/*- * SSLsplit - transparent SSL/TLS interception * https://www.roe.ch/SSLsplit * * Copyright (c) 2009-2018, Daniel Roethlisberger . * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. 
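*/

#ifndef OPTS_H
#define OPTS_H

#include "proc.h"
#include "nat.h"
#include "ssl.h"
#include "attrib.h"

/*
 * The two system include targets were lost in the copy this header was
 * taken from (bare "#include" directives).  struct sockaddr_storage and
 * socklen_t below need <sys/socket.h>; <sys/types.h> is its usual companion.
 * NOTE(review): reconstructed from what the declarations require -- confirm
 * against the upstream file.
 */
#include <sys/types.h>
#include <sys/socket.h>

/*
 * One listener specification ("proxyspec").
 *
 * The leading bit flags describe what the listener expects on the wire;
 * dns is set when handling the spec needs DNS lookups.  How the upstream
 * destination is chosen depends on which of connect_addr, natlookup and
 * sni_port are set (see the comment on those fields).  Specs form a singly
 * linked list through next; proxyspec_free() releases one spec.
 */
typedef struct proxyspec {
	unsigned int ssl : 1;
	unsigned int http : 1;
	unsigned int upgrade : 1;
	unsigned int mail : 1;
	unsigned int pop3 : 1;
	unsigned int smtp : 1;
	unsigned int dns : 1;		/* set if spec needs DNS lookups */

	struct sockaddr_storage listen_addr;
	socklen_t listen_addrlen;

	/* connect_addr and connect_addrlen are set:  static mode;
	 * natlookup is set:  NAT mode; natsocket /may/ be set too;
	 * sni_port is set, in which case we use SNI lookups */
	struct sockaddr_storage connect_addr;
	socklen_t connect_addrlen;
	unsigned short sni_port;
	char *natengine;
	nat_lookup_cb_t natlookup;
	nat_socket_cb_t natsocket;

	struct proxyspec *next;

	/* Address pairs carried with the spec.  Their producer is not
	 * visible in this header -- presumably filled in by the connection
	 * handling code; verify against the callers before relying on them. */
	struct sockaddr_storage parent_dst_addr;
	socklen_t parent_dst_addrlen;
	struct sockaddr_storage child_src_addr;
	socklen_t child_src_addrlen;
} proxyspec_t;

/*
 * Global run-time options.
 *
 * Layout: behaviour bit flags, then path/name strings, then the OpenSSL
 * objects (CA, leaf and client credentials), then the listener chain and
 * the timing/statistics knobs.  Allocated by opts_new() and released by
 * opts_free(); the string and OpenSSL members are presumably owned by the
 * opts_t (see opts.c for the exact ownership rules).
 */
typedef struct opts {
	unsigned int debug : 1;		/* opts_set_debug() */
	unsigned int detach : 1;	/* presumably set by opts_set_daemon() */
	/* NOTE(review): if sslcomp enables TLS-level compression, leaving it on
	 * exposes the CRIME class of weaknesses; opts_unset_sslcomp() clears it.
	 * Confirm the default chosen in opts_new(). */
	unsigned int sslcomp : 1;
	/* Per-version disable flags, only present for the protocol versions the
	 * build supports; see opts_disable_proto() / opts_force_proto(). */
#ifdef HAVE_SSLV2
	unsigned int no_ssl2 : 1;
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
	unsigned int no_ssl3 : 1;
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
	unsigned int no_tls10 : 1;
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
	unsigned int no_tls11 : 1;
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
	unsigned int no_tls12 : 1;
#endif /* HAVE_TLSV12 */
	unsigned int passthrough : 1;	/* opts_set_passthrough() */
	unsigned int deny_ocsp : 1;	/* opts_set_deny_ocsp() */
	unsigned int contentlog_isdir : 1;	/* presumably opts_set_contentlogdir() */
	unsigned int contentlog_isspec : 1;	/* presumably opts_set_contentlogpathspec() */
#ifdef HAVE_LOCAL_PROCINFO
	unsigned int lprocinfo : 1;	/* opts_set_lprocinfo() */
#endif /* HAVE_LOCAL_PROCINFO */
	unsigned int certgen_writeall : 1;	/* opts_set_certgendir_writeall() */

	char *ciphers;
	char *certgendir;
	char *tgcrtdir;
	char *dropuser;
	char *dropgroup;
	char *jaildir;
	char *pidfile;
	char *conffile;
	char *connectlog;
	char *contentlog;
	char *contentlog_basedir; /* static part of logspec, for privsep srv */
	/* Path set by opts_set_masterkeylog().  Presumably a log of TLS master
	 * secrets; anything written there allows decryption of the logged
	 * sessions, so it must be protected like a private key. */
	char *masterkeylog;

	CONST_SSL_METHOD *(*sslmethod)(void);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	int sslversion;
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
	X509 *cacrt;
	EVP_PKEY *cakey;
	EVP_PKEY *key;
	STACK_OF(X509) *chain;
	X509 *clientcrt;
	EVP_PKEY *clientkey;
#ifndef OPENSSL_NO_DH
	DH *dh;
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
	char *ecdhcurve;
#endif /* !OPENSSL_NO_ECDH */

	proxyspec_t *spec;		/* head of the listener list */
	char *crlurl;			/* opts_set_crl() */

	/* Timing knobs; no setter for them is declared in this header and
	 * their unit is not visible here -- presumably seconds, verify in
	 * opts.c / load_conffile(). */
	unsigned int conn_idle_timeout;
	unsigned int expired_conn_check_period;
	unsigned int ssl_shutdown_retry_delay;
	unsigned int stats_period;
	unsigned int statslog : 1;	/* opts_set_statslog() */
	unsigned int log_stats : 1;
	unsigned int remove_http_accept_encoding : 1;
	unsigned int remove_http_referer : 1;
	/* No setter for the next two is declared here; they are presumably
	 * driven by load_conffile().  If allow_wrong_host relaxes hostname
	 * matching during upstream verification it weakens what verify_peer
	 * provides -- confirm the semantics in the implementation. */
	unsigned int verify_peer : 1;
	unsigned int allow_wrong_host : 1;
} opts_t;

/* Fatal out-of-memory handler; does not return. */
void NORET oom_die(const char *) NONNULL(1);

/* Lifecycle of an opts_t. */
opts_t *opts_new(void) MALLOC;
void opts_free(opts_t *) NONNULL(1);

/* Queries over the listener list (non-zero when a matching spec exists). */
int opts_has_ssl_spec(opts_t *) NONNULL(1) WUNRES;
int opts_has_dns_spec(opts_t *) NONNULL(1) WUNRES;
void opts_proto_dbg_dump(opts_t *) NONNULL(1);
#define OPTS_DEBUG(opts) unlikely((opts)->debug)

/*
 * Listener specs.  proxyspec_parse() takes an argc/argv-shaped pair and
 * appends to the list whose head is passed by address -- presumably it
 * consumes the arguments it parses; verify against main().  proxyspec_str()
 * returns a heap string the caller must free.
 */
void proxyspec_parse(int *, char **[], const char *, proxyspec_t **);
void proxyspec_free(proxyspec_t *) NONNULL(1);
char *proxyspec_str(proxyspec_t *) NONNULL(1) MALLOC;

/*
 * Option setters.  The roles of the two trailing const char * arguments are
 * not visible in this header -- presumably the option value and a context
 * string used in diagnostics; confirm in opts.c.
 */
void opts_set_cacrt(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_cakey(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_chain(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_key(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_crl(opts_t *, const char *) NONNULL(1,2);
void opts_set_tgcrtdir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_certgendir_writeall(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_certgendir_writegencerts(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_deny_ocsp(opts_t *) NONNULL(1);
void opts_set_passthrough(opts_t *) NONNULL(1);
void opts_set_clientcrt(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_clientkey(opts_t *, const char *, const char *) NONNULL(1,2,3);
#ifndef OPENSSL_NO_DH
void opts_set_dh(opts_t *, const char *, const char *) NONNULL(1,2,3);
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
void opts_set_ecdhcurve(opts_t *, const char *, const char *) NONNULL(1,2,3);
#endif /* !OPENSSL_NO_ECDH */
void opts_unset_sslcomp(opts_t *) NONNULL(1);
void opts_force_proto(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_disable_proto(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_ciphers(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_user(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_group(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_jaildir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_pidfile(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_connectlog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlogdir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlogpathspec(opts_t *, const char *, const char *) NONNULL(1,2,3);
#ifdef HAVE_LOCAL_PROCINFO
void opts_set_lprocinfo(opts_t *) NONNULL(1);
#endif /* HAVE_LOCAL_PROCINFO */
void opts_set_masterkeylog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_daemon(opts_t *) NONNULL(1);
void opts_set_debug(opts_t *) NONNULL(1);
void opts_set_debug_level(const char *) NONNULL(1);
void opts_set_statslog(opts_t *) NONNULL(1);

/* Configuration file loader; return value convention is defined in opts.c. */
int load_conffile(opts_t *, const char *, const char *) NONNULL(1,2,3);

#endif /* !OPTS_H */

/* vim: set noet ft=c: */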