2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
44 #include "crypto_backend.h"
48 * Maximum number of parameters associated with an option,
49 * including the option name itself.
54 * Max size of options line and parameter.
56 #define OPTION_PARM_SIZE 256
57 #define OPTION_LINE_SIZE 256
59 extern const char title_string
[];
63 /* certain options are saved before --pull modifications are applied */
64 struct options_pre_pull
66 bool tuntap_options_defined
;
67 struct tuntap_options tuntap_options
;
70 struct route_option_list
*routes
;
72 bool routes_ipv6_defined
;
73 struct route_ipv6_option_list
*routes_ipv6
;
75 bool client_nat_defined
;
76 struct client_nat_option_list
*client_nat
;
78 int foreign_option_index
;
82 #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
83 #error "At least one of OpenSSL or mbed TLS needs to be defined."
86 struct connection_entry
90 const char *local_port
;
91 bool local_port_defined
;
92 const char *remote_port
;
99 int connect_retry_seconds
;
100 int connect_retry_seconds_max
;
102 struct http_proxy_options
*http_proxy_options
;
103 const char *socks_proxy_server
;
104 const char *socks_proxy_port
;
105 const char *socks_proxy_authfile
;
107 int tun_mtu
; /* MTU of tun device */
108 bool tun_mtu_defined
; /* true if user overriding parm with command line option */
110 bool tun_mtu_extra_defined
;
111 int link_mtu
; /* MTU of device over which tunnel packets pass via TCP/UDP */
112 bool link_mtu_defined
; /* true if user overriding parm with command line option */
114 /* Advanced MTU negotiation and datagram fragmentation options */
115 int mtu_discover_type
; /* used if OS supports setting Path MTU discovery options on socket */
117 int fragment
; /* internal fragmentation size */
118 int mssfix
; /* Upper bound on TCP MSS */
119 bool mssfix_default
; /* true if --mssfix was supplied without a parameter */
121 int explicit_exit_notification
; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
123 #define CE_DISABLED (1<<0)
124 #define CE_MAN_QUERY_PROXY (1<<1)
125 #define CE_MAN_QUERY_REMOTE_UNDEF 0
126 #define CE_MAN_QUERY_REMOTE_QUERY 1
127 #define CE_MAN_QUERY_REMOTE_ACCEPT 2
128 #define CE_MAN_QUERY_REMOTE_MOD 3
129 #define CE_MAN_QUERY_REMOTE_SKIP 4
130 #define CE_MAN_QUERY_REMOTE_MASK (0x07)
131 #define CE_MAN_QUERY_REMOTE_SHIFT (2)
134 /* Shared secret used for TLS control channel authentication */
135 const char *tls_auth_file
;
136 const char *tls_auth_file_inline
;
139 /* Shared secret used for TLS control channel authenticated encryption */
140 const char *tls_crypt_file
;
141 const char *tls_crypt_inline
;
143 /* Client-specific secret or server key used for TLS control channel
144 * authenticated encryption v2 */
145 const char *tls_crypt_v2_file
;
146 const char *tls_crypt_v2_inline
;
152 const char *remote_port
;
157 #define CONNECTION_LIST_SIZE 64
159 struct connection_list
163 struct connection_entry
*array
[CONNECTION_LIST_SIZE
];
169 struct remote_entry
*array
[CONNECTION_LIST_SIZE
];
172 struct remote_host_store
174 #define RH_HOST_LEN 80
175 char host
[RH_HOST_LEN
];
176 #define RH_PORT_LEN 20
177 char port
[RH_PORT_LEN
];
182 GENKEY_TLS_CRYPTV2_CLIENT
,
183 GENKEY_TLS_CRYPTV2_SERVER
,
186 /* Command line options */
192 /* first config file */
196 #define MODE_POINT_TO_POINT 0
197 #define MODE_SERVER 1
200 /* enable forward compatibility for post-2.1 features */
201 bool forward_compatible
;
202 /* list of options that should be ignored even if unknown */
203 const char **ignore_unknown_option
;
209 const char *key_pass_file
;
213 bool show_tls_ciphers
;
216 enum genkey_type genkey_type
;
217 const char* genkey_filename
;
218 const char* genkey_extra_data
;
220 /* Networking parms */
221 int connect_retry_max
;
222 struct connection_entry ce
;
223 struct connection_list
*connection_list
;
225 struct remote_list
*remote_list
;
226 /* Do not advance the connection or remote addr list */
228 /* Counts the number of unsuccessful connection attempts */
229 unsigned int unsuccessful_attempts
;
231 #if ENABLE_MANAGEMENT
232 struct http_proxy_options
*http_proxy_override
;
235 struct remote_host_store
*rh_store
;
238 const char *ipchange
;
240 const char *dev_type
;
241 const char *dev_node
;
243 int topology
; /* one of the TOP_x values from proto.h */
244 const char *ifconfig_local
;
245 const char *ifconfig_remote_netmask
;
246 const char *ifconfig_ipv6_local
;
247 int ifconfig_ipv6_netbits
;
248 const char *ifconfig_ipv6_remote
;
249 bool ifconfig_noexec
;
250 bool ifconfig_nowarn
;
251 #ifdef ENABLE_FEATURE_SHAPER
261 #ifdef ENABLE_MEMSTATS
267 int keepalive_ping
; /* a proxy for ping/ping-restart */
268 int keepalive_timeout
;
270 int inactivity_timeout
; /* --inactive */
271 int inactivity_minimum_bytes
;
273 int ping_send_timeout
; /* Send a TCP/UDP ping to remote every n seconds */
274 int ping_rec_timeout
; /* Expect a TCP/UDP ping from remote at least once every n seconds */
275 bool ping_timer_remote
; /* Run ping timer only if we have a remote address */
279 #define PING_RESTART 2
280 int ping_rec_timeout_action
; /* What action to take on ping_rec_timeout (exit or restart)? */
282 bool persist_tun
; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
283 bool persist_local_ip
; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
284 bool persist_remote_ip
; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
285 bool persist_key
; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
287 #if PASSTOS_CAPABILITY
291 int resolve_retry_seconds
; /* If hostname resolve fails, retry for n seconds */
292 bool resolve_in_advance
;
293 const char *ip_remote_hint
;
295 struct tuntap_options tuntap_options
;
298 const char *username
;
299 const char *groupname
;
300 const char *chroot_dir
;
302 #ifdef ENABLE_SELINUX
303 char *selinux_context
;
305 const char *writepid
;
306 const char *up_script
;
307 const char *down_script
;
308 bool user_script_used
;
316 /* inetd modes defined in socket.h */
320 bool suppress_timestamps
;
321 bool machine_readable_output
;
330 const char *status_file
;
331 int status_file_version
;
332 int status_file_update_freq
;
334 /* optimize TUN/TAP/UDP writes */
338 struct compress_options comp
;
349 unsigned int sockflags
;
351 /* route management */
352 const char *route_script
;
353 const char *route_predown_script
;
354 const char *route_default_gateway
;
355 const char *route_ipv6_default_gateway
;
356 int route_default_metric
;
359 int route_delay_window
;
360 bool route_delay_defined
;
361 struct route_option_list
*routes
;
362 struct route_ipv6_option_list
*routes_ipv6
; /* IPv6 */
365 bool route_gateway_via_dhcp
;
366 bool allow_pull_fqdn
; /* as a client, allow server to push a FQDN for certain parameters */
367 struct client_nat_option_list
*client_nat
;
370 /* Enable options consistency check between peers */
374 #ifdef ENABLE_MANAGEMENT
375 const char *management_addr
;
376 const char *management_port
;
377 const char *management_user_pass
;
378 int management_log_history_cache
;
379 int management_echo_buffer_size
;
380 int management_state_buffer_size
;
381 const char *management_write_peer_info_file
;
383 const char *management_client_user
;
384 const char *management_client_group
;
386 /* Mask of MF_ values of manage.h */
387 unsigned int management_flags
;
388 const char *management_certificate
;
392 struct plugin_option_list
*plugin_list
;
400 /* the tmp dir is for now only used in the P2P server context */
403 in_addr_t server_network
;
404 in_addr_t server_netmask
;
405 bool server_ipv6_defined
; /* IPv6 */
406 struct in6_addr server_network_ipv6
; /* IPv6 */
407 unsigned int server_netbits_ipv6
; /* IPv6 */
409 #define SF_NOPOOL (1<<0)
410 #define SF_TCP_NODELAY_HELPER (1<<1)
411 #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
412 unsigned int server_flags
;
414 bool server_bridge_proxy_dhcp
;
416 bool server_bridge_defined
;
417 in_addr_t server_bridge_ip
;
418 in_addr_t server_bridge_netmask
;
419 in_addr_t server_bridge_pool_start
;
420 in_addr_t server_bridge_pool_end
;
422 struct push_list push_list
;
423 bool ifconfig_pool_defined
;
424 in_addr_t ifconfig_pool_start
;
425 in_addr_t ifconfig_pool_end
;
426 in_addr_t ifconfig_pool_netmask
;
427 const char *ifconfig_pool_persist_filename
;
428 int ifconfig_pool_persist_refresh_freq
;
430 bool ifconfig_ipv6_pool_defined
; /* IPv6 */
431 struct in6_addr ifconfig_ipv6_pool_base
; /* IPv6 */
432 int ifconfig_ipv6_pool_netbits
; /* IPv6 */
435 int virtual_hash_size
;
436 const char *client_connect_script
;
437 const char *client_disconnect_script
;
438 const char *learn_address_script
;
439 const char *client_config_dir
;
444 struct iroute
*iroutes
;
445 struct iroute_ipv6
*iroutes_ipv6
; /* IPv6 */
446 bool push_ifconfig_defined
;
447 in_addr_t push_ifconfig_local
;
448 in_addr_t push_ifconfig_remote_netmask
;
449 in_addr_t push_ifconfig_local_alias
;
450 bool push_ifconfig_constraint_defined
;
451 in_addr_t push_ifconfig_constraint_network
;
452 in_addr_t push_ifconfig_constraint_netmask
;
453 bool push_ifconfig_ipv4_blocked
; /* IPv4 */
454 bool push_ifconfig_ipv6_defined
; /* IPv6 */
455 struct in6_addr push_ifconfig_ipv6_local
; /* IPv6 */
456 int push_ifconfig_ipv6_netbits
; /* IPv6 */
457 struct in6_addr push_ifconfig_ipv6_remote
; /* IPv6 */
458 bool push_ifconfig_ipv6_blocked
; /* IPv6 */
464 int max_routes_per_client
;
465 int stale_routes_check_interval
;
466 int stale_routes_ageing_time
;
468 const char *auth_user_pass_verify_script
;
469 bool auth_user_pass_verify_script_via_file
;
470 bool auth_token_generate
;
471 unsigned int auth_token_lifetime
;
473 char *port_share_host
;
474 char *port_share_port
;
475 const char *port_share_journal_dir
;
477 #endif /* if P2MP_SERVER */
480 bool pull
; /* client pull of config options from server */
481 int push_continuation
;
482 unsigned int push_option_types_found
;
483 const char *auth_user_pass_file
;
484 struct options_pre_pull
*pre_pull
;
486 int scheduled_exit_interval
;
488 #ifdef ENABLE_MANAGEMENT
489 struct static_challenge_info sc_info
;
494 const char *shared_secret_file
;
495 const char *shared_secret_file_inline
;
497 const char *ciphername
;
499 const char *ncp_ciphers
;
500 const char *authname
;
502 const char *prng_hash
;
503 int prng_nonce_secret_len
;
506 bool mute_replay_warnings
;
509 const char *packet_id_file
;
511 #ifdef ENABLE_PREDICTION_RESISTANCE
512 bool use_prediction_resistance
;
515 /* TLS (control channel) parms */
521 const char *cert_file
;
522 const char *extra_certs_file
;
523 const char *priv_key_file
;
524 const char *pkcs12_file
;
525 const char *cipher_list
;
526 const char *cipher_list_tls13
;
527 const char *tls_cert_profile
;
528 const char *ecdh_curve
;
529 const char *tls_verify
;
530 int verify_x509_type
;
531 const char *verify_x509_name
;
532 const char *tls_export_cert
;
533 const char *crl_file
;
535 const char *ca_file_inline
;
536 const char *cert_file_inline
;
537 const char *extra_certs_file_inline
;
538 const char *crl_file_inline
;
539 char *priv_key_file_inline
;
540 const char *dh_file_inline
;
541 const char *pkcs12_file_inline
; /* contains the base64 encoding of pkcs12 file */
543 int ns_cert_type
; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
544 unsigned remote_cert_ku
[MAX_PARMS
];
545 const char *remote_cert_eku
;
546 uint8_t *verify_hash
;
547 hash_algo_type verify_hash_algo
;
548 unsigned int ssl_flags
; /* set to SSLF_x flags from ssl.h */
551 const char *pkcs11_providers
[MAX_PARMS
];
552 unsigned pkcs11_private_mode
[MAX_PARMS
];
553 bool pkcs11_protected_authentication
[MAX_PARMS
];
554 bool pkcs11_cert_private
[MAX_PARMS
];
555 int pkcs11_pin_cache_period
;
556 const char *pkcs11_id
;
557 bool pkcs11_id_management
;
560 #ifdef ENABLE_CRYPTOAPI
561 const char *cryptoapi_cert
;
564 /* data channel key exchange method */
567 /* Per-packet timeout on control channel */
570 /* Data channel key renegotiation parameters */
571 int renegotiate_bytes
;
572 int renegotiate_packets
;
573 int renegotiate_seconds
;
574 int renegotiate_seconds_min
;
576 /* Data channel key handshake must finalize
577 * within n seconds of handshake initiation. */
578 int handshake_window
;
580 #ifdef ENABLE_X509ALTUSERNAME
581 /* Field used to be the username in X509 cert. */
582 char *x509_username_field
;
585 /* Old key allowed to live n seconds after new key goes active */
586 int transition_window
;
588 /* Shared secret used for TLS control channel authentication */
589 const char *tls_auth_file
;
590 const char *tls_auth_file_inline
;
592 /* Shared secret used for TLS control channel authenticated encryption */
593 const char *tls_crypt_file
;
594 const char *tls_crypt_inline
;
596 /* Client-specific secret or server key used for TLS control channel
597 * authenticated encryption v2 */
598 const char *tls_crypt_v2_file
;
599 const char *tls_crypt_v2_inline
;
601 const char *tls_crypt_v2_metadata
;
603 const char *tls_crypt_v2_verify_script
;
605 /* Allow only one session */
612 const struct x509_track
*x509_track
;
614 /* special state parms */
615 int foreign_option_index
;
619 const char *exit_event_name
;
620 bool exit_event_initial_state
;
623 bool block_outside_dns
;
629 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
630 /* Keying Material Exporters [RFC 5705] */
631 const char *keying_material_exporter_label
;
632 int keying_material_exporter_length
;
635 struct pull_filter_list
*pull_filter_list
;
637 /* Useful when packets sent by openvpn itself are not subject
638 * to the routing tables that would move packets into the tunnel. */
639 bool allow_recursive_routing
;
/*
 * String equality test.  Both arguments must be non-NULL, NUL-terminated
 * strings: strcmp() on a NULL pointer is undefined behaviour and this macro
 * does not guard against it.  Each argument is evaluated exactly once.
 */
#define streq(x, y) (strcmp((x), (y)) == 0)
/*
 * Option classes.
 *
 * Every option the parser knows belongs to one of these classes.  The same
 * bit values form the `permission_mask` and `*option_types_found` arguments
 * of the option-loading functions declared further down (parse_argv,
 * apply_push_options, options_server_import, options_string_import): the
 * mask presumably selects which classes a given source may set and the
 * found-set records which classes were actually seen -- confirm the exact
 * gating in options.c.
 *
 * NOTE(review): options pushed by the server arrive from the peer (see the
 * `pull` member above), so the mask handed to apply_push_options() is a
 * trust boundary: every class added to it is something a remote server can
 * then change on the client.
 */
#define OPT_P_GENERAL         (1<<0)
#define OPT_P_UP              (1<<1)
#define OPT_P_ROUTE           (1<<2)
#define OPT_P_IPWIN32         (1<<3)
#define OPT_P_SCRIPT          (1<<4)
#define OPT_P_SETENV          (1<<5)
#define OPT_P_SHAPER          (1<<6)
#define OPT_P_TIMER           (1<<7)
#define OPT_P_PERSIST         (1<<8)
#define OPT_P_PERSIST_IP      (1<<9)
#define OPT_P_COMP            (1<<10) /* TODO */
#define OPT_P_MESSAGES        (1<<11)
#define OPT_P_NCP             (1<<12) /**< Negotiable crypto parameters */
#define OPT_P_TLS_PARMS       (1<<13) /* TODO */
#define OPT_P_MTU             (1<<14) /* TODO */
#define OPT_P_NICE            (1<<15)
#define OPT_P_PUSH            (1<<16)
#define OPT_P_INSTANCE        (1<<17)
#define OPT_P_CONFIG          (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO            (1<<20)
#define OPT_P_INHERIT         (1<<21)
#define OPT_P_ROUTE_EXTRAS    (1<<22)
#define OPT_P_PULL_MODE       (1<<23)
#define OPT_P_PLUGIN          (1<<24)
#define OPT_P_SOCKBUF         (1<<25)
#define OPT_P_SOCKFLAGS       (1<<26)
#define OPT_P_CONNECTION      (1<<27)
#define OPT_P_PEER_ID         (1<<28)

/* All classes except the per-instance and pull-mode ones. */
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
680 #define PULL_DEFINED(opt) ((opt)->pull)
682 #define PUSH_DEFINED(opt) ((opt)->push_list)
687 #define PULL_DEFINED(opt) (false)
691 #define PUSH_DEFINED(opt) (false)
695 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
697 #define ROUTE_OPTION_FLAGS(o) (0)
700 #ifdef ENABLE_FEATURE_SHAPER
701 #define SHAPER_DEFINED(opt) ((opt)->shaper)
703 #define SHAPER_DEFINED(opt) (false)
707 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
709 #define PLUGIN_OPTION_LIST(opt) (NULL)
712 #ifdef MANAGEMENT_DEF_AUTH
713 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
715 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
718 void parse_argv(struct options
*options
,
722 const unsigned int permission_mask
,
723 unsigned int *option_types_found
,
/*
 * Reject a missing option argument.  `description` names the option for the
 * diagnostic; how the failure is reported (presumably a fatal message) is
 * decided in options.c, not here.
 */
void notnull(const char *arg, const char *description);

/* Print the short usage summary. */
void usage_small(void);

/* Report the versions of the linked libraries.  `flags` is handed to the
 * logging layer (presumably a msg() level/flag word -- confirm). */
void show_library_versions(const unsigned int flags);

/* Report the host Windows version; `flags` as for show_library_versions(). */
void show_windows_version(const unsigned int flags);
/* Reset *o to its built-in defaults.  When `init_gc` is true the options'
 * own gc arena is presumably initialised as well -- confirm in options.c. */
void init_options(struct options *o, const bool init_gc);

/* Release everything that init_options() and option parsing allocated for
 * *o.
 * NOTE(review): inline key material (e.g. the non-const
 * priv_key_file_inline member above) should be scrubbed here before it is
 * released -- verify in options.c. */
void uninit_options(struct options *o);

/* Export option values into the environment set `es`.  The scripts and
 * plugins configured through the options (--up, --down, --client-connect,
 * ...) presumably inherit this set, so anything exported here is visible to
 * them; keep secrets out. */
void setenv_settings(struct env_set *es, const struct options *o);

/* Log the effective option set for diagnostics.
 * NOTE(review): confirm in options.c that inline keys and shared secrets
 * are not printed verbatim. */
void show_settings(const struct options *o);

/* Compare two optional strings.  Presumably true only when both are set and
 * equal (a NULL never compares equal) -- confirm in options.c. */
bool string_defined_equal(const char *s1, const char *s2);

/* Derive, allocated from `gc`, the version component of the options string
 * `s` (the exact rule lives in options.c). */
const char *options_string_version(const char *s, struct gc_arena *gc);
751 char *options_string(const struct options
*o
,
752 const struct frame
*frame
,
754 openvpn_net_ctx_t
*ctx
,
756 struct gc_arena
*gc
);
/*
 * Options-string consistency checks between peers.
 *
 * `expected` is our own options string; `actual` is, judging by the naming,
 * the one received from the remote side.  The `_safe` variants also take
 * `actual_n`, the size of the buffer holding `actual`, and are the ones to
 * use whenever `actual` was not produced locally -- the unsized variants
 * assume a NUL-terminated string.  `actual` is non-const because the
 * implementation may modify it in place (e.g. to force termination) --
 * confirm in options.c.
 */
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);
void options_warning_safe(char *actual, const char *expected, size_t actual_n);
bool options_cmp_equal(char *actual, const char *expected);
void options_warning(char *actual, const char *expected);
769 * Given an OpenVPN options string, extract the value of an option.
771 * @param options_string Zero-terminated, comma-separated options string
772 * @param opt_name The name of the option to extract
773 * @param gc The gc to allocate the return value
775 * @return gc-allocated value of option with name opt_name if option was found,
/* Value of `opt_name` within the comma-separated `options_string`, copied
 * into `gc` (presumably NULL when the option is absent; the tail of the doc
 * block above is truncated here).  `options_string` is only read. */
char *options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc);
/* Finalise the parsed option set: cross-option consistency checks and
 * derived defaults (details in options.c). */
void options_postprocess(struct options *options);

/* Snapshot the members listed in struct options_pre_pull so that a later
 * pre_pull_restore() can undo modifications made by --pull. */
void pre_pull_save(struct options *o);

/* Restore the snapshot taken by pre_pull_save(); `gc` backs any allocation
 * the restore needs. */
void pre_pull_restore(struct options *o, struct gc_arena *gc);
788 bool apply_push_options(struct options
*options
,
790 unsigned int permission_mask
,
791 unsigned int *option_types_found
,
/* Detach *o from state it shares with its origin so it can be modified
 * independently (presumably by copying the pointed-to members) -- confirm
 * in options.c. */
void options_detach(struct options *o);
796 void options_server_import(struct options
*o
,
797 const char *filename
,
799 unsigned int permission_mask
,
800 unsigned int *option_types_found
,
/* Apply the defaults that hold in --pull mode before any pushed option is
 * processed (exact set in options.c). */
void pre_pull_default(struct options *o);

/* Make sure the route option list(s) of *options are allocated before a
 * route option is appended -- which lists are covered is decided in
 * options.c. */
void rol_check_alloc(struct options *options);
807 int parse_line(const char *line
,
813 struct gc_arena
*gc
);
816 * parse/print topology coding
/* Parse a --topology argument into one of the TOP_x values from proto.h
 * (see the `topology` member above).  `msglevel` is the log level used when
 * `str` is not recognised; the value returned in that case is defined in
 * options.c. */
int parse_topology(const char *str, const int msglevel);

/* Inverse of parse_topology(): the textual name of a TOP_x value. */
const char *print_topology(const int topology);
824 * Manage auth-retry variable
830 #define AR_INTERACT 1
831 #define AR_NOINTERACT 2
/* Current --auth-retry mode (one of the AR_x values above). */
int auth_retry_get(void);

/* Set the --auth-retry mode from its option string.  Presumably returns
 * false, after logging at `msglevel`, when `option` is not a recognised
 * mode -- confirm in options.c. */
bool auth_retry_set(const int msglevel, const char *option);

/* Textual name of the current --auth-retry mode. */
const char *auth_retry_print(void);
841 void options_string_import(struct options
*options
,
844 const unsigned int permission_mask
,
845 unsigned int *option_types_found
,
848 #endif /* ifndef OPTIONS_H */