATE 0x0020U /**< zlib-compressed data. */ +#define CT_BROTLI 0x0040U /**< Brotli-compressed data. */ /** * Flag to signal that the server declared the content type, * so we can differentiate between unknown and undeclared * content types. */ -#define CT_DECLARED 0x0040U +#define CT_DECLARED 0x0080U /** * The mask which includes all actions. @@ -634,8 +639,12 @@ struct iob #define ACTION_MULTI_SERVER_HEADER_TAGGER 5 /** Number of multi-string actions. */ #define ACTION_MULTI_EXTERNAL_FILTER 6 +/** Index into current_action_spec::multi[] for tags to suppress. */ +#define ACTION_MULTI_SUPPRESS_TAG 7 +/** Index into current_action_spec::multi[] for client body filters to apply. */ +#define ACTION_MULTI_CLIENT_BODY_FILTER 8 /** Number of multi-string actions. */ -#define ACTION_MULTI_COUNT 7 +#define ACTION_MULTI_COUNT 9 /** @@ -755,10 +764,14 @@ struct reusable_connection char *host; int port; enum forwarder_type forwarder_type; - char *gateway_host; - int gateway_port; char *forward_host; int forward_port; + + int gateway_port; + char *gateway_host; + char *auth_username; + char *auth_password; + }; @@ -961,6 +974,14 @@ struct reusable_connection */ #define MAX_LISTENING_SOCKETS 10 +struct ssl_attr { +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS + mbedtls_connection_attr mbedtls_attr; /* Mbed TLS attrs*/ +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL + openssl_connection_attr openssl_attr; /* OpenSSL atrrs */ +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ +}; /** * The state of a Privoxy processing thread. */ @@ -984,6 +1005,9 @@ struct client_state /** Multi-purpose flag container, see CSP_FLAG_* above */ unsigned int flags; + /** MIME-Type key, see CT_* above */ + unsigned int content_type; + /** Client PC's IP address, as reported by the accept() function. As a string. */ char *ip_addr_str; @@ -1015,10 +1039,8 @@ struct client_state /* XXX: should be renamed to server_iob */ struct iob iob[1]; -#ifdef FEATURE_HTTPS_INSPECTION - mbedtls_connection_attr mbedtls_server_attr; /* attributes for connection to server */ - mbedtls_connection_attr mbedtls_client_attr; /* attributes for connection to client */ -#endif + struct ssl_attr ssl_server_attr; /* attributes for connection to server */ + struct ssl_attr ssl_client_attr; /* attributes for connection to client */ /** An I/O buffer used for buffering data read from the client */ struct iob client_iob[1]; @@ -1051,9 +1073,6 @@ struct client_state char *client_address; #endif - /** MIME-Type key, see CT_* above */ - unsigned int content_type; - /** Actions files associated with this client */ struct file_list *actions_list[MAX_AF_FILES]; @@ -1089,8 +1108,24 @@ struct client_state char *error_message; #ifdef FEATURE_HTTPS_INSPECTION - /* Result of server certificate verification */ + /* Result of server certificate verification + * + * Values for flag determining certificate validity + * are compatible with return value of function + * mbedtls_ssl_get_verify_result() for mbedtls + * and SSL_get_verify_result() for openssl. + * There are no values for "invalid certificate", they are + * set by the functions mentioned above. + */ +#define SSL_CERT_VALID 0 +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +#define SSL_CERT_NOT_VERIFIED 0xFFFFFFFF uint32_t server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#define SSL_CERT_NOT_VERIFIED ~0L + long server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ /* Flag for certificate validity checking */ int dont_verify_certificate; @@ -1100,8 +1135,8 @@ struct client_state * Thanks to this flags, we can call function to close both connections * and we don't have to care about more details. */ - int ssl_with_server_is_opened; - int ssl_with_client_is_opened; + short int ssl_with_server_is_opened; + short int ssl_with_client_is_opened; /* * Server certificate chain of trust including strings with certificates @@ -1229,12 +1264,12 @@ struct forward_spec /** Connection type. Must be SOCKS_NONE, SOCKS_4, SOCKS_4A or SOCKS_5. */ enum forwarder_type type; - /** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */ - char *gateway_host; - /** SOCKS server port. */ int gateway_port; + /** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */ + char *gateway_host; + /** SOCKS5 username. */ char *auth_username; @@ -1260,16 +1295,18 @@ enum filter_type FT_SERVER_HEADER_FILTER = 2, FT_CLIENT_HEADER_TAGGER = 3, FT_SERVER_HEADER_TAGGER = 4, + FT_SUPPRESS_TAG = 5, + FT_CLIENT_BODY_FILTER = 6, #ifdef FEATURE_EXTERNAL_FILTERS - FT_EXTERNAL_CONTENT_FILTER = 5, + FT_EXTERNAL_CONTENT_FILTER = 7, #endif FT_INVALID_FILTER = 42, }; #ifdef FEATURE_EXTERNAL_FILTERS -#define MAX_FILTER_TYPES 6 +#define MAX_FILTER_TYPES 8 #else -#define MAX_FILTER_TYPES 5 +#define MAX_FILTER_TYPES 7 #endif /** @@ -1321,7 +1358,7 @@ struct access_control_list struct access_control_addr src[1]; /**< Client IP address */ struct access_control_addr dst[1]; /**< Website or parent proxy IP address */ #ifdef HAVE_RFC2553 - int wildcard_dst; /** < dst address is wildcard */ + short wildcard_dst; /** < dst address is wildcard */ #endif short action; /**< ACL_PERMIT or ACL_DENY */ @@ -1399,6 +1436,9 @@ struct configuration_spec /** Bitmask of features that can be controlled through the config file. */ unsigned feature_flags; + /** Nonzero if we need to bind() to the new port. */ + int need_bind; + /** The log file name. */ const char *logfile; @@ -1530,9 +1570,6 @@ struct configuration_spec /** List of loaders */ int (*loaders[NLOADERS])(struct client_state *); - /** Nonzero if we need to bind() to the new port. */ - int need_bind; - #ifdef FEATURE_HTTPS_INSPECTION /** Password for proxy ca file **/ char * ca_password; @@ -1549,6 +1586,9 @@ struct configuration_spec /** Directory for saving certificates and keys for each webpage **/ char *certificate_directory; + /** Cipher list to use **/ + char *cipher_list; + /** Filename of trusted CAs certificates **/ char * trusted_cas_file; #endif @@ -1602,7 +1642,13 @@ struct configuration_spec * The prefix for CGI pages. Written out in generated HTML. * INCLUDES the trailing slash. */ +#ifdef FEATURE_HTTPS_INSPECTION +#define CGI_PREFIX "//" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#define CGI_PREFIX_HTTPS "https:" CGI_PREFIX +#else #define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#endif +#define CGI_PREFIX_HTTP "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" #endif /* ndef PROJECT_H_INCLUDED */