1 #ifndef PROJECT_H_INCLUDED 2 #define PROJECT_H_INCLUDED 3 /********************************************************************* 4 * 5 * File : $Source: /cvsroot/ijbswa/current/project.h,v $ 6 * 7 * Purpose : Defines data structures which are widely used in the 8 * project. Does not define any variables or functions 9 * (though it does declare some macros). 10 * 11 * Copyright : Written by and Copyright (C) 2001-2021 the 12 * Privoxy team. https://www.privoxy.org/ 13 * 14 * Based on the Internet Junkbuster originally written 15 * by and Copyright (C) 1997 Anonymous Coders and 16 * Junkbusters Corporation. http://www.junkbusters.com 17 * 18 * This program is free software; you can redistribute it 19 * and/or modify it under the terms of the GNU General 20 * Public License as published by the Free Software 21 * Foundation; either version 2 of the License, or (at 22 * your option) any later version. 23 * 24 * This program is distributed in the hope that it will 25 * be useful, but WITHOUT ANY WARRANTY; without even the 26 * implied warranty of MERCHANTABILITY or FITNESS FOR A 27 * PARTICULAR PURPOSE. See the GNU General Public 28 * License for more details. 29 * 30 * The GNU General Public License should be included with 31 * this file. If not, you can view it at 32 * http://www.gnu.org/copyleft/gpl.html 33 * or write to the Free Software Foundation, Inc., 59 34 * Temple Place - Suite 330, Boston, MA 02111-1307, USA. 35 * 36 *********************************************************************/ 37 38 39 /* Declare struct FILE for vars and funcs. */ 40 #include <stdio.h> 41 42 /* Need time_t for file_list */ 43 #include <time.h> 44 /* Needed for pcre choice */ 45 #include "config.h" 46 47 #ifdef FEATURE_HTTPS_INSPECTION 48 /* 49 * Macros for SSL structures 50 */ 51 #define CERT_INFO_BUF_SIZE 4096 52 #define ISSUER_NAME_BUF_SIZE 2048 53 #define HASH_OF_HOST_BUF_SIZE 16 54 #endif /* FEATURE_HTTPS_INSPECTION */ 55 56 #ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS 57 #include "mbedtls/net_sockets.h" 58 #include "mbedtls/entropy.h" 59 #include "mbedtls/ctr_drbg.h" 60 61 #if defined(MBEDTLS_SSL_CACHE_C) 62 #include "mbedtls/ssl_cache.h" 63 #endif 64 #endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ 65 66 #ifdef FEATURE_HTTPS_INSPECTION_OPENSSL 67 #ifdef _WIN32 68 #include <wincrypt.h> 69 #undef X509_NAME 70 #undef X509_EXTENSIONS 71 #endif 72 #include <openssl/ssl.h> 73 #include <openssl/bio.h> 74 #include <openssl/err.h> 75 #endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ 76 77 /* Need for struct sockaddr_storage */ 78 #ifdef HAVE_RFC2553 79 # ifndef _WIN32 80 # include <netdb.h> 81 # include <sys/socket.h> 82 # else 83 # include <stdint.h> 84 # include <ws2tcpip.h> 85 typedef unsigned short in_port_t; 86 # endif 87 #endif 88 89 90 /* 91 * Include appropriate regular expression libraries. 92 * Note that pcrs and pcre (native) are needed for cgi 93 * and are included anyway. 94 */ 95 96 #ifdef STATIC_PCRE 97 # include "pcre.h" 98 #else 99 # ifdef PCRE_H_IN_SUBDIR 100 # include <pcre/pcre.h> 101 # else 102 # include <pcre.h> 103 # endif 104 #endif 105 106 #ifdef STATIC_PCRS 107 # include "pcrs.h" 108 #else 109 # include <pcrs.h> 110 #endif 111 112 #ifdef STATIC_PCRE 113 # include "pcreposix.h" 114 #else 115 # ifdef PCRE_H_IN_SUBDIR 116 # include <pcre/pcreposix.h> 117 # else 118 # include <pcreposix.h> 119 # endif 120 #endif 121 122 #ifdef _WIN32 123 /* 124 * I don't want to have to #include all this just for the declaration 125 * of SOCKET. However, it looks like we have to... 126 */ 127 #ifndef STRICT 128 #define STRICT 129 #endif 130 #include <windows.h> 131 #endif 132 133 134 #ifdef _WIN32 135 136 typedef SOCKET jb_socket; 137 138 #define JB_INVALID_SOCKET INVALID_SOCKET 139 140 #else /* ndef _WIN32 */ 141 142 /** 143 * The type used by sockets. On UNIX it's an int. Microsoft decided to 144 * make it an unsigned. 145 */ 146 typedef int jb_socket; 147 148 /** 149 * The error value used for variables of type jb_socket. On UNIX this 150 * is -1, however Microsoft decided to make socket handles unsigned, so 151 * they use a different value. 152 */ 153 154 #define JB_INVALID_SOCKET (-1) 155 156 #endif /* ndef _WIN32 */ 157 158 159 /** 160 * A standard error code. This should be JB_ERR_OK or one of the JB_ERR_xxx 161 * series of errors. 162 */ 163 enum privoxy_err 164 { 165 JB_ERR_OK = 0, /**< Success, no error */ 166 JB_ERR_MEMORY = 1, /**< Out of memory */ 167 JB_ERR_CGI_PARAMS = 2, /**< Missing or corrupt CGI parameters */ 168 JB_ERR_FILE = 3, /**< Error opening, reading or writing a file */ 169 JB_ERR_PARSE = 4, /**< Error parsing file */ 170 JB_ERR_MODIFIED = 5, /**< File has been modified outside of the 171 CGI actions editor. */ 172 JB_ERR_COMPRESS = 6 /**< Error on decompression */ 173 }; 174 175 typedef enum privoxy_err jb_err; 176 177 /** 178 * This macro is used to free a pointer that may be NULL. 179 * It also sets the variable to NULL after it's been freed. 180 * The parameter should be a simple variable without side effects. 181 */ 182 #define freez(X) { if(X) { free((void*)X); X = NULL ; } } 183 184 185 /** 186 * Macro definitions for platforms where isspace() and friends 187 * are macros that use their argument directly as an array index 188 * and thus better be positive. Supposedly that's the case on 189 * some unspecified Solaris versions. 190 * Note: Remember to #include <ctype.h> if you use these macros. 191 */ 192 #define privoxy_isdigit(__X) isdigit((int)(unsigned char)(__X)) 193 #define privoxy_isupper(__X) isupper((int)(unsigned char)(__X)) 194 #define privoxy_toupper(__X) toupper((int)(unsigned char)(__X)) 195 #define privoxy_tolower(__X) tolower((int)(unsigned char)(__X)) 196 #define privoxy_isspace(__X) isspace((int)(unsigned char)(__X)) 197 198 /** 199 * Use for statically allocated buffers if you have no other choice. 200 * Remember to check the length of what you write into the buffer 201 * - we don't want any buffer overflows! 202 */ 203 #define BUFFER_SIZE 5000 204 205 /** 206 * Max length of CGI parameters (arbitrary limit). 207 */ 208 #define CGI_PARAM_LEN_MAX 500U 209 210 /** 211 * Buffer size for capturing struct hostent data in the 212 * gethostby(name|addr)_r library calls. Since we don't 213 * loop over gethostbyname_r, the buffer must be sufficient 214 * to accommodate multiple IN A RRs, as used in DNS round robin 215 * load balancing. W3C's wwwlib uses 1K, so that should be 216 * good enough for us, too. 217 */ 218 /** 219 * XXX: Temporary doubled, for some configurations 220 * 1K is still too small and we didn't get the 221 * real fix ready for inclusion. 222 */ 223 #define HOSTENT_BUFFER_SIZE 2048 224 225 /** 226 * Default TCP/IP address to listen on, as a string. 227 * Set to "127.0.0.1:8118". 228 */ 229 #define HADDR_DEFAULT "127.0.0.1:8118" 230 231 232 /* Forward def for struct client_state */ 233 struct configuration_spec; 234 235 236 /** 237 * Entry in a linked list of strings. 238 */ 239 struct list_entry 240 { 241 /** 242 * The string pointer. It must point to a dynamically malloc()ed 243 * string or be NULL for the list functions to work. In the latter 244 * case, just be careful next time you iterate through the list in 245 * your own code. 246 */ 247 char *str; 248 249 /** Next entry in the linked list, or NULL if no more. */ 250 struct list_entry *next; 251 }; 252 253 /** 254 * A header for a linked list of strings. 255 */ 256 struct list 257 { 258 /** First entry in the list, or NULL if the list is empty. */ 259 struct list_entry *first; 260 261 /** Last entry in the list, or NULL if the list is empty. */ 262 struct list_entry *last; 263 }; 264 265 266 /** 267 * An entry in a map. This is a name=value pair. 268 */ 269 struct map_entry 270 { 271 /** The key for the map. */ 272 const char *name; 273 /** The value associated with that key. */ 274 const char *value; 275 /** The next map entry, or NULL if none. */ 276 struct map_entry *next; 277 }; 278 279 /** 280 * A map from a string to another string. 281 * This is used for the parameters passed in a HTTP GET request, and 282 * to store the exports when the CGI interface is filling in a template. 283 */ 284 struct map 285 { 286 /** The first map entry, or NULL if the map is empty. */ 287 struct map_entry *first; 288 /** The last map entry, or NULL if the map is empty. */ 289 struct map_entry *last; 290 }; 291 292 #ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS 293 /* 294 * Struct of attributes necessary for TLS/SSL connection 295 */ 296 typedef struct { 297 mbedtls_ssl_context ssl; 298 mbedtls_ssl_config conf; 299 mbedtls_net_context socket_fd; 300 mbedtls_x509_crt server_cert; 301 mbedtls_x509_crt ca_cert; 302 mbedtls_pk_context prim_key; 303 int *ciphersuites_list; 304 305 #if defined(MBEDTLS_SSL_CACHE_C) 306 mbedtls_ssl_cache_context cache; 307 #endif 308 } mbedtls_connection_attr; 309 #endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ 310 311 #ifdef FEATURE_HTTPS_INSPECTION_OPENSSL 312 /* 313 * Struct of attributes necessary for TLS/SSL connection 314 */ 315 typedef struct { 316 SSL_CTX *ctx; 317 BIO *bio; 318 } openssl_connection_attr; 319 #endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ 320 /** 321 * A HTTP request. This includes the method (GET, POST) and 322 * the parsed URL. 323 * 324 * This is also used whenever we want to match a URL against a 325 * URL pattern. This always contains the URL to match, and never 326 * a URL pattern. (See struct url_spec). 327 */ 328 struct http_request 329 { 330 char *cmd; /**< Whole command line: method, URL, Version */ 331 char *ocmd; /**< Backup of original cmd for CLF logging */ 332 char *gpc; /**< HTTP method: GET, POST, ... */ 333 char *url; /**< The URL */ 334 char *version; /**< Protocol version */ 335 int status; /**< HTTP Status */ 336 337 int port; /**< Port of URL or 80 (default) */ 338 char *host; /**< Host part of URL */ 339 char *path; /**< Path of URL */ 340 char *hostport; /**< host[:port] */ 341 342 char *host_ip_addr_str; /**< String with dotted decimal representation 343 of host's IP. NULL before connect_to() */ 344 345 char *dbuffer; /**< Buffer with '\0'-delimited domain name. */ 346 char **dvec; /**< List of pointers to the strings in dbuffer. */ 347 int dcount; /**< How many parts to this domain? (length of dvec) */ 348 349 #ifdef FEATURE_HTTPS_INSPECTION 350 int client_ssl; /**< Flag if we should communicate with client over ssl */ 351 int server_ssl; /**< Flag if we should communicate with server over ssl */ 352 unsigned char hash_of_host_hex[(HASH_OF_HOST_BUF_SIZE * 2) + 1]; /**< chars for hash in hex string and one for '\0' */ 353 unsigned char hash_of_host[HASH_OF_HOST_BUF_SIZE+1]; /**< chars for bytes of hash and one for '\0' */ 354 #endif 355 short int ssl; /**< Flag if protocol is https */ 356 }; 357 358 359 #ifdef FEATURE_HTTPS_INSPECTION 360 /* 361 * Struct for linked list containing certificates 362 */ 363 typedef struct certs_chain { 364 char info_buf[CERT_INFO_BUF_SIZE]; /* text info about properties of certificate */ 365 char *file_buf; /* buffer for whole certificate - format to save in file */ 366 struct certs_chain *next; /* next certificate in chain of trust */ 367 } certs_chain_t; 368 #endif 369 370 /** 371 * Reasons for generating a http_response instead of delivering 372 * the requested resource. Mostly ordered the way they are checked 373 * for in chat(). 374 */ 375 enum crunch_reason 376 { 377 UNSUPPORTED, 378 BLOCKED, 379 UNTRUSTED, 380 REDIRECTED, 381 CGI_CALL, 382 NO_SUCH_DOMAIN, 383 FORWARDING_FAILED, 384 CONNECT_FAILED, 385 OUT_OF_MEMORY, 386 INTERNAL_ERROR, 387 CONNECTION_TIMEOUT, 388 NO_SERVER_DATA 389 }; 390 391 /** 392 * Response generated by CGI, blocker, or error handler 393 */ 394 struct http_response 395 { 396 char *status; /**< HTTP status (string). */ 397 struct list headers[1]; /**< List of header lines. */ 398 char *head; /**< Formatted http response head. */ 399 size_t head_length; /**< Length of http response head. */ 400 char *body; /**< HTTP document body. */ 401 size_t content_length; /**< Length of body, REQUIRED if binary body. */ 402 int is_static; /**< Nonzero if the content will never change and 403 should be cached by the browser (e.g. images). */ 404 enum crunch_reason crunch_reason; /**< Why the response was generated in the first place. */ 405 }; 406 407 struct url_spec 408 { 409 #ifdef FEATURE_PCRE_HOST_PATTERNS 410 regex_t *host_regex;/**< Regex for host matching */ 411 enum host_regex_type { VANILLA_HOST_PATTERN, PCRE_HOST_PATTERN } host_regex_type; 412 #endif /* defined FEATURE_PCRE_HOST_PATTERNS */ 413 int dcount; /**< How many parts to this domain? (length of dvec) */ 414 char *dbuffer; /**< Buffer with '\0'-delimited domain name, or NULL to match all hosts. */ 415 char **dvec; /**< List of pointers to the strings in dbuffer. */ 416 int unanchored; /**< Bitmap - flags are ANCHOR_LEFT and ANCHOR_RIGHT. */ 417 418 char *port_list; /**< List of acceptable ports, or NULL to match all ports */ 419 420 regex_t *preg; /**< Regex for matching path part */ 421 }; 422 423 /** 424 * A URL or a tag pattern. 425 */ 426 struct pattern_spec 427 { 428 /** The string which was parsed to produce this pattern_spec. 429 Used for debugging or display only. */ 430 char *spec; 431 432 union 433 { 434 struct url_spec url_spec; 435 regex_t *tag_regex; 436 } pattern; 437 438 unsigned int flags; /**< Bitmap with various pattern properties. */ 439 }; 440 441 /** 442 * Constant for host part matching in URLs. If set, indicates that the start of 443 * the pattern must match the start of the URL. E.g. this is not set for the 444 * pattern ".example.com", so that it will match both "example.com" and 445 * "www.example.com". It is set for the pattern "example.com", which makes it 446 * match "example.com" only, not "www.example.com". 447 */ 448 #define ANCHOR_LEFT 1 449 450 /** 451 * Constant for host part matching in URLs. If set, indicates that the end of 452 * the pattern must match the end of the URL. E.g. this is not set for the 453 * pattern "ad.", so that it will match any host called "ad", irrespective 454 * of how many subdomains are in the fully-qualified domain name. 455 */ 456 #define ANCHOR_RIGHT 2 457 458 /** Pattern spec bitmap: It's an URL pattern. */ 459 #define PATTERN_SPEC_URL_PATTERN 0x00000001UL 460 461 /** Pattern spec bitmap: It's a TAG pattern. */ 462 #define PATTERN_SPEC_TAG_PATTERN 0x00000002UL 463 464 /** Pattern spec bitmap: It's a NO-REQUEST-TAG pattern. */ 465 #define PATTERN_SPEC_NO_REQUEST_TAG_PATTERN 0x00000004UL 466 467 /** Pattern spec bitmap: It's a NO-RESPONSE-TAG pattern. */ 468 #define PATTERN_SPEC_NO_RESPONSE_TAG_PATTERN 0x00000008UL 469 470 /** Pattern spec bitmap: It's a CLIENT-TAG pattern. */ 471 #define PATTERN_SPEC_CLIENT_TAG_PATTERN 0x00000010UL 472 473 /** 474 * An I/O buffer. Holds a string which can be appended to, and can have data 475 * removed from the beginning. 476 */ 477 struct iob 478 { 479 char *buf; /**< Start of buffer */ 480 char *cur; /**< Start of relevant data */ 481 char *eod; /**< End of relevant data */ 482 size_t size; /**< Size as malloc()ed */ 483 }; 484 485 486 /* Bits for csp->content_type bitmask: */ 487 #define CT_TEXT 0x0001U /**< Suitable for pcrs filtering. */ 488 #define CT_GIF 0x0002U /**< Suitable for GIF filtering. */ 489 #define CT_TABOO 0x0004U /**< DO NOT filter, irrespective of other flags. */ 490 491 /* Although these are not, strictly speaking, content types 492 * (they are content encodings), it is simple to handle them 493 * as such. 494 */ 495 #define CT_GZIP 0x0010U /**< gzip-compressed data. */ 496 #define CT_DEFLATE 0x0020U /**< zlib-compressed data. */ 497 #define CT_BROTLI 0x0040U /**< Brotli-compressed data. */ 498 499 /** 500 * Flag to signal that the server declared the content type, 501 * so we can differentiate between unknown and undeclared 502 * content types. 503 */ 504 #define CT_DECLARED 0x0080U 505 506 /** 507 * The mask which includes all actions. 508 */ 509 #define ACTION_MASK_ALL (~0UL) 510 511 /** 512 * The most compatible set of actions - i.e. none. 513 */ 514 #define ACTION_MOST_COMPATIBLE 0x00000000UL 515 516 /** Action bitmap: Block the request. */ 517 #define ACTION_BLOCK 0x00000001UL 518 /** Action bitmap: Deanimate if it's a GIF. */ 519 #define ACTION_DEANIMATE 0x00000002UL 520 /** Action bitmap: Downgrade HTTP/1.1 to 1.0. */ 521 #define ACTION_DOWNGRADE 0x00000004UL 522 /** Action bitmap: Fast redirects. */ 523 #define ACTION_FAST_REDIRECTS 0x00000008UL 524 /** Action bitmap: Remove or add "X-Forwarded-For" header. */ 525 #define ACTION_CHANGE_X_FORWARDED_FOR 0x00000010UL 526 /** Action bitmap: Hide "From" header. */ 527 #define ACTION_HIDE_FROM 0x00000020UL 528 /** Action bitmap: Hide "Referer" header. (sic - follow HTTP, not English). */ 529 #define ACTION_HIDE_REFERER 0x00000040UL 530 /** Action bitmap: Hide "User-Agent" and similar headers. */ 531 #define ACTION_HIDE_USER_AGENT 0x00000080UL 532 /** Action bitmap: This is an image. */ 533 #define ACTION_IMAGE 0x00000100UL 534 /** Action bitmap: Sets the image blocker. */ 535 #define ACTION_IMAGE_BLOCKER 0x00000200UL 536 /** Action bitmap: Prevent compression. */ 537 #define ACTION_NO_COMPRESSION 0x00000400UL 538 /** Action bitmap: Change cookies to session only cookies. */ 539 #define ACTION_SESSION_COOKIES_ONLY 0x00000800UL 540 /** Action bitmap: Block cookies coming from the client. */ 541 #define ACTION_CRUNCH_OUTGOING_COOKIES 0x00001000UL 542 /** Action bitmap: Block cookies coming from the server. */ 543 #define ACTION_CRUNCH_INCOMING_COOKIES 0x00002000UL 544 /** Action bitmap: Override the forward settings in the config file */ 545 #define ACTION_FORWARD_OVERRIDE 0x00004000UL 546 /** Action bitmap: Block as empty document */ 547 #define ACTION_HANDLE_AS_EMPTY_DOCUMENT 0x00008000UL 548 /** Action bitmap: Limit CONNECT requests to safe ports. */ 549 #define ACTION_LIMIT_CONNECT 0x00010000UL 550 /** Action bitmap: Redirect request. */ 551 #define ACTION_REDIRECT 0x00020000UL 552 /** Action bitmap: Crunch or modify "if-modified-since" header. */ 553 #define ACTION_HIDE_IF_MODIFIED_SINCE 0x00040000UL 554 /** Action bitmap: Overwrite Content-Type header. */ 555 #define ACTION_CONTENT_TYPE_OVERWRITE 0x00080000UL 556 /** Action bitmap: Crunch specified server header. */ 557 #define ACTION_CRUNCH_SERVER_HEADER 0x00100000UL 558 /** Action bitmap: Crunch specified client header */ 559 #define ACTION_CRUNCH_CLIENT_HEADER 0x00200000UL 560 /** Action bitmap: Enable text mode by force */ 561 #define ACTION_FORCE_TEXT_MODE 0x00400000UL 562 /** Action bitmap: Remove the "If-None-Match" header. */ 563 #define ACTION_CRUNCH_IF_NONE_MATCH 0x00800000UL 564 /** Action bitmap: Enable content-disposition crunching */ 565 #define ACTION_HIDE_CONTENT_DISPOSITION 0x01000000UL 566 /** Action bitmap: Replace or block Last-Modified header */ 567 #define ACTION_OVERWRITE_LAST_MODIFIED 0x02000000UL 568 /** Action bitmap: Replace or block Accept-Language header */ 569 #define ACTION_HIDE_ACCEPT_LANGUAGE 0x04000000UL 570 /** Action bitmap: Limit the cookie lifetime */ 571 #define ACTION_LIMIT_COOKIE_LIFETIME 0x08000000UL 572 /** Action bitmap: Delay writes */ 573 #define ACTION_DELAY_RESPONSE 0x10000000UL 574 /** Action bitmap: Turn https inspection on */ 575 #define ACTION_HTTPS_INSPECTION 0x20000000UL 576 /** Action bitmap: Turn certificates verification off */ 577 #define ACTION_IGNORE_CERTIFICATE_ERRORS 0x40000000UL 578 579 /** Action string index: How to deanimate GIFs */ 580 #define ACTION_STRING_DEANIMATE 0 581 /** Action string index: Replacement for "From:" header */ 582 #define ACTION_STRING_FROM 1 583 /** Action string index: How to block images */ 584 #define ACTION_STRING_IMAGE_BLOCKER 2 585 /** Action string index: Replacement for "Referer:" header */ 586 #define ACTION_STRING_REFERER 3 587 /** Action string index: Replacement for "User-Agent:" header */ 588 #define ACTION_STRING_USER_AGENT 4 589 /** Action string index: Legal CONNECT ports. */ 590 #define ACTION_STRING_LIMIT_CONNECT 5 591 /** Action string index: Server headers containing this pattern are crunched*/ 592 #define ACTION_STRING_SERVER_HEADER 6 593 /** Action string index: Client headers containing this pattern are crunched*/ 594 #define ACTION_STRING_CLIENT_HEADER 7 595 /** Action string index: Replacement for the "Accept-Language:" header*/ 596 #define ACTION_STRING_LANGUAGE 8 597 /** Action string index: Replacement for the "Content-Type:" header*/ 598 #define ACTION_STRING_CONTENT_TYPE 9 599 /** Action string index: Replacement for the "content-disposition:" header*/ 600 #define ACTION_STRING_CONTENT_DISPOSITION 10 601 /** Action string index: Replacement for the "If-Modified-Since:" header*/ 602 #define ACTION_STRING_IF_MODIFIED_SINCE 11 603 /** Action string index: Replacement for the "Last-Modified:" header. */ 604 #define ACTION_STRING_LAST_MODIFIED 12 605 /** Action string index: Redirect URL */ 606 #define ACTION_STRING_REDIRECT 13 607 /** Action string index: Decode before redirect? */ 608 #define ACTION_STRING_FAST_REDIRECTS 14 609 /** Action string index: Overriding forward rule. */ 610 #define ACTION_STRING_FORWARD_OVERRIDE 15 611 /** Action string index: Reason for the block. */ 612 #define ACTION_STRING_BLOCK 16 613 /** Action string index: what to do with the "X-Forwarded-For" header. */ 614 #define ACTION_STRING_CHANGE_X_FORWARDED_FOR 17 615 /** Action string index: how many minutes cookies should be valid. */ 616 #define ACTION_STRING_LIMIT_COOKIE_LIFETIME 18 617 /** Action string index: how many milliseconds writes should be delayed. */ 618 #define ACTION_STRING_DELAY_RESPONSE 19 619 /** Number of string actions. */ 620 #define ACTION_STRING_COUNT 20 621 622 623 /* To make the ugly hack in sed easier to understand */ 624 #define CHECK_EVERY_HEADER_REMAINING 0 625 626 627 /** Index into current_action_spec::multi[] for headers to add. */ 628 #define ACTION_MULTI_ADD_HEADER 0 629 /** Index into current_action_spec::multi[] for content filters to apply. */ 630 #define ACTION_MULTI_FILTER 1 631 /** Index into current_action_spec::multi[] for server-header filters to apply. */ 632 #define ACTION_MULTI_SERVER_HEADER_FILTER 2 633 /** Index into current_action_spec::multi[] for client-header filters to apply. */ 634 #define ACTION_MULTI_CLIENT_HEADER_FILTER 3 635 /** Index into current_action_spec::multi[] for client-header tags to apply. */ 636 #define ACTION_MULTI_CLIENT_HEADER_TAGGER 4 637 /** Index into current_action_spec::multi[] for server-header tags to apply. */ 638 #define ACTION_MULTI_SERVER_HEADER_TAGGER 5 639 /** Number of multi-string actions. */ 640 #define ACTION_MULTI_EXTERNAL_FILTER 6 641 /** Index into current_action_spec::multi[] for tags to suppress. */ 642 #define ACTION_MULTI_SUPPRESS_TAG 7 643 /** Index into current_action_spec::multi[] for client body filters to apply. */ 644 #define ACTION_MULTI_CLIENT_BODY_FILTER 8 645 /** Number of multi-string actions. */ 646 #define ACTION_MULTI_COUNT 9 647 648 649 /** 650 * This structure contains a list of actions to apply to a URL. 651 * It only contains positive instructions - no "-" options. 652 * It is not used to store the actions list itself, only for 653 * url_actions() to return the current values. 654 */ 655 struct current_action_spec 656 { 657 /** Actions to apply. A bit set to "1" means perform the action. */ 658 unsigned long flags; 659 660 /** 661 * Parameters for those actions that require them. 662 * Each entry is valid if & only if the corresponding entry in "flags" is 663 * set. 664 */ 665 char * string[ACTION_STRING_COUNT]; 666 667 /** Lists of strings for multi-string actions. */ 668 struct list multi[ACTION_MULTI_COUNT][1]; 669 }; 670 671 672 /** 673 * This structure contains a set of changes to actions. 674 * It can contain both positive and negative instructions. 675 * It is used to store an entry in the actions list. 676 */ 677 struct action_spec 678 { 679 unsigned long mask; /**< Actions to keep. A bit set to "0" means remove action. */ 680 unsigned long add; /**< Actions to add. A bit set to "1" means add action. */ 681 682 /** 683 * Parameters for those actions that require them. 684 * Each entry is valid if & only if the corresponding entry in "flags" is 685 * set. 686 */ 687 char * string[ACTION_STRING_COUNT]; 688 689 /** Lists of strings to remove, for multi-string actions. */ 690 struct list multi_remove[ACTION_MULTI_COUNT][1]; 691 692 /** If nonzero, remove *all* strings from the multi-string action. */ 693 int multi_remove_all[ACTION_MULTI_COUNT]; 694 695 /** Lists of strings to add, for multi-string actions. */ 696 struct list multi_add[ACTION_MULTI_COUNT][1]; 697 }; 698 699 700 /** 701 * This structure is used to store action files. 702 * 703 * It contains an URL or tag pattern, and the changes to 704 * the actions. It's a linked list and should only be 705 * free'd through unload_actions_file() unless there's 706 * only a single entry. 707 */ 708 struct url_actions 709 { 710 struct pattern_spec url[1]; /**< The URL or tag pattern. */ 711 712 struct action_spec *action; /**< Action settings that might be shared with 713 the list entry before or after the current 714 one and can't be free'd willy nilly. */ 715 716 struct url_actions *next; /**< Next action section in file, or NULL. */ 717 }; 718 719 enum forwarder_type { 720 /**< Don't use a SOCKS server, forward to a HTTP proxy directly */ 721 SOCKS_NONE = 0, 722 /**< original SOCKS 4 protocol */ 723 SOCKS_4 = 40, 724 /**< SOCKS 4A, DNS resolution is done by the SOCKS server */ 725 SOCKS_4A = 41, 726 /**< SOCKS 5 with hostnames, DNS resolution is done by the SOCKS server */ 727 SOCKS_5 = 50, 728 /**< Like SOCKS5, but uses non-standard Tor extensions (currently only optimistic data) */ 729 SOCKS_5T, 730 /**< 731 * Don't use a SOCKS server, forward to the specified webserver. 732 * The difference to SOCKS_NONE is that a request line without 733 * full URL is sent. 734 */ 735 FORWARD_WEBSERVER, 736 }; 737 738 /* 739 * Structure to hold the server socket and the information 740 * required to make sure we only reuse the connection if 741 * the host and forwarding settings are the same. 742 */ 743 struct reusable_connection 744 { 745 jb_socket sfd; 746 int in_use; 747 time_t timestamp; /* XXX: rename? */ 748 749 time_t request_sent; 750 time_t response_received; 751 752 /* 753 * Number of seconds after which this 754 * connection will no longer be reused. 755 */ 756 unsigned int keep_alive_timeout; 757 /* 758 * Number of requests that were sent to this connection. 759 * This is currently only for debugging purposes. 760 */ 761 unsigned int requests_sent_total; 762 763 char *host; 764 int port; 765 enum forwarder_type forwarder_type; 766 char *forward_host; 767 int forward_port; 768 769 int gateway_port; 770 char *gateway_host; 771 char *auth_username; 772 char *auth_password; 773 774 }; 775 776 777 /* 778 * Flags for use in csp->flags 779 */ 780 781 /** 782 * Flag for csp->flags: Set if this client is processing data. 783 * Cleared when the thread associated with this structure dies. 784 */ 785 #define CSP_FLAG_ACTIVE 0x01U 786 787 /** 788 * Flag for csp->flags: Set if the server's reply is in "chunked" 789 * transfer encoding 790 */ 791 #define CSP_FLAG_CHUNKED 0x02U 792 793 /** 794 * Flag for csp->flags: Set if this request was enforced, although it would 795 * normally have been blocked. 796 */ 797 #define CSP_FLAG_FORCED 0x04U 798 799 /** 800 * Flag for csp->flags: Set if any modification to the body was done. 801 */ 802 #define CSP_FLAG_MODIFIED 0x08U 803 804 /** 805 * Flag for csp->flags: Set if request was blocked. 806 */ 807 #define CSP_FLAG_REJECTED 0x10U 808 809 /** 810 * Flag for csp->flags: Set if we are toggled on (FEATURE_TOGGLE). 811 */ 812 #define CSP_FLAG_TOGGLED_ON 0x20U 813 814 /** 815 * Flag for csp->flags: Set if an acceptable Connection header 816 * has already been set by the client. 817 */ 818 #define CSP_FLAG_CLIENT_CONNECTION_HEADER_SET 0x00000040U 819 820 /** 821 * Flag for csp->flags: Set if an acceptable Connection header 822 * has already been set by the server. 823 */ 824 #define CSP_FLAG_SERVER_CONNECTION_HEADER_SET 0x00000080U 825 826 /** 827 * Flag for csp->flags: Signals header parsers whether they 828 * are parsing server or client headers. 829 */ 830 #define CSP_FLAG_CLIENT_HEADER_PARSING_DONE 0x00000100U 831 832 /** 833 * Flag for csp->flags: Set if adding the Host: header 834 * isn't necessary. 835 */ 836 #define CSP_FLAG_HOST_HEADER_IS_SET 0x00000200U 837 838 /** 839 * Flag for csp->flags: Set if filtering is disabled by X-Filter: No 840 * XXX: As we now have tags we might as well ditch this. 841 */ 842 #define CSP_FLAG_NO_FILTERING 0x00000400U 843 844 /** 845 * Flag for csp->flags: Set the client IP has appended to 846 * an already existing X-Forwarded-For header in which case 847 * no new header has to be generated. 848 */ 849 #define CSP_FLAG_X_FORWARDED_FOR_APPENDED 0x00000800U 850 851 /** 852 * Flag for csp->flags: Set if the server wants to keep 853 * the connection alive. 854 */ 855 #define CSP_FLAG_SERVER_CONNECTION_KEEP_ALIVE 0x00001000U 856 857 /** 858 * Flag for csp->flags: Set if the server specified the 859 * content length. 860 */ 861 #define CSP_FLAG_SERVER_CONTENT_LENGTH_SET 0x00002000U 862 863 /** 864 * Flag for csp->flags: Set if we know the content length, 865 * either because the server set it, or we figured it out 866 * on our own. 867 */ 868 #define CSP_FLAG_CONTENT_LENGTH_SET 0x00004000U 869 870 /** 871 * Flag for csp->flags: Set if the client wants to keep 872 * the connection alive. 873 */ 874 #define CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE 0x00008000U 875 876 /** 877 * Flag for csp->flags: Set if we think we got the whole 878 * client request and shouldn't read any additional data 879 * coming from the client until the current request has 880 * been dealt with. 881 */ 882 #define CSP_FLAG_CLIENT_REQUEST_COMPLETELY_READ 0x00010000U 883 884 /** 885 * Flag for csp->flags: Set if the server promised us to 886 * keep the connection open for a known number of seconds. 887 */ 888 #define CSP_FLAG_SERVER_KEEP_ALIVE_TIMEOUT_SET 0x00020000U 889 890 /** 891 * Flag for csp->flags: Set if we think we can't reuse 892 * the server socket. XXX: It's also set after sabotaging 893 * pipelining attempts which is somewhat inconsistent with 894 * the name. 895 */ 896 #define CSP_FLAG_SERVER_SOCKET_TAINTED 0x00040000U 897 898 /** 899 * Flag for csp->flags: Set if the Proxy-Connection header 900 * is among the server headers. 901 */ 902 #define CSP_FLAG_SERVER_PROXY_CONNECTION_HEADER_SET 0x00080000U 903 904 /** 905 * Flag for csp->flags: Set if the client reused its connection. 906 */ 907 #define CSP_FLAG_REUSED_CLIENT_CONNECTION 0x00100000U 908 909 /** 910 * Flag for csp->flags: Set if the supports deflate compression. 911 */ 912 #define CSP_FLAG_CLIENT_SUPPORTS_DEFLATE 0x00200000U 913 914 /** 915 * Flag for csp->flags: Set if the content has been deflated by Privoxy 916 */ 917 #define CSP_FLAG_BUFFERED_CONTENT_DEFLATED 0x00400000U 918 919 /** 920 * Flag for csp->flags: Set if we already read (parts of) 921 * a pipelined request in which case the client obviously 922 * isn't done talking. 923 */ 924 #define CSP_FLAG_PIPELINED_REQUEST_WAITING 0x00800000U 925 926 /** 927 * Flag for csp->flags: Set if the client body is chunk-encoded 928 */ 929 #define CSP_FLAG_CHUNKED_CLIENT_BODY 0x01000000U 930 931 /** 932 * Flag for csp->flags: Set if the client set the Expect header 933 */ 934 #define CSP_FLAG_UNSUPPORTED_CLIENT_EXPECTATION 0x02000000U 935 936 /** 937 * Flag for csp->flags: Set if we answered the request ourselves. 938 */ 939 #define CSP_FLAG_CRUNCHED 0x04000000U 940 941 #ifdef FUZZ 942 /** 943 * Flag for csp->flags: Set if we are working with fuzzed input 944 */ 945 #define CSP_FLAG_FUZZED_INPUT 0x08000000U 946 #endif 947 948 /* 949 * Flags for use in return codes of child processes 950 */ 951 952 /** 953 * Flag for process return code: Set if exiting process has been toggled 954 * during its lifetime. 955 */ 956 #define RC_FLAG_TOGGLED 0x10 957 958 /** 959 * Flag for process return code: Set if exiting process has blocked its 960 * request. 961 */ 962 #define RC_FLAG_BLOCKED 0x20 963 964 /** 965 * Maximum number of actions/filter files. This limit is arbitrary - it's just used 966 * to size an array. 967 */ 968 #define MAX_AF_FILES 100 969 970 /** 971 * Maximum number of sockets to listen to. This limit is arbitrary - it's just used 972 * to size an array. 973 */ 974 #define MAX_LISTENING_SOCKETS 10 975 976 struct ssl_attr { 977 #ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS 978 mbedtls_connection_attr mbedtls_attr; /* Mbed TLS attrs*/ 979 #endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ 980 #ifdef FEATURE_HTTPS_INSPECTION_OPENSSL 981 openssl_connection_attr openssl_attr; /* OpenSSL atrrs */ 982 #endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ 983 }; 984 /** 985 * The state of a Privoxy processing thread. 986 */ 987 struct client_state 988 { 989 /** The proxy's configuration */ 990 struct configuration_spec * config; 991 992 /** The actions to perform on the current request */ 993 struct current_action_spec action[1]; 994 995 /** socket to talk to client (web browser) */ 996 jb_socket cfd; 997 998 /** Number of requests received on the client socket. */ 999 unsigned int requests_received_total; 1000 1001 /** current connection to the server (may go through a proxy) */ 1002 struct reusable_connection server_connection; 1003 1004 /** Multi-purpose flag container, see CSP_FLAG_* above */ 1005 unsigned int flags; 1006 1007 /** MIME-Type key, see CT_* above */ 1008 unsigned int content_type; 1009 1010 /** Client PC's IP address, as reported by the accept() function. 1011 As a string. */ 1012 char *ip_addr_str; 1013 #ifdef HAVE_RFC2553 1014 /** Client PC's TCP address, as reported by the accept() function. 1015 As a sockaddr. */ 1016 struct sockaddr_storage tcp_addr; 1017 #else 1018 /** Client PC's IP address, as reported by the accept() function. 1019 As a number. */ 1020 unsigned long ip_addr_long; 1021 #endif /* def HAVE_RFC2553 */ 1022 1023 /** The host name and port (as a string of the form '<hostname>:<port>') 1024 of the server socket to which the client connected. */ 1025 char *listen_addr_str; 1026 1027 /** The URL that was requested */ 1028 struct http_request http[1]; 1029 1030 /* 1031 * The final forwarding settings. 1032 * XXX: Currently this is only used for forward-override, 1033 * so we can free the space in sweep. 1034 */ 1035 struct forward_spec * fwd; 1036 1037 /** An I/O buffer used for buffering data read from the server */ 1038 /* XXX: should be renamed to server_iob */ 1039 struct iob iob[1]; 1040 1041 struct ssl_attr ssl_server_attr; /* attributes for connection to server */ 1042 struct ssl_attr ssl_client_attr; /* attributes for connection to client */ 1043 1044 /** An I/O buffer used for buffering data read from the client */ 1045 struct iob client_iob[1]; 1046 1047 /** Buffer used to briefly store data read from the network 1048 * before forwarding or processing it. 1049 */ 1050 char *receive_buffer; 1051 size_t receive_buffer_size; 1052 1053 /** List of all headers for this request */ 1054 struct list headers[1]; 1055 1056 #ifdef FEATURE_HTTPS_INSPECTION 1057 /** List of all encrypted headers for this request */ 1058 struct list https_headers[1]; 1059 #endif 1060 1061 /** List of all tags that apply to this request */ 1062 struct list tags[1]; 1063 1064 #ifdef FEATURE_CLIENT_TAGS 1065 /** List of all tags that apply to this client (assigned based on address) */ 1066 struct list client_tags[1]; 1067 /** The address of the client the request (presumably) came from. 1068 * Either the address returned by accept(), or the address provided 1069 * with the X-Forwarded-For header, provided Privoxy has been configured 1070 * to use it. 1071 */ 1072 char *client_address; 1073 #endif 1074 1075 /** Actions files associated with this client */ 1076 struct file_list *actions_list[MAX_AF_FILES]; 1077 1078 /** pcrs job files. */ 1079 struct file_list *rlist[MAX_AF_FILES]; 1080 1081 /** Length after content modification. */ 1082 unsigned long long content_length; 1083 1084 /* XXX: is this the right location? */ 1085 1086 /** Expected length of content after which we 1087 * should stop reading from the server socket. 1088 */ 1089 unsigned long long expected_content_length; 1090 1091 /** Expected length of content after which we 1092 * should stop reading from the client socket. 1093 */ 1094 unsigned long long expected_client_content_length; 1095 1096 #ifdef FEATURE_TRUST 1097 1098 /** Trust file. */ 1099 struct file_list *tlist; 1100 1101 #endif /* def FEATURE_TRUST */ 1102 1103 /** 1104 * Failure reason to embedded in the CGI error page, 1105 * or NULL. Currently only used for socks errors. 1106 */ 1107 char *error_message; 1108 1109 #ifdef FEATURE_HTTPS_INSPECTION 1110 /* Result of server certificate verification 1111 * 1112 * Values for flag determining certificate validity 1113 * are compatible with return value of function 1114 * mbedtls_ssl_get_verify_result() for mbedtls 1115 * and SSL_get_verify_result() for openssl. 1116 * There are no values for "invalid certificate", they are 1117 * set by the functions mentioned above. 1118 */ 1119 #define SSL_CERT_VALID 0 1120 #ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS 1121 #define SSL_CERT_NOT_VERIFIED 0xFFFFFFFF 1122 uint32_t server_cert_verification_result; 1123 #endif /* FEATURE_HTTPS_INSPECTION_MBEDTLS */ 1124 #ifdef FEATURE_HTTPS_INSPECTION_OPENSSL 1125 #define SSL_CERT_NOT_VERIFIED ~0L 1126 long server_cert_verification_result; 1127 #endif /* FEATURE_HTTPS_INSPECTION_OPENSSL */ 1128 1129 /* Flag for certificate validity checking */ 1130 int dont_verify_certificate; 1131 1132 /* 1133 * Flags if SSL connection with server or client is opened. 1134 * Thanks to this flags, we can call function to close both connections 1135 * and we don't have to care about more details. 1136 */ 1137 short int ssl_with_server_is_opened; 1138 short int ssl_with_client_is_opened; 1139 1140 /* 1141 * Server certificate chain of trust including strings with certificates 1142 * information and string with whole certificate file 1143 */ 1144 struct certs_chain server_certs_chain; 1145 #endif 1146 }; 1147 1148 /** 1149 * List of client states so the main thread can keep 1150 * track of them and garbage collect their resources. 1151 */ 1152 struct client_states 1153 { 1154 struct client_states *next; 1155 struct client_state csp; 1156 }; 1157 1158 /** 1159 * A function to add a header 1160 */ 1161 typedef jb_err (*add_header_func_ptr)(struct client_state *); 1162 1163 /** 1164 * A function to process a header 1165 */ 1166 typedef jb_err (*parser_func_ptr )(struct client_state *, char **); 1167 1168 1169 /** 1170 * List of available CGI functions. 1171 */ 1172 struct cgi_dispatcher 1173 { 1174 /** The URL of the CGI, relative to the CGI root. */ 1175 const char * const name; 1176 1177 /** The handler function for the CGI */ 1178 jb_err (* const handler)(struct client_state *csp, struct http_response *rsp, const struct map *parameters); 1179 1180 /** The description of the CGI, to appear on the main menu, or NULL to hide it. */ 1181 const char * const description; 1182 1183 /** A flag that indicates whether unintentional calls to this CGI can cause damage */ 1184 int harmless; 1185 }; 1186 1187 1188 /** 1189 * A data file used by Privoxy. Kept in a linked list. 1190 */ 1191 struct file_list 1192 { 1193 /** 1194 * This is a pointer to the data structures associated with the file. 1195 * Read-only once the structure has been created. 1196 */ 1197 void *f; 1198 1199 /** 1200 * The unloader function. 1201 * Normally NULL. When we are finished with file (i.e. when we have 1202 * loaded a new one), set to a pointer to an unloader function. 1203 * Unloader will be called by sweep() (called from main loop) when 1204 * all clients using this file are done. This prevents threading 1205 * problems. 1206 */ 1207 void (*unloader)(void *); 1208 1209 /** 1210 * Used internally by sweep(). Do not access from elsewhere. 1211 */ 1212 int active; 1213 1214 /** 1215 * File last-modified time, so we can check if file has been changed. 1216 * Read-only once the structure has been created. 1217 */ 1218 time_t lastmodified; 1219 1220 /** 1221 * The full filename. 1222 */ 1223 char * filename; 1224 1225 /** 1226 * Pointer to next entry in the linked list of all "file_list"s. 1227 * This linked list is so that sweep() can navigate it. 1228 * Since sweep() can remove items from the list, we must be careful 1229 * to only access this value from main thread (when we know sweep 1230 * won't be running). 1231 */ 1232 struct file_list *next; 1233 }; 1234 1235 1236 #ifdef FEATURE_TRUST 1237 1238 /** 1239 * The format of a trust file when loaded into memory. 1240 */ 1241 struct block_spec 1242 { 1243 struct pattern_spec url[1]; /**< The URL pattern */ 1244 int reject; /**< FIXME: Please document this! */ 1245 struct block_spec *next; /**< Next entry in linked list */ 1246 }; 1247 1248 /** 1249 * Arbitrary limit for the number of trusted referrers. 1250 */ 1251 #define MAX_TRUSTED_REFERRERS 512 1252 1253 #endif /* def FEATURE_TRUST */ 1254 1255 /** 1256 * How to forward a connection to a parent proxy. 1257 */ 1258 struct forward_spec 1259 { 1260 /** URL pattern that this forward_spec is for. */ 1261 struct pattern_spec url[1]; 1262 1263 /** Connection type. Must be SOCKS_NONE, SOCKS_4, SOCKS_4A or SOCKS_5. */ 1264 enum forwarder_type type; 1265 1266 /** SOCKS server port. */ 1267 int gateway_port; 1268 1269 /** SOCKS server hostname. Only valid if "type" is SOCKS_4 or SOCKS_4A. */ 1270 char *gateway_host; 1271 1272 /** SOCKS5 username. */ 1273 char *auth_username; 1274 1275 /** SOCKS5 password. */ 1276 char *auth_password; 1277 1278 /** Parent HTTP proxy hostname, or NULL for none. */ 1279 char *forward_host; 1280 1281 /** Parent HTTP proxy port. */ 1282 int forward_port; 1283 1284 /** Next entry in the linked list. */ 1285 struct forward_spec *next; 1286 }; 1287 1288 1289 /* Supported filter types */ 1290 enum filter_type 1291 { 1292 FT_CONTENT_FILTER = 0, 1293 FT_CLIENT_HEADER_FILTER = 1, 1294 FT_SERVER_HEADER_FILTER = 2, 1295 FT_CLIENT_HEADER_TAGGER = 3, 1296 FT_SERVER_HEADER_TAGGER = 4, 1297 FT_SUPPRESS_TAG = 5, 1298 FT_CLIENT_BODY_FILTER = 6, 1299 FT_ADD_HEADER = 7, 1300 #ifdef FEATURE_EXTERNAL_FILTERS 1301 FT_EXTERNAL_CONTENT_FILTER = 8, 1302 #endif 1303 FT_INVALID_FILTER = 42, 1304 }; 1305 1306 #ifdef FEATURE_EXTERNAL_FILTERS 1307 #define MAX_FILTER_TYPES 9 1308 #else 1309 #define MAX_FILTER_TYPES 8 1310 #endif 1311 1312 /** 1313 * This struct represents one filter (one block) from 1314 * the re_filterfile. If there is more than one filter 1315 * in the file, the file will be represented by a 1316 * chained list of re_filterfile specs. 1317 */ 1318 struct re_filterfile_spec 1319 { 1320 char *name; /**< Name from FILTER: statement in re_filterfile. */ 1321 char *description; /**< Description from FILTER: statement in re_filterfile. */ 1322 struct list patterns[1]; /**< The patterns from the re_filterfile. */ 1323 pcrs_job *joblist; /**< The resulting compiled pcrs_jobs. */ 1324 enum filter_type type; /**< Filter type (content, client-header, server-header). */ 1325 int dynamic; /**< Set to one if the pattern might contain variables 1326 and has to be recompiled for every request. */ 1327 struct re_filterfile_spec *next; /**< The pointer for chaining. */ 1328 }; 1329 1330 1331 #ifdef FEATURE_ACL 1332 1333 #define ACL_PERMIT 1 /**< Accept connection request */ 1334 #define ACL_DENY 2 /**< Reject connection request */ 1335 1336 /** 1337 * An IP address pattern. Used to specify networks in the ACL. 1338 */ 1339 struct access_control_addr 1340 { 1341 #ifdef HAVE_RFC2553 1342 struct sockaddr_storage addr; /* <The TCP address in network order. */ 1343 struct sockaddr_storage mask; /* <The TCP mask in network order. */ 1344 #else 1345 unsigned long addr; /**< The IP address as an integer. */ 1346 unsigned long mask; /**< The network mask as an integer. */ 1347 unsigned long port; /**< The port number. */ 1348 #endif /* HAVE_RFC2553 */ 1349 }; 1350 1351 /** 1352 * An access control list (ACL) entry. 1353 * 1354 * This is a linked list. 1355 */ 1356 struct access_control_list 1357 { 1358 struct access_control_addr src[1]; /**< Client IP address */ 1359 struct access_control_addr dst[1]; /**< Website or parent proxy IP address */ 1360 #ifdef HAVE_RFC2553 1361 short wildcard_dst; /** < dst address is wildcard */ 1362 #endif 1363 1364 short action; /**< ACL_PERMIT or ACL_DENY */ 1365 struct access_control_list *next; /**< The next entry in the ACL. */ 1366 }; 1367 1368 #endif /* def FEATURE_ACL */ 1369 1370 1371 /** Maximum number of loaders (actions, re_filter, ...) */ 1372 #define NLOADERS 8 1373 1374 /** 1375 * This struct represents a client-spcific-tag and it's description 1376 */ 1377 struct client_tag_spec 1378 { 1379 char *name; /**< Name from "client-specific-tag bla" directive */ 1380 char *description; /**< Description from "client-specific-tag-description " directive */ 1381 struct client_tag_spec *next; /**< The pointer for chaining. */ 1382 }; 1383 1384 /** configuration_spec::feature_flags: CGI actions editor. */ 1385 #define RUNTIME_FEATURE_CGI_EDIT_ACTIONS 1U 1386 1387 /** configuration_spec::feature_flags: Web-based toggle. */ 1388 #define RUNTIME_FEATURE_CGI_TOGGLE 2U 1389 1390 /** configuration_spec::feature_flags: HTTP-header-based toggle. */ 1391 #define RUNTIME_FEATURE_HTTP_TOGGLE 4U 1392 1393 /** configuration_spec::feature_flags: Split large forms to limit the number of GET arguments. */ 1394 #define RUNTIME_FEATURE_SPLIT_LARGE_FORMS 8U 1395 1396 /** configuration_spec::feature_flags: Check the host header for requests with host-less request lines. */ 1397 #define RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS 16U 1398 1399 /** configuration_spec::feature_flags: Don't allow to circumvent blocks with the force prefix. */ 1400 #define RUNTIME_FEATURE_ENFORCE_BLOCKS 32U 1401 1402 /** configuration_spec::feature_flags: Allow to block or redirect CGI requests. */ 1403 #define RUNTIME_FEATURE_CGI_CRUNCHING 64U 1404 1405 /** configuration_spec::feature_flags: Try to keep the connection to the server alive. */ 1406 #define RUNTIME_FEATURE_CONNECTION_KEEP_ALIVE 128U 1407 1408 /** configuration_spec::feature_flags: Share outgoing connections between different client connections. */ 1409 #define RUNTIME_FEATURE_CONNECTION_SHARING 256U 1410 1411 /** configuration_spec::feature_flags: Pages blocked with +handle-as-empty-doc get a return status of 200 OK. */ 1412 #define RUNTIME_FEATURE_EMPTY_DOC_RETURNS_OK 512U 1413 1414 /** configuration_spec::feature_flags: Buffered content is sent compressed if the client supports it. */ 1415 #define RUNTIME_FEATURE_COMPRESSION 1024U 1416 1417 /** configuration_spec::feature_flags: Pipelined requests are served instead of being discarded. */ 1418 #define RUNTIME_FEATURE_TOLERATE_PIPELINING 2048U 1419 1420 /** configuration_spec::feature_flags: Proxy authentication headers are forwarded instead of removed. */ 1421 #define RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS 4096U 1422 1423 /** 1424 * Data loaded from the configuration file. 1425 * 1426 * (Anomaly: toggle is still handled through a global, not this structure) 1427 */ 1428 struct configuration_spec 1429 { 1430 /** What to log */ 1431 int debug; 1432 1433 /** Nonzero to enable multithreading. */ 1434 int multi_threaded; 1435 1436 /** Bitmask of features that can be controlled through the config file. */ 1437 unsigned feature_flags; 1438 1439 /** Nonzero if we need to bind() to the new port. */ 1440 int need_bind; 1441 1442 /** The log file name. */ 1443 const char *logfile; 1444 1445 /** The config file directory. */ 1446 const char *confdir; 1447 1448 /** The directory for customized CGI templates. */ 1449 const char *templdir; 1450 1451 /** "Cross-origin resource sharing" (CORS) allowed origin */ 1452 const char *cors_allowed_origin; 1453 1454 #ifdef FEATURE_EXTERNAL_FILTERS 1455 /** The template used to create temporary files. */ 1456 const char *temporary_directory; 1457 #endif 1458 1459 /** The log file directory. */ 1460 const char *logdir; 1461 1462 /** The full paths to the actions files. */ 1463 const char *actions_file[MAX_AF_FILES]; 1464 1465 /** The short names of the actions files. */ 1466 const char *actions_file_short[MAX_AF_FILES]; 1467 1468 /** The administrator's email address */ 1469 char *admin_address; 1470 1471 /** A URL with info on this proxy */ 1472 char *proxy_info_url; 1473 1474 /** URL to the user manual (on our website or local copy) */ 1475 char *usermanual; 1476 1477 /** The file names of the pcre filter files. */ 1478 const char *re_filterfile[MAX_AF_FILES]; 1479 1480 /** The short names of the pcre filter files. */ 1481 const char *re_filterfile_short[MAX_AF_FILES]; 1482 1483 /**< List of ordered client header names. */ 1484 struct list ordered_client_headers[1]; 1485 1486 /** The hostname to show on CGI pages, or NULL to use the real one. */ 1487 const char *hostname; 1488 1489 /** IP addresses to bind to. Defaults to HADDR_DEFAULT == 127.0.0.1. */ 1490 const char *haddr[MAX_LISTENING_SOCKETS]; 1491 1492 /** Trusted referring site that can be used to reach CGI 1493 * pages that aren't marked as harmful. 1494 */ 1495 const char *trusted_cgi_referrer; 1496 1497 /** Ports to bind to. Defaults to HADDR_PORT == 8118. */ 1498 int hport[MAX_LISTENING_SOCKETS]; 1499 1500 /** Size limit for IOB */ 1501 size_t buffer_limit; 1502 1503 /** Size of the receive buffer */ 1504 size_t receive_buffer_size; 1505 1506 /** Use accf_http(4) if available */ 1507 int enable_accept_filter; 1508 1509 /** Backlog passed to listen() */ 1510 int listen_backlog; 1511 1512 #ifdef FEATURE_TRUST 1513 1514 /** The file name of the trust file. */ 1515 const char * trustfile; 1516 1517 /** FIXME: DOCME: Document this. */ 1518 struct list trust_info[1]; 1519 1520 /** FIXME: DOCME: Document this. */ 1521 struct pattern_spec *trust_list[MAX_TRUSTED_REFERRERS]; 1522 1523 #endif /* def FEATURE_TRUST */ 1524 1525 #ifdef FEATURE_CLIENT_TAGS 1526 struct client_tag_spec client_tags[1]; 1527 1528 /* Maximum number of seconds a temporarily enabled tag stays enabled. */ 1529 unsigned int client_tag_lifetime; 1530 #endif /* def FEATURE_CLIENT_TAGS */ 1531 int trust_x_forwarded_for; 1532 1533 #ifdef FEATURE_ACL 1534 1535 /** The access control list (ACL). */ 1536 struct access_control_list *acl; 1537 1538 #endif /* def FEATURE_ACL */ 1539 1540 /** Information about parent proxies (forwarding). */ 1541 struct forward_spec *forward; 1542 1543 /** Number of retries in case a forwarded connection attempt fails */ 1544 int forwarded_connect_retries; 1545 1546 /** Maximum number of client connections. */ 1547 int max_client_connections; 1548 1549 /* Timeout when waiting on sockets for data to become available. */ 1550 int socket_timeout; 1551 1552 #ifdef FEATURE_CONNECTION_KEEP_ALIVE 1553 /* Maximum number of seconds after which an open connection will no longer be reused. */ 1554 unsigned int keep_alive_timeout; 1555 1556 /* Assumed server-side keep alive timeout if none is specified. */ 1557 unsigned int default_server_timeout; 1558 #endif 1559 1560 #ifdef FEATURE_COMPRESSION 1561 int compression_level; 1562 #endif 1563 1564 /** All options from the config file, HTML-formatted. */ 1565 char *proxy_args; 1566 1567 /** The configuration file object. */ 1568 struct file_list *config_file_list; 1569 1570 /** List of loaders */ 1571 int (*loaders[NLOADERS])(struct client_state *); 1572 1573 #ifdef FEATURE_HTTPS_INSPECTION 1574 /** Password for proxy ca file **/ 1575 char *ca_password; 1576 1577 /** Directory with files of ca **/ 1578 char *ca_directory; 1579 1580 /** Filename of ca certificate **/ 1581 char *ca_cert_file; 1582 1583 /** Filename of ca key **/ 1584 char *ca_key_file; 1585 1586 /** Directory for saving certificates and keys for each webpage **/ 1587 char *certificate_directory; 1588 1589 /** Cipher list to use **/ 1590 char *cipher_list; 1591 1592 /** Filename of trusted CAs certificates **/ 1593 char *trusted_cas_file; 1594 #endif 1595 }; 1596 1597 /** Calculates the number of elements in an array, using sizeof. */ 1598 #define SZ(X) (sizeof(X) / sizeof(*X)) 1599 1600 /** The force load URL prefix. Not behind an ifdef because 1601 * it's always used for the show-status page. */ 1602 #define FORCE_PREFIX "/PRIVOXY-FORCE" 1603 1604 #ifdef FEATURE_NO_GIFS 1605 /** The MIME type for images ("image/png" or "image/gif"). */ 1606 #define BUILTIN_IMAGE_MIMETYPE "image/png" 1607 #else 1608 #define BUILTIN_IMAGE_MIMETYPE "image/gif" 1609 #endif /* def FEATURE_NO_GIFS */ 1610 1611 1612 /* 1613 * Hardwired URLs 1614 */ 1615 1616 /** URL for the Privoxy home page. */ 1617 #define HOME_PAGE_URL "https://www.privoxy.org/" 1618 1619 /** URL for the Privoxy user manual. */ 1620 #define USER_MANUAL_URL HOME_PAGE_URL VERSION "/user-manual/" 1621 1622 /** Prefix for actions help links (append to USER_MANUAL_URL). */ 1623 #define ACTIONS_HELP_PREFIX "actions-file.html#" 1624 1625 /** Prefix for config option help links (append to USER_MANUAL_URL). */ 1626 #define CONFIG_HELP_PREFIX "config.html#" 1627 1628 /* 1629 * The "hosts" to intercept and display CGI pages. 1630 * First one is a hostname only, second one can specify host and path. 1631 * 1632 * Notes: 1633 * 1) Do not specify the http: prefix 1634 * 2) CGI_SITE_2_PATH must not end with /, one will be added automatically. 1635 * 3) CGI_SITE_2_PATH must start with /, unless it is the empty string. 1636 */ 1637 #define CGI_SITE_1_HOST "p.p" 1638 #define CGI_SITE_2_HOST "config.privoxy.org" 1639 #define CGI_SITE_2_PATH "" 1640 1641 /** 1642 * The prefix for CGI pages. Written out in generated HTML. 1643 * INCLUDES the trailing slash. 1644 */ 1645 #ifdef FEATURE_HTTPS_INSPECTION 1646 #define CGI_PREFIX "//" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" 1647 #define CGI_PREFIX_HTTPS "https:" CGI_PREFIX 1648 #else 1649 #define CGI_PREFIX "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" 1650 #endif 1651 #define CGI_PREFIX_HTTP "http://" CGI_SITE_2_HOST CGI_SITE_2_PATH "/" 1652 1653 #endif /* ndef PROJECT_H_INCLUDED */ 1654 1655 /* 1656 Local Variables: 1657 tab-width: 3 1658 end: 1659 */ 1660