1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
022f0a43 8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
27 */
28
29#ifndef OPTIONS_H
30#define OPTIONS_H
31
32#include "basic.h"
33#include "common.h"
34#include "mtu.h"
35#include "route.h"
36#include "tun.h"
37#include "socket.h"
38#include "plugin.h"
39#include "manage.h"
40#include "proxy.h"
38d96bd7 41#include "comp.h"
3eee126e 42#include "pushlist.h"
581bef87 43#include "clinat.h"
2193d7c0 44#include "crypto_backend.h"
b3e0d95d 45#include "dns.h"
2193d7c0 46
/*
 * Maximum number of parameters associated with an option,
 * including the option name itself.
 *
 * This also sizes the per-option arrays in struct options and
 * struct provider_list below (remote_cert_ku[], pkcs11_*[],
 * x509_username_field[], names[]/providers[]), so an option can never
 * carry more values than those arrays can hold.
 */
#define MAX_PARMS 16

/*
 * Max size of options line and parameter.
 *
 * Any parser that copies a line or a single parameter into a fixed buffer
 * of these sizes must bound the copy and reject (or deliberately truncate)
 * longer input; the limits are not enforced by this header itself.
 */
#define OPTION_PARM_SIZE 256
#define OPTION_LINE_SIZE 256

/* Program banner/version string; defined in a .c file, not here. */
extern const char title_string[];

/* certain options are saved before --pull modifications are applied */
/*
 * Snapshot of the option values that a pushed (--pull) configuration may
 * overwrite.  Members whose original value can legitimately be absent are
 * paired with a *_defined flag so a restore can distinguish "never set" from
 * "set to NULL".  Presumably captured before the first connection and put
 * back by pre_connect_restore() (declared below) on reconnect -- confirm
 * against options.c.
 */
struct options_pre_connect
{
    bool tuntap_options_defined;
    struct tuntap_options tuntap_options;

    bool routes_defined;
    struct route_option_list *routes;

    bool routes_ipv6_defined;
    struct route_ipv6_option_list *routes_ipv6;

    const char *route_default_gateway;
    const char *route_ipv6_default_gateway;

    bool client_nat_defined;
    struct client_nat_option_list *client_nat;

    struct dns_options dns_options;

    /* data channel cipher/auth names as configured locally, i.e. before a
     * server push or NCP negotiation changes them */
    const char *ciphername;
    const char *authname;

    int ping_send_timeout;
    int ping_rec_timeout;
    int ping_rec_timeout_action;

    int foreign_option_index;
    struct compress_options comp;
};

/* Build-time check: a configuration that selects neither the OpenSSL nor
 * the mbed TLS backend cannot work, so fail early at the preprocessor. */
#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
#error "At least one of OpenSSL or mbed TLS needs to be defined."
#endif

/*
 * One local bind address.  Address and port are kept as the strings parsed
 * from the configuration; proto is an integer protocol code (presumably the
 * same encoding as connection_entry.proto -- confirm in options.c).
 */
struct local_entry
{
    const char *local;
    const char *port;
    int proto;
};

/*
 * One connection profile: endpoint addressing, proxy settings, MTU /
 * fragmentation tuning and the control-channel key material that may be
 * set per connection.  Ports are strings, not integers.  The *_inline
 * flags next to the key-file members presumably mean the string holds the
 * key material itself rather than a path (OpenVPN's inline-file convention)
 * -- anything that logs these members must take that into account; confirm
 * against options.c.
 */
struct connection_entry
{
    struct local_list *local_list;
    int proto;
    sa_family_t af;
    const char *local_port;
    bool local_port_defined;
    const char *remote_port;
    const char *remote;
    bool remote_float;
    bool bind_defined;
    bool bind_ipv6_only;
    bool bind_local;
    int connect_retry_seconds;
    int connect_retry_seconds_max;
    int connect_timeout;
    struct http_proxy_options *http_proxy_options;
    const char *socks_proxy_server;
    const char *socks_proxy_port;
    const char *socks_proxy_authfile;   /* path to a credentials file; treat as sensitive */

    int tun_mtu;                        /* MTU of tun device */
    int occ_mtu;                        /* if non-null, this is the MTU we announce to peers in OCC */
    int tun_mtu_max;                    /* maximum MTU that can be pushed */

    bool tun_mtu_defined;               /* true if user overriding parm with command line option */
    int tun_mtu_extra;
    bool tun_mtu_extra_defined;
    int link_mtu;                       /* MTU of device over which tunnel packets pass via TCP/UDP */
    bool link_mtu_defined;              /* true if user overriding parm with command line option */
    int tls_mtu;                        /* Maximum MTU for the control channel messages */

    /* Advanced MTU negotiation and datagram fragmentation options */
    int mtu_discover_type;              /* used if OS supports setting Path MTU discovery options on socket */

    int fragment;                       /* internal fragmentation size */
    bool fragment_encap;                /* true if --fragment had the "mtu" parameter to
                                         * include overhead from IP and TCP/UDP encapsulation */
    int mssfix;                         /* Upper bound on TCP MSS */
    bool mssfix_default;                /* true if --mssfix should use the default parameters */
    bool mssfix_encap;                  /* true if --mssfix had the "mtu" parameter to include
                                         * overhead from IP and TCP/UDP encapsulation */
    bool mssfix_fixed;                  /* use the mssfix value without any encapsulation adjustments */

    int explicit_exit_notification;     /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */

    /* Bit layout of `flags` (the macros have file scope even though they are
     * written inside the struct): bits 0 and 1 are single-bit flags, and the
     * CE_MAN_QUERY_REMOTE_* values (0..4, fitting the 3-bit MASK) live in
     * bits 2..4, i.e. shifted left by CE_MAN_QUERY_REMOTE_SHIFT, so the two
     * groups do not overlap. */
#define CE_DISABLED (1<<0)
#define CE_MAN_QUERY_PROXY (1<<1)
#define CE_MAN_QUERY_REMOTE_UNDEF 0
#define CE_MAN_QUERY_REMOTE_QUERY 1
#define CE_MAN_QUERY_REMOTE_ACCEPT 2
#define CE_MAN_QUERY_REMOTE_MOD 3
#define CE_MAN_QUERY_REMOTE_SKIP 4
#define CE_MAN_QUERY_REMOTE_MASK (0x07)
#define CE_MAN_QUERY_REMOTE_SHIFT (2)
    unsigned int flags;

    /* Shared secret used for TLS control channel authentication */
    const char *tls_auth_file;
    bool tls_auth_file_inline;
    int key_direction;

    /* Shared secret used for TLS control channel authenticated encryption */
    const char *tls_crypt_file;
    bool tls_crypt_file_inline;

    /* Client-specific secret or server key used for TLS control channel
     * authenticated encryption v2 */
    const char *tls_crypt_v2_file;
    bool tls_crypt_v2_file_inline;

    /* Allow only client that support resending the wrapped client key */
    bool tls_crypt_v2_force_cookie;
};

/*
 * One remote endpoint: host and port as strings plus the protocol code and
 * address family to use for it.
 */
struct remote_entry
{
    const char *remote;
    const char *remote_port;
    int proto;
    sa_family_t af;
};

/* Hard upper bound on the number of connection entries.  The list structs
 * below also carry a runtime `capacity`; which of the two limits is enforced,
 * and where, is decided in options.c rather than here. */
#define CONNECTION_LIST_SIZE 64

/*
 * Growable array of local bind entries: `array` has `capacity` slots of
 * which the first `len` are in use (so 0 <= len <= capacity is the expected
 * invariant; the growth policy lives in options.c).
 */
struct local_list
{
    int capacity;
    int len;
    struct local_entry **array;
};

/*
 * Growable array of connection entries: `array` has `capacity` slots, `len`
 * are in use, and `current` is presumably the index of the entry being tried
 * (expected invariant 0 <= current < len -- confirm in options.c).
 */
struct connection_list
{
    int capacity;
    int len;
    int current;
    struct connection_entry **array;
};

/*
 * Growable array of remote entries: `array` has `capacity` slots of which
 * the first `len` are in use.
 */
struct remote_list
{
    int capacity;
    int len;
    struct remote_entry **array;
};

/*
 * Crypto providers requested by the user.  Both arrays are MAX_PARMS long,
 * i.e. one option's worth of parameters; names[] is what was configured and
 * providers[] the matching loaded handles, kept so they can be unloaded.
 */
struct provider_list
{
    /* Names of the providers */
    const char *names[MAX_PARMS];
    /* Pointers to the loaded providers to unload them */
    provider_t *providers[MAX_PARMS];
};

/*
 * Which Ethernet frames a VLAN-aware server accepts from a client; per the
 * names: only tagged frames, only untagged or priority-tagged frames, or
 * everything.
 */
enum vlan_acceptable_frames
{
    VLAN_ONLY_TAGGED,
    VLAN_ONLY_UNTAGGED_OR_PRIORITY,
    VLAN_ALL,
};

/*
 * Fixed-size copy of a remote host/port pair.  host[] holds at most
 * RH_HOST_LEN-1 characters plus the terminating NUL and port[] at most
 * RH_PORT_LEN-1, so whoever fills these must use a bounded copy and either
 * reject or knowingly truncate anything longer -- a value longer than the
 * buffer cannot be stored here intact.  (The macros have file scope.)
 */
struct remote_host_store
{
#define RH_HOST_LEN 80
    char host[RH_HOST_LEN];
#define RH_PORT_LEN 20
    char port[RH_PORT_LEN];
};

/*
 * Kind of key to generate when options.genkey is set; stored in
 * options.genkey_type (the names suggest a static secret, tls-crypt-v2
 * client/server keys and an auth-token secret).
 */
enum genkey_type {
    GENKEY_SECRET,
    GENKEY_TLS_CRYPTV2_CLIENT,
    GENKEY_TLS_CRYPTV2_SERVER,
    GENKEY_AUTH_TOKEN
};

/*
 * Singly-linked list of accepted peer-certificate fingerprints.  hash[] is
 * always SHA256_DIGEST_LENGTH bytes; which algorithm the bytes belong to is
 * recorded separately in options.verify_hash_algo, and with the deprecated
 * SHA1 only the leading 20 bytes are meaningful.  Comparisons against peer
 * certificates should therefore use the length implied by that algorithm,
 * not sizeof(hash).
 */
struct verify_hash_list
{
    /* We support SHA256 and SHA1 fingerpint. In the case of using the
     * deprecated SHA1, only the first 20 bytes of each list item are used */
    uint8_t hash[SHA256_DIGEST_LENGTH];
    struct verify_hash_list *next;
};

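/* Command line options */
/*
 * Every option OpenVPN understands, whether it came from the command line,
 * a config file or a server push.  String members are presumably allocated
 * from `gc`, with gc_owned recording whether this struct owns that arena
 * (see init_options()/uninit_options() below) -- confirm in options.c.
 *
 * Several members name or contain credentials: key_pass_file,
 * auth_user_pass_file, shared_secret_file, tls_auth_file, tls_crypt_file,
 * tls_crypt_v2_file, auth_token_secret_file and management_user_pass.
 * Where the matching *_inline flag is true the string presumably holds the
 * key material itself rather than a path (OpenVPN's inline-file
 * convention), so show_settings()/setenv_settings() and any new dump path
 * must not echo it -- confirm against options.c.
 *
 * The #define blocks written inside the struct have file scope; they are
 * placed next to the member they describe for readability only.
 */
struct options
{
    struct gc_arena gc;
    bool gc_owned;

    /* first config file */
    const char *config;

    /* major mode */
#define MODE_POINT_TO_POINT 0
#define MODE_SERVER 1
    int mode;

    /* enable forward compatibility for post-2.1 features */
    bool forward_compatible;
    /** What version we should try to be compatible with as major * 10000 +
     * minor * 100 + patch, e.g. 2.4.7 => 20407 */
    unsigned int backwards_compatible;

    /* list of options that should be ignored even if unknown */
    const char **ignore_unknown_option;

    /* persist parms */
    bool persist_config;
    int persist_mode;

    const char *key_pass_file;          /* passphrase file path; sensitive */
    bool show_ciphers;
    bool show_digests;
    bool show_engines;
    bool show_tls_ciphers;
    bool show_curves;
    bool genkey;
    enum genkey_type genkey_type;
    const char *genkey_filename;
    const char *genkey_extra_data;

    /* Networking parms */
    int connect_retry_max;
    struct connection_entry ce;         /* the active/top-level connection entry */
    struct connection_list *connection_list;

    struct remote_list *remote_list;
    /* Do not advance the connection or remote addr list */
    bool no_advance;
    /* Advance directly to the next remote, skipping remaining addresses of the
     * current remote */
    bool advance_next_remote;
    /* Counts the number of unsuccessful connection attempts */
    unsigned int unsuccessful_attempts;
    /* count of connection entries to advance by when no_advance is not set */
    int ce_advance_count;
    /* the server can suggest a backoff time to the client, it
     * will still be capped by the max timeout between connections
     * (300s by default) */
    int server_backoff_time;

    /* #ifdef rather than #if: matches the other ENABLE_MANAGEMENT guards in
     * this file and does not depend on the macro expanding to a value. */
#ifdef ENABLE_MANAGEMENT
    struct http_proxy_options *http_proxy_override;
#endif

    struct remote_host_store *rh_store;

    struct dns_options dns_options;

    bool remote_random;
    const char *ipchange;
    const char *dev;
    const char *dev_type;
    const char *dev_node;
    const char *lladdr;
    int topology;                       /* one of the TOP_x values from proto.h */
    const char *ifconfig_local;
    const char *ifconfig_remote_netmask;
    const char *ifconfig_ipv6_local;
    int ifconfig_ipv6_netbits;
    const char *ifconfig_ipv6_remote;
    bool ifconfig_noexec;
    bool ifconfig_nowarn;
    int shaper;

    int proto_force;

    bool mtu_test;

#ifdef ENABLE_MEMSTATS
    char *memstats_fn;
#endif

    bool mlock;

    int keepalive_ping;                 /* a proxy for ping/ping-restart */
    int keepalive_timeout;

    int inactivity_timeout;             /* --inactive */
    int64_t inactivity_minimum_bytes;

    int session_timeout;                /* Force-kill session after n seconds */

    int ping_send_timeout;              /* Send a TCP/UDP ping to remote every n seconds */
    int ping_rec_timeout;               /* Expect a TCP/UDP ping from remote at least once every n seconds */
    bool ping_timer_remote;             /* Run ping timer only if we have a remote address */

#define PING_UNDEF 0
#define PING_EXIT 1
#define PING_RESTART 2
    int ping_rec_timeout_action;        /* What action to take on ping_rec_timeout (exit or restart)? */

    bool persist_tun;                   /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
    bool persist_local_ip;              /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
    bool persist_remote_ip;             /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */

#if PASSTOS_CAPABILITY
    bool passtos;
#endif

    int resolve_retry_seconds;          /* If hostname resolve fails, retry for n seconds */
    bool resolve_in_advance;
    const char *ip_remote_hint;

    struct tuntap_options tuntap_options;
    /* DCO is disabled and should not be used as backend driver for the
     * tun/tap device */
    bool disable_dco;

    /* Misc parms */
    const char *username;               /* privilege-drop target user */
    const char *groupname;              /* privilege-drop target group */
    const char *chroot_dir;
    const char *cd_dir;
#ifdef ENABLE_SELINUX
    char *selinux_context;
#endif
    const char *writepid;
    const char *up_script;
    const char *down_script;
    bool user_script_used;
    bool down_pre;
    bool up_delay;
    bool up_restart;
    bool daemon;

    int remap_sigusr1;

    bool log;
    bool suppress_timestamps;
    bool machine_readable_output;
    int nice;
    int verbosity;
    int mute;

#ifdef ENABLE_DEBUG
    int gremlin;                        /* debug-build fault injection level */
#endif

    const char *status_file;
    int status_file_version;
    int status_file_update_freq;

    /* optimize TUN/TAP/UDP writes */
    bool fast_io;

    struct compress_options comp;

    /* buffer sizes */
    int rcvbuf;
    int sndbuf;

    /* mark value */
    int mark;
    char *bind_dev;

    /* socket flags */
    unsigned int sockflags;

    /* route management */
    const char *route_script;
    const char *route_predown_script;
    const char *route_default_gateway;
    const char *route_ipv6_default_gateway;
    int route_default_table_id;
    int route_default_metric;
    bool route_noexec;
    int route_delay;
    int route_delay_window;
    bool route_delay_defined;
    struct route_option_list *routes;
    struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
    bool block_ipv6;
    bool route_nopull;
    bool route_gateway_via_dhcp;
    bool allow_pull_fqdn;               /* as a client, allow server to push a FQDN for certain parameters */
    struct client_nat_option_list *client_nat;

    /* Enable options consistency check between peers */
    bool occ;

#ifdef ENABLE_MANAGEMENT
    const char *management_addr;
    const char *management_port;
    const char *management_user_pass;   /* management password (file); sensitive */
    int management_log_history_cache;
    int management_echo_buffer_size;
    int management_state_buffer_size;

    const char *management_client_user;
    const char *management_client_group;

    const char *management_certificate;
#endif
    /* Mask of MF_ values of manage.h */
    unsigned int management_flags;

#ifdef ENABLE_PLUGIN
    struct plugin_option_list *plugin_list;
#endif

    /* the tmp dir is for now only used in the P2P server context */
    const char *tmp_dir;
    bool server_defined;
    in_addr_t server_network;
    in_addr_t server_netmask;
    bool server_ipv6_defined;                   /* IPv6 */
    struct in6_addr server_network_ipv6;        /* IPv6 */
    unsigned int server_netbits_ipv6;           /* IPv6 */

#define SF_NOPOOL (1<<0)
#define SF_TCP_NODELAY_HELPER (1<<1)
#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
    unsigned int server_flags;

    bool server_bridge_proxy_dhcp;

    bool server_bridge_defined;
    in_addr_t server_bridge_ip;
    in_addr_t server_bridge_netmask;
    in_addr_t server_bridge_pool_start;
    in_addr_t server_bridge_pool_end;

    struct push_list push_list;
    bool ifconfig_pool_defined;
    in_addr_t ifconfig_pool_start;
    in_addr_t ifconfig_pool_end;
    in_addr_t ifconfig_pool_netmask;
    const char *ifconfig_pool_persist_filename;
    int ifconfig_pool_persist_refresh_freq;

    bool ifconfig_ipv6_pool_defined;            /* IPv6 */
    struct in6_addr ifconfig_ipv6_pool_base;    /* IPv6 */
    int ifconfig_ipv6_pool_netbits;             /* IPv6 */

    int real_hash_size;
    int virtual_hash_size;
    const char *client_connect_script;
    const char *client_disconnect_script;
    const char *learn_address_script;
    const char *client_crresponse_script;
    const char *client_config_dir;
    bool ccd_exclusive;
    bool disable;
    const char *override_username;
    int n_bcast_buf;
    int tcp_queue_limit;
    struct iroute *iroutes;
    struct iroute_ipv6 *iroutes_ipv6;           /* IPv6 */
    bool push_ifconfig_defined;
    in_addr_t push_ifconfig_local;
    in_addr_t push_ifconfig_remote_netmask;
    in_addr_t push_ifconfig_local_alias;
    bool push_ifconfig_constraint_defined;
    in_addr_t push_ifconfig_constraint_network;
    in_addr_t push_ifconfig_constraint_netmask;
    bool push_ifconfig_ipv4_blocked;            /* IPv4 */
    bool push_ifconfig_ipv6_defined;            /* IPv6 */
    struct in6_addr push_ifconfig_ipv6_local;   /* IPv6 */
    int push_ifconfig_ipv6_netbits;             /* IPv6 */
    struct in6_addr push_ifconfig_ipv6_remote;  /* IPv6 */
    bool push_ifconfig_ipv6_blocked;            /* IPv6 */
    bool enable_c2c;
    bool duplicate_cn;

    /* connect-freq limits: cf_max new connections per cf_per seconds */
    int cf_max;
    int cf_per;

    int cf_initial_max;
    int cf_initial_per;

    int max_clients;
    int max_routes_per_client;
    int stale_routes_check_interval;
    int stale_routes_ageing_time;

    const char *auth_user_pass_verify_script;
    bool auth_user_pass_verify_script_via_file;
    bool auth_token_generate;
    bool auth_token_call_auth;
    int auth_token_lifetime;
    int auth_token_renewal;
    const char *auth_token_secret_file;
    bool auth_token_secret_file_inline;

#if PORT_SHARE
    char *port_share_host;
    char *port_share_port;
    const char *port_share_journal_dir;
#endif

    bool client;
    bool pull;                          /* client pull of config options from server */
    int push_continuation;
    unsigned int push_option_types_found;
    const char *auth_user_pass_file;
    bool auth_user_pass_file_inline;
    struct options_pre_connect *pre_connect;

    int scheduled_exit_interval;

#ifdef ENABLE_MANAGEMENT
    struct static_challenge_info sc_info;
#endif
    /* Cipher parms */
    const char *shared_secret_file;
    bool shared_secret_file_inline;
    bool allow_deprecated_insecure_static_crypto;
    int key_direction;
    const char *ciphername;
    bool enable_ncp_fallback;           /**< If defined fall back to
                                         * ciphername if NCP fails */
    /** The original ncp_ciphers specified by the user in the configuration*/
    const char *ncp_ciphers_conf;
    const char *ncp_ciphers;
    const char *authname;
    const char *engine;
    struct provider_list providers;
    bool mute_replay_warnings;
    int replay_window;
    int replay_time;
    const char *packet_id_file;
    bool test_crypto;
#ifdef ENABLE_PREDICTION_RESISTANCE
    bool use_prediction_resistance;
#endif

    /* TLS (control channel) parms */
    bool tls_server;
    bool tls_client;
    const char *ca_file;
    bool ca_file_inline;
    const char *ca_path;
    const char *dh_file;
    bool dh_file_inline;
    const char *cert_file;
    bool cert_file_inline;
    const char *extra_certs_file;
    bool extra_certs_file_inline;
    const char *priv_key_file;
    bool priv_key_file_inline;
    const char *pkcs12_file;
    bool pkcs12_file_inline;
    const char *cipher_list;
    const char *cipher_list_tls13;
    const char *tls_groups;
    const char *tls_cert_profile;
    const char *ecdh_curve;
    const char *tls_verify;
    const char *tls_export_peer_cert_dir;
    int verify_x509_type;
    const char *verify_x509_name;
    const char *crl_file;
    bool crl_file_inline;

    int ns_cert_type;                   /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
    unsigned remote_cert_ku[MAX_PARMS];
    const char *remote_cert_eku;
    struct verify_hash_list *verify_hash;
    hash_algo_type verify_hash_algo;    /* algorithm the verify_hash entries were computed with */
    int verify_hash_depth;
    bool verify_hash_no_ca;
    unsigned int ssl_flags;             /* set to SSLF_x flags from ssl.h */

#ifdef ENABLE_PKCS11
    const char *pkcs11_providers[MAX_PARMS];
    unsigned pkcs11_private_mode[MAX_PARMS];
    bool pkcs11_protected_authentication[MAX_PARMS];
    bool pkcs11_cert_private[MAX_PARMS];
    int pkcs11_pin_cache_period;
    const char *pkcs11_id;
    bool pkcs11_id_management;
#endif

#ifdef ENABLE_CRYPTOAPI
    const char *cryptoapi_cert;
#endif
    /* Per-packet timeout on control channel */
    int tls_timeout;

    /* Data channel key renegotiation parameters */
    int64_t renegotiate_bytes;
    int64_t renegotiate_packets;
    int renegotiate_seconds;
    int renegotiate_seconds_min;

    /* Data channel key handshake must finalize
     * within n seconds of handshake initiation. */
    int handshake_window;

#ifdef ENABLE_X509ALTUSERNAME
    /* Field list used to be the username in X509 cert. */
    char *x509_username_field[MAX_PARMS];
#endif

    /* Old key allowed to live n seconds after new key goes active */
    int transition_window;

    /* Shared secret used for TLS control channel authentication */
    const char *tls_auth_file;
    bool tls_auth_file_inline;

    /* Shared secret used for TLS control channel authenticated encryption */
    const char *tls_crypt_file;
    bool tls_crypt_file_inline;

    /* Client-specific secret or server key used for TLS control channel
     * authenticated encryption v2 */
    const char *tls_crypt_v2_file;
    bool tls_crypt_v2_file_inline;

    const char *tls_crypt_v2_metadata;

    const char *tls_crypt_v2_verify_script;

    /* Allow only one session */
    bool single_session;

    bool push_peer_info;

    bool tls_exit;

    const struct x509_track *x509_track;

    /* special state parms */
    int foreign_option_index;

#ifdef _WIN32
    HANDLE msg_channel;
    const char *exit_event_name;
    bool exit_event_initial_state;
    bool show_net_up;
    int route_method;
    bool block_outside_dns;
    enum tun_driver_type windows_driver;
#endif

    bool use_peer_id;
    uint32_t peer_id;

    /* Keying Material Exporters [RFC 5705] */
    const char *keying_material_exporter_label;
    int keying_material_exporter_length;
    /* force using TLS key material export for data channel key generation */
    bool force_key_material_export;

    bool vlan_tagging;
    enum vlan_acceptable_frames vlan_accept;
    uint16_t vlan_pvid;

    struct pull_filter_list *pull_filter_list;

    /* Useful when packets sent by openvpn itself are not subject
     * to the routing tables that would move packets into the tunnel. */
    bool allow_recursive_routing;

    /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
    unsigned int imported_protocol_flags;
};
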
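/* String equality as a boolean; both arguments must be non-NULL C strings. */
#define streq(x, y) (!strcmp((x), (y)))

/*
 * Option classes.
 *
 * Each class is one bit of a permission mask (see the `permission_mask`
 * parameters below), so a value can be tested with `mask & OPT_P_x`.
 * Bit 31 is written as an unsigned shift: `1<<31` does not fit in a 32-bit
 * int and is undefined behaviour in C11 (6.5.7), whereas the lower bits are
 * representable and keep the plain int form used elsewhere in this file.
 */
#define OPT_P_GENERAL (1<<0)
#define OPT_P_UP (1<<1)
#define OPT_P_ROUTE (1<<2)
#define OPT_P_DHCPDNS (1<<3)            /* includes ip windows options like */
#define OPT_P_SCRIPT (1<<4)
#define OPT_P_SETENV (1<<5)
#define OPT_P_SHAPER (1<<6)
#define OPT_P_TIMER (1<<7)
#define OPT_P_PERSIST (1<<8)
#define OPT_P_PERSIST_IP (1<<9)
#define OPT_P_COMP (1<<10)              /* TODO */
#define OPT_P_MESSAGES (1<<11)
#define OPT_P_NCP (1<<12)               /**< Negotiable crypto parameters */
#define OPT_P_TLS_PARMS (1<<13)         /* TODO */
#define OPT_P_MTU (1<<14)               /* TODO */
#define OPT_P_NICE (1<<15)
#define OPT_P_PUSH (1<<16)
#define OPT_P_INSTANCE (1<<17)          /**< allowed in ccd, client-connect etc*/
#define OPT_P_CONFIG (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO (1<<20)
#define OPT_P_INHERIT (1<<21)
#define OPT_P_ROUTE_EXTRAS (1<<22)
#define OPT_P_PULL_MODE (1<<23)
#define OPT_P_PLUGIN (1<<24)
#define OPT_P_SOCKBUF (1<<25)
#define OPT_P_SOCKFLAGS (1<<26)
#define OPT_P_CONNECTION (1<<27)
#define OPT_P_PEER_ID (1<<28)
#define OPT_P_INLINE (1<<29)
#define OPT_P_PUSH_MTU (1<<30)
#define OPT_P_ROUTE_TABLE (1u<<31)

/* Everything except the two classes that are only valid in per-instance
 * (ccd/client-connect) or pulled configuration. */
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))

#define PULL_DEFINED(opt) ((opt)->pull)
#define PUSH_DEFINED(opt) ((opt)->push_list)

/* The two fallbacks below are unreachable in this header because both macros
 * are defined unconditionally just above; they are kept for compatibility
 * with code that expects the #ifndef pattern. */
#ifndef PULL_DEFINED
#define PULL_DEFINED(opt) (false)
#endif

#ifndef PUSH_DEFINED
#define PUSH_DEFINED(opt) (false)
#endif

/* Route-method flag bits of the options, Windows only; 0 elsewhere. */
#ifdef _WIN32
#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
#else
#define ROUTE_OPTION_FLAGS(o) (0)
#endif

#define SHAPER_DEFINED(opt) ((opt)->shaper)

#ifdef ENABLE_PLUGIN
#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
#else
#define PLUGIN_OPTION_LIST(opt) (NULL)
#endif

#ifdef ENABLE_MANAGEMENT
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#else
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
#endif
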
/*
 * Parse argv into `options`.  permission_mask is a bitmask of OPT_P_* classes
 * the caller allows; option classes that were actually seen are OR-ed into
 * *option_types_found (presumably, from the parallel naming in the other
 * import functions below -- confirm in options.c).
 */
void parse_argv(struct options *options,
                const int argc,
                char *argv[],
                const int msglevel,
                const unsigned int permission_mask,
                unsigned int *option_types_found,
                struct env_set *es);

/* Presumably aborts with `description` in the message when arg is NULL. */
void notnull(const char *arg, const char *description);

void usage_small(void);

void show_library_versions(const unsigned int flags);

#ifdef _WIN32
void show_windows_version(const unsigned int flags);

#endif

void show_dco_version(const unsigned int flags);

/* init_gc selects whether the struct's own gc arena is initialised (and thus
 * owned, cf. options.gc_owned); uninit_options() releases it. */
void init_options(struct options *o, const bool init_gc);

void uninit_options(struct options *o);

/* Exports settings into the environment set handed to scripts/plugins.
 * NOTE(review): o contains credential paths and possibly inline key
 * material; confirm in options.c that none of those are exported. */
void setenv_settings(struct env_set *es, const struct options *o);

/* Logs the effective settings; same caveat about sensitive members. */
void show_settings(const struct options *o);

/* Equality for two possibly-NULL strings (the exact NULL semantics are
 * defined in options.c). */
bool string_defined_equal(const char *s1, const char *s2);

const char *options_string_version(const char *s, struct gc_arena *gc);

/*
 * Builds the OCC options string describing this side's configuration (remote
 * selects the peer's view).  Returned string is gc-allocated.
 */
char *options_string(const struct options *o,
                     const struct frame *frame,
                     struct tuntap *tt,
                     openvpn_net_ctx_t *ctx,
                     bool remote,
                     struct gc_arena *gc);

/*
 * Compare/warn about a peer-supplied options string.  The _safe variants take
 * the length of `actual` explicitly -- since that buffer comes from the peer,
 * callers must pass its real bound rather than relying on a NUL terminator.
 * `actual` is deliberately non-const; presumably it may be modified in place.
 */
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);

void options_warning_safe(char *actual, const char *expected, size_t actual_n);

bool options_cmp_equal(char *actual, const char *expected);

void options_warning(char *actual, const char *expected);

/**
 * Given an OpenVPN options string, extract the value of an option.
 *
 * @param options_string Zero-terminated, comma-separated options string
 * @param opt_name The name of the option to extract
 * @param gc The gc to allocate the return value
 *
 * @return gc-allocated value of option with name opt_name if option was found,
 * or NULL otherwise.
 */
char *options_string_extract_option(const char *options_string,
                                    const char *opt_name, struct gc_arena *gc);


/* Validation/derivation pass after all options have been read. */
void options_postprocess(struct options *options, struct env_set *es);

/* Same, for options received via --pull; returns false on rejection. */
bool options_postprocess_pull(struct options *o, struct env_set *es);

/* Restores the values saved in o->pre_connect (struct options_pre_connect). */
void pre_connect_restore(struct options *o, struct gc_arena *gc);

/*
 * Applies options pushed by the server from `buf`.  permission_mask bounds
 * which OPT_P_* classes the peer may set -- this is the trust boundary for
 * pushed configuration, so callers must not widen it casually.
 */
bool apply_push_options(struct options *options,
                        struct buffer *buf,
                        unsigned int permission_mask,
                        unsigned int *option_types_found,
                        struct env_set *es);

void options_detach(struct options *o);

/* Reads additional options from `filename` under the given permission mask. */
void options_server_import(struct options *o,
                           const char *filename,
                           int msglevel,
                           unsigned int permission_mask,
                           unsigned int *option_types_found,
                           struct env_set *es);

void pre_pull_default(struct options *o);

void rol_check_alloc(struct options *options);

/*
 * Tokenises `line` into p[], which must have room for n entries; file and
 * line_num are for diagnostics.  Return value semantics (presumably the
 * token count) are defined in options.c.
 */
int parse_line(const char *line,
               char *p[],
               const int n,
               const char *file,
               const int line_num,
               int msglevel,
               struct gc_arena *gc);

/*
 * parse/print topology coding
 */

int parse_topology(const char *str, const int msglevel);

const char *print_topology(const int topology);

/*
 * Manage auth-retry variable
 */

#define AR_NONE 0
#define AR_INTERACT 1
#define AR_NOINTERACT 2

int auth_retry_get(void);

bool auth_retry_set(const int msglevel, const char *option);

const char *auth_retry_print(void);

/* Parses options from an in-memory config string (same contract as parse_argv). */
void options_string_import(struct options *options,
                           const char *config,
                           const int msglevel,
                           const unsigned int permission_mask,
                           unsigned int *option_types_found,
                           struct env_set *es);

bool key_is_external(const struct options *options);

bool has_udp_in_local_list(const struct options *options);

/**
 * Returns whether the current configuration has dco enabled.
 *
 * In builds with ENABLE_DCO the answer is simply the inverse of
 * o->disable_dco; without it DCO can never be enabled, whatever the
 * configuration says.
 */
static inline bool
dco_enabled(const struct options *o)
{
    bool enabled = false;
#ifdef ENABLE_DCO
    enabled = !o->disable_dco;
#endif /* ENABLE_DCO */
    return enabled;
}

81d882d5 938#endif /* ifndef OPTIONS_H */