/*
* Global variables/defines.
*
- * Copyright (C) 2011 Simon Ruderich
+ * Copyright (C) 2011-2014 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
#include <config.h>
-#include <stdlib.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
-/* GnuTLS */
#include <gnutls/gnutls.h>
#include "log.h"
-/* Paths to necessary TLS files: the CA and the server key. */
-#define PROXY_CA_FILE "proxy-ca.pem"
-#define PROXY_KEY_FILE "proxy-key.pem"
+/* Length for path arrays. */
+#define TLSPROXY_MAX_PATH_LENGTH 1024
+
+/* Paths to proxy files: the CA, the server key and DH parameters. */
+#define PROXY_CA_PATH "proxy-ca.pem"
+#define PROXY_KEY_PATH "proxy-key.pem"
+#define PROXY_DH_PATH "proxy-dh.pem"
/* Path to special "invalid" certificate send to the client when an error
* occurs. */
-#define PROXY_INVALID_CERT_FILE "proxy-invalid.pem"
+#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
/* The server certificate for the given hostname is stored in
* "./certificate-hostname-proxy.pem" - we use this for the connection to the
* client. */
-#define PROXY_SERVER_CERT_FORMAT "./certificate-%s-proxy.pem"
+#define PROXY_SERVER_CERT_FILE_FORMAT "./certificate-%s-proxy.pem"
/* The remote server certificate for the given hostname is stored in
* "./certificate-hostname-proxy.pem" - we make sure the server sends this
* certificate. */
-#define STORED_SERVER_CERT_FORMAT "./certificate-%s-server.pem"
+#define STORED_SERVER_CERT_FILE_FORMAT "./certificate-%s-server.pem"
+
+/* GnuTLS priority string used for both server and client connections. */
+#define PROXY_TLS_PRIORITIES \
+ /* Don't use known insecure algorithms. */ \
+ "SECURE" \
+ /* Lower priority of SHA-1, user better hashes if possible. */ \
+ ":-SHA1:+SHA1" \
+ /* Force safe renegotiations. Shouldn't cause any problems as this \
+ * option only affects the server side (with GnuTLS defaults) and the \
+ * local clients most-likely already support safe renegotiations (old \
+ * servers are therefore not an issue). */ \
+ ":%SAFE_RENEGOTIATION"
/* Proxy hostname and port if specified on the command line. */
char *global_proxy_host;
char *global_proxy_port;
+/* Passphrase for authentication of this proxy. Used with the -a option. */
+char *global_http_digest_authorization;
+
/* Log level, command line option. */
int global_log_level;
+/* Passthrough connections if no certificate is stored for this hostname?
+ * Specified on the command line. */
+int global_passthrough_unknown;
+
/* "Global" GnuTLS data used by all threads, read only. */
-gnutls_priority_t tls_priority_cache;
-gnutls_dh_params_t tls_dh_params;
+gnutls_priority_t global_tls_priority_cache;
+gnutls_dh_params_t global_tls_dh_params;
+
+/* Very simple compile time asserts. No good error message though. */
+#define ct_assert(x) { \
+ int unused[(x) ? 1 : -1]; \
+ (void)unused; \
+}
#endif
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff