2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
44 #include "crypto_backend.h"
48 * Maximum number of parameters associated with an option,
49 * including the option name itself.
54 * Max size of options line and parameter.
56 #define OPTION_PARM_SIZE 256
57 #define OPTION_LINE_SIZE 256
59 extern const char title_string
[];
63 /* certain options are saved before --pull modifications are applied */
64 struct options_pre_pull
66 bool tuntap_options_defined
;
67 struct tuntap_options tuntap_options
;
70 struct route_option_list
*routes
;
72 bool routes_ipv6_defined
;
73 struct route_ipv6_option_list
*routes_ipv6
;
75 bool client_nat_defined
;
76 struct client_nat_option_list
*client_nat
;
78 int foreign_option_index
;
82 #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
83 #error "At least one of OpenSSL or mbed TLS needs to be defined."
86 struct connection_entry
90 const char *local_port
;
91 bool local_port_defined
;
92 const char *remote_port
;
99 int connect_retry_seconds
;
100 int connect_retry_seconds_max
;
102 struct http_proxy_options
*http_proxy_options
;
103 const char *socks_proxy_server
;
104 const char *socks_proxy_port
;
105 const char *socks_proxy_authfile
;
107 int tun_mtu
; /* MTU of tun device */
108 bool tun_mtu_defined
; /* true if user overriding parm with command line option */
110 bool tun_mtu_extra_defined
;
111 int link_mtu
; /* MTU of device over which tunnel packets pass via TCP/UDP */
112 bool link_mtu_defined
; /* true if user overriding parm with command line option */
114 /* Advanced MTU negotiation and datagram fragmentation options */
115 int mtu_discover_type
; /* used if OS supports setting Path MTU discovery options on socket */
117 int fragment
; /* internal fragmentation size */
118 int mssfix
; /* Upper bound on TCP MSS */
119 bool mssfix_default
; /* true if --mssfix was supplied without a parameter */
121 int explicit_exit_notification
; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
123 #define CE_DISABLED (1<<0)
124 #define CE_MAN_QUERY_PROXY (1<<1)
125 #define CE_MAN_QUERY_REMOTE_UNDEF 0
126 #define CE_MAN_QUERY_REMOTE_QUERY 1
127 #define CE_MAN_QUERY_REMOTE_ACCEPT 2
128 #define CE_MAN_QUERY_REMOTE_MOD 3
129 #define CE_MAN_QUERY_REMOTE_SKIP 4
130 #define CE_MAN_QUERY_REMOTE_MASK (0x07)
131 #define CE_MAN_QUERY_REMOTE_SHIFT (2)
134 /* Shared secret used for TLS control channel authentication */
135 const char *tls_auth_file
;
136 const char *tls_auth_file_inline
;
139 /* Shared secret used for TLS control channel authenticated encryption */
140 const char *tls_crypt_file
;
141 const char *tls_crypt_inline
;
143 /* Client-specific secret or server key used for TLS control channel
144 * authenticated encryption v2 */
145 const char *tls_crypt_v2_file
;
146 const char *tls_crypt_v2_inline
;
152 const char *remote_port
;
157 #define CONNECTION_LIST_SIZE 64
159 struct connection_list
163 struct connection_entry
*array
[CONNECTION_LIST_SIZE
];
169 struct remote_entry
*array
[CONNECTION_LIST_SIZE
];
172 enum vlan_acceptable_frames
175 VLAN_ONLY_UNTAGGED_OR_PRIORITY
,
179 struct remote_host_store
181 #define RH_HOST_LEN 80
182 char host
[RH_HOST_LEN
];
183 #define RH_PORT_LEN 20
184 char port
[RH_PORT_LEN
];
189 GENKEY_TLS_CRYPTV2_CLIENT
,
190 GENKEY_TLS_CRYPTV2_SERVER
,
194 /* Command line options */
200 /* first config file */
204 #define MODE_POINT_TO_POINT 0
205 #define MODE_SERVER 1
208 /* enable forward compatibility for post-2.1 features */
209 bool forward_compatible
;
210 /* list of options that should be ignored even if unknown */
211 const char **ignore_unknown_option
;
217 const char *key_pass_file
;
221 bool show_tls_ciphers
;
224 enum genkey_type genkey_type
;
225 const char* genkey_filename
;
226 const char* genkey_extra_data
;
228 /* Networking parms */
229 int connect_retry_max
;
230 struct connection_entry ce
;
231 struct connection_list
*connection_list
;
233 struct remote_list
*remote_list
;
234 /* Do not advance the connection or remote addr list */
236 /* Counts the number of unsuccessful connection attempts */
237 unsigned int unsuccessful_attempts
;
239 #if ENABLE_MANAGEMENT
240 struct http_proxy_options
*http_proxy_override
;
243 struct remote_host_store
*rh_store
;
246 const char *ipchange
;
248 const char *dev_type
;
249 const char *dev_node
;
251 int topology
; /* one of the TOP_x values from proto.h */
252 const char *ifconfig_local
;
253 const char *ifconfig_remote_netmask
;
254 const char *ifconfig_ipv6_local
;
255 int ifconfig_ipv6_netbits
;
256 const char *ifconfig_ipv6_remote
;
257 bool ifconfig_noexec
;
258 bool ifconfig_nowarn
;
259 #ifdef ENABLE_FEATURE_SHAPER
269 #ifdef ENABLE_MEMSTATS
275 int keepalive_ping
; /* a proxy for ping/ping-restart */
276 int keepalive_timeout
;
278 int inactivity_timeout
; /* --inactive */
279 int inactivity_minimum_bytes
;
281 int ping_send_timeout
; /* Send a TCP/UDP ping to remote every n seconds */
282 int ping_rec_timeout
; /* Expect a TCP/UDP ping from remote at least once every n seconds */
283 bool ping_timer_remote
; /* Run ping timer only if we have a remote address */
287 #define PING_RESTART 2
288 int ping_rec_timeout_action
; /* What action to take on ping_rec_timeout (exit or restart)? */
290 bool persist_tun
; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
291 bool persist_local_ip
; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
292 bool persist_remote_ip
; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
293 bool persist_key
; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
295 #if PASSTOS_CAPABILITY
299 int resolve_retry_seconds
; /* If hostname resolve fails, retry for n seconds */
300 bool resolve_in_advance
;
301 const char *ip_remote_hint
;
303 struct tuntap_options tuntap_options
;
306 const char *username
;
307 const char *groupname
;
308 const char *chroot_dir
;
310 #ifdef ENABLE_SELINUX
311 char *selinux_context
;
313 const char *writepid
;
314 const char *up_script
;
315 const char *down_script
;
316 bool user_script_used
;
324 /* inetd modes defined in socket.h */
328 bool suppress_timestamps
;
329 bool machine_readable_output
;
338 const char *status_file
;
339 int status_file_version
;
340 int status_file_update_freq
;
342 /* optimize TUN/TAP/UDP writes */
346 struct compress_options comp
;
357 unsigned int sockflags
;
359 /* route management */
360 const char *route_script
;
361 const char *route_predown_script
;
362 const char *route_default_gateway
;
363 const char *route_ipv6_default_gateway
;
364 int route_default_metric
;
367 int route_delay_window
;
368 bool route_delay_defined
;
369 struct route_option_list
*routes
;
370 struct route_ipv6_option_list
*routes_ipv6
; /* IPv6 */
373 bool route_gateway_via_dhcp
;
374 bool allow_pull_fqdn
; /* as a client, allow server to push a FQDN for certain parameters */
375 struct client_nat_option_list
*client_nat
;
378 /* Enable options consistency check between peers */
382 #ifdef ENABLE_MANAGEMENT
383 const char *management_addr
;
384 const char *management_port
;
385 const char *management_user_pass
;
386 int management_log_history_cache
;
387 int management_echo_buffer_size
;
388 int management_state_buffer_size
;
389 const char *management_write_peer_info_file
;
391 const char *management_client_user
;
392 const char *management_client_group
;
394 /* Mask of MF_ values of manage.h */
395 unsigned int management_flags
;
396 const char *management_certificate
;
400 struct plugin_option_list
*plugin_list
;
408 /* the tmp dir is for now only used in the P2P server context */
411 in_addr_t server_network
;
412 in_addr_t server_netmask
;
413 bool server_ipv6_defined
; /* IPv6 */
414 struct in6_addr server_network_ipv6
; /* IPv6 */
415 unsigned int server_netbits_ipv6
; /* IPv6 */
417 #define SF_NOPOOL (1<<0)
418 #define SF_TCP_NODELAY_HELPER (1<<1)
419 #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
420 unsigned int server_flags
;
422 bool server_bridge_proxy_dhcp
;
424 bool server_bridge_defined
;
425 in_addr_t server_bridge_ip
;
426 in_addr_t server_bridge_netmask
;
427 in_addr_t server_bridge_pool_start
;
428 in_addr_t server_bridge_pool_end
;
430 struct push_list push_list
;
431 bool ifconfig_pool_defined
;
432 in_addr_t ifconfig_pool_start
;
433 in_addr_t ifconfig_pool_end
;
434 in_addr_t ifconfig_pool_netmask
;
435 const char *ifconfig_pool_persist_filename
;
436 int ifconfig_pool_persist_refresh_freq
;
438 bool ifconfig_ipv6_pool_defined
; /* IPv6 */
439 struct in6_addr ifconfig_ipv6_pool_base
; /* IPv6 */
440 int ifconfig_ipv6_pool_netbits
; /* IPv6 */
443 int virtual_hash_size
;
444 const char *client_connect_script
;
445 const char *client_disconnect_script
;
446 const char *learn_address_script
;
447 const char *client_config_dir
;
452 struct iroute
*iroutes
;
453 struct iroute_ipv6
*iroutes_ipv6
; /* IPv6 */
454 bool push_ifconfig_defined
;
455 in_addr_t push_ifconfig_local
;
456 in_addr_t push_ifconfig_remote_netmask
;
457 in_addr_t push_ifconfig_local_alias
;
458 bool push_ifconfig_constraint_defined
;
459 in_addr_t push_ifconfig_constraint_network
;
460 in_addr_t push_ifconfig_constraint_netmask
;
461 bool push_ifconfig_ipv4_blocked
; /* IPv4 */
462 bool push_ifconfig_ipv6_defined
; /* IPv6 */
463 struct in6_addr push_ifconfig_ipv6_local
; /* IPv6 */
464 int push_ifconfig_ipv6_netbits
; /* IPv6 */
465 struct in6_addr push_ifconfig_ipv6_remote
; /* IPv6 */
466 bool push_ifconfig_ipv6_blocked
; /* IPv6 */
472 int max_routes_per_client
;
473 int stale_routes_check_interval
;
474 int stale_routes_ageing_time
;
476 const char *auth_user_pass_verify_script
;
477 bool auth_user_pass_verify_script_via_file
;
478 bool auth_token_generate
;
479 bool auth_token_gen_secret_file
;
480 bool auth_token_call_auth
;
481 int auth_token_lifetime
;
482 const char *auth_token_secret_file
;
483 const char *auth_token_secret_file_inline
;
486 char *port_share_host
;
487 char *port_share_port
;
488 const char *port_share_journal_dir
;
490 #endif /* if P2MP_SERVER */
493 bool pull
; /* client pull of config options from server */
494 int push_continuation
;
495 unsigned int push_option_types_found
;
496 const char *auth_user_pass_file
;
497 struct options_pre_pull
*pre_pull
;
499 int scheduled_exit_interval
;
501 #ifdef ENABLE_MANAGEMENT
502 struct static_challenge_info sc_info
;
507 const char *shared_secret_file
;
508 const char *shared_secret_file_inline
;
510 const char *ciphername
;
512 const char *ncp_ciphers
;
513 const char *authname
;
515 const char *prng_hash
;
516 int prng_nonce_secret_len
;
519 bool mute_replay_warnings
;
522 const char *packet_id_file
;
524 #ifdef ENABLE_PREDICTION_RESISTANCE
525 bool use_prediction_resistance
;
528 /* TLS (control channel) parms */
534 const char *cert_file
;
535 const char *extra_certs_file
;
536 const char *priv_key_file
;
537 const char *pkcs12_file
;
538 const char *cipher_list
;
539 const char *cipher_list_tls13
;
540 const char *tls_cert_profile
;
541 const char *ecdh_curve
;
542 const char *tls_verify
;
543 int verify_x509_type
;
544 const char *verify_x509_name
;
545 const char *tls_export_cert
;
546 const char *crl_file
;
548 const char *ca_file_inline
;
549 const char *cert_file_inline
;
550 const char *extra_certs_file_inline
;
551 const char *crl_file_inline
;
552 char *priv_key_file_inline
;
553 const char *dh_file_inline
;
554 const char *pkcs12_file_inline
; /* contains the base64 encoding of pkcs12 file */
556 int ns_cert_type
; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
557 unsigned remote_cert_ku
[MAX_PARMS
];
558 const char *remote_cert_eku
;
559 uint8_t *verify_hash
;
560 hash_algo_type verify_hash_algo
;
561 unsigned int ssl_flags
; /* set to SSLF_x flags from ssl.h */
564 const char *pkcs11_providers
[MAX_PARMS
];
565 unsigned pkcs11_private_mode
[MAX_PARMS
];
566 bool pkcs11_protected_authentication
[MAX_PARMS
];
567 bool pkcs11_cert_private
[MAX_PARMS
];
568 int pkcs11_pin_cache_period
;
569 const char *pkcs11_id
;
570 bool pkcs11_id_management
;
573 #ifdef ENABLE_CRYPTOAPI
574 const char *cryptoapi_cert
;
577 /* data channel key exchange method */
580 /* Per-packet timeout on control channel */
583 /* Data channel key renegotiation parameters */
584 int renegotiate_bytes
;
585 int renegotiate_packets
;
586 int renegotiate_seconds
;
587 int renegotiate_seconds_min
;
589 /* Data channel key handshake must finalize
590 * within n seconds of handshake initiation. */
591 int handshake_window
;
593 #ifdef ENABLE_X509ALTUSERNAME
594 /* Field to use as the username from the X509 cert. */
595 char *x509_username_field
;
598 /* Old key allowed to live n seconds after new key goes active */
599 int transition_window
;
601 /* Shared secret used for TLS control channel authentication */
602 const char *tls_auth_file
;
603 const char *tls_auth_file_inline
;
605 /* Shared secret used for TLS control channel authenticated encryption */
606 const char *tls_crypt_file
;
607 const char *tls_crypt_inline
;
609 /* Client-specific secret or server key used for TLS control channel
610 * authenticated encryption v2 */
611 const char *tls_crypt_v2_file
;
612 const char *tls_crypt_v2_inline
;
614 const char *tls_crypt_v2_metadata
;
616 const char *tls_crypt_v2_verify_script
;
618 /* Allow only one session */
625 const struct x509_track
*x509_track
;
627 /* special state parms */
628 int foreign_option_index
;
632 const char *exit_event_name
;
633 bool exit_event_initial_state
;
636 bool block_outside_dns
;
643 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
644 /* Keying Material Exporters [RFC 5705] */
645 const char *keying_material_exporter_label
;
646 int keying_material_exporter_length
;
650 enum vlan_acceptable_frames vlan_accept
;
653 struct pull_filter_list
*pull_filter_list
;
655 /* Useful when packets sent by openvpn itself are not subject
656 * to the routing tables that would move packets into the tunnel. */
657 bool allow_recursive_routing
;
/* Plain C-string equality.  Both x and y must be non-NULL (strcmp() on NULL is
 * undefined behaviour) and NUL-terminated.  Each argument is evaluated once.
 * Not constant-time, so do not use it to compare secrets. */
#define streq(x, y) (!strcmp((x), (y)))
/* Option-class bits.  The `permission_mask` parameters of parse_argv(),
 * apply_push_options() and options_string_import() declared below are plain
 * unsigned int masks, presumably built from these values — confirm in
 * options.c.  The TODO markers are the original author's. */
#define OPT_P_GENERAL         (1<<0)
#define OPT_P_UP              (1<<1)
#define OPT_P_ROUTE           (1<<2)
#define OPT_P_IPWIN32         (1<<3)
#define OPT_P_SCRIPT          (1<<4)
#define OPT_P_SETENV          (1<<5)
#define OPT_P_SHAPER          (1<<6)
#define OPT_P_TIMER           (1<<7)
#define OPT_P_PERSIST         (1<<8)
#define OPT_P_PERSIST_IP      (1<<9)
#define OPT_P_COMP            (1<<10) /* TODO */
#define OPT_P_MESSAGES        (1<<11)
#define OPT_P_NCP             (1<<12) /**< Negotiable crypto parameters */
#define OPT_P_TLS_PARMS       (1<<13) /* TODO */
#define OPT_P_MTU             (1<<14) /* TODO */
#define OPT_P_NICE            (1<<15)
#define OPT_P_PUSH            (1<<16)
#define OPT_P_INSTANCE        (1<<17)
#define OPT_P_CONFIG          (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO            (1<<20)
#define OPT_P_INHERIT         (1<<21)
#define OPT_P_ROUTE_EXTRAS    (1<<22)
#define OPT_P_PULL_MODE       (1<<23)
#define OPT_P_PLUGIN          (1<<24)
#define OPT_P_SOCKBUF         (1<<25)
#define OPT_P_SOCKFLAGS       (1<<26)
#define OPT_P_CONNECTION      (1<<27)
#define OPT_P_PEER_ID         (1<<28)

/* Every class except per-instance and pull-mode options.  This is a bitwise
 * complement, so any class added above is part of the default set unless it
 * is explicitly excluded here. */
#define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
698 #define PULL_DEFINED(opt) ((opt)->pull)
700 #define PUSH_DEFINED(opt) ((opt)->push_list)
705 #define PULL_DEFINED(opt) (false)
709 #define PUSH_DEFINED(opt) (false)
713 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
715 #define ROUTE_OPTION_FLAGS(o) (0)
718 #ifdef ENABLE_FEATURE_SHAPER
719 #define SHAPER_DEFINED(opt) ((opt)->shaper)
721 #define SHAPER_DEFINED(opt) (false)
725 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
727 #define PLUGIN_OPTION_LIST(opt) (NULL)
730 #ifdef MANAGEMENT_DEF_AUTH
731 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
733 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
736 void parse_argv(struct options
*options
,
740 const unsigned int permission_mask
,
741 unsigned int *option_types_found
,
/* NOTE(review): the one-line descriptions below are inferred from names and
 * parameter lists only — confirm each against its definition in options.c. */

/* Presumably fails with a usage error naming `description` when `arg` is
 * NULL. */
void notnull(const char *arg, const char *description);

/* Short usage text. */
void usage_small(void);

/* Versions of the linked libraries; `flags` is passed through to the logger
 * (its exact meaning is not visible here). */
void show_library_versions(const unsigned int flags);

/* Windows version information (likely guarded by a Windows-only #ifdef in
 * the original; not visible here). */
void show_windows_version(const unsigned int flags);

/* Reset `o` to defaults; `init_gc` appears to select whether its gc arena is
 * initialised as well. */
void init_options(struct options *o, const bool init_gc);

/* Release resources owned by `o` (inverse of init_options()). */
void uninit_options(struct options *o);

/* Export selected settings from `o` into the environment set `es`. */
void setenv_settings(struct env_set *es, const struct options *o);

/* Log the effective settings in `o`. */
void show_settings(const struct options *o);

/* Equality of two strings that may each be NULL (NULL handling differs from
 * streq(), which requires non-NULL arguments — confirm the NULL semantics). */
bool string_defined_equal(const char *s1, const char *s2);

/* Version-stamped form of options string `s`, allocated from `gc`. */
const char *options_string_version(const char *s, struct gc_arena *gc);
769 char *options_string(const struct options
*o
,
770 const struct frame
*frame
,
772 openvpn_net_ctx_t
*ctx
,
774 struct gc_arena
*gc
);
/* NOTE(review): descriptions inferred from names and signatures — confirm in
 * options.c. */

/* Compare a peer-supplied options string `actual` against `expected`.
 * `actual_n` is the size of the `actual` buffer; `actual` is deliberately
 * non-const, so the callee may write to it (e.g. to force NUL termination) —
 * confirm before passing a read-only buffer. */
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);

/* Like options_cmp_equal_safe() but only logs a warning on mismatch. */
void options_warning_safe(char *actual, const char *expected, size_t actual_n);

/* Unbounded variants: `actual` must already be NUL-terminated. */
bool options_cmp_equal(char *actual, const char *expected);
void options_warning(char *actual, const char *expected);

/**
 * Given an OpenVPN options string, extract the value of an option.
 *
 * @param options_string Zero-terminated, comma-separated options string
 * @param opt_name       The name of the option to extract
 * @param gc             The gc arena from which the return value is allocated
 *
 * @return gc-allocated value of option with name opt_name if option was found,
 *         presumably NULL otherwise (the original text is truncated here —
 *         confirm against the definition).
 */
char *options_string_extract_option(const char *options_string,
                                    const char *opt_name, struct gc_arena *gc);

/* Validate and finalise `options` after every source has been parsed. */
void options_postprocess(struct options *options);

/* Snapshot the pre-pull state of `o` (see struct options_pre_pull above) and
 * restore it later, allocating from `gc`. */
void pre_pull_save(struct options *o);
void pre_pull_restore(struct options *o, struct gc_arena *gc);
806 bool apply_push_options(struct options
*options
,
808 unsigned int permission_mask
,
809 unsigned int *option_types_found
,
/* Detach `o` from any state it shares with other options objects (inferred
 * from the name — confirm what is copied in options.c). */
void options_detach(struct options *o);
814 void options_server_import(struct options
*o
,
815 const char *filename
,
817 unsigned int permission_mask
,
818 unsigned int *option_types_found
,
/* Apply the defaults used before a --pull has been processed (inferred from
 * the name — confirm). */
void pre_pull_default(struct options *o);

/* Ensure the route option list of `options` is allocated before use
 * (inferred from the name — confirm). */
void rol_check_alloc(struct options *options);
825 int parse_line(const char *line
,
831 struct gc_arena
*gc
);
/*
 * parse/print topology coding
 */

/* Parse a --topology argument; `msglevel` is the log level used when `str`
 * is not recognised (the failure return value is not visible here). */
int parse_topology(const char *str, const int msglevel);

/* Human-readable name of a TOP_x value (see the `topology` field of
 * struct options, which refers to proto.h). */
const char *print_topology(const int topology);
/*
 * Manage auth-retry variable
 */

/* auth-retry modes (the complete set may include values not shown here). */
#define AR_INTERACT   1
#define AR_NOINTERACT 2

/* Accessors for the auth-retry variable: the getter returns the current
 * mode, the setter parses `option` and reports failure through its return
 * value (logging at `msglevel`), and auth_retry_print() returns the current
 * mode's name.  Since no options object is passed, the variable is presumably
 * file-scope in options.c — confirm. */
int auth_retry_get(void);
bool auth_retry_set(const int msglevel, const char *option);
const char *auth_retry_print(void);
859 void options_string_import(struct options
*options
,
862 const unsigned int permission_mask
,
863 unsigned int *option_types_found
,
866 #endif /* ifndef OPTIONS_H */