X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=project.h;h=ffe6d0ae70e811c94202336e26c014cf7fe9b7b5;hp=9b548792b7e213a883a9ed587e5932ce9c113929;hb=60513e33c518dd45644143581976e601d4d6aa60;hpb=d51ecc85d592ae919c8d114cd8c1eb82107d99c7 diff --git a/project.h b/project.h index 9b548792..ffe6d0ae 100644 --- a/project.h +++ b/project.h @@ -1,7 +1,5 @@ #ifndef PROJECT_H_INCLUDED #define PROJECT_H_INCLUDED -/** Version string. */ -#define PROJECT_H_VERSION "$Id: project.h,v 1.211 2016/01/16 12:30:28 fabiankeil Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/project.h,v $ @@ -11,7 +9,7 @@ * (though it does declare some macros). * * Copyright : Written by and Copyright (C) 2001-2014 the - * Privoxy team. http://www.privoxy.org/ + * Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written * by and Copyright (C) 1997 Anonymous Coders and @@ -46,6 +44,37 @@ /* Needed for pcre choice */ #include "config.h" +#ifdef FEATURE_HTTPS_INSPECTION +/* +* Macros for SSL structures +*/ +#define CERT_INFO_BUF_SIZE 4096 +#define CERT_FILE_BUF_SIZE 16384 +#define ISSUER_NAME_BUF_SIZE 2048 +#define HASH_OF_HOST_BUF_SIZE 16 +#endif /* FEATURE_HTTPS_INSPECTION */ + +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +#include "mbedtls/net_sockets.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" + +#if defined(MBEDTLS_SSL_CACHE_C) +#include "mbedtls/ssl_cache.h" +#endif +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ + +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#ifdef _WIN32 +#include +#undef X509_NAME +#undef X509_EXTENSIONS +#endif +#include +#include +#include +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ + /* Need for struct sockaddr_storage */ #ifdef HAVE_RFC2553 # ifndef _WIN32 @@ -53,7 +82,6 @@ # include # else # include -# include # include typedef unsigned short in_port_t; # endif @@ -92,10 +120,6 @@ # endif #endif -#ifdef AMIGA -#include "amiga.h" -#endif /* def AMIGA */ - #ifdef _WIN32 /* * I don't want to have to #include all this just for the declaration @@ -154,7 +178,7 @@ typedef enum privoxy_err jb_err; /** * This macro is used to free a pointer that may be NULL. * It also sets the variable to NULL after it's been freed. - * The paramater should be a simple variable without side effects. + * The parameter should be a simple variable without side effects. */ #define freez(X) { if(X) { free((void*)X); X = NULL ; } } @@ -255,7 +279,7 @@ struct map_entry /** * A map from a string to another string. - * This is used for the paramaters passed in a HTTP GET request, and + * This is used for the parameters passed in a HTTP GET request, and * to store the exports when the CGI interface is filling in a template. */ struct map @@ -266,7 +290,34 @@ struct map struct map_entry *last; }; - +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_net_context socket_fd; + mbedtls_x509_crt server_cert; + mbedtls_x509_crt ca_cert; + mbedtls_pk_context prim_key; + int *ciphersuites_list; + + #if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_context cache; + #endif +} mbedtls_connection_attr; +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ + +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +/* + * Struct of attributes necessary for TLS/SSL connection + */ +typedef struct { + SSL_CTX *ctx; + BIO *bio; +} openssl_connection_attr; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ /** * A HTTP request. This includes the method (GET, POST) and * the parsed URL. @@ -281,25 +332,42 @@ struct http_request char *ocmd; /**< Backup of original cmd for CLF logging */ char *gpc; /**< HTTP method: GET, POST, ... */ char *url; /**< The URL */ - char *ver; /**< Protocol version */ + char *version; /**< Protocol version */ int status; /**< HTTP Status */ - char *host; /**< Host part of URL */ int port; /**< Port of URL or 80 (default) */ + char *host; /**< Host part of URL */ char *path; /**< Path of URL */ char *hostport; /**< host[:port] */ - int ssl; /**< Flag if protocol is https */ char *host_ip_addr_str; /**< String with dotted decimal representation of host's IP. NULL before connect_to() */ -#ifndef FEATURE_EXTENDED_HOST_PATTERNS char *dbuffer; /**< Buffer with '\0'-delimited domain name. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ int dcount; /**< How many parts to this domain? (length of dvec) */ -#endif /* ndef FEATURE_EXTENDED_HOST_PATTERNS */ + +#ifdef FEATURE_HTTPS_INSPECTION + int client_ssl; /**< Flag if we should communicate with client over ssl */ + int server_ssl; /**< Flag if we should communicate with server over ssl */ + unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */ + unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */ +#endif + short int ssl; /**< Flag if protocol is https */ }; + +#ifdef FEATURE_HTTPS_INSPECTION +/* + * Struct for linked list containing certificates + */ +typedef struct certs_chain { + char info_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ + char file_buf[CERT_FILE_BUF_SIZE]; /* buffer for whole certificate - format to save in file */ + struct certs_chain *next; /* next certificate in chain of trust */ +} certs_chain_t; +#endif + /** * Reasons for generating a http_response instead of delivering * the requested resource. Mostly ordered the way they are checked @@ -339,14 +407,14 @@ struct http_response struct url_spec { -#ifdef FEATURE_EXTENDED_HOST_PATTERNS +#ifdef FEATURE_PCRE_HOST_PATTERNS regex_t *host_regex;/**< Regex for host matching */ -#else + enum host_regex_type { VANILLA_HOST_PATTERN, PCRE_HOST_PATTERN } host_regex_type; +#endif /* defined FEATURE_PCRE_HOST_PATTERNS */ + int dcount; /**< How many parts to this domain? (length of dvec) */ char *dbuffer; /**< Buffer with '\0'-delimited domain name, or NULL to match all hosts. */ char **dvec; /**< List of pointers to the strings in dbuffer. */ - int dcount; /**< How many parts to this domain? (length of dvec) */ int unanchored; /**< Bitmap - flags are ANCHOR_LEFT and ANCHOR_RIGHT. */ -#endif /* defined FEATURE_EXTENDED_HOST_PATTERNS */ char *port_list; /**< List of acceptable ports, or NULL to match all ports */ @@ -400,6 +468,9 @@ struct pattern_spec /** Pattern spec bitmap: It's a NO-RESPONSE-TAG pattern. */ #define PATTERN_SPEC_NO_RESPONSE_TAG_PATTERN 0x00000008UL +/** Pattern spec bitmap: It's a CLIENT-TAG pattern. */ +#define PATTERN_SPEC_CLIENT_TAG_PATTERN 0x00000010UL + /** * An I/O buffer. Holds a string which can be appended to, and can have data * removed from the beginning. @@ -413,13 +484,6 @@ struct iob }; -/** - * Return the number of bytes in the I/O buffer associated with the passed - * I/O buffer. May be zero. - */ -#define IOB_PEEK(IOB) ((IOB->cur > IOB->eod) ? (IOB->eod - IOB->cur) : 0) - - /* Bits for csp->content_type bitmask: */ #define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */ #define CT_GIF 0x0002U /**< Suitable for GIF filtering. */ @@ -431,13 +495,14 @@ struct iob */ #define CT_GZIP 0x0010U /**< gzip-compressed data. */ #define CT_DEFLATE 0x0020U /**< zlib-compressed data. */ +#define CT_BROTLI 0x0040U /**< Brotli-compressed data. */ /** * Flag to signal that the server declared the content type, * so we can differentiate between unknown and undeclared * content types. */ -#define CT_DECLARED 0x0040U +#define CT_DECLARED 0x0080U /** * The mask which includes all actions. @@ -495,7 +560,7 @@ struct iob #define ACTION_CRUNCH_CLIENT_HEADER 0x00200000UL /** Action bitmap: Enable text mode by force */ #define ACTION_FORCE_TEXT_MODE 0x00400000UL -/** Action bitmap: Enable text mode by force */ +/** Action bitmap: Remove the "If-None-Match" header. */ #define ACTION_CRUNCH_IF_NONE_MATCH 0x00800000UL /** Action bitmap: Enable content-disposition crunching */ #define ACTION_HIDE_CONTENT_DISPOSITION 0x01000000UL @@ -505,7 +570,12 @@ struct iob #define ACTION_HIDE_ACCEPT_LANGUAGE 0x04000000UL /** Action bitmap: Limit the cookie lifetime */ #define ACTION_LIMIT_COOKIE_LIFETIME 0x08000000UL - +/** Action bitmap: Delay writes */ +#define ACTION_DELAY_RESPONSE 0x10000000UL +/** Action bitmap: Turn https inspection on */ +#define ACTION_HTTPS_INSPECTION 0x20000000UL +/** Action bitmap: Turn certificates verification off */ +#define ACTION_IGNORE_CERTIFICATE_ERRORS 0x40000000UL /** Action string index: How to deanimate GIFs */ #define ACTION_STRING_DEANIMATE 0 @@ -545,8 +615,10 @@ struct iob #define ACTION_STRING_CHANGE_X_FORWARDED_FOR 17 /** Action string index: how many minutes cookies should be valid. */ #define ACTION_STRING_LIMIT_COOKIE_LIFETIME 18 +/** Action string index: how many milliseconds writes should be delayed. */ +#define ACTION_STRING_DELAY_RESPONSE 19 /** Number of string actions. */ -#define ACTION_STRING_COUNT 19 +#define ACTION_STRING_COUNT 20 /* To make the ugly hack in sed easier to understand */ @@ -567,8 +639,12 @@ struct iob #define ACTION_MULTI_SERVER_HEADER_TAGGER 5 /** Number of multi-string actions. */ #define ACTION_MULTI_EXTERNAL_FILTER 6 +/** Index into current_action_spec::multi[] for tags to suppress. */ +#define ACTION_MULTI_SUPPRESS_TAG 7 +/** Index into current_action_spec::multi[] for client body filters to apply. */ +#define ACTION_MULTI_CLIENT_BODY_FILTER 8 /** Number of multi-string actions. */ -#define ACTION_MULTI_COUNT 7 +#define ACTION_MULTI_COUNT 9 /** @@ -583,7 +659,7 @@ struct current_action_spec unsigned long flags; /** - * Paramaters for those actions that require them. + * Parameters for those actions that require them. * Each entry is valid if & only if the corresponding entry in "flags" is * set. */ @@ -688,10 +764,14 @@ struct reusable_connection char *host; int port; enum forwarder_type forwarder_type; - char *gateway_host; - int gateway_port; char *forward_host; int forward_port; + + int gateway_port; + char *gateway_host; + char *auth_username; + char *auth_password; + }; @@ -855,10 +935,16 @@ struct reusable_connection #define CSP_FLAG_UNSUPPORTED_CLIENT_EXPECTATION 0x02000000U /** - * Flag for csp->flags: Set if we answered the request ourselve. + * Flag for csp->flags: Set if we answered the request ourselves. */ #define CSP_FLAG_CRUNCHED 0x04000000U +#ifdef FUZZ +/** + * Flag for csp->flags: Set if we are working with fuzzed input + */ +#define CSP_FLAG_FUZZED_INPUT 0x08000000U +#endif /* * Flags for use in return codes of child processes @@ -880,7 +966,7 @@ struct reusable_connection * Maximum number of actions/filter files. This limit is arbitrary - it's just used * to size an array. */ -#define MAX_AF_FILES 30 +#define MAX_AF_FILES 100 /** * Maximum number of sockets to listen to. This limit is arbitrary - it's just used @@ -888,6 +974,14 @@ struct reusable_connection */ #define MAX_LISTENING_SOCKETS 10 +struct ssl_attr { +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS + mbedtls_connection_attr mbedtls_attr; /* Mbed TLS attrs*/ +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL + openssl_connection_attr openssl_attr; /* OpenSSL atrrs */ +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ +}; /** * The state of a Privoxy processing thread. */ @@ -911,6 +1005,9 @@ struct client_state /** Multi-purpose flag container, see CSP_FLAG_* above */ unsigned int flags; + /** MIME-Type key, see CT_* above */ + unsigned int content_type; + /** Client PC's IP address, as reported by the accept() function. As a string. */ char *ip_addr_str; @@ -924,6 +1021,10 @@ struct client_state unsigned long ip_addr_long; #endif /* def HAVE_RFC2553 */ + /** The host name and port (as a string of the form ':') + of the server socket to which the client connected. */ + char *listen_addr_str; + /** The URL that was requested */ struct http_request http[1]; @@ -938,17 +1039,39 @@ struct client_state /* XXX: should be renamed to server_iob */ struct iob iob[1]; + struct ssl_attr ssl_server_attr; /* attributes for connection to server */ + struct ssl_attr ssl_client_attr; /* attributes for connection to client */ + /** An I/O buffer used for buffering data read from the client */ struct iob client_iob[1]; + /** Buffer used to briefly store data read from the network + * before forwarding or processing it. + */ + char *receive_buffer; + size_t receive_buffer_size; + /** List of all headers for this request */ struct list headers[1]; +#ifdef FEATURE_HTTPS_INSPECTION + /** List of all encrypted headers for this request */ + struct list https_headers[1]; +#endif + /** List of all tags that apply to this request */ struct list tags[1]; - /** MIME-Type key, see CT_* above */ - unsigned int content_type; +#ifdef FEATURE_CLIENT_TAGS + /** List of all tags that apply to this client (assigned based on address) */ + struct list client_tags[1]; + /** The address of the client the request (presumably) came from. + * Either the address returned by accept(), or the address provided + * with the X-Forwarded-For header, provided Privoxy has been configured + * to use it. + */ + char *client_address; +#endif /** Actions files associated with this client */ struct file_list *actions_list[MAX_AF_FILES]; @@ -983,6 +1106,44 @@ struct client_state * or NULL. Currently only used for socks errors. */ char *error_message; + +#ifdef FEATURE_HTTPS_INSPECTION + /* Result of server certificate verification + * + * Values for flag determining certificate validity + * are compatible with return value of function + * mbedtls_ssl_get_verify_result() for mbedtls + * and SSL_get_verify_result() for openssl. + * There are no values for "invalid certificate", they are + * set by the functions mentioned above. + */ +#define SSL_CERT_VALID 0 +#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS +#define SSL_CERT_NOT_VERIFIED 0xFFFFFFFF + uint32_t server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ +#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL +#define SSL_CERT_NOT_VERIFIED ~0L + long server_cert_verification_result; +#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ + + /* Flag for certificate validity checking */ + int dont_verify_certificate; + + /* + * Flags if SSL connection with server or client is opened. + * Thanks to this flags, we can call function to close both connections + * and we don't have to care about more details. + */ + short int ssl_with_server_is_opened; + short int ssl_with_client_is_opened; + + /* + * Server certificate chain of trust including strings with certificates + * information and string with whole certificate file + */ + struct certs_chain server_certs_chain; +#endif }; /** @@ -1103,11 +1264,17 @@ struct forward_spec /** Connection type. Must be SOCKS_NONE, SOCKS_4, SOCKS_4A or SOCKS_5. */ enum forwarder_type type; + /** SOCKS server port. */ + int gateway_port; + /** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */ char *gateway_host; - /** SOCKS server port. */ - int gateway_port; + /** SOCKS5 username. */ + char *auth_username; + + /** SOCKS5 password. */ + char *auth_password; /** Parent HTTP proxy hostname, or NULL for none. */ char *forward_host; @@ -1128,16 +1295,18 @@ enum filter_type FT_SERVER_HEADER_FILTER = 2, FT_CLIENT_HEADER_TAGGER = 3, FT_SERVER_HEADER_TAGGER = 4, + FT_SUPPRESS_TAG = 5, + FT_CLIENT_BODY_FILTER = 6, #ifdef FEATURE_EXTERNAL_FILTERS - FT_EXTERNAL_CONTENT_FILTER = 5, + FT_EXTERNAL_CONTENT_FILTER = 7, #endif FT_INVALID_FILTER = 42, }; #ifdef FEATURE_EXTERNAL_FILTERS -#define MAX_FILTER_TYPES 6 +#define MAX_FILTER_TYPES 8 #else -#define MAX_FILTER_TYPES 5 +#define MAX_FILTER_TYPES 7 #endif /** @@ -1189,7 +1358,7 @@ struct access_control_list struct access_control_addr src[1]; /**< Client IP address */ struct access_control_addr dst[1]; /**< Website or parent proxy IP address */ #ifdef HAVE_RFC2553 - int wildcard_dst; /** < dst address is wildcard */ + short wildcard_dst; /** < dst address is wildcard */ #endif short action; /**< ACL_PERMIT or ACL_DENY */ @@ -1202,6 +1371,15 @@ struct access_control_list /** Maximum number of loaders (actions, re_filter, ...) */ #define NLOADERS 8 +/** + * This struct represents a client-spcific-tag and it's description + */ +struct client_tag_spec +{ + char *name; /**< Name from "client-specific-tag bla" directive */ + char *description; /**< Description from "client-specific-tag-description " directive */ + struct client_tag_spec *next; /**< The pointer for chaining. */ +}; /** configuration_spec::feature_flags: CGI actions editor. */ #define RUNTIME_FEATURE_CGI_EDIT_ACTIONS 1U @@ -1258,6 +1436,9 @@ struct configuration_spec /** Bitmask of features that can be controlled through the config file. */ unsigned feature_flags; + /** Nonzero if we need to bind() to the new port. */ + int need_bind; + /** The log file name. */ const char *logfile; @@ -1267,6 +1448,9 @@ struct configuration_spec /** The directory for customized CGI templates. */ const char *templdir; + /** "Cross-origin resource sharing" (CORS) allowed origin */ + const char *cors_allowed_origin; + #ifdef FEATURE_EXTERNAL_FILTERS /** The template used to create temporary files. */ const char *temporary_directory; @@ -1305,12 +1489,26 @@ struct configuration_spec /** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */ const char *haddr[MAX_LISTENING_SOCKETS]; + /** Trusted referring site that can be used to reach CGI + * pages that aren't marked as harmful. + */ + const char *trusted_cgi_referrer; + /** Ports to bind to. Defaults to HADDR_PORT == 8118. */ int hport[MAX_LISTENING_SOCKETS]; /** Size limit for IOB */ size_t buffer_limit; + /** Size of the receive buffer */ + size_t receive_buffer_size; + + /** Use accf_http(4) if available */ + int enable_accept_filter; + + /** Backlog passed to listen() */ + int listen_backlog; + #ifdef FEATURE_TRUST /** The file name of the trust file. */ @@ -1324,6 +1522,14 @@ struct configuration_spec #endif /* def FEATURE_TRUST */ +#ifdef FEATURE_CLIENT_TAGS + struct client_tag_spec client_tags[1]; + + /* Maximum number of seconds a temporarily enabled tag stays enabled. */ + unsigned int client_tag_lifetime; +#endif /* def FEATURE_CLIENT_TAGS */ + int trust_x_forwarded_for; + #ifdef FEATURE_ACL /** The access control list (ACL). */ @@ -1364,8 +1570,28 @@ struct configuration_spec /** List of loaders */ int (*loaders[NLOADERS])(struct client_state *); - /** Nonzero if we need to bind() to the new port. */ - int need_bind; +#ifdef FEATURE_HTTPS_INSPECTION + /** Password for proxy ca file **/ + char * ca_password; + + /** Directory with files of ca **/ + char *ca_directory; + + /** Filename of ca certificate **/ + char * ca_cert_file; + + /** Filename of ca key **/ + char * ca_key_file; + + /** Directory for saving certificates and keys for each webpage **/ + char *certificate_directory; + + /** Cipher list to use **/ + char *cipher_list; + + /** Filename of trusted CAs certificates **/ + char * trusted_cas_file; +#endif }; /** Calculates the number of elements in an array, using sizeof. */ @@ -1388,7 +1614,7 @@ struct configuration_spec */ /** URL for the Privoxy home page. */ -#define HOME_PAGE_URL "http://www.privoxy.org/" +#define HOME_PAGE_URL "https://www.privoxy.org/" /** URL for the Privoxy user manual. */ #define USER_MANUAL_URL HOME_PAGE_URL VERSION "/user-manual/" @@ -1416,7 +1642,13 @@ struct configuration_spec * The prefix for CGI pages. Written out in generated HTML. * INCLUDES the trailing slash. */ +#ifdef FEATURE_HTTPS_INSPECTION +#define CGI_PREFIX "//" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#define CGI_PREFIX_HTTPS "https:" CGI_PREFIX +#else #define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" +#endif +#define CGI_PREFIX_HTTP "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" #endif /* ndef PROJECT_H_INCLUDED */