1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
1800d77e 8 * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
27 */
28
29#ifndef OPTIONS_H
30#define OPTIONS_H
31
32#include "basic.h"
33#include "common.h"
34#include "mtu.h"
35#include "route.h"
36#include "tun.h"
37#include "socket.h"
38#include "plugin.h"
39#include "manage.h"
40#include "proxy.h"
38d96bd7 41#include "comp.h"
3eee126e 42#include "pushlist.h"
581bef87 43#include "clinat.h"
2193d7c0 44#include "crypto_backend.h"
b3e0d95d 45#include "dns.h"
2193d7c0 46
/*
 * Maximum number of parameters associated with an option,
 * including the option name itself.
 *
 * This also sizes every per-option array in this header
 * (provider_list::names, options::remote_cert_ku, the pkcs11_* arrays,
 * x509_username_field), so a parser that fills those arrays must stop
 * at MAX_PARMS entries.
 */
#define MAX_PARMS 16

/*
 * Max size of options line and parameter.
 * NOTE(review): presumably the buffer bounds used by parse_line() further
 * down — confirm in options.c before relying on them elsewhere.
 */
#define OPTION_PARM_SIZE 256
#define OPTION_LINE_SIZE 256

/* Program title/banner; defined in options.c. */
extern const char title_string[];

/* certain options are saved before --pull modifications are applied
 *
 * Each saved pointer/struct is paired with a *_defined flag so that a
 * restore can tell "not saved" apart from "saved as NULL/empty".
 * Presumably populated by pre_connect_save() and reapplied by
 * pre_connect_restore(), both declared later in this header — confirm
 * against options.c. */
struct options_pre_connect
{
    bool tuntap_options_defined;
    struct tuntap_options tuntap_options;

    bool routes_defined;
    struct route_option_list *routes;

    bool routes_ipv6_defined;
    struct route_ipv6_option_list *routes_ipv6;

    const char *route_default_gateway;
    const char *route_ipv6_default_gateway;

    bool client_nat_defined;
    struct client_nat_option_list *client_nat;

    struct dns_options dns_options;

    /* data-channel cipher/auth names as configured before the pull */
    const char *ciphername;
    const char *authname;

    /* ping/keepalive settings as configured before the pull */
    int ping_send_timeout;
    int ping_rec_timeout;
    int ping_rec_timeout_action;

    int foreign_option_index;
#ifdef USE_COMP
    struct compress_options comp;
#endif
};

/* Build-time check: at least one crypto backend must have been selected
 * at configure time; fail the build here rather than with undefined
 * symbols later. */
#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
#error "At least one of OpenSSL or mbed TLS needs to be defined."
#endif

/*
 * One transport endpoint description: where to bind, where to connect,
 * which proxy to use, MTU/fragmentation tuning and the control-channel
 * key files that apply to that particular connection.
 */
struct connection_entry
{
    int proto;
    sa_family_t af;
    const char *local_port;
    bool local_port_defined;
    const char *remote_port;
    const char *local;
    const char *remote;
    bool remote_float;
    bool bind_defined;
    bool bind_ipv6_only;
    bool bind_local;
    int connect_retry_seconds;
    int connect_retry_seconds_max;
    int connect_timeout;
    struct http_proxy_options *http_proxy_options;
    const char *socks_proxy_server;
    const char *socks_proxy_port;
    const char *socks_proxy_authfile;

    int tun_mtu;           /* MTU of tun device */
    bool tun_mtu_defined;  /* true if user overriding parm with command line option */
    int tun_mtu_extra;
    bool tun_mtu_extra_defined;
    int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */
    bool link_mtu_defined; /* true if user overriding parm with command line option */

    /* Advanced MTU negotiation and datagram fragmentation options */
    int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */

    int fragment;          /* internal fragmentation size */
    bool fragment_encap;   /* true if --fragment had the "mtu" parameter to
                            * include overhead from IP and TCP/UDP encapsulation */
    int mssfix;            /* Upper bound on TCP MSS */
    bool mssfix_default;   /* true if --mssfix should use the default parameters */
    bool mssfix_encap;     /* true if --mssfix had the "mtu" parameter to include
                            * overhead from IP and TCP/UDP encapsulation */
    bool mssfix_fixed;     /* use the mssfix value without any encapsulation adjustments */

    int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */

    /* Layout of 'flags' below:
     *   bit 0      CE_DISABLED
     *   bit 1      CE_MAN_QUERY_PROXY
     *   bits 2..4  one of the CE_MAN_QUERY_REMOTE_* values, stored as
     *              (value << CE_MAN_QUERY_REMOTE_SHIFT) and extracted with
     *              CE_MAN_QUERY_REMOTE_MASK after shifting back. */
#define CE_DISABLED (1<<0)
#define CE_MAN_QUERY_PROXY (1<<1)
#define CE_MAN_QUERY_REMOTE_UNDEF 0
#define CE_MAN_QUERY_REMOTE_QUERY 1
#define CE_MAN_QUERY_REMOTE_ACCEPT 2
#define CE_MAN_QUERY_REMOTE_MOD 3
#define CE_MAN_QUERY_REMOTE_SKIP 4
#define CE_MAN_QUERY_REMOTE_MASK (0x07)
#define CE_MAN_QUERY_REMOTE_SHIFT (2)
    unsigned int flags;

    /* Shared secret used for TLS control channel authentication.
     * NOTE(review): the *_inline flags below presumably mean the matching
     * *_file string holds the key material itself rather than a path
     * (per the naming and OPT_P_INLINE) — confirm in options.c, and keep
     * such strings out of logs and status output. */
    const char *tls_auth_file;
    bool tls_auth_file_inline;
    int key_direction;

    /* Shared secret used for TLS control channel authenticated encryption */
    const char *tls_crypt_file;
    bool tls_crypt_file_inline;

    /* Client-specific secret or server key used for TLS control channel
     * authenticated encryption v2 */
    const char *tls_crypt_v2_file;
    bool tls_crypt_v2_file_inline;
};

/* A single --remote target: host, port, transport protocol and
 * address family. Strings are not owned by this struct. */
struct remote_entry
{
    const char *remote;
    const char *remote_port;
    int proto;
    sa_family_t af;
};

/* Fixed capacity of connection_list::array and remote_list::array. */
#define CONNECTION_LIST_SIZE 64

/* Ordered set of connection entries to try.
 * 'array' has a fixed capacity, so any code that appends must keep
 * len <= CONNECTION_LIST_SIZE; 'current' is presumably the index of the
 * entry in use (0 <= current < len) — confirm in options.c. */
struct connection_list
{
    int len;
    int current;
    struct connection_entry *array[CONNECTION_LIST_SIZE];
};

/* Ordered set of --remote targets. Same fixed-capacity rule as
 * connection_list: len must never exceed CONNECTION_LIST_SIZE. */
struct remote_list
{
    int len;
    struct remote_entry *array[CONNECTION_LIST_SIZE];
};

/* Crypto providers requested on the command line.
 * The two arrays are presumably parallel (names[i] loaded into
 * providers[i]) and bounded by MAX_PARMS — confirm in options.c. */
struct provider_list
{
    /* Names of the providers */
    const char *names[MAX_PARMS];
    /* Pointers to the loaded providers to unload them */
    provider_t *providers[MAX_PARMS];
};

/* Which Ethernet frames a VLAN-tagging TAP server accepts from a client;
 * stored in options::vlan_accept. */
enum vlan_acceptable_frames
{
    VLAN_ONLY_TAGGED,
    VLAN_ONLY_UNTAGGED_OR_PRIORITY,
    VLAN_ALL,
};

/* Inline storage for a remote host/port pair.
 * Both members are fixed-size character buffers: any copy into them must
 * be bounded by RH_HOST_LEN / RH_PORT_LEN (terminator included) — do not
 * use strcpy()/sprintf() here. */
struct remote_host_store
{
#define RH_HOST_LEN 80
    char host[RH_HOST_LEN];
#define RH_PORT_LEN 20
    char port[RH_PORT_LEN];
};

/* Which kind of key --genkey should produce; stored in options::genkey_type. */
enum genkey_type {
    GENKEY_SECRET,
    GENKEY_TLS_CRYPTV2_CLIENT,
    GENKEY_TLS_CRYPTV2_SERVER,
    GENKEY_AUTH_TOKEN
};

/* Singly-linked list of acceptable peer certificate fingerprints
 * (--verify-hash / --peer-fingerprint); terminated by next == NULL. */
struct verify_hash_list
{
    /* We support SHA256 and SHA1 fingerprint. In the case of using the
     * deprecated SHA1, only the first 20 bytes of each list item are used;
     * which algorithm applies is recorded in options::verify_hash_algo. */
    uint8_t hash[SHA256_DIGEST_LENGTH];
    struct verify_hash_list *next;
};

/* Command line options.
 *
 * The single configuration record that every parsing entry point declared
 * below (parse_argv, options_string_import, options_server_import,
 * apply_push_options) takes by pointer. String members are not owned
 * individually; they presumably live in the 'gc' arena (see init_options()
 * and its init_gc parameter) — confirm in options.c.
 */
struct options
{
    struct gc_arena gc;
    bool gc_owned;   /* true if this struct owns 'gc' and must release it */

    /* first config file */
    const char *config;

    /* major mode */
#define MODE_POINT_TO_POINT 0
#define MODE_SERVER 1
    int mode;

    /* enable forward compatibility for post-2.1 features */
    bool forward_compatible;
    /** What version we should try to be compatible with as major * 10000 +
     * minor * 100 + patch, e.g. 2.4.7 => 20407 */
    unsigned int backwards_compatible;

    /* list of options that should be ignored even if unknown */
    const char **ignore_unknown_option;

    /* persist parms */
    bool persist_config;
    int persist_mode;

    const char *key_pass_file;
    bool show_ciphers;
    bool show_digests;
    bool show_engines;
    bool show_tls_ciphers;
    bool show_curves;
    bool genkey;
    enum genkey_type genkey_type;
    const char *genkey_filename;
    const char *genkey_extra_data;

    /* Networking parms */
    int connect_retry_max;
    struct connection_entry ce;
    struct connection_list *connection_list;

    struct remote_list *remote_list;
    /* Do not advance the connection or remote addr list */
    bool no_advance;
    /* Counts the number of unsuccessful connection attempts */
    unsigned int unsuccessful_attempts;

    /* NOTE(review): this block uses #if while the other ENABLE_MANAGEMENT
     * blocks in this file use #ifdef; that is only equivalent when the
     * macro is always defined to a non-zero integer — confirm in config.h. */
#if ENABLE_MANAGEMENT
    struct http_proxy_options *http_proxy_override;
#endif

    struct remote_host_store *rh_store;

    struct dns_options dns_options;

    bool remote_random;
    const char *ipchange;
    const char *dev;
    const char *dev_type;
    const char *dev_node;
    const char *lladdr;
    int topology; /* one of the TOP_x values from proto.h */
    const char *ifconfig_local;
    const char *ifconfig_remote_netmask;
    const char *ifconfig_ipv6_local;
    int ifconfig_ipv6_netbits;
    const char *ifconfig_ipv6_remote;
    bool ifconfig_noexec;
    bool ifconfig_nowarn;
    int shaper;

    int proto_force;

    bool mtu_test;

#ifdef ENABLE_MEMSTATS
    char *memstats_fn;
#endif

    bool mlock;

    int keepalive_ping;    /* a proxy for ping/ping-restart */
    int keepalive_timeout;

    int inactivity_timeout;         /* --inactive */
    int64_t inactivity_minimum_bytes;

    int ping_send_timeout;  /* Send a TCP/UDP ping to remote every n seconds */
    int ping_rec_timeout;   /* Expect a TCP/UDP ping from remote at least once every n seconds */
    bool ping_timer_remote; /* Run ping timer only if we have a remote address */

#define PING_UNDEF 0
#define PING_EXIT 1
#define PING_RESTART 2
    int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */

    bool persist_tun;       /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
    bool persist_local_ip;  /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
    bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
    bool persist_key;       /* Don't re-read key files on SIGUSR1 or PING_RESTART */

#if PASSTOS_CAPABILITY
    bool passtos;
#endif

    int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
    bool resolve_in_advance;
    const char *ip_remote_hint;

    struct tuntap_options tuntap_options;

    /* Misc parms */
    const char *username;
    const char *groupname;
    const char *chroot_dir;
    const char *cd_dir;
#ifdef ENABLE_SELINUX
    char *selinux_context;
#endif
    const char *writepid;
    const char *up_script;
    const char *down_script;
    bool user_script_used;
    bool down_pre;
    bool up_delay;
    bool up_restart;
    bool daemon;

    int remap_sigusr1;

    bool log;
    bool suppress_timestamps;
    bool machine_readable_output;
    int nice;
    int verbosity;
    int mute;

#ifdef ENABLE_DEBUG
    int gremlin;
#endif

    const char *status_file;
    int status_file_version;
    int status_file_update_freq;

    /* optimize TUN/TAP/UDP writes */
    bool fast_io;

#ifdef USE_COMP
    struct compress_options comp;
#endif

    /* buffer sizes */
    int rcvbuf;
    int sndbuf;

    /* mark value */
    int mark;
    char *bind_dev;

    /* socket flags */
    unsigned int sockflags;

    /* route management */
    const char *route_script;
    const char *route_predown_script;
    const char *route_default_gateway;
    const char *route_ipv6_default_gateway;
    int route_default_metric;
    bool route_noexec;
    int route_delay;
    int route_delay_window;
    bool route_delay_defined;
    struct route_option_list *routes;
    struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
    bool block_ipv6;
    bool route_nopull;
    bool route_gateway_via_dhcp;
    bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
    struct client_nat_option_list *client_nat;

    /* Enable options consistency check between peers */
    bool occ;

#ifdef ENABLE_MANAGEMENT
    const char *management_addr;
    const char *management_port;
    const char *management_user_pass;
    int management_log_history_cache;
    int management_echo_buffer_size;
    int management_state_buffer_size;
    const char *management_write_peer_info_file;

    const char *management_client_user;
    const char *management_client_group;

    /* Mask of MF_ values of manage.h */
    unsigned int management_flags;
    const char *management_certificate;
#endif

#ifdef ENABLE_PLUGIN
    struct plugin_option_list *plugin_list;
#endif

    /* the tmp dir is for now only used in the P2P server context */
    const char *tmp_dir;
    bool server_defined;
    in_addr_t server_network;
    in_addr_t server_netmask;
    bool server_ipv6_defined;               /* IPv6 */
    struct in6_addr server_network_ipv6;    /* IPv6 */
    unsigned int server_netbits_ipv6;       /* IPv6 */

    /* bit values for server_flags */
#define SF_NOPOOL (1<<0)
#define SF_TCP_NODELAY_HELPER (1<<1)
#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
    unsigned int server_flags;

    bool server_bridge_proxy_dhcp;

    bool server_bridge_defined;
    in_addr_t server_bridge_ip;
    in_addr_t server_bridge_netmask;
    in_addr_t server_bridge_pool_start;
    in_addr_t server_bridge_pool_end;

    struct push_list push_list;
    bool ifconfig_pool_defined;
    in_addr_t ifconfig_pool_start;
    in_addr_t ifconfig_pool_end;
    in_addr_t ifconfig_pool_netmask;
    const char *ifconfig_pool_persist_filename;
    int ifconfig_pool_persist_refresh_freq;

    bool ifconfig_ipv6_pool_defined;          /* IPv6 */
    struct in6_addr ifconfig_ipv6_pool_base;  /* IPv6 */
    int ifconfig_ipv6_pool_netbits;           /* IPv6 */

    int real_hash_size;
    int virtual_hash_size;
    const char *client_connect_script;
    const char *client_disconnect_script;
    const char *learn_address_script;
    const char *client_config_dir;
    bool ccd_exclusive;
    bool disable;
    int n_bcast_buf;
    int tcp_queue_limit;
    struct iroute *iroutes;
    struct iroute_ipv6 *iroutes_ipv6;        /* IPv6 */
    bool push_ifconfig_defined;
    in_addr_t push_ifconfig_local;
    in_addr_t push_ifconfig_remote_netmask;
    in_addr_t push_ifconfig_local_alias;
    bool push_ifconfig_constraint_defined;
    in_addr_t push_ifconfig_constraint_network;
    in_addr_t push_ifconfig_constraint_netmask;
    bool push_ifconfig_ipv4_blocked;         /* IPv4 */
    bool push_ifconfig_ipv6_defined;         /* IPv6 */
    struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
    int push_ifconfig_ipv6_netbits;          /* IPv6 */
    struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
    bool push_ifconfig_ipv6_blocked;         /* IPv6 */
    bool enable_c2c;
    bool duplicate_cn;
    int cf_max;
    int cf_per;
    int max_clients;
    int max_routes_per_client;
    int stale_routes_check_interval;
    int stale_routes_ageing_time;

    const char *auth_user_pass_verify_script;
    bool auth_user_pass_verify_script_via_file;
    bool auth_token_generate;
    bool auth_token_gen_secret_file;
    bool auth_token_call_auth;
    int auth_token_lifetime;
    const char *auth_token_secret_file;
    bool auth_token_secret_file_inline;

#if PORT_SHARE
    char *port_share_host;
    char *port_share_port;
    const char *port_share_journal_dir;
#endif

    bool client;
    bool pull; /* client pull of config options from server */
    int push_continuation;
    unsigned int push_option_types_found;
    const char *auth_user_pass_file;
    /* snapshot of pull-modifiable settings, see struct options_pre_connect */
    struct options_pre_connect *pre_connect;

    int scheduled_exit_interval;

#ifdef ENABLE_MANAGEMENT
    struct static_challenge_info sc_info;
#endif
    /* Cipher parms
     *
     * NOTE(review): every *_file member that has a *_inline companion
     * presumably holds the key material itself when that flag is set
     * (naming and OPT_P_INLINE suggest so — confirm in options.c). Code
     * that prints this struct (e.g. show_settings() below) should not
     * echo those strings. */
    const char *shared_secret_file;
    bool shared_secret_file_inline;
    int key_direction;
    const char *ciphername;
    bool enable_ncp_fallback;      /**< If defined fall back to
                                    * ciphername if NCP fails */
    const char *ncp_ciphers;
    const char *authname;
    const char *engine;
    struct provider_list providers;
    bool replay;
    bool mute_replay_warnings;
    int replay_window;
    int replay_time;
    const char *packet_id_file;
    bool test_crypto;
#ifdef ENABLE_PREDICTION_RESISTANCE
    bool use_prediction_resistance;
#endif

    /* TLS (control channel) parms */
    bool tls_server;
    bool tls_client;
    const char *ca_file;
    bool ca_file_inline;
    const char *ca_path;
    const char *dh_file;
    bool dh_file_inline;
    const char *cert_file;
    bool cert_file_inline;
    const char *extra_certs_file;
    bool extra_certs_file_inline;
    const char *priv_key_file;
    bool priv_key_file_inline;
    const char *pkcs12_file;
    bool pkcs12_file_inline;
    const char *cipher_list;
    const char *cipher_list_tls13;
    const char *tls_groups;
    const char *tls_cert_profile;
    const char *ecdh_curve;
    const char *tls_verify;
    int verify_x509_type;
    const char *verify_x509_name;
    const char *tls_export_cert;
    const char *crl_file;
    bool crl_file_inline;

    int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
    unsigned remote_cert_ku[MAX_PARMS]; /* up to MAX_PARMS required key-usage values */
    const char *remote_cert_eku;
    struct verify_hash_list *verify_hash;
    hash_algo_type verify_hash_algo;    /* digest the entries of verify_hash use */
    int verify_hash_depth;
    bool verify_hash_no_ca;
    unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */

#ifdef ENABLE_PKCS11
    const char *pkcs11_providers[MAX_PARMS];
    unsigned pkcs11_private_mode[MAX_PARMS];
    bool pkcs11_protected_authentication[MAX_PARMS];
    bool pkcs11_cert_private[MAX_PARMS];
    int pkcs11_pin_cache_period;
    const char *pkcs11_id;
    bool pkcs11_id_management;
#endif

#ifdef ENABLE_CRYPTOAPI
    const char *cryptoapi_cert;
#endif
    /* Per-packet timeout on control channel */
    int tls_timeout;

    /* Data channel key renegotiation parameters */
    int renegotiate_bytes;
    int renegotiate_packets;
    int renegotiate_seconds;
    int renegotiate_seconds_min;

    /* Data channel key handshake must finalize
     * within n seconds of handshake initiation. */
    int handshake_window;

#ifdef ENABLE_X509ALTUSERNAME
    /* Field list used to be the username in X509 cert. */
    char *x509_username_field[MAX_PARMS];
#endif

    /* Old key allowed to live n seconds after new key goes active */
    int transition_window;

    /* Shared secret used for TLS control channel authentication */
    const char *tls_auth_file;
    bool tls_auth_file_inline;

    /* Shared secret used for TLS control channel authenticated encryption */
    const char *tls_crypt_file;
    bool tls_crypt_file_inline;

    /* Client-specific secret or server key used for TLS control channel
     * authenticated encryption v2 */
    const char *tls_crypt_v2_file;
    bool tls_crypt_v2_file_inline;

    const char *tls_crypt_v2_metadata;

    const char *tls_crypt_v2_verify_script;

    /* Allow only one session */
    bool single_session;

    bool push_peer_info;

    bool tls_exit;

    const struct x509_track *x509_track;

    /* special state parms */
    int foreign_option_index;

#ifdef _WIN32
    HANDLE msg_channel;
    const char *exit_event_name;
    bool exit_event_initial_state;
    bool show_net_up;
    int route_method;
    bool block_outside_dns;
    enum windows_driver_type windows_driver;
#endif

    bool use_peer_id;
    uint32_t peer_id;

#ifdef HAVE_EXPORT_KEYING_MATERIAL
    /* Keying Material Exporters [RFC 5705] */
    const char *keying_material_exporter_label;
    int keying_material_exporter_length;
#endif

    bool vlan_tagging;
    enum vlan_acceptable_frames vlan_accept;
    uint16_t vlan_pvid;

    struct pull_filter_list *pull_filter_list;

    /* Useful when packets sent by openvpn itself are not subject
     * to the routing tables that would move packets into the tunnel. */
    bool allow_recursive_routing;

    /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
    unsigned int data_channel_crypto_flags;
};

/* String equality shorthand. Both arguments must be valid, NUL-terminated
 * strings: strcmp() on a NULL pointer is undefined behaviour, so callers
 * that may hold NULL need their own check first. */
#define streq(x, y) (!strcmp((x), (y)))

/*
 * Option classes.
 *
 * Bit flags describing where an option may legally appear; combined
 * into the permission_mask / option_types_found arguments of the parsing
 * functions declared below.
 */
#define OPT_P_GENERAL         (1<<0)
#define OPT_P_UP              (1<<1)
#define OPT_P_ROUTE           (1<<2)
#define OPT_P_IPWIN32         (1<<3)
#define OPT_P_SCRIPT          (1<<4)
#define OPT_P_SETENV          (1<<5)
#define OPT_P_SHAPER          (1<<6)
#define OPT_P_TIMER           (1<<7)
#define OPT_P_PERSIST         (1<<8)
#define OPT_P_PERSIST_IP      (1<<9)
#define OPT_P_COMP            (1<<10) /* TODO */
#define OPT_P_MESSAGES        (1<<11)
#define OPT_P_NCP             (1<<12) /**< Negotiable crypto parameters */
#define OPT_P_TLS_PARMS       (1<<13) /* TODO */
#define OPT_P_MTU             (1<<14) /* TODO */
#define OPT_P_NICE            (1<<15)
#define OPT_P_PUSH            (1<<16)
#define OPT_P_INSTANCE        (1<<17) /**< allowed in ccd, client-connect etc*/
#define OPT_P_CONFIG          (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO            (1<<20)
#define OPT_P_INHERIT         (1<<21)
#define OPT_P_ROUTE_EXTRAS    (1<<22)
#define OPT_P_PULL_MODE       (1<<23)
#define OPT_P_PLUGIN          (1<<24)
#define OPT_P_SOCKBUF         (1<<25)
#define OPT_P_SOCKFLAGS       (1<<26)
#define OPT_P_CONNECTION      (1<<27)
#define OPT_P_PEER_ID         (1<<28)
#define OPT_P_INLINE          (1<<29)

/* Every class bit except OPT_P_INSTANCE and OPT_P_PULL_MODE. */
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))

#define PULL_DEFINED(opt) ((opt)->pull)
/* NOTE(review): struct options declares push_list as a struct, not a
 * pointer, so this expands to a non-scalar expression; confirm the macro
 * is still used anywhere — in a boolean context it would not compile. */
#define PUSH_DEFINED(opt) ((opt)->push_list)

/* The two fallbacks below are never taken: both macros are defined
 * unconditionally just above. Kept for history. */
#ifndef PULL_DEFINED
#define PULL_DEFINED(opt) (false)
#endif

#ifndef PUSH_DEFINED
#define PUSH_DEFINED(opt) (false)
#endif

#ifdef _WIN32
#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
#else
#define ROUTE_OPTION_FLAGS(o) (0)
#endif

#define SHAPER_DEFINED(opt) ((opt)->shaper)

#ifdef ENABLE_PLUGIN
#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
#else
#define PLUGIN_OPTION_LIST(opt) (NULL)
#endif

#ifdef ENABLE_MANAGEMENT
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#else
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
#endif

/**
 * Parse the process command line into @p options.
 *
 * @param options             Record to fill (see struct options).
 * @param argc                Argument count as received by main().
 * @param argv                Argument vector; non-const because the parser
 *                            may keep pointers into it.
 * @param msglevel            Log level used for diagnostics.
 * @param permission_mask     Presumably an OPT_P_* class mask limiting
 *                            which options are accepted — confirm in options.c.
 * @param option_types_found  Presumably accumulates the OPT_P_* bits of the
 *                            options encountered — confirm in options.c.
 * @param es                  Environment set updated as a side effect.
 */
void parse_argv(struct options *options,
                const int argc,
                char *argv[],
                const int msglevel,
                const unsigned int permission_mask,
                unsigned int *option_types_found,
                struct env_set *es);

/* Check that a required option value is present; presumably fatal when
 * arg is NULL, naming 'description' in the message — confirm in options.c. */
void notnull(const char *arg, const char *description);

void usage_small(void);

void show_library_versions(const unsigned int flags);

#ifdef _WIN32
void show_windows_version(const unsigned int flags);

#endif

/* Reset *o to defaults; init_gc selects whether o->gc is initialised
 * (and therefore owned) by this call. */
void init_options(struct options *o, const bool init_gc);

void uninit_options(struct options *o);

void setenv_settings(struct env_set *es, const struct options *o);

/* Dumps the option record for debugging. NOTE(review): confirm that
 * inline key material (the *_file members with a set *_inline flag) is
 * not echoed by this function. */
void show_settings(const struct options *o);

bool string_defined_equal(const char *s1, const char *s2);

const char *options_string_version(const char *s, struct gc_arena *gc);

/* Build the options-consistency (OCC) string for this side; allocated in gc. */
char *options_string(const struct options *o,
                     const struct frame *frame,
                     struct tuntap *tt,
                     openvpn_net_ctx_t *ctx,
                     bool remote,
                     struct gc_arena *gc);

/* The _safe variants take the actual string as a non-const buffer of
 * length actual_n; presumably used when 'actual' arrives from the peer and
 * must be bounded/terminated before comparison — confirm in options.c. */
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);

void options_warning_safe(char *actual, const char *expected, size_t actual_n);

bool options_cmp_equal(char *actual, const char *expected);

void options_warning(char *actual, const char *expected);

/**
 * Given an OpenVPN options string, extract the value of an option.
 *
 * @param options_string  Zero-terminated, comma-separated options string
 * @param opt_name        The name of the option to extract
 * @param gc              The gc to allocate the return value
 *
 * @return gc-allocated value of option with name opt_name if option was found,
 *         or NULL otherwise.
 */
char *options_string_extract_option(const char *options_string,
                                    const char *opt_name, struct gc_arena *gc);


void options_postprocess(struct options *options);

bool options_postprocess_pull(struct options *o, struct env_set *es);

/* Save/restore the pull-modifiable subset described by
 * struct options_pre_connect. */
void pre_connect_save(struct options *o);

void pre_connect_restore(struct options *o, struct gc_arena *gc);

/**
 * Apply options pushed by the server (carried in @p buf) to @p options.
 * Pushed data is peer-controlled: permission_mask is the only thing
 * limiting what it may change, so callers must not widen it casually.
 */
bool apply_push_options(struct options *options,
                        struct buffer *buf,
                        unsigned int permission_mask,
                        unsigned int *option_types_found,
                        struct env_set *es);

void options_detach(struct options *o);

/* Read a per-client config file (server side) into *o. */
void options_server_import(struct options *o,
                           const char *filename,
                           int msglevel,
                           unsigned int permission_mask,
                           unsigned int *option_types_found,
                           struct env_set *es);

void pre_pull_default(struct options *o);

void rol_check_alloc(struct options *options);

/**
 * Split one config line into parameters.
 *
 * @param line      Input line.
 * @param p         Output array receiving up to n parameter pointers.
 * @param n         Capacity of p; callers in this header pass MAX_PARMS.
 * @param file      Source file name, for diagnostics.
 * @param line_num  Source line number, for diagnostics.
 * @param msglevel  Log level for diagnostics.
 * @param gc        Arena the parameters are allocated in.
 * @return number of parameters stored in p (presumed; confirm in options.c).
 */
int parse_line(const char *line,
               char *p[],
               const int n,
               const char *file,
               const int line_num,
               int msglevel,
               struct gc_arena *gc);

/*
 * parse/print topology coding
 */

/* Map a --topology keyword to one of the TOP_x values from proto.h. */
int parse_topology(const char *str, const int msglevel);

/* Inverse of parse_topology(). */
const char *print_topology(const int topology);

/*
 * Manage auth-retry variable
 */

/* Values of the module-level auth-retry setting. */
#define AR_NONE 0
#define AR_INTERACT 1
#define AR_NOINTERACT 2

int auth_retry_get(void);

/* Set the auth-retry mode from an option keyword; returns false on an
 * unrecognised value (presumed; confirm in options.c). */
bool auth_retry_set(const int msglevel, const char *option);

const char *auth_retry_print(void);

/* Parse a complete configuration held in a string (same permission/type
 * parameters as parse_argv()). */
void options_string_import(struct options *options,
                           const char *config,
                           const int msglevel,
                           const unsigned int permission_mask,
                           unsigned int *option_types_found,
                           struct env_set *es);

/* True if the private key is provided by an external source rather than
 * a file (presumed from the name; confirm in options.c). */
bool key_is_external(const struct options *options);

81d882d5 879#endif /* ifndef OPTIONS_H */