/*-
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef OPTS_H
#define OPTS_H

#include "nat.h"
#include "ssl.h"
#include "attrib.h"
#include "logger.h"
#include "cert.h"

#include <sys/types.h>
#include <sys/socket.h>
#include <Maat_rule.h>
#include <string>
#include <memory>

class HttpScan;
class Http;

struct proxyspec
{
    unsigned int ssl : 1;
    unsigned int http : 1;
    unsigned int upgrade: 1;
    unsigned int dns : 1;        /* set if spec needs DNS lookups */
    struct sockaddr_storage listen_addr;
    socklen_t listen_addrlen;
    /* connect_addr and connect_addrlen are set: static mode;
     * natlookup is set: NAT mode; natsocket /may/ be set too;
     * sni_port is set, in which case we use SNI lookups */
    struct sockaddr_storage connect_addr;
    socklen_t connect_addrlen;
    unsigned short sni_port;
    char * natengine;
    nat_lookup_cb_t natlookup;
    nat_socket_cb_t natsocket;
    struct proxyspec * next;

    /* free at end of connection */
    bool free_after_use;
};

/* TFE Runtime Instances */
struct tfe_instance
{
    /* Global Maat Feather */
    Maat_feather_t maat_feather;
    /* Maat Logger */
    void * maat_logger;

    /* HTTPSCAN */
    std::unique_ptr<HttpScan> http_scan_module;
    /* Http */
    std::unique_ptr<Http> http_module;
    /* Struct Logger */
    std::unique_ptr<StructLogger> struct_logger_module;
    /* CertCA */
    std::unique_ptr<CertCA> cert_ca_module;

    /* stat handler */
    struct tfe_stat_ctx * stat_module;
};

struct tfe_maat_config
{
    /* Maat Params */
    std::string str_table_info_file;
    std::string str_log_file_path;
    std::string str_interface_symbol;
    std::string str_stat_file;

    /* Maat Config Source */
    enum cfg_load_from_t
    {
        LOAD_FROM_JSON_FILE = 0,
        LOAD_FROM_REDIS_SERVER = 1,
        LOAD_FROM_LOAD_IRIS = 2
    };

    cfg_load_from_t cfg_load_from;

    /* from JSON FILE */
    std::string str_json_file_path;
    /* from REDIR Server */
    std::string str_redis_addr;
    unsigned short redir_port;
    unsigned int redis_db_index;

    /* from IRIS */
    std::string str_full_cfg_dir;
    std::string str_inc_cfg_dir;

    /* scan interval */
    bool is_effect_interval_ms_set{false};
    unsigned int effect_interval_ms;

    bool is_scan_interval_ms_set{false};
    unsigned int scan_interval_ms;
};

struct tfe_forgesocket_config
{
    bool en_forgesocket;
    std::string str_unix_domain_file;
};

struct tfe_config
{
    /* Configure Files */
    char * cfgfile;

    /* Options */
    unsigned int debug : 1;
    unsigned int detach : 1;
    unsigned int sslcomp : 1;
    unsigned int no_ssl2 : 1;
    unsigned int no_ssl3 : 1;
    unsigned int no_tls10 : 1;
    unsigned int no_tls11 : 1;
    unsigned int no_tls12 : 1;
    unsigned int passthrough : 1;
    unsigned int deny_ocsp : 1;
    unsigned int contentlog_isdir : 1;
    unsigned int contentlog_isspec : 1;
    unsigned int certgen_writeall: 1;

    char * ciphers;
    char * certgendir;
    char * tgcrtdir;
    char * dropuser;
    char * dropgroup;
    char * jaildir;
    char * pidfile;
    char * connectlog;
    char * contentlog;
    char * contentlog_basedir; /* static part of logspec, for privsep srv */
    char * masterkeylog;
    CONST_SSL_METHOD * (* sslmethod)(void);
    int sslversion;

    /* Private Key */
    EVP_PKEY * key;

    DH * dh;
    char * ecdhcurve;
    struct proxyspec * spec;
    char * crlurl;

    tfe_maat_config * maat_config;
    tfe_forgesocket_config * forgesocket_config;
};

extern tfe_instance * g_tfe_instance;
extern tfe_config * g_tfe_config;

struct tfe_config * tfe_config_new(void) MALLOC;
void tfe_config_free(struct tfe_config *) NONNULL(1);
int tfe_config_has_ssl_spec(struct tfe_config *) NONNULL(1) WUNRES;
int tfe_config_has_dns_spec(struct tfe_config *) NONNULL(1) WUNRES;
void tfe_config_proto_force(struct tfe_config *, const char *, const char *) NONNULL(1, 2, 3);
void tfe_config_proto_disable(struct tfe_config *, const char *, const char *) NONNULL(1, 2, 3);
void tfe_config_proto_dbg_dump(struct tfe_config *) NONNULL(1);
void tfe_config_load_from_file(tfe_config * cfg, const char * c_str_file);

#define OPTS_DEBUG(opts) unlikely((opts)->debug)

void proxyspec_free(struct proxyspec *) NONNULL(1);
char * proxyspec_str(struct proxyspec *) NONNULL(1) MALLOC;

#endif /* !OPTS_H */

/* vim: set noet ft=c: */