]> git.ipfire.org Git - thirdparty/openvpn.git/blame - src/openvpn/options.h
projects / thirdparty / openvpn.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
msvc: switch to openssl3
[thirdparty/openvpn.git] / src / openvpn / options.h
CommitLineData
6fbf66fa
JY		 1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
1800d77e 8 * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
6fbf66fa
JY		 9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
caa54ac3
DS		 19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
6fbf66fa
JY		 22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
27 */
28
29#ifndef OPTIONS_H
30#define OPTIONS_H
31
32#include "basic.h"
33#include "common.h"
34#include "mtu.h"
35#include "route.h"
36#include "tun.h"
37#include "socket.h"
38#include "plugin.h"
39#include "manage.h"
40#include "proxy.h"
38d96bd7 41#include "comp.h"
3eee126e 42#include "pushlist.h"
581bef87 43#include "clinat.h"
2193d7c0 44#include "crypto_backend.h"
2193d7c0 45
6fbf66fa
JY		 46
47/*
48 * Maximum number of parameters associated with an option,
49 * including the option name itself.
50 */
51#define MAX_PARMS 16
52
53/*
54 * Max size of options line and parameter.
55 */
56#define OPTION_PARM_SIZE 256
57#define OPTION_LINE_SIZE 256
58
59extern const char title_string[];
60
6fbf66fa 61/* certain options are saved before --pull modifications are applied */
c1150e5b 62struct options_pre_connect
6fbf66fa 63{
81d882d5
DS		 64 bool tuntap_options_defined;
65 struct tuntap_options tuntap_options;
6fbf66fa 66
81d882d5
DS		 67 bool routes_defined;
68 struct route_option_list *routes;
6fbf66fa 69
81d882d5
DS		 70 bool routes_ipv6_defined;
71 struct route_ipv6_option_list *routes_ipv6;
91402236 72
57c8d220
AS		 73 const char *route_default_gateway;
74 const char *route_ipv6_default_gateway;
75
81d882d5
DS		 76 bool client_nat_defined;
77 struct client_nat_option_list *client_nat;
581bef87 78
7064ccb9
AS		 79 const char* ciphername;
80 const char* authname;
7064ccb9 81
5a2ed714
AS		 82 int ping_send_timeout;
83 int ping_rec_timeout;
84 int ping_rec_timeout_action;
85
81d882d5 86 int foreign_option_index;
2a414c3c
AS		 87#ifdef USE_COMP
88 struct compress_options comp;
89#endif
6fbf66fa
JY		 90};
91
c7ca9133 92#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
81d882d5 93#error "At least one of OpenSSL or mbed TLS needs to be defined."
6fbf66fa
JY		 94#endif
95
4e9a51d7
JY		 96struct connection_entry
97{
81d882d5
DS		 98 int proto;
99 sa_family_t af;
100 const char *local_port;
101 bool local_port_defined;
102 const char *remote_port;
103 const char *local;
104 const char *remote;
105 bool remote_float;
106 bool bind_defined;
107 bool bind_ipv6_only;
108 bool bind_local;
109 int connect_retry_seconds;
110 int connect_retry_seconds_max;
111 int connect_timeout;
112 struct http_proxy_options *http_proxy_options;
113 const char *socks_proxy_server;
114 const char *socks_proxy_port;
115 const char *socks_proxy_authfile;
116
117 int tun_mtu; /* MTU of tun device */
118 bool tun_mtu_defined; /* true if user overriding parm with command line option */
119 int tun_mtu_extra;
120 bool tun_mtu_extra_defined;
121 int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */
122 bool link_mtu_defined; /* true if user overriding parm with command line option */
123
124 /* Advanced MTU negotiation and datagram fragmentation options */
125 int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
126
127 int fragment; /* internal fragmentation size */
128 int mssfix; /* Upper bound on TCP MSS */
129 bool mssfix_default; /* true if --mssfix was supplied without a parameter */
130
131 int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
132
133#define CE_DISABLED (1<<0)
134#define CE_MAN_QUERY_PROXY (1<<1)
135#define CE_MAN_QUERY_REMOTE_UNDEF 0
136#define CE_MAN_QUERY_REMOTE_QUERY 1
137#define CE_MAN_QUERY_REMOTE_ACCEPT 2
138#define CE_MAN_QUERY_REMOTE_MOD 3
139#define CE_MAN_QUERY_REMOTE_SKIP 4
140#define CE_MAN_QUERY_REMOTE_MASK (0x07)
141#define CE_MAN_QUERY_REMOTE_SHIFT (2)
142 unsigned int flags;
57d6f103
AQ		 143
144 /* Shared secret used for TLS control channel authentication */
145 const char *tls_auth_file;
cb2e9218 146 bool tls_auth_file_inline;
57d6f103
AQ		 147 int key_direction;
148
149 /* Shared secret used for TLS control channel authenticated encryption */
150 const char *tls_crypt_file;
cb2e9218 151 bool tls_crypt_file_inline;
9d59029a
SK		 152
153 /* Client-specific secret or server key used for TLS control channel
154 * authenticated encryption v2 */
155 const char *tls_crypt_v2_file;
cb2e9218 156 bool tls_crypt_v2_file_inline;
4e9a51d7
JY		 157};
158
159struct remote_entry
160{
81d882d5
DS		 161 const char *remote;
162 const char *remote_port;
163 int proto;
164 sa_family_t af;
4e9a51d7
JY		 165};
166
4e9a51d7
JY		 167#define CONNECTION_LIST_SIZE 64
168
169struct connection_list
170{
81d882d5
DS		 171 int len;
172 int current;
173 struct connection_entry *array[CONNECTION_LIST_SIZE];
4e9a51d7
JY		 174};
175
176struct remote_list
177{
81d882d5
DS		 178 int len;
179 struct remote_entry *array[CONNECTION_LIST_SIZE];
4e9a51d7
JY		 180};
181
08081aa0
AS		 182struct provider_list
183{
184 /* Names of the providers */
185 const char *names[MAX_PARMS];
186 /* Pointers to the loaded providers to unload them */
187 provider_t *providers[MAX_PARMS];
188};
189
99f28081
AQ		 190enum vlan_acceptable_frames
191{
e375a5ce 192 VLAN_ONLY_TAGGED,
99f28081 193 VLAN_ONLY_UNTAGGED_OR_PRIORITY,
d626fa17 194 VLAN_ALL,
99f28081
AQ		 195};
196
54561af6
JY		 197struct remote_host_store
198{
81d882d5
DS		 199#define RH_HOST_LEN 80
200 char host[RH_HOST_LEN];
076fd3e4 201#define RH_PORT_LEN 20
81d882d5 202 char port[RH_PORT_LEN];
54561af6 203};
54561af6 204
0d80b562
AS		 205enum genkey_type {
206 GENKEY_SECRET,
207 GENKEY_TLS_CRYPTV2_CLIENT,
208 GENKEY_TLS_CRYPTV2_SERVER,
1b9a88a2 209 GENKEY_AUTH_TOKEN
0d80b562
AS		 210};
211
d1fe6d52
AS		 212struct verify_hash_list
213{
214 /* We support SHA256 and SHA1 fingerpint. In the case of using the
215 * deprecated SHA1, only the first 20 bytes of each list item are used */
216 uint8_t hash[SHA256_DIGEST_LENGTH];
217 struct verify_hash_list *next;
218};
219
6fbf66fa
JY		 220/* Command line options */
221struct options
222{
81d882d5
DS		 223 struct gc_arena gc;
224 bool gc_owned;
6fbf66fa 225
81d882d5
DS		 226 /* first config file */
227 const char *config;
6fbf66fa 228
81d882d5
DS		 229 /* major mode */
230#define MODE_POINT_TO_POINT 0
231#define MODE_SERVER 1
232 int mode;
6fbf66fa 233
81d882d5
DS		 234 /* enable forward compatibility for post-2.1 features */
235 bool forward_compatible;
00a622f5
AQ		 236 /** What version we should try to be compatible with as major * 10000 +
237 * minor * 100 + patch, e.g. 2.4.7 => 20407 */
238 unsigned int backwards_compatible;
239
42d9f324 240 /* list of options that should be ignored even if unknown */
81d882d5 241 const char **ignore_unknown_option;
373faab1 242
81d882d5
DS		 243 /* persist parms */
244 bool persist_config;
245 int persist_mode;
6fbf66fa 246
81d882d5
DS		 247 const char *key_pass_file;
248 bool show_ciphers;
249 bool show_digests;
250 bool show_engines;
251 bool show_tls_ciphers;
252 bool show_curves;
253 bool genkey;
0d80b562 254 enum genkey_type genkey_type;
9cf7b492
AS		 255 const char *genkey_filename;
256 const char *genkey_extra_data;
81d882d5
DS		 257
258 /* Networking parms */
259 int connect_retry_max;
260 struct connection_entry ce;
261 struct connection_list *connection_list;
262
263 struct remote_list *remote_list;
264 /* Do not advanced the connection or remote addr list*/
265 bool no_advance;
266 /* Counts the number of unsuccessful connection attempts */
267 unsigned int unsuccessful_attempts;
4e9a51d7 268
a4b8f653 269#if ENABLE_MANAGEMENT
81d882d5
DS		 270 struct http_proxy_options *http_proxy_override;
271#endif
272
273 struct remote_host_store *rh_store;
274
275 bool remote_random;
276 const char *ipchange;
277 const char *dev;
278 const char *dev_type;
279 const char *dev_node;
280 const char *lladdr;
281 int topology; /* one of the TOP_x values from proto.h */
282 const char *ifconfig_local;
283 const char *ifconfig_remote_netmask;
284 const char *ifconfig_ipv6_local;
285 int ifconfig_ipv6_netbits;
286 const char *ifconfig_ipv6_remote;
287 bool ifconfig_noexec;
288 bool ifconfig_nowarn;
81d882d5 289 int shaper;
6fbf66fa 290
81d882d5 291 int proto_force;
51e6e5b0 292
81d882d5 293 bool mtu_test;
6fbf66fa 294
ffea644c 295#ifdef ENABLE_MEMSTATS
81d882d5 296 char *memstats_fn;
ffea644c
JY		 297#endif
298
81d882d5 299 bool mlock;
6fbf66fa 300
81d882d5
DS		 301 int keepalive_ping; /* a proxy for ping/ping-restart */
302 int keepalive_timeout;
6fbf66fa 303
81d882d5
DS		 304 int inactivity_timeout; /* --inactive */
305 int inactivity_minimum_bytes;
838911cc 306
81d882d5
DS		 307 int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */
308 int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */
309 bool ping_timer_remote; /* Run ping timer only if we have a remote address */
6fbf66fa 310
81d882d5
DS		 311#define PING_UNDEF 0
312#define PING_EXIT 1
313#define PING_RESTART 2
314 int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
6fbf66fa 315
81d882d5
DS		 316 bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
317 bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
318 bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
319 bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
6fbf66fa 320
6fbf66fa 321#if PASSTOS_CAPABILITY
81d882d5 322 bool passtos;
6fbf66fa
JY		 323#endif
324
81d882d5
DS		 325 int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
326 bool resolve_in_advance;
327 const char *ip_remote_hint;
6fbf66fa 328
81d882d5 329 struct tuntap_options tuntap_options;
6fbf66fa 330
81d882d5
DS		 331 /* Misc parms */
332 const char *username;
333 const char *groupname;
334 const char *chroot_dir;
335 const char *cd_dir;
cd5990e0 336#ifdef ENABLE_SELINUX
81d882d5 337 char *selinux_context;
99385447 338#endif
81d882d5
DS		 339 const char *writepid;
340 const char *up_script;
341 const char *down_script;
342 bool user_script_used;
343 bool down_pre;
344 bool up_delay;
345 bool up_restart;
346 bool daemon;
6fbf66fa 347
81d882d5 348 int remap_sigusr1;
6fbf66fa 349
81d882d5
DS		 350 bool log;
351 bool suppress_timestamps;
352 bool machine_readable_output;
353 int nice;
354 int verbosity;
355 int mute;
6fbf66fa
JY		 356
357#ifdef ENABLE_DEBUG
81d882d5 358 int gremlin;
6fbf66fa
JY		 359#endif
360
81d882d5
DS		 361 const char *status_file;
362 int status_file_version;
363 int status_file_update_freq;
6fbf66fa 364
81d882d5
DS		 365 /* optimize TUN/TAP/UDP writes */
366 bool fast_io;
6fbf66fa 367
38d96bd7 368#ifdef USE_COMP
81d882d5
DS		 369 struct compress_options comp;
370#endif
371
372 /* buffer sizes */
373 int rcvbuf;
374 int sndbuf;
375
376 /* mark value */
377 int mark;
19d3c602 378 char *bind_dev;
81d882d5
DS		 379
380 /* socket flags */
381 unsigned int sockflags;
382
383 /* route management */
384 const char *route_script;
385 const char *route_predown_script;
386 const char *route_default_gateway;
d24e1b17 387 const char *route_ipv6_default_gateway;
81d882d5
DS		 388 int route_default_metric;
389 bool route_noexec;
390 int route_delay;
391 int route_delay_window;
392 bool route_delay_defined;
393 struct route_option_list *routes;
394 struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
e11d2d14 395 bool block_ipv6;
81d882d5
DS		 396 bool route_nopull;
397 bool route_gateway_via_dhcp;
398 bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
399 struct client_nat_option_list *client_nat;
581bef87 400
81d882d5
DS		 401 /* Enable options consistency check between peers */
402 bool occ;
6fbf66fa
JY		 403
404#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 405 const char *management_addr;
406 const char *management_port;
407 const char *management_user_pass;
408 int management_log_history_cache;
409 int management_echo_buffer_size;
410 int management_state_buffer_size;
411 const char *management_write_peer_info_file;
90efcacb 412
81d882d5
DS		 413 const char *management_client_user;
414 const char *management_client_group;
bb564a59 415
81d882d5
DS		 416 /* Mask of MF_ values of manage.h */
417 unsigned int management_flags;
418 const char *management_certificate;
6fbf66fa
JY		 419#endif
420
421#ifdef ENABLE_PLUGIN
81d882d5 422 struct plugin_option_list *plugin_list;
6fbf66fa
JY		 423#endif
424
81d882d5
DS		 425 /* the tmp dir is for now only used in the P2P server context */
426 const char *tmp_dir;
427 bool server_defined;
428 in_addr_t server_network;
429 in_addr_t server_netmask;
430 bool server_ipv6_defined; /* IPv6 */
431 struct in6_addr server_network_ipv6; /* IPv6 */
432 unsigned int server_netbits_ipv6; /* IPv6 */
433
434#define SF_NOPOOL (1<<0)
435#define SF_TCP_NODELAY_HELPER (1<<1)
436#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
437 unsigned int server_flags;
438
439 bool server_bridge_proxy_dhcp;
440
441 bool server_bridge_defined;
442 in_addr_t server_bridge_ip;
443 in_addr_t server_bridge_netmask;
444 in_addr_t server_bridge_pool_start;
445 in_addr_t server_bridge_pool_end;
446
447 struct push_list push_list;
448 bool ifconfig_pool_defined;
449 in_addr_t ifconfig_pool_start;
450 in_addr_t ifconfig_pool_end;
451 in_addr_t ifconfig_pool_netmask;
452 const char *ifconfig_pool_persist_filename;
453 int ifconfig_pool_persist_refresh_freq;
454
455 bool ifconfig_ipv6_pool_defined; /* IPv6 */
456 struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */
457 int ifconfig_ipv6_pool_netbits; /* IPv6 */
458
459 int real_hash_size;
460 int virtual_hash_size;
461 const char *client_connect_script;
462 const char *client_disconnect_script;
463 const char *learn_address_script;
464 const char *client_config_dir;
465 bool ccd_exclusive;
466 bool disable;
467 int n_bcast_buf;
468 int tcp_queue_limit;
469 struct iroute *iroutes;
470 struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */
471 bool push_ifconfig_defined;
472 in_addr_t push_ifconfig_local;
473 in_addr_t push_ifconfig_remote_netmask;
474 in_addr_t push_ifconfig_local_alias;
475 bool push_ifconfig_constraint_defined;
476 in_addr_t push_ifconfig_constraint_network;
477 in_addr_t push_ifconfig_constraint_netmask;
6ae2f19d 478 bool push_ifconfig_ipv4_blocked; /* IPv4 */
81d882d5
DS		 479 bool push_ifconfig_ipv6_defined; /* IPv6 */
480 struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
481 int push_ifconfig_ipv6_netbits; /* IPv6 */
482 struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
483 bool push_ifconfig_ipv6_blocked; /* IPv6 */
484 bool enable_c2c;
485 bool duplicate_cn;
486 int cf_max;
487 int cf_per;
488 int max_clients;
489 int max_routes_per_client;
490 int stale_routes_check_interval;
491 int stale_routes_ageing_time;
492
493 const char *auth_user_pass_verify_script;
494 bool auth_user_pass_verify_script_via_file;
495 bool auth_token_generate;
c8723aa7
AS		 496 bool auth_token_gen_secret_file;
497 bool auth_token_call_auth;
498 int auth_token_lifetime;
1b9a88a2 499 const char *auth_token_secret_file;
cb2e9218 500 bool auth_token_secret_file_inline;
1b9a88a2 501
6add6b2f 502#if PORT_SHARE
81d882d5
DS		 503 char *port_share_host;
504 char *port_share_port;
505 const char *port_share_journal_dir;
6fbf66fa
JY		 506#endif
507
81d882d5
DS		 508 bool client;
509 bool pull; /* client pull of config options from server */
510 int push_continuation;
511 unsigned int push_option_types_found;
512 const char *auth_user_pass_file;
c1150e5b 513 struct options_pre_connect *pre_connect;
6fbf66fa 514
81d882d5 515 int scheduled_exit_interval;
6fbf66fa 516
66b9409b 517#ifdef ENABLE_MANAGEMENT
81d882d5 518 struct static_challenge_info sc_info;
6fbf66fa 519#endif
81d882d5
DS		 520 /* Cipher parms */
521 const char *shared_secret_file;
cb2e9218 522 bool shared_secret_file_inline;
81d882d5
DS		 523 int key_direction;
524 const char *ciphername;
2c1d8c33
AS		 525 bool enable_ncp_fallback; /**< If defined fall back to
526 * ciphername if NCP fails */
81d882d5
DS		 527 const char *ncp_ciphers;
528 const char *authname;
81d882d5 529 const char *engine;
08081aa0 530 struct provider_list providers;
81d882d5
DS		 531 bool replay;
532 bool mute_replay_warnings;
533 int replay_window;
534 int replay_time;
535 const char *packet_id_file;
81d882d5 536 bool test_crypto;
0f25d296 537#ifdef ENABLE_PREDICTION_RESISTANCE
81d882d5
DS		 538 bool use_prediction_resistance;
539#endif
540
541 /* TLS (control channel) parms */
542 bool tls_server;
543 bool tls_client;
544 const char *ca_file;
cb2e9218 545 bool ca_file_inline;
81d882d5
DS		 546 const char *ca_path;
547 const char *dh_file;
cb2e9218 548 bool dh_file_inline;
81d882d5 549 const char *cert_file;
cb2e9218 550 bool cert_file_inline;
81d882d5 551 const char *extra_certs_file;
cb2e9218 552 bool extra_certs_file_inline;
81d882d5 553 const char *priv_key_file;
cb2e9218 554 bool priv_key_file_inline;
81d882d5 555 const char *pkcs12_file;
cb2e9218 556 bool pkcs12_file_inline;
81d882d5 557 const char *cipher_list;
ea4ee313 558 const char *cipher_list_tls13;
8353ae80 559 const char *tls_groups;
aba75874 560 const char *tls_cert_profile;
81d882d5
DS		 561 const char *ecdh_curve;
562 const char *tls_verify;
563 int verify_x509_type;
564 const char *verify_x509_name;
565 const char *tls_export_cert;
566 const char *crl_file;
cb2e9218 567 bool crl_file_inline;
81d882d5
DS		 568
569 int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
570 unsigned remote_cert_ku[MAX_PARMS];
571 const char *remote_cert_eku;
d1fe6d52 572 struct verify_hash_list *verify_hash;
2193d7c0 573 hash_algo_type verify_hash_algo;
c3a7065d 574 int verify_hash_depth;
423ced96 575 bool verify_hash_no_ca;
81d882d5 576 unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
bed73623
JY		 577
578#ifdef ENABLE_PKCS11
81d882d5
DS		 579 const char *pkcs11_providers[MAX_PARMS];
580 unsigned pkcs11_private_mode[MAX_PARMS];
581 bool pkcs11_protected_authentication[MAX_PARMS];
582 bool pkcs11_cert_private[MAX_PARMS];
583 int pkcs11_pin_cache_period;
584 const char *pkcs11_id;
585 bool pkcs11_id_management;
bed73623
JY		 586#endif
587
93c22ecc 588#ifdef ENABLE_CRYPTOAPI
81d882d5 589 const char *cryptoapi_cert;
6fbf66fa 590#endif
81d882d5
DS		 591 /* Per-packet timeout on control channel */
592 int tls_timeout;
6fbf66fa 593
81d882d5
DS		 594 /* Data channel key renegotiation parameters */
595 int renegotiate_bytes;
596 int renegotiate_packets;
597 int renegotiate_seconds;
dd996463 598 int renegotiate_seconds_min;
6fbf66fa 599
81d882d5
DS		 600 /* Data channel key handshake must finalize
601 * within n seconds of handshake initiation. */
602 int handshake_window;
6fbf66fa 603
fbd18db6 604#ifdef ENABLE_X509ALTUSERNAME
3b04c34d
VG		 605 /* Field list used to be the username in X509 cert. */
606 char *x509_username_field[MAX_PARMS];
fbd18db6 607#endif
2e8337de 608
81d882d5
DS		 609 /* Old key allowed to live n seconds after new key goes active */
610 int transition_window;
6fbf66fa 611
81d882d5
DS		 612 /* Shared secret used for TLS control channel authentication */
613 const char *tls_auth_file;
cb2e9218 614 bool tls_auth_file_inline;
6fbf66fa 615
81d882d5
DS		 616 /* Shared secret used for TLS control channel authenticated encryption */
617 const char *tls_crypt_file;
cb2e9218 618 bool tls_crypt_file_inline;
c6e24fa3 619
9d59029a
SK		 620 /* Client-specific secret or server key used for TLS control channel
621 * authenticated encryption v2 */
622 const char *tls_crypt_v2_file;
cb2e9218 623 bool tls_crypt_v2_file_inline;
9d59029a 624
9d59029a
SK		 625 const char *tls_crypt_v2_metadata;
626
ff931c5e
SK		 627 const char *tls_crypt_v2_verify_script;
628
81d882d5
DS		 629 /* Allow only one session */
630 bool single_session;
6fbf66fa 631
81d882d5 632 bool push_peer_info;
aaf72974 633
81d882d5 634 bool tls_exit;
6fbf66fa 635
81d882d5 636 const struct x509_track *x509_track;
9356bae8 637
81d882d5
DS		 638 /* special state parms */
639 int foreign_option_index;
6fbf66fa 640
445b192a 641#ifdef _WIN32
81d882d5
DS		 642 HANDLE msg_channel;
643 const char *exit_event_name;
644 bool exit_event_initial_state;
645 bool show_net_up;
646 int route_method;
647 bool block_outside_dns;
36215dc5 648 enum windows_driver_type windows_driver;
6fbf66fa 649#endif
65eedc35 650
81d882d5
DS		 651 bool use_peer_id;
652 uint32_t peer_id;
685e486e 653
5defbba4 654#ifdef HAVE_EXPORT_KEYING_MATERIAL
81d882d5
DS		 655 /* Keying Material Exporters [RFC 5705] */
656 const char *keying_material_exporter_label;
657 int keying_material_exporter_length;
685e486e 658#endif
7f74c27e 659
99f28081
AQ		 660 bool vlan_tagging;
661 enum vlan_acceptable_frames vlan_accept;
662 uint16_t vlan_pvid;
663
81d882d5 664 struct pull_filter_list *pull_filter_list;
e8c42658 665
81d882d5
DS		 666 /* Useful when packets sent by openvpn itself are not subject
667 * to the routing tables that would move packets into the tunnel. */
668 bool allow_recursive_routing;
6dc09d0d 669
9c625f4a
AS		 670 /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
671 unsigned int data_channel_crypto_flags;
6fbf66fa
JY		 672};
673
674#define streq(x, y) (!strcmp((x), (y)))
675
676/*
677 * Option classes.
678 */
679#define OPT_P_GENERAL (1<<0)
680#define OPT_P_UP (1<<1)
681#define OPT_P_ROUTE (1<<2)
682#define OPT_P_IPWIN32 (1<<3)
683#define OPT_P_SCRIPT (1<<4)
684#define OPT_P_SETENV (1<<5)
685#define OPT_P_SHAPER (1<<6)
686#define OPT_P_TIMER (1<<7)
687#define OPT_P_PERSIST (1<<8)
688#define OPT_P_PERSIST_IP (1<<9)
689#define OPT_P_COMP (1<<10) /* TODO */
690#define OPT_P_MESSAGES (1<<11)
d728ebed 691#define OPT_P_NCP (1<<12) /**< Negotiable crypto parameters */
6fbf66fa
JY		 692#define OPT_P_TLS_PARMS (1<<13) /* TODO */
693#define OPT_P_MTU (1<<14) /* TODO */
694#define OPT_P_NICE (1<<15)
695#define OPT_P_PUSH (1<<16)
6168f53d 696#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/
6fbf66fa
JY		 697#define OPT_P_CONFIG (1<<18)
698#define OPT_P_EXPLICIT_NOTIFY (1<<19)
699#define OPT_P_ECHO (1<<20)
700#define OPT_P_INHERIT (1<<21)
3c7f2f55
JY		 701#define OPT_P_ROUTE_EXTRAS (1<<22)
702#define OPT_P_PULL_MODE (1<<23)
703#define OPT_P_PLUGIN (1<<24)
00d39170
JY		 704#define OPT_P_SOCKBUF (1<<25)
705#define OPT_P_SOCKFLAGS (1<<26)
4e9a51d7 706#define OPT_P_CONNECTION (1<<27)
65eedc35 707#define OPT_P_PEER_ID (1<<28)
cb2e9218 708#define OPT_P_INLINE (1<<29)
6fbf66fa 709
3c7f2f55 710#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
6fbf66fa 711
6fbf66fa 712#define PULL_DEFINED(opt) ((opt)->pull)
6fbf66fa 713#define PUSH_DEFINED(opt) ((opt)->push_list)
6fbf66fa
JY		 714
715#ifndef PULL_DEFINED
716#define PULL_DEFINED(opt) (false)
717#endif
718
719#ifndef PUSH_DEFINED
720#define PUSH_DEFINED(opt) (false)
721#endif
722
445b192a 723#ifdef _WIN32
6fbf66fa
JY		 724#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
725#else
726#define ROUTE_OPTION_FLAGS(o) (0)
727#endif
728
6fbf66fa 729#define SHAPER_DEFINED(opt) ((opt)->shaper)
6fbf66fa
JY		 730
731#ifdef ENABLE_PLUGIN
732#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
733#else
734#define PLUGIN_OPTION_LIST(opt) (NULL)
735#endif
736
99d217b2 737#ifdef ENABLE_MANAGEMENT
90efcacb
JY		 738#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
739#else
740#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
741#endif
742
81d882d5
DS		 743void parse_argv(struct options *options,
744 const int argc,
745 char *argv[],
746 const int msglevel,
747 const unsigned int permission_mask,
748 unsigned int *option_types_found,
749 struct env_set *es);
6fbf66fa 750
81d882d5 751void notnull(const char *arg, const char *description);
6fbf66fa 752
81d882d5 753void usage_small(void);
6fbf66fa 754
5b17803e
JY		 755void show_library_versions(const unsigned int flags);
756
445b192a 757#ifdef _WIN32
cdc65ea0 758void show_windows_version(const unsigned int flags);
81d882d5 759
cdc65ea0
LS		 760#endif
761
81d882d5
DS		 762void init_options(struct options *o, const bool init_gc);
763
764void uninit_options(struct options *o);
6fbf66fa 765
81d882d5 766void setenv_settings(struct env_set *es, const struct options *o);
6fbf66fa 767
81d882d5
DS		 768void show_settings(const struct options *o);
769
770bool string_defined_equal(const char *s1, const char *s2);
6fbf66fa 771
81d882d5
DS		 772const char *options_string_version(const char *s, struct gc_arena *gc);
773
774char *options_string(const struct options *o,
775 const struct frame *frame,
776 struct tuntap *tt,
dc7fcd71 777 openvpn_net_ctx_t *ctx,
81d882d5
DS		 778 bool remote,
779 struct gc_arena *gc);
780
781bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);
6fbf66fa 782
81d882d5 783void options_warning_safe(char *actual, const char *expected, size_t actual_n);
6fbf66fa 784
81d882d5
DS		 785bool options_cmp_equal(char *actual, const char *expected);
786
787void options_warning(char *actual, const char *expected);
6fbf66fa 788
6e5ad2fa
SK		 789/**
790 * Given an OpenVPN options string, extract the value of an option.
791 *
81d882d5
DS		 792 * @param options_string Zero-terminated, comma-separated options string
793 * @param opt_name The name of the option to extract
794 * @param gc The gc to allocate the return value
6e5ad2fa
SK		 795 *
796 * @return gc-allocated value of option with name opt_name if option was found,
797 * or NULL otherwise.
798 */
81d882d5
DS		 799char *options_string_extract_option(const char *options_string,
800 const char *opt_name, struct gc_arena *gc);
801
6e5ad2fa 802
81d882d5 803void options_postprocess(struct options *options);
6e5ad2fa 804
c1150e5b 805void pre_connect_save(struct options *o);
6fbf66fa 806
c1150e5b 807void pre_connect_restore(struct options *o, struct gc_arena *gc);
6fbf66fa 808
81d882d5
DS		 809bool apply_push_options(struct options *options,
810 struct buffer *buf,
811 unsigned int permission_mask,
812 unsigned int *option_types_found,
813 struct env_set *es);
6fbf66fa 814
81d882d5 815void options_detach(struct options *o);
6fbf66fa 816
81d882d5
DS		 817void options_server_import(struct options *o,
818 const char *filename,
819 int msglevel,
820 unsigned int permission_mask,
821 unsigned int *option_types_found,
822 struct env_set *es);
6fbf66fa 823
81d882d5 824void pre_pull_default(struct options *o);
6fbf66fa 825
81d882d5 826void rol_check_alloc(struct options *options);
6fbf66fa 827
81d882d5
DS		 828int parse_line(const char *line,
829 char *p[],
830 const int n,
831 const char *file,
832 const int line_num,
833 int msglevel,
834 struct gc_arena *gc);
6fbf66fa 835
3c7f2f55
JY		 836/*
837 * parse/print topology coding
838 */
839
81d882d5
DS		 840int parse_topology(const char *str, const int msglevel);
841
842const char *print_topology(const int topology);
3c7f2f55 843
6fbf66fa
JY		 844/*
845 * Manage auth-retry variable
846 */
847
6fbf66fa
JY		 848#define AR_NONE 0
849#define AR_INTERACT 1
850#define AR_NOINTERACT 2
851
81d882d5
DS		 852int auth_retry_get(void);
853
854bool auth_retry_set(const int msglevel, const char *option);
855
856const char *auth_retry_print(void);
6fbf66fa 857
81d882d5
DS		 858void options_string_import(struct options *options,
859 const char *config,
860 const int msglevel,
861 const unsigned int permission_mask,
862 unsigned int *option_types_found,
863 struct env_set *es);
3c7f2f55 864
4b85c488
SN		 865bool key_is_external(const struct options *options);
866
81d882d5 867#endif /* ifndef OPTIONS_H */
Mirror of https://github.com/OpenVPN/openvpn.git