/*
 * Global variables/defines.
 *
 * Copyright (C) 2011-2014  Simon Ruderich
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#ifndef TLSPROXY_H
#define TLSPROXY_H

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <gnutls/gnutls.h>

#include "log.h"


/* Length for path arrays. */
#define TLSPROXY_MAX_PATH_LENGTH 1024

/* Paths to proxy files: the CA, the server key and DH parameters. */
#define PROXY_CA_PATH  "proxy-ca.pem"
#define PROXY_KEY_PATH "proxy-key.pem"
#define PROXY_DH_PATH  "proxy-dh.pem"
/* Path to special "invalid" certificate send to the client when an error
 * occurs. */
#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
/* The server certificate for the given hostname is stored in
 * "./certificate-hostname-proxy.pem" - we use this for the connection to the
 * client. */
#define PROXY_SERVER_CERT_FILE_FORMAT "./certificate-%s-proxy.pem"
/* The remote server certificate for the given hostname is stored in
 * "./certificate-hostname-proxy.pem" - we make sure the server sends this
 * certificate. */
#define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"

/* GnuTLS priority string used for both server and client connections. */
#define PROXY_TLS_PRIORITIES \
    /* Don't use known insecure algorithms. */ \
    "SECURE" \
    /* Lower priority of SHA-1, user better hashes if possible. */ \
    ":-SHA1:+SHA1" \
    /* No RC4, it's broken. */ \
    ":-ARCFOUR-40:-ARCFOUR-128" \
    /* Force safe renegotiations. Shouldn't cause any problems as this \
     * option only affects the server side (with GnuTLS defaults) and the \
     * local clients most-likely already support safe renegotiations (old \
     * servers are therefore not an issue). */ \
    ":%SAFE_RENEGOTIATION"


/* Proxy hostname and port if specified on the command line. */
char *global_proxy_host;
char *global_proxy_port;

/* Passphrase for authentication of this proxy. Used with the -a option. */
char *global_http_digest_authorization;

/* Log level, command line option. */
int global_log_level;

/* Passthrough connections if no certificate is stored for this hostname?
 * Specified on the command line. */
int global_passthrough_unknown;

/* "Global" GnuTLS data used by all threads, read only. */
gnutls_priority_t global_tls_priority_cache;
gnutls_dh_params_t global_tls_dh_params;

/* Very simple compile time asserts. No good error message though. */
#define ct_assert(x) { \
    int unused[(x) ? 1 : -1]; \
    (void)unused; \
}

#endif