#ifndef PROJECT_H_INCLUDED
#define PROJECT_H_INCLUDED
-/** Version string. */
-#define PROJECT_H_VERSION "$Id: project.h,v 1.217 2016/09/27 22:48:28 ler762 Exp $"
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/project.h,v $
* project. Does not define any variables or functions
* (though it does declare some macros).
*
- * Copyright : Written by and Copyright (C) 2001-2014 the
- * Privoxy team. http://www.privoxy.org/
+ * Copyright : Written by and Copyright (C) 2001-2021 the
+ * Privoxy team. https://www.privoxy.org/
*
* Based on the Internet Junkbuster originally written
* by and Copyright (C) 1997 Anonymous Coders and
/* Needed for pcre choice */
#include "config.h"
+#ifdef FEATURE_HTTPS_INSPECTION
+/*
+* Macros for SSL structures
+*/
+#define CERT_INFO_BUF_SIZE 4096
+#define ISSUER_NAME_BUF_SIZE 2048
+#define HASH_OF_HOST_BUF_SIZE 16
+#endif /* FEATURE_HTTPS_INSPECTION */
+
+#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+#include "mbedtls/ssl_cache.h"
+#endif
+#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */
+
+#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL
+#ifdef _WIN32
+#include <windef.h>
+#include <minwindef.h>
+#include <basetsd.h>
+#include <minwinbase.h>
+#include <wincrypt.h>
+#undef X509_NAME
+#undef X509_EXTENSIONS
+#endif
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */
+
+#ifdef FEATURE_HTTPS_INSPECTION_WOLFSSL
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
+#endif /* FEATURE_HTTPS_INSPECTION_WOLFSSL */
+
/* Need for struct sockaddr_storage */
#ifdef HAVE_RFC2553
# ifndef _WIN32
*/
#ifdef STATIC_PCRE
+#ifdef HAVE_PCRE2
+# include "pcre2.h"
+# include "pcre2posix.h"
+#else
# include "pcre.h"
+# include "pcreposix.h"
+#endif
#else
-# ifdef PCRE_H_IN_SUBDIR
-# include <pcre/pcre.h>
+# ifdef HAVE_PCRE2
+# ifdef PCRE2_H_IN_SUBDIR
+# define PCRE2_CODE_UNIT_WIDTH 8
+# include <pcre2/pcre2.h>
+# else
+# define PCRE2_CODE_UNIT_WIDTH 8
+# include <pcre2.h>
+# endif
+# ifdef PCRE2POSIX_H_IN_SUBDIR
+# include <pcre2/pcre2posix.h>
+# else
+# include <pcre2posix.h>
+# endif
# else
-# include <pcre.h>
+# ifdef PCRE_H_IN_SUBDIR
+# include <pcre/pcre.h>
+# else
+# include <pcre.h>
+# endif
+# ifdef PCREPOSIX_H_IN_SUBDIR
+# include <pcre/pcreposix.h>
+# else
+# include <pcreposix.h>
+# endif
# endif
#endif
# include <pcrs.h>
#endif
-#ifdef STATIC_PCRE
-# include "pcreposix.h"
-#else
-# ifdef PCRE_H_IN_SUBDIR
-# include <pcre/pcreposix.h>
-# else
-# include <pcreposix.h>
-# endif
-#endif
-
-#ifdef AMIGA
-#include "amiga.h"
-#endif /* def AMIGA */
-
#ifdef _WIN32
/*
* I don't want to have to #include all this just for the declaration
/**
* This macro is used to free a pointer that may be NULL.
* It also sets the variable to NULL after it's been freed.
- * The paramater should be a simple variable without side effects.
+ * The parameter should be a simple variable without side effects.
*/
#define freez(X) { if(X) { free((void*)X); X = NULL ; } }
/**
* A map from a string to another string.
- * This is used for the paramaters passed in a HTTP GET request, and
+ * This is used for the parameters passed in a HTTP GET request, and
* to store the exports when the CGI interface is filling in a template.
*/
struct map
struct map_entry *last;
};
+#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
+/*
+ * Struct of attributes necessary for TLS/SSL connection
+ */
+typedef struct {
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_net_context socket_fd;
+ mbedtls_x509_crt server_cert;
+ mbedtls_x509_crt ca_cert;
+ mbedtls_pk_context prim_key;
+ int *ciphersuites_list;
+
+ #if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_context cache;
+ #endif
+} mbedtls_connection_attr;
+#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */
+
+#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL
+/*
+ * Struct of attributes necessary for TLS/SSL connection
+ */
+typedef struct {
+ SSL_CTX *ctx;
+ BIO *bio;
+} openssl_connection_attr;
+#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */
+
+#ifdef FEATURE_HTTPS_INSPECTION_WOLFSSL
+/*
+ * Struct of attributes necessary for TLS/SSL connection
+ */
+typedef struct {
+ WOLFSSL_CTX *ctx;
+ WOLFSSL *ssl;
+} wolfssl_connection_attr;
+#endif /* def FEATURE_HTTPS_INSPECTION_WOLFSSL */
/**
* A HTTP request. This includes the method (GET, POST) and
char *ocmd; /**< Backup of original cmd for CLF logging */
char *gpc; /**< HTTP method: GET, POST, ... */
char *url; /**< The URL */
- char *ver; /**< Protocol version */
+ char *version; /**< Protocol version */
int status; /**< HTTP Status */
- char *host; /**< Host part of URL */
int port; /**< Port of URL or 80 (default) */
+ char *host; /**< Host part of URL */
char *path; /**< Path of URL */
char *hostport; /**< host[:port] */
- int ssl; /**< Flag if protocol is https */
char *host_ip_addr_str; /**< String with dotted decimal representation
of host's IP. NULL before connect_to() */
-#ifndef FEATURE_EXTENDED_HOST_PATTERNS
char *dbuffer; /**< Buffer with '\0'-delimited domain name. */
char **dvec; /**< List of pointers to the strings in dbuffer. */
int dcount; /**< How many parts to this domain? (length of dvec) */
-#endif /* ndef FEATURE_EXTENDED_HOST_PATTERNS */
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ int client_ssl; /**< Flag if we should communicate with client over ssl */
+ int server_ssl; /**< Flag if we should communicate with server over ssl */
+ unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */
+ unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */
+#endif
+ short int ssl; /**< Flag if protocol is https */
};
+
+#ifdef FEATURE_HTTPS_INSPECTION
+/*
+ * Struct for linked list containing certificates
+ */
+typedef struct certs_chain {
+ char info_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */
+ char *file_buf; /* buffer for whole certificate - format to save in file */
+ struct certs_chain *next; /* next certificate in chain of trust */
+} certs_chain_t;
+#endif
+
/**
* Reasons for generating a http_response instead of delivering
* the requested resource. Mostly ordered the way they are checked
enum crunch_reason crunch_reason; /**< Why the response was generated in the first place. */
};
+#ifdef HAVE_PCRE2
+#define REGEX_TYPE pcre2_code
+#else
+#define REGEX_TYPE regex_t
+#endif
+
struct url_spec
{
-#ifdef FEATURE_EXTENDED_HOST_PATTERNS
- regex_t *host_regex;/**< Regex for host matching */
-#else
+#ifdef FEATURE_PCRE_HOST_PATTERNS
+ REGEX_TYPE *host_regex;/**< Regex for host matching */
+ enum host_regex_type { VANILLA_HOST_PATTERN, PCRE_HOST_PATTERN } host_regex_type;
+#endif /* defined FEATURE_PCRE_HOST_PATTERNS */
+ int dcount; /**< How many parts to this domain? (length of dvec) */
char *dbuffer; /**< Buffer with '\0'-delimited domain name, or NULL to match all hosts. */
char **dvec; /**< List of pointers to the strings in dbuffer. */
- int dcount; /**< How many parts to this domain? (length of dvec) */
int unanchored; /**< Bitmap - flags are ANCHOR_LEFT and ANCHOR_RIGHT. */
-#endif /* defined FEATURE_EXTENDED_HOST_PATTERNS */
char *port_list; /**< List of acceptable ports, or NULL to match all ports */
- regex_t *preg; /**< Regex for matching path part */
+ REGEX_TYPE *preg; /**< Regex for matching path part */
};
/**
union
{
struct url_spec url_spec;
- regex_t *tag_regex;
+ REGEX_TYPE *tag_regex;
} pattern;
unsigned int flags; /**< Bitmap with various pattern properties. */
};
-/**
- * Return the number of bytes in the I/O buffer associated with the passed
- * I/O buffer. May be zero.
- */
-#define IOB_PEEK(IOB) ((IOB->cur > IOB->eod) ? (IOB->eod - IOB->cur) : 0)
-
-
/* Bits for csp->content_type bitmask: */
#define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */
#define CT_GIF 0x0002U /**< Suitable for GIF filtering. */
*/
#define CT_GZIP 0x0010U /**< gzip-compressed data. */
#define CT_DEFLATE 0x0020U /**< zlib-compressed data. */
+#define CT_BROTLI 0x0040U /**< Brotli-compressed data. */
/**
* Flag to signal that the server declared the content type,
* so we can differentiate between unknown and undeclared
* content types.
*/
-#define CT_DECLARED 0x0040U
+#define CT_DECLARED 0x0080U
/**
* The mask which includes all actions.
#define ACTION_CRUNCH_CLIENT_HEADER 0x00200000UL
/** Action bitmap: Enable text mode by force */
#define ACTION_FORCE_TEXT_MODE 0x00400000UL
-/** Action bitmap: Enable text mode by force */
+/** Action bitmap: Remove the "If-None-Match" header. */
#define ACTION_CRUNCH_IF_NONE_MATCH 0x00800000UL
/** Action bitmap: Enable content-disposition crunching */
#define ACTION_HIDE_CONTENT_DISPOSITION 0x01000000UL
#define ACTION_HIDE_ACCEPT_LANGUAGE 0x04000000UL
/** Action bitmap: Limit the cookie lifetime */
#define ACTION_LIMIT_COOKIE_LIFETIME 0x08000000UL
-
+/** Action bitmap: Delay writes */
+#define ACTION_DELAY_RESPONSE 0x10000000UL
+/** Action bitmap: Turn https inspection on */
+#define ACTION_HTTPS_INSPECTION 0x20000000UL
+/** Action bitmap: Turn certificates verification off */
+#define ACTION_IGNORE_CERTIFICATE_ERRORS 0x40000000UL
/** Action string index: How to deanimate GIFs */
#define ACTION_STRING_DEANIMATE 0
#define ACTION_STRING_CHANGE_X_FORWARDED_FOR 17
/** Action string index: how many minutes cookies should be valid. */
#define ACTION_STRING_LIMIT_COOKIE_LIFETIME 18
+/** Action string index: how many milliseconds writes should be delayed. */
+#define ACTION_STRING_DELAY_RESPONSE 19
/** Number of string actions. */
-#define ACTION_STRING_COUNT 19
+#define ACTION_STRING_COUNT 20
/* To make the ugly hack in sed easier to understand */
#define ACTION_MULTI_SERVER_HEADER_TAGGER 5
/** Number of multi-string actions. */
#define ACTION_MULTI_EXTERNAL_FILTER 6
+/** Index into current_action_spec::multi[] for tags to suppress. */
+#define ACTION_MULTI_SUPPRESS_TAG 7
+/** Index into current_action_spec::multi[] for client body filters to apply. */
+#define ACTION_MULTI_CLIENT_BODY_FILTER 8
+/** Index into current_action_spec::multi[] for client body taggers to apply. */
+#define ACTION_MULTI_CLIENT_BODY_TAGGER 9
/** Number of multi-string actions. */
-#define ACTION_MULTI_COUNT 7
+#define ACTION_MULTI_COUNT 10
/**
unsigned long flags;
/**
- * Paramaters for those actions that require them.
+ * Parameters for those actions that require them.
* Each entry is valid if & only if the corresponding entry in "flags" is
* set.
*/
char *host;
int port;
enum forwarder_type forwarder_type;
- char *gateway_host;
- int gateway_port;
char *forward_host;
int forward_port;
+
+ int gateway_port;
+ char *gateway_host;
+ char *auth_username;
+ char *auth_password;
+
};
#define CSP_FLAG_UNSUPPORTED_CLIENT_EXPECTATION 0x02000000U
/**
- * Flag for csp->flags: Set if we answered the request ourselve.
+ * Flag for csp->flags: Set if we answered the request ourselves.
*/
#define CSP_FLAG_CRUNCHED 0x04000000U
* Maximum number of actions/filter files. This limit is arbitrary - it's just used
* to size an array.
*/
-#define MAX_AF_FILES 30
+#define MAX_AF_FILES 100
/**
* Maximum number of sockets to listen to. This limit is arbitrary - it's just used
*/
#define MAX_LISTENING_SOCKETS 10
+struct ssl_attr {
+#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
+ mbedtls_connection_attr mbedtls_attr; /* Mbed TLS attrs*/
+#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */
+#ifdef FEATURE_HTTPS_INSPECTION_OPENSSL
+ openssl_connection_attr openssl_attr; /* OpenSSL atrrs */
+#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */
+#ifdef FEATURE_HTTPS_INSPECTION_WOLFSSL
+ wolfssl_connection_attr wolfssl_attr; /* wolfSSL atrrs */
+#endif /* FEATURE_HTTPS_INSPECTION_WOLFSSL */
+};
/**
* The state of a Privoxy processing thread.
*/
/** Multi-purpose flag container, see CSP_FLAG_* above */
unsigned int flags;
+ /** MIME-Type key, see CT_* above */
+ unsigned int content_type;
+
/** Client PC's IP address, as reported by the accept() function.
As a string. */
char *ip_addr_str;
/* XXX: should be renamed to server_iob */
struct iob iob[1];
+ struct ssl_attr ssl_server_attr; /* attributes for connection to server */
+ struct ssl_attr ssl_client_attr; /* attributes for connection to client */
+
/** An I/O buffer used for buffering data read from the client */
struct iob client_iob[1];
+ /** Buffer used to briefly store data read from the network
+ * before forwarding or processing it.
+ */
+ char *receive_buffer;
+ size_t receive_buffer_size;
+
/** List of all headers for this request */
struct list headers[1];
+#ifdef FEATURE_HTTPS_INSPECTION
+ /** List of all encrypted headers for this request */
+ struct list https_headers[1];
+#endif
+
/** List of all tags that apply to this request */
struct list tags[1];
char *client_address;
#endif
- /** MIME-Type key, see CT_* above */
- unsigned int content_type;
-
/** Actions files associated with this client */
struct file_list *actions_list[MAX_AF_FILES];
* or NULL. Currently only used for socks errors.
*/
char *error_message;
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ /* Result of server certificate verification
+ *
+ * Values for flag determining certificate validity
+ * are compatible with return value of function
+ * mbedtls_ssl_get_verify_result() for mbedtls
+ * and SSL_get_verify_result() for openssl.
+ * There are no values for "invalid certificate", they are
+ * set by the functions mentioned above.
+ */
+#define SSL_CERT_VALID 0
+#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
+#define SSL_CERT_NOT_VERIFIED 0xFFFFFFFF
+ uint32_t server_cert_verification_result;
+#endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */
+#if defined(FEATURE_HTTPS_INSPECTION_OPENSSL) || defined(FEATURE_HTTPS_INSPECTION_WOLFSSL)
+#define SSL_CERT_NOT_VERIFIED ~0L
+ long server_cert_verification_result;
+#endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */
+
+ /* Flag for certificate validity checking */
+ int dont_verify_certificate;
+
+ /*
+ * Flags if SSL connection with server or client is opened.
+ * Thanks to this flags, we can call function to close both connections
+ * and we don't have to care about more details.
+ */
+ short int ssl_with_server_is_opened;
+ short int ssl_with_client_is_opened;
+
+ /*
+ * Server certificate chain of trust including strings with certificates
+ * information and string with whole certificate file
+ */
+ struct certs_chain server_certs_chain;
+#endif
};
/**
/** Connection type. Must be SOCKS_NONE, SOCKS_4, SOCKS_4A or SOCKS_5. */
enum forwarder_type type;
+ /** SOCKS server port. */
+ int gateway_port;
+
/** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */
char *gateway_host;
- /** SOCKS server port. */
- int gateway_port;
+ /** SOCKS5 username. */
+ char *auth_username;
+
+ /** SOCKS5 password. */
+ char *auth_password;
/** Parent HTTP proxy hostname, or NULL for none. */
char *forward_host;
FT_SERVER_HEADER_FILTER = 2,
FT_CLIENT_HEADER_TAGGER = 3,
FT_SERVER_HEADER_TAGGER = 4,
+ FT_SUPPRESS_TAG = 5,
+ FT_CLIENT_BODY_FILTER = 6,
+ FT_CLIENT_BODY_TAGGER = 7,
+ FT_ADD_HEADER = 8,
#ifdef FEATURE_EXTERNAL_FILTERS
- FT_EXTERNAL_CONTENT_FILTER = 5,
+ FT_EXTERNAL_CONTENT_FILTER = 9,
#endif
FT_INVALID_FILTER = 42,
};
#ifdef FEATURE_EXTERNAL_FILTERS
-#define MAX_FILTER_TYPES 6
+#define MAX_FILTER_TYPES 10
#else
-#define MAX_FILTER_TYPES 5
+#define MAX_FILTER_TYPES 9
#endif
/**
struct access_control_addr src[1]; /**< Client IP address */
struct access_control_addr dst[1]; /**< Website or parent proxy IP address */
#ifdef HAVE_RFC2553
- int wildcard_dst; /** < dst address is wildcard */
+ short wildcard_dst; /** < dst address is wildcard */
#endif
short action; /**< ACL_PERMIT or ACL_DENY */
/** Bitmask of features that can be controlled through the config file. */
unsigned feature_flags;
+ /** Nonzero if we need to bind() to the new port. */
+ int need_bind;
+
/** The log file name. */
const char *logfile;
/** The directory for customized CGI templates. */
const char *templdir;
+ /** "Cross-origin resource sharing" (CORS) allowed origin */
+ const char *cors_allowed_origin;
+
#ifdef FEATURE_EXTERNAL_FILTERS
/** The template used to create temporary files. */
const char *temporary_directory;
/** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */
const char *haddr[MAX_LISTENING_SOCKETS];
+ /** Trusted referring site that can be used to reach CGI
+ * pages that aren't marked as harmful.
+ */
+ const char *trusted_cgi_referrer;
+
/** Ports to bind to. Defaults to HADDR_PORT == 8118. */
int hport[MAX_LISTENING_SOCKETS];
/** Size limit for IOB */
size_t buffer_limit;
+ /** Size of the receive buffer */
+ size_t receive_buffer_size;
+
+ /** Use accf_http(4) if available */
+ int enable_accept_filter;
+
+ /** Backlog passed to listen() */
+ int listen_backlog;
+
#ifdef FEATURE_TRUST
/** The file name of the trust file. */
/** List of loaders */
int (*loaders[NLOADERS])(struct client_state *);
- /** Nonzero if we need to bind() to the new port. */
- int need_bind;
+#ifdef FEATURE_HTTPS_INSPECTION
+ /** Password for proxy ca file **/
+ char *ca_password;
+
+ /** Directory with files of ca **/
+ char *ca_directory;
+
+ /** Filename of ca certificate **/
+ char *ca_cert_file;
+
+ /** Filename of ca key **/
+ char *ca_key_file;
+
+ /** Directory for saving certificates and keys for each webpage **/
+ char *certificate_directory;
+
+ /** Cipher list to use **/
+ char *cipher_list;
+
+ /** Filename of trusted CAs certificates **/
+ char *trusted_cas_file;
+#endif
};
/** Calculates the number of elements in an array, using sizeof. */
* The prefix for CGI pages. Written out in generated HTML.
* INCLUDES the trailing slash.
*/
+#ifdef FEATURE_HTTPS_INSPECTION
+#define CGI_PREFIX "//" CGI_SITE_2_HOST CGI_SITE_2_PATH "/"
+#define CGI_PREFIX_HTTPS "https:" CGI_PREFIX
+#else
#define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/"
+#endif
+#define CGI_PREFIX_HTTP "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/"
#endif /* ndef PROJECT_H_INCLUDED */