[thirdparty/openvpn.git] / options.h

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * 2004-01-28: Added Socks5 proxy support
 *   (Christof Meerwald, http://cmeerw.org)
 */

#ifndef OPTIONS_H
#define OPTIONS_H

#include "basic.h"
#include "common.h"
#include "mtu.h"
#include "route.h"
#include "tun.h"
#include "socket.h"
#include "plugin.h"
#include "manage.h"
#include "proxy.h"
#include "lzo.h"

/*
 * Maximum number of parameters associated with an option,
 * including the option name itself.
 */
#define MAX_PARMS 16

/*
 * Max size of options line and parameter.
 */
#define OPTION_PARM_SIZE 256
#define OPTION_LINE_SIZE 256

extern const char title_string[];

#if P2MP

#if P2MP_SERVER
/* parameters to be pushed to peer */

#define MAX_PUSH_LIST_LEN TLS_CHANNEL_BUF_SIZE /* This parm is related to PLAINTEXT_BUFFER_SIZE in ssl.h */

struct push_list {
  /* newline delimited options, like config file */
  char options[MAX_PUSH_LIST_LEN];
};
#endif

/* certain options are saved before --pull modifications are applied */
struct options_pre_pull
{
  bool tuntap_options_defined;
  struct tuntap_options tuntap_options;

  bool routes_defined;
  struct route_option_list routes;

  int foreign_option_index;
};

#endif

struct connection_entry
{
  int proto;
  int local_port;
  bool local_port_defined;
  int remote_port;
  bool port_option_used;
  const char *local;
  const char *remote;
  bool remote_float;
  bool bind_defined;
  bool bind_local;
  int connect_retry_seconds;
  bool connect_retry_defined;
  int connect_retry_max;
  int connect_timeout;
  bool connect_timeout_defined;
#ifdef ENABLE_HTTP_PROXY
  struct http_proxy_options *http_proxy_options;
#endif  
#ifdef ENABLE_SOCKS
  const char *socks_proxy_server;
  int socks_proxy_port;
  bool socks_proxy_retry;
#endif
};

struct remote_entry
{
  const char *remote;
  int remote_port;
  int proto;
};

#ifdef ENABLE_CONNECTION

#define CONNECTION_LIST_SIZE 64

struct connection_list
{
  int len;
  int current;
  bool no_advance;
  struct connection_entry *array[CONNECTION_LIST_SIZE];
};

struct remote_list
{
  int len;
  struct remote_entry *array[CONNECTION_LIST_SIZE];
};

#endif

/* Command line options */
struct options
{
  struct gc_arena gc;
  bool gc_owned;

  /* first config file */
  const char *config;

  /* major mode */
# define MODE_POINT_TO_POINT 0
# define MODE_SERVER         1
  int mode;

  /* persist parms */
  bool persist_config;
  int persist_mode;

#ifdef USE_CRYPTO
  const char *key_pass_file;
  bool show_ciphers;
  bool show_digests;
  bool show_engines;
#ifdef USE_SSL
  bool show_tls_ciphers;
#endif
  bool genkey;
#endif

  /* Networking parms */
  struct connection_entry ce;

#ifdef ENABLE_CONNECTION
  struct connection_list *connection_list;
  struct remote_list *remote_list;
#endif

#ifdef GENERAL_PROXY_SUPPORT
  struct auto_proxy_info *auto_proxy_info;
#endif

  bool remote_random;
  const char *ipchange;
  const char *dev;
  const char *dev_type;
  const char *dev_node;
  const char *lladdr;
  int topology; /* one of the TOP_x values from proto.h */
  const char *ifconfig_local;
  const char *ifconfig_remote_netmask;
  bool ifconfig_noexec;
  bool ifconfig_nowarn;
#ifdef HAVE_GETTIMEOFDAY
  int shaper;
#endif
  int tun_mtu;           /* MTU of tun device */
  int tun_mtu_extra;
  bool tun_mtu_extra_defined;
  int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */
  bool tun_mtu_defined;  /* true if user overriding parm with command line option */
  bool link_mtu_defined; /* true if user overriding parm with command line option */

  /* Advanced MTU negotiation and datagram fragmentation options */
  int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */

#ifdef ENABLE_OCC
  bool mtu_test;
#endif

  int fragment;                 /* internal fragmentation size */

  bool mlock;

  int keepalive_ping;           /* a proxy for ping/ping-restart */
  int keepalive_timeout;

  int inactivity_timeout;       /* --inactive */
  int inactivity_minimum_bytes;

  int ping_send_timeout;        /* Send a TCP/UDP ping to remote every n seconds */
  int ping_rec_timeout;         /* Expect a TCP/UDP ping from remote at least once every n seconds */
  bool ping_timer_remote;       /* Run ping timer only if we have a remote address */
  bool tun_ipv6;                /* Build tun dev that supports IPv6 */

# define PING_UNDEF   0
# define PING_EXIT    1
# define PING_RESTART 2
  int ping_rec_timeout_action;  /* What action to take on ping_rec_timeout (exit or restart)? */

#ifdef ENABLE_OCC
  int explicit_exit_notification;  /* Explicitly tell peer when we are exiting via OCC_EXIT message */
#endif

  bool persist_tun;             /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
  bool persist_local_ip;        /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
  bool persist_remote_ip;       /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
  bool persist_key;             /* Don't re-read key files on SIGUSR1 or PING_RESTART */

  int mssfix;                   /* Upper bound on TCP MSS */
  bool mssfix_default;          /* true if --mssfix was supplied without a parameter */

#if PASSTOS_CAPABILITY
  bool passtos;                  
#endif

  int resolve_retry_seconds;    /* If hostname resolve fails, retry for n seconds */

  struct tuntap_options tuntap_options;

  /* Misc parms */
  const char *username;
  const char *groupname;
  const char *chroot_dir;
  const char *cd_dir;
  const char *writepid;
  const char *up_script;
  const char *down_script;
  bool down_pre;
  bool up_delay;
  bool up_restart;
  bool daemon;

  int remap_sigusr1;

  /* inetd modes defined in socket.h */
  int inetd;

  bool log;
  bool suppress_timestamps;
  int nice;
  int verbosity;
  int mute;

#ifdef ENABLE_DEBUG
  int gremlin;
#endif

  const char *status_file;
  int status_file_version;
  int status_file_update_freq;

  /* optimize TUN/TAP/UDP writes */
  bool fast_io;

#ifdef USE_LZO
  /* LZO_x flags from lzo.h */
  unsigned int lzo;
#endif

  /* buffer sizes */
  int rcvbuf;
  int sndbuf;

  /* socket flags */
  unsigned int sockflags;

  /* route management */
  const char *route_script;
  const char *route_default_gateway;
  int route_default_metric;
  bool route_noexec;
  int route_delay;
  int route_delay_window;
  bool route_delay_defined;
  struct route_option_list *routes;
  bool route_nopull;
  bool route_gateway_via_dhcp;
  bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */

#ifdef ENABLE_OCC
  /* Enable options consistency check between peers */
  bool occ;
#endif

#ifdef ENABLE_MANAGEMENT
  const char *management_addr;
  int management_port;
  const char *management_user_pass;
  int management_log_history_cache;
  int management_echo_buffer_size;
  int management_state_buffer_size;
  const char *management_write_peer_info_file;

  /* Mask of MF_ values of manage.h */
  unsigned int management_flags;
#endif

#ifdef ENABLE_PLUGIN
  struct plugin_option_list *plugin_list;
#endif

#ifdef USE_PTHREAD
  int n_threads;
  int nice_work;
#endif

#if P2MP

#if P2MP_SERVER
  bool server_defined;
  in_addr_t server_network;
  in_addr_t server_netmask;

# define SF_NOPOOL (1<<0)
  unsigned int server_flags;

  bool server_bridge_proxy_dhcp;

  bool server_bridge_defined;
  in_addr_t server_bridge_ip;
  in_addr_t server_bridge_netmask;
  in_addr_t server_bridge_pool_start;
  in_addr_t server_bridge_pool_end;

  struct push_list *push_list;
  bool ifconfig_pool_defined;
  in_addr_t ifconfig_pool_start;
  in_addr_t ifconfig_pool_end;
  in_addr_t ifconfig_pool_netmask;
  const char *ifconfig_pool_persist_filename;
  int ifconfig_pool_persist_refresh_freq;
  int real_hash_size;
  int virtual_hash_size;
  const char *client_connect_script;
  const char *client_disconnect_script;
  const char *learn_address_script;
  const char *tmp_dir;
  const char *client_config_dir;
  bool ccd_exclusive;
  bool disable;
  int n_bcast_buf;
  int tcp_queue_limit;
  struct iroute *iroutes;
  bool push_ifconfig_defined;
  in_addr_t push_ifconfig_local;
  in_addr_t push_ifconfig_remote_netmask;
  bool push_ifconfig_constraint_defined;
  in_addr_t push_ifconfig_constraint_network;
  in_addr_t push_ifconfig_constraint_netmask;
  bool enable_c2c;
  bool duplicate_cn;
  int cf_max;
  int cf_per;
  int max_clients;
  int max_routes_per_client;

  bool client_cert_not_required;
  bool username_as_common_name;
  const char *auth_user_pass_verify_script;
  bool auth_user_pass_verify_script_via_file;
#if PORT_SHARE
  char *port_share_host;
  int port_share_port;
#endif
#endif

  bool client;
  bool pull; /* client pull of config options from server */
  const char *auth_user_pass_file;
  struct options_pre_pull *pre_pull;

  int scheduled_exit_interval;

#endif

#ifdef USE_CRYPTO
  /* Cipher parms */
  const char *shared_secret_file;
#if ENABLE_INLINE_FILES
  const char *shared_secret_file_inline;
#endif
  int key_direction;
  bool ciphername_defined;
  const char *ciphername;
  bool authname_defined;
  const char *authname;
  int keysize;
  const char *engine;
  bool replay;
  bool mute_replay_warnings;
  int replay_window;
  int replay_time;
  const char *packet_id_file;
  bool use_iv;
  bool test_crypto;

#ifdef USE_SSL
  /* TLS (control channel) parms */
  bool tls_server;
  bool tls_client;
  const char *ca_file;
  const char *ca_path;
  const char *dh_file;
  const char *cert_file;
  const char *priv_key_file;
  const char *pkcs12_file;
  const char *cipher_list;
  const char *tls_verify;
  const char *tls_remote;
  const char *crl_file;

#if ENABLE_INLINE_FILES
  const char *ca_file_inline;
  const char *cert_file_inline;
  char *priv_key_file_inline;
  const char *dh_file_inline;
#endif

  int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
  unsigned remote_cert_ku[MAX_PARMS];
  const char *remote_cert_eku;

#ifdef ENABLE_PKCS11
  const char *pkcs11_providers[MAX_PARMS];
  unsigned pkcs11_private_mode[MAX_PARMS];
  bool pkcs11_protected_authentication[MAX_PARMS];
  bool pkcs11_cert_private[MAX_PARMS];
  int pkcs11_pin_cache_period;
  const char *pkcs11_id;
  bool pkcs11_id_management;
#endif

#ifdef WIN32
  const char *cryptoapi_cert;
#endif

  /* data channel key exchange method */
  int key_method;

  /* Per-packet timeout on control channel */
  int tls_timeout;

  /* Data channel key renegotiation parameters */
  int renegotiate_bytes;
  int renegotiate_packets;
  int renegotiate_seconds;

  /* Data channel key handshake must finalize
     within n seconds of handshake initiation. */
  int handshake_window;

  /* Old key allowed to live n seconds after new key goes active */
  int transition_window;

  /* Special authentication MAC for TLS control channel */
  const char *tls_auth_file;		/* shared secret */
#if ENABLE_INLINE_FILES
  const char *tls_auth_file_inline;
#endif

  /* Allow only one session */
  bool single_session;

  bool tls_exit;

#endif /* USE_SSL */
#endif /* USE_CRYPTO */

  /* special state parms */
  int foreign_option_index;

#ifdef WIN32
  const char *exit_event_name;
  bool exit_event_initial_state;
  bool show_net_up;
  int route_method;
#endif
};

#define streq(x, y) (!strcmp((x), (y)))

/*
 * Option classes.
 */
#define OPT_P_GENERAL         (1<<0)
#define OPT_P_UP              (1<<1)
#define OPT_P_ROUTE           (1<<2)
#define OPT_P_IPWIN32         (1<<3)
#define OPT_P_SCRIPT          (1<<4)
#define OPT_P_SETENV          (1<<5)
#define OPT_P_SHAPER          (1<<6)
#define OPT_P_TIMER           (1<<7)
#define OPT_P_PERSIST         (1<<8)
#define OPT_P_PERSIST_IP      (1<<9)
#define OPT_P_COMP            (1<<10) /* TODO */
#define OPT_P_MESSAGES        (1<<11)
#define OPT_P_CRYPTO          (1<<12) /* TODO */
#define OPT_P_TLS_PARMS       (1<<13) /* TODO */
#define OPT_P_MTU             (1<<14) /* TODO */
#define OPT_P_NICE            (1<<15)
#define OPT_P_PUSH            (1<<16)
#define OPT_P_INSTANCE        (1<<17)
#define OPT_P_CONFIG          (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO            (1<<20)
#define OPT_P_INHERIT         (1<<21)
#define OPT_P_ROUTE_EXTRAS    (1<<22)
#define OPT_P_PULL_MODE       (1<<23)
#define OPT_P_PLUGIN          (1<<24)
#define OPT_P_SOCKBUF         (1<<25)
#define OPT_P_SOCKFLAGS       (1<<26)
#define OPT_P_CONNECTION      (1<<27)

#define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))

#if P2MP
#define PULL_DEFINED(opt) ((opt)->pull)
#if P2MP_SERVER
#define PUSH_DEFINED(opt) ((opt)->push_list)
#endif
#endif

#ifndef PULL_DEFINED
#define PULL_DEFINED(opt) (false)
#endif

#ifndef PUSH_DEFINED
#define PUSH_DEFINED(opt) (false)
#endif

#ifdef WIN32
#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
#else
#define ROUTE_OPTION_FLAGS(o) (0)
#endif

#ifdef HAVE_GETTIMEOFDAY
#define SHAPER_DEFINED(opt) ((opt)->shaper)
#else
#define SHAPER_DEFINED(opt) (false)
#endif

#ifdef ENABLE_PLUGIN
#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
#else
#define PLUGIN_OPTION_LIST(opt) (NULL)
#endif

#ifdef MANAGEMENT_DEF_AUTH
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#else
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
#endif

void parse_argv (struct options *options,
		 const int argc,
		 char *argv[],
		 const int msglevel,
		 const unsigned int permission_mask,
		 unsigned int *option_types_found,
		 struct env_set *es);

void notnull (const char *arg, const char *description);

void usage_small (void);

void init_options (struct options *o, const bool init_gc);
void uninit_options (struct options *o);

void setenv_settings (struct env_set *es, const struct options *o);
void show_settings (const struct options *o);

bool string_defined_equal (const char *s1, const char *s2);

#ifdef ENABLE_OCC

const char *options_string_version (const char* s, struct gc_arena *gc);

char *options_string (const struct options *o,
		      const struct frame *frame,
		      struct tuntap *tt,
		      bool remote,
		      struct gc_arena *gc);

int options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n);
void options_warning_safe (char *actual, const char *expected, size_t actual_n);
int options_cmp_equal (char *actual, const char *expected);
void options_warning (char *actual, const char *expected);

#endif

void options_postprocess (struct options *options);

void pre_pull_save (struct options *o);
void pre_pull_restore (struct options *o);

bool apply_push_options (struct options *options,
			 struct buffer *buf,
			 unsigned int permission_mask,
			 unsigned int *option_types_found,
			 struct env_set *es);

bool is_persist_option (const struct options *o);
bool is_stateful_restart (const struct options *o);

void options_detach (struct options *o);

void options_server_import (struct options *o,
			    const char *filename,
			    int msglevel,
			    unsigned int permission_mask,
			    unsigned int *option_types_found,
			    struct env_set *es);

void pre_pull_default (struct options *o);

void rol_check_alloc (struct options *options);

int parse_line (const char *line,
		char *p[],
		const int n,
		const char *file,
		const int line_num,
		int msglevel,
		struct gc_arena *gc);

/*
 * parse/print topology coding
 */

int parse_topology (const char *str, const int msglevel);
const char *print_topology (const int topology);

/*
 * Manage auth-retry variable
 */

#if P2MP

#define AR_NONE       0
#define AR_INTERACT   1
#define AR_NOINTERACT 2

int auth_retry_get (void);
bool auth_retry_set (const int msglevel, const char *option);
const char *auth_retry_print (void);

#endif

void options_string_import (struct options *options,
			    const char *config,
			    const int msglevel,
			    const unsigned int permission_mask,
			    unsigned int *option_types_found,
			    struct env_set *es);

/*
 * inline functions
 */
static inline bool
connection_list_defined (const struct options *o)
{
#ifdef ENABLE_CONNECTION
  return o->connection_list != NULL;
#else
  return false;
#endif
}

static inline void
connection_list_set_no_advance (struct options *o)
{
#ifdef ENABLE_CONNECTION
  if (o->connection_list)
    o->connection_list->no_advance = true;
#endif
}

#endif
Commit	Line	Data
6fbf66fa JY	1	/*
	2	* OpenVPN -- An application to securely tunnel IP networks
	3	* over a single UDP port, with support for SSL/TLS-based
	4	* session authentication and key exchange,
	5	* packet encryption, packet authentication, and
	6	* packet compression.
	7	*
1c0cc4ad	8	* Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
6fbf66fa JY	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License version 2
	12	* as published by the Free Software Foundation.
	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program (see the file COPYING included with this
	21	* distribution); if not, write to the Free Software Foundation, Inc.,
	22	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	23	*/
	24
	25	/*
	26	* 2004-01-28: Added Socks5 proxy support
	27	* (Christof Meerwald, http://cmeerw.org)
	28	*/
	29
	30	#ifndef OPTIONS_H
	31	#define OPTIONS_H
	32
	33	#include "basic.h"
	34	#include "common.h"
	35	#include "mtu.h"
	36	#include "route.h"
	37	#include "tun.h"
	38	#include "socket.h"
	39	#include "plugin.h"
	40	#include "manage.h"
	41	#include "proxy.h"
537073fd	42	#include "lzo.h"
6fbf66fa JY	43
	44	/*
	45	* Maximum number of parameters associated with an option,
	46	* including the option name itself.
	47	*/
	48	#define MAX_PARMS 16
	49
	50	/*
	51	* Max size of options line and parameter.
	52	*/
	53	#define OPTION_PARM_SIZE 256
	54	#define OPTION_LINE_SIZE 256
	55
	56	extern const char title_string[];
	57
	58	#if P2MP
	59
	60	#if P2MP_SERVER
	61	/* parameters to be pushed to peer */
	62
	63	#define MAX_PUSH_LIST_LEN TLS_CHANNEL_BUF_SIZE /* This parm is related to PLAINTEXT_BUFFER_SIZE in ssl.h */
	64
	65	struct push_list {
	66	/* newline delimited options, like config file */
	67	char options[MAX_PUSH_LIST_LEN];
	68	};
	69	#endif
	70
	71	/* certain options are saved before --pull modifications are applied */
	72	struct options_pre_pull
	73	{
	74	bool tuntap_options_defined;
	75	struct tuntap_options tuntap_options;
	76
	77	bool routes_defined;
	78	struct route_option_list routes;
	79
	80	int foreign_option_index;
	81	};
	82
	83	#endif
	84
4e9a51d7 JY	85	struct connection_entry
	86	{
	87	int proto;
	88	int local_port;
	89	bool local_port_defined;
	90	int remote_port;
	91	bool port_option_used;
	92	const char *local;
	93	const char *remote;
	94	bool remote_float;
	95	bool bind_defined;
	96	bool bind_local;
	97	int connect_retry_seconds;
	98	bool connect_retry_defined;
	99	int connect_retry_max;
	100	int connect_timeout;
	101	bool connect_timeout_defined;
	102	#ifdef ENABLE_HTTP_PROXY
	103	struct http_proxy_options *http_proxy_options;
	104	#endif
	105	#ifdef ENABLE_SOCKS
	106	const char *socks_proxy_server;
	107	int socks_proxy_port;
	108	bool socks_proxy_retry;
	109	#endif
	110	};
	111
	112	struct remote_entry
	113	{
	114	const char *remote;
	115	int remote_port;
	116	int proto;
	117	};
	118
	119	#ifdef ENABLE_CONNECTION
	120
	121	#define CONNECTION_LIST_SIZE 64
	122
	123	struct connection_list
	124	{
	125	int len;
	126	int current;
	127	bool no_advance;
	128	struct connection_entry *array[CONNECTION_LIST_SIZE];
	129	};
	130
	131	struct remote_list
	132	{
	133	int len;
	134	struct remote_entry *array[CONNECTION_LIST_SIZE];
	135	};
	136
	137	#endif
	138
6fbf66fa JY	139	/* Command line options */
	140	struct options
	141	{
	142	struct gc_arena gc;
4e9a51d7	143	bool gc_owned;
6fbf66fa JY	144
	145	/* first config file */
	146	const char *config;
	147
	148	/* major mode */
	149	# define MODE_POINT_TO_POINT 0
	150	# define MODE_SERVER 1
	151	int mode;
	152
	153	/* persist parms */
	154	bool persist_config;
	155	int persist_mode;
	156
	157	#ifdef USE_CRYPTO
	158	const char *key_pass_file;
	159	bool show_ciphers;
	160	bool show_digests;
	161	bool show_engines;
	162	#ifdef USE_SSL
	163	bool show_tls_ciphers;
	164	#endif
	165	bool genkey;
	166	#endif
	167
	168	/* Networking parms */
4e9a51d7 JY	169	struct connection_entry ce;
	170
	171	#ifdef ENABLE_CONNECTION
	172	struct connection_list *connection_list;
6fbf66fa	173	struct remote_list *remote_list;
4e9a51d7 JY	174	#endif
	175
	176	#ifdef GENERAL_PROXY_SUPPORT
	177	struct auto_proxy_info *auto_proxy_info;
	178	#endif
	179
6fbf66fa JY	180	bool remote_random;
6fbf66fa JY	181	const char *ipchange;
6fbf66fa JY	182	const char *dev;
	183	const char *dev_type;
	184	const char *dev_node;
e12fe286	185	const char *lladdr;
3c7f2f55	186	int topology; /* one of the TOP_x values from proto.h */
6fbf66fa JY	187	const char *ifconfig_local;
	188	const char *ifconfig_remote_netmask;
	189	bool ifconfig_noexec;
	190	bool ifconfig_nowarn;
	191	#ifdef HAVE_GETTIMEOFDAY
	192	int shaper;
	193	#endif
	194	int tun_mtu; /* MTU of tun device */
	195	int tun_mtu_extra;
	196	bool tun_mtu_extra_defined;
	197	int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */
	198	bool tun_mtu_defined; /* true if user overriding parm with command line option */
	199	bool link_mtu_defined; /* true if user overriding parm with command line option */
	200
6fbf66fa JY	201	/* Advanced MTU negotiation and datagram fragmentation options */
	202	int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
	203
	204	#ifdef ENABLE_OCC
	205	bool mtu_test;
	206	#endif
	207
	208	int fragment; /* internal fragmentation size */
	209
	210	bool mlock;
	211
	212	int keepalive_ping; /* a proxy for ping/ping-restart */
	213	int keepalive_timeout;
	214
838911cc JY	215	int inactivity_timeout; /* --inactive */
	216	int inactivity_minimum_bytes;
	217
6fbf66fa JY	218	int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */
	219	int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */
	220	bool ping_timer_remote; /* Run ping timer only if we have a remote address */
	221	bool tun_ipv6; /* Build tun dev that supports IPv6 */
	222
	223	# define PING_UNDEF 0
	224	# define PING_EXIT 1
	225	# define PING_RESTART 2
	226	int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
	227
	228	#ifdef ENABLE_OCC
	229	int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT message */
	230	#endif
	231
	232	bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
	233	bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
	234	bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
	235	bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
	236
	237	int mssfix; /* Upper bound on TCP MSS */
	238	bool mssfix_default; /* true if --mssfix was supplied without a parameter */
	239
	240	#if PASSTOS_CAPABILITY
	241	bool passtos;
	242	#endif
	243
	244	int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
	245
	246	struct tuntap_options tuntap_options;
	247
	248	/* Misc parms */
	249	const char *username;
	250	const char *groupname;
	251	const char *chroot_dir;
	252	const char *cd_dir;
	253	const char *writepid;
	254	const char *up_script;
	255	const char *down_script;
	256	bool down_pre;
	257	bool up_delay;
	258	bool up_restart;
	259	bool daemon;
	260
	261	int remap_sigusr1;
	262
	263	/* inetd modes defined in socket.h */
	264	int inetd;
	265
	266	bool log;
	267	bool suppress_timestamps;
	268	int nice;
	269	int verbosity;
	270	int mute;
	271
	272	#ifdef ENABLE_DEBUG
	273	int gremlin;
	274	#endif
	275
	276	const char *status_file;
	277	int status_file_version;
	278	int status_file_update_freq;
	279
	280	/* optimize TUN/TAP/UDP writes */
	281	bool fast_io;
282
283	#ifdef USE_LZO
537073fd JY	284	/* LZO_x flags from lzo.h */
537073fd JY	285	unsigned int lzo;
6fbf66fa JY	286	#endif
	287
	288	/* buffer sizes */
	289	int rcvbuf;
	290	int sndbuf;
	291
00d39170 JY	292	/* socket flags */
	293	unsigned int sockflags;
	294
6fbf66fa JY	295	/* route management */
	296	const char *route_script;
	297	const char *route_default_gateway;
40ac3d7a	298	int route_default_metric;
6fbf66fa JY	299	bool route_noexec;
	300	int route_delay;
	301	int route_delay_window;
	302	bool route_delay_defined;
	303	struct route_option_list *routes;
3c7f2f55	304	bool route_nopull;
03731db3	305	bool route_gateway_via_dhcp;
0a838de8	306	bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
6fbf66fa	307
6fbf66fa JY	308	#ifdef ENABLE_OCC
	309	/* Enable options consistency check between peers */
	310	bool occ;
	311	#endif
	312
	313	#ifdef ENABLE_MANAGEMENT
	314	const char *management_addr;
	315	int management_port;
	316	const char *management_user_pass;
	317	int management_log_history_cache;
	318	int management_echo_buffer_size;
	319	int management_state_buffer_size;
8d33c060	320	const char *management_write_peer_info_file;
90efcacb JY	321
	322	/* Mask of MF_ values of manage.h */
	323	unsigned int management_flags;
6fbf66fa JY	324	#endif
	325
	326	#ifdef ENABLE_PLUGIN
	327	struct plugin_option_list *plugin_list;
	328	#endif
	329
	330	#ifdef USE_PTHREAD
	331	int n_threads;
	332	int nice_work;
	333	#endif
	334
	335	#if P2MP
	336
	337	#if P2MP_SERVER
	338	bool server_defined;
	339	in_addr_t server_network;
	340	in_addr_t server_netmask;
	341
3c7f2f55 JY	342	# define SF_NOPOOL (1<<0)
	343	unsigned int server_flags;
	344
03731db3 JY	345	bool server_bridge_proxy_dhcp;
03731db3 JY	346
6fbf66fa JY	347	bool server_bridge_defined;
	348	in_addr_t server_bridge_ip;
	349	in_addr_t server_bridge_netmask;
	350	in_addr_t server_bridge_pool_start;
	351	in_addr_t server_bridge_pool_end;
	352
	353	struct push_list *push_list;
	354	bool ifconfig_pool_defined;
	355	in_addr_t ifconfig_pool_start;
	356	in_addr_t ifconfig_pool_end;
	357	in_addr_t ifconfig_pool_netmask;
	358	const char *ifconfig_pool_persist_filename;
	359	int ifconfig_pool_persist_refresh_freq;
6fbf66fa JY	360	int real_hash_size;
	361	int virtual_hash_size;
	362	const char *client_connect_script;
	363	const char *client_disconnect_script;
	364	const char *learn_address_script;
	365	const char *tmp_dir;
	366	const char *client_config_dir;
	367	bool ccd_exclusive;
	368	bool disable;
	369	int n_bcast_buf;
	370	int tcp_queue_limit;
	371	struct iroute *iroutes;
	372	bool push_ifconfig_defined;
	373	in_addr_t push_ifconfig_local;
	374	in_addr_t push_ifconfig_remote_netmask;
3c7f2f55 JY	375	bool push_ifconfig_constraint_defined;
	376	in_addr_t push_ifconfig_constraint_network;
	377	in_addr_t push_ifconfig_constraint_netmask;
6fbf66fa JY	378	bool enable_c2c;
	379	bool duplicate_cn;
	380	int cf_max;
	381	int cf_per;
	382	int max_clients;
	383	int max_routes_per_client;
	384
	385	bool client_cert_not_required;
	386	bool username_as_common_name;
	387	const char *auth_user_pass_verify_script;
	388	bool auth_user_pass_verify_script_via_file;
6add6b2f JY	389	#if PORT_SHARE
	390	char *port_share_host;
	391	int port_share_port;
	392	#endif
6fbf66fa JY	393	#endif
	394
	395	bool client;
	396	bool pull; /* client pull of config options from server */
	397	const char *auth_user_pass_file;
	398	struct options_pre_pull *pre_pull;
	399
	400	int scheduled_exit_interval;
	401
	402	#endif
	403
	404	#ifdef USE_CRYPTO
	405	/* Cipher parms */
	406	const char *shared_secret_file;
c959fc74 JY	407	#if ENABLE_INLINE_FILES
	408	const char *shared_secret_file_inline;
	409	#endif
6fbf66fa JY	410	int key_direction;
	411	bool ciphername_defined;
	412	const char *ciphername;
	413	bool authname_defined;
	414	const char *authname;
	415	int keysize;
	416	const char *engine;
	417	bool replay;
	418	bool mute_replay_warnings;
	419	int replay_window;
	420	int replay_time;
	421	const char *packet_id_file;
	422	bool use_iv;
	423	bool test_crypto;
	424
	425	#ifdef USE_SSL
	426	/* TLS (control channel) parms */
	427	bool tls_server;
	428	bool tls_client;
	429	const char *ca_file;
e9c5e170	430	const char *ca_path;
6fbf66fa JY	431	const char *dh_file;
	432	const char *cert_file;
	433	const char *priv_key_file;
	434	const char *pkcs12_file;
	435	const char *cipher_list;
	436	const char *tls_verify;
	437	const char *tls_remote;
	438	const char *crl_file;
d40f2b20 JY	439
	440	#if ENABLE_INLINE_FILES
	441	const char *ca_file_inline;
	442	const char *cert_file_inline;
	443	char *priv_key_file_inline;
	444	const char *dh_file_inline;
	445	#endif
	446
6fbf66fa	447	int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
411e89ae JY	448	unsigned remote_cert_ku[MAX_PARMS];
411e89ae JY	449	const char *remote_cert_eku;
bed73623 JY	450
bed73623 JY	451	#ifdef ENABLE_PKCS11
ce98fd24	452	const char *pkcs11_providers[MAX_PARMS];
718526e0	453	unsigned pkcs11_private_mode[MAX_PARMS];
18597b93 JY	454	bool pkcs11_protected_authentication[MAX_PARMS];
	455	bool pkcs11_cert_private[MAX_PARMS];
	456	int pkcs11_pin_cache_period;
ce98fd24	457	const char *pkcs11_id;
1bda73a7	458	bool pkcs11_id_management;
bed73623 JY	459	#endif
bed73623 JY	460
6fbf66fa JY	461	#ifdef WIN32
	462	const char *cryptoapi_cert;
	463	#endif
	464
	465	/* data channel key exchange method */
	466	int key_method;
	467
	468	/* Per-packet timeout on control channel */
	469	int tls_timeout;
	470
	471	/* Data channel key renegotiation parameters */
	472	int renegotiate_bytes;
	473	int renegotiate_packets;
	474	int renegotiate_seconds;
	475
	476	/* Data channel key handshake must finalize
	477	within n seconds of handshake initiation. */
	478	int handshake_window;
	479
	480	/* Old key allowed to live n seconds after new key goes active */
	481	int transition_window;
	482
	483	/* Special authentication MAC for TLS control channel */
	484	const char tls_auth_file; / shared secret */
c959fc74 JY	485	#if ENABLE_INLINE_FILES
	486	const char *tls_auth_file_inline;
	487	#endif
6fbf66fa JY	488
	489	/* Allow only one session */
	490	bool single_session;
	491
	492	bool tls_exit;
	493
	494	#endif /* USE_SSL */
	495	#endif /* USE_CRYPTO */
	496
	497	/* special state parms */
	498	int foreign_option_index;
	499
	500	#ifdef WIN32
	501	const char *exit_event_name;
	502	bool exit_event_initial_state;
	503	bool show_net_up;
	504	int route_method;
	505	#endif
	506	};
	507
	508	#define streq(x, y) (!strcmp((x), (y)))
	509
	510	/*
	511	* Option classes.
	512	*/
	513	#define OPT_P_GENERAL (1<<0)
	514	#define OPT_P_UP (1<<1)
	515	#define OPT_P_ROUTE (1<<2)
	516	#define OPT_P_IPWIN32 (1<<3)
	517	#define OPT_P_SCRIPT (1<<4)
	518	#define OPT_P_SETENV (1<<5)
	519	#define OPT_P_SHAPER (1<<6)
	520	#define OPT_P_TIMER (1<<7)
	521	#define OPT_P_PERSIST (1<<8)
	522	#define OPT_P_PERSIST_IP (1<<9)
	523	#define OPT_P_COMP (1<<10) /* TODO */
	524	#define OPT_P_MESSAGES (1<<11)
	525	#define OPT_P_CRYPTO (1<<12) /* TODO */
	526	#define OPT_P_TLS_PARMS (1<<13) /* TODO */
	527	#define OPT_P_MTU (1<<14) /* TODO */
	528	#define OPT_P_NICE (1<<15)
	529	#define OPT_P_PUSH (1<<16)
	530	#define OPT_P_INSTANCE (1<<17)
	531	#define OPT_P_CONFIG (1<<18)
	532	#define OPT_P_EXPLICIT_NOTIFY (1<<19)
	533	#define OPT_P_ECHO (1<<20)
	534	#define OPT_P_INHERIT (1<<21)
3c7f2f55 JY	535	#define OPT_P_ROUTE_EXTRAS (1<<22)
	536	#define OPT_P_PULL_MODE (1<<23)
	537	#define OPT_P_PLUGIN (1<<24)
00d39170 JY	538	#define OPT_P_SOCKBUF (1<<25)
00d39170 JY	539	#define OPT_P_SOCKFLAGS (1<<26)
4e9a51d7	540	#define OPT_P_CONNECTION (1<<27)
6fbf66fa	541
3c7f2f55	542	#define OPT_P_DEFAULT (~(OPT_P_INSTANCE\|OPT_P_PULL_MODE))
6fbf66fa JY	543
	544	#if P2MP
	545	#define PULL_DEFINED(opt) ((opt)->pull)
	546	#if P2MP_SERVER
	547	#define PUSH_DEFINED(opt) ((opt)->push_list)
	548	#endif
	549	#endif
	550
	551	#ifndef PULL_DEFINED
	552	#define PULL_DEFINED(opt) (false)
	553	#endif
	554
	555	#ifndef PUSH_DEFINED
	556	#define PUSH_DEFINED(opt) (false)
	557	#endif
	558
	559	#ifdef WIN32
	560	#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
	561	#else
	562	#define ROUTE_OPTION_FLAGS(o) (0)
	563	#endif
	564
	565	#ifdef HAVE_GETTIMEOFDAY
	566	#define SHAPER_DEFINED(opt) ((opt)->shaper)
	567	#else
	568	#define SHAPER_DEFINED(opt) (false)
	569	#endif
	570
	571	#ifdef ENABLE_PLUGIN
	572	#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
	573	#else
	574	#define PLUGIN_OPTION_LIST(opt) (NULL)
	575	#endif
	576
90efcacb JY	577	#ifdef MANAGEMENT_DEF_AUTH
	578	#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
	579	#else
	580	#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
	581	#endif
	582
6fbf66fa JY	583	void parse_argv (struct options *options,
	584	const int argc,
	585	char *argv[],
	586	const int msglevel,
	587	const unsigned int permission_mask,
	588	unsigned int *option_types_found,
	589	struct env_set *es);
	590
	591	void notnull (const char arg, const char description);
	592
	593	void usage_small (void);
	594
4e9a51d7	595	void init_options (struct options *o, const bool init_gc);
6fbf66fa JY	596	void uninit_options (struct options *o);
	597
	598	void setenv_settings (struct env_set es, const struct options o);
	599	void show_settings (const struct options *o);
	600
	601	bool string_defined_equal (const char s1, const char s2);
	602
	603	#ifdef ENABLE_OCC
	604
	605	const char options_string_version (const char s, struct gc_arena *gc);
	606
	607	char options_string (const struct options o,
	608	const struct frame *frame,
	609	struct tuntap *tt,
	610	bool remote,
	611	struct gc_arena *gc);
	612
	613	int options_cmp_equal_safe (char actual, const char expected, size_t actual_n);
	614	void options_warning_safe (char actual, const char expected, size_t actual_n);
	615	int options_cmp_equal (char actual, const char expected);
	616	void options_warning (char actual, const char expected);
	617
	618	#endif
	619
4e9a51d7	620	void options_postprocess (struct options *options);
6fbf66fa JY	621
	622	void pre_pull_save (struct options *o);
	623	void pre_pull_restore (struct options *o);
	624
	625	bool apply_push_options (struct options *options,
	626	struct buffer *buf,
	627	unsigned int permission_mask,
	628	unsigned int *option_types_found,
	629	struct env_set *es);
	630
	631	bool is_persist_option (const struct options *o);
	632	bool is_stateful_restart (const struct options *o);
	633
	634	void options_detach (struct options *o);
	635
	636	void options_server_import (struct options *o,
	637	const char *filename,
	638	int msglevel,
	639	unsigned int permission_mask,
	640	unsigned int *option_types_found,
	641	struct env_set *es);
	642
	643	void pre_pull_default (struct options *o);
	644
	645	void rol_check_alloc (struct options *options);
	646
	647	int parse_line (const char *line,
	648	char *p[],
	649	const int n,
	650	const char *file,
	651	const int line_num,
	652	int msglevel,
	653	struct gc_arena *gc);
	654
3c7f2f55 JY	655	/*
	656	* parse/print topology coding
	657	*/
	658
	659	int parse_topology (const char *str, const int msglevel);
	660	const char *print_topology (const int topology);
	661
6fbf66fa JY	662	/*
	663	* Manage auth-retry variable
	664	*/
	665
	666	#if P2MP
	667
	668	#define AR_NONE 0
	669	#define AR_INTERACT 1
	670	#define AR_NOINTERACT 2
	671
	672	int auth_retry_get (void);
	673	bool auth_retry_set (const int msglevel, const char *option);
	674	const char *auth_retry_print (void);
	675
	676	#endif
	677
90efcacb	678	void options_string_import (struct options *options,
3c7f2f55 JY	679	const char *config,
	680	const int msglevel,
	681	const unsigned int permission_mask,
	682	unsigned int *option_types_found,
	683	struct env_set *es);
	684
4e9a51d7 JY	685	/*
	686	* inline functions
	687	*/
	688	static inline bool
	689	connection_list_defined (const struct options *o)
	690	{
	691	#ifdef ENABLE_CONNECTION
	692	return o->connection_list != NULL;
	693	#else
	694	return false;
	695	#endif
	696	}
	697
	698	static inline void
	699	connection_list_set_no_advance (struct options *o)
	700	{
	701	#ifdef ENABLE_CONNECTION
	702	if (o->connection_list)
	703	o->connection_list->no_advance = true;
	704	#endif
	705	}
	706
3c7f2f55	707	#endif