src/openvpn/options.h

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License version 2
  12  *  as published by the Free Software Foundation.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License along
  20  *  with this program; if not, write to the Free Software Foundation, Inc.,
  21  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  22  */
  23
  24 /*
  25  * 2004-01-28: Added Socks5 proxy support
  26  *   (Christof Meerwald, http://cmeerw.org)
  27  */
  28
  29 #ifndef OPTIONS_H
  30 #define OPTIONS_H
  31
  32 #include "basic.h"
  33 #include "common.h"
  34 #include "mtu.h"
  35 #include "route.h"
  36 #include "tun.h"
  37 #include "socket.h"
  38 #include "plugin.h"
  39 #include "manage.h"
  40 #include "proxy.h"
  41 #include "comp.h"
  42 #include "pushlist.h"
  43 #include "clinat.h"
  44 #include "crypto_backend.h"
  45 #include "dns.h"
  46
  47
  48 /*
  49  * Maximum number of parameters associated with an option,
  50  * including the option name itself.
  51  */
  52 #define MAX_PARMS 16
  53
  54 /*
  55  * Max size of options line and parameter.
  56  */
  57 #define OPTION_PARM_SIZE 256
  58 #define OPTION_LINE_SIZE 256
  59
  60 extern const char title_string[];
  61
  62 /* certain options are saved before --pull modifications are applied */
  63 struct options_pre_connect
  64 {
  65     bool tuntap_options_defined;
  66     struct tuntap_options tuntap_options;
  67
  68     bool routes_defined;
  69     struct route_option_list *routes;
  70
  71     bool routes_ipv6_defined;
  72     struct route_ipv6_option_list *routes_ipv6;
  73
  74     const char *route_default_gateway;
  75     const char *route_ipv6_default_gateway;
  76
  77     bool client_nat_defined;
  78     struct client_nat_option_list *client_nat;
  79
  80     struct dns_options dns_options;
  81
  82     const char *ciphername;
  83     const char *authname;
  84
  85     int ping_send_timeout;
  86     int ping_rec_timeout;
  87     int ping_rec_timeout_action;
  88
  89     int foreign_option_index;
  90     struct compress_options comp;
  91 };
  92
  93 #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
  94 #error "At least one of OpenSSL or mbed TLS needs to be defined."
  95 #endif
  96
  97 struct local_entry
  98 {
  99     const char *local;
 100     const char *port;
 101     int proto;
 102 };
 103
 104 struct connection_entry
 105 {
 106     struct local_list *local_list;
 107     int proto;
 108     sa_family_t af;
 109     const char *local_port;
 110     bool local_port_defined;
 111     const char *remote_port;
 112     const char *remote;
 113     bool remote_float;
 114     bool bind_defined;
 115     bool bind_ipv6_only;
 116     bool bind_local;
 117     int connect_retry_seconds;
 118     int connect_retry_seconds_max;
 119     int connect_timeout;
 120     struct http_proxy_options *http_proxy_options;
 121     const char *socks_proxy_server;
 122     const char *socks_proxy_port;
 123     const char *socks_proxy_authfile;
 124
 125     int tun_mtu;         /* MTU of tun device */
 126     int occ_mtu;         /* if non-null, this is the MTU we announce to peers in OCC */
 127     int tun_mtu_max;     /* maximum MTU that can be pushed */
 128
 129     bool tun_mtu_defined; /* true if user overriding parm with command line option */
 130     int tun_mtu_extra;
 131     bool tun_mtu_extra_defined;
 132     int link_mtu;        /* MTU of device over which tunnel packets pass via TCP/UDP */
 133     bool link_mtu_defined; /* true if user overriding parm with command line option */
 134     int tls_mtu;         /* Maximum MTU for the control channel messages */
 135
 136     /* Advanced MTU negotiation and datagram fragmentation options */
 137     int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
 138
 139     int fragment;        /* internal fragmentation size */
 140     bool fragment_encap; /* true if --fragment had the "mtu" parameter to
 141                           * include overhead from IP and TCP/UDP encapsulation */
 142     int mssfix;          /* Upper bound on TCP MSS */
 143     bool mssfix_default; /* true if --mssfix should use the default parameters */
 144     bool mssfix_encap;   /* true if --mssfix had the "mtu" parameter to include
 145                           * overhead from IP and TCP/UDP encapsulation */
 146     bool mssfix_fixed;   /* use the mssfix value without any encapsulation adjustments */
 147
 148     int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
 149
 150 #define CE_DISABLED (1<<0)
 151 #define CE_MAN_QUERY_PROXY (1<<1)
 152 #define CE_MAN_QUERY_REMOTE_UNDEF  0
 153 #define CE_MAN_QUERY_REMOTE_QUERY  1
 154 #define CE_MAN_QUERY_REMOTE_ACCEPT 2
 155 #define CE_MAN_QUERY_REMOTE_MOD    3
 156 #define CE_MAN_QUERY_REMOTE_SKIP   4
 157 #define CE_MAN_QUERY_REMOTE_MASK   (0x07)
 158 #define CE_MAN_QUERY_REMOTE_SHIFT  (2)
 159     unsigned int flags;
 160
 161     /* Shared secret used for TLS control channel authentication */
 162     const char *tls_auth_file;
 163     bool tls_auth_file_inline;
 164     int key_direction;
 165
 166     /* Shared secret used for TLS control channel authenticated encryption */
 167     const char *tls_crypt_file;
 168     bool tls_crypt_file_inline;
 169
 170     /* Client-specific secret or server key used for TLS control channel
 171      * authenticated encryption v2 */
 172     const char *tls_crypt_v2_file;
 173     bool tls_crypt_v2_file_inline;
 174
 175     /* Allow only client that support resending the wrapped client key */
 176     bool tls_crypt_v2_force_cookie;
 177 };
 178
 179 struct remote_entry
 180 {
 181     const char *remote;
 182     const char *remote_port;
 183     int proto;
 184     sa_family_t af;
 185 };
 186
 187 #define CONNECTION_LIST_SIZE 64
 188
 189 struct local_list
 190 {
 191     int capacity;
 192     int len;
 193     struct local_entry **array;
 194 };
 195
 196 struct connection_list
 197 {
 198     int capacity;
 199     int len;
 200     int current;
 201     struct connection_entry **array;
 202 };
 203
 204 struct remote_list
 205 {
 206     int capacity;
 207     int len;
 208     struct remote_entry **array;
 209 };
 210
 211 struct provider_list
 212 {
 213     /* Names of the providers */
 214     const char *names[MAX_PARMS];
 215     /* Pointers to the loaded providers to unload them */
 216     provider_t *providers[MAX_PARMS];
 217 };
 218
 219 enum vlan_acceptable_frames
 220 {
 221     VLAN_ONLY_TAGGED,
 222     VLAN_ONLY_UNTAGGED_OR_PRIORITY,
 223     VLAN_ALL,
 224 };
 225
 226 struct remote_host_store
 227 {
 228 #define RH_HOST_LEN 80
 229     char host[RH_HOST_LEN];
 230 #define RH_PORT_LEN 20
 231     char port[RH_PORT_LEN];
 232 };
 233
 234 enum genkey_type {
 235     GENKEY_SECRET,
 236     GENKEY_TLS_CRYPTV2_CLIENT,
 237     GENKEY_TLS_CRYPTV2_SERVER,
 238     GENKEY_AUTH_TOKEN
 239 };
 240
 241 struct verify_hash_list
 242 {
 243     /* We support SHA256 and SHA1 fingerpint. In the case of using the
 244      * deprecated SHA1, only the first 20 bytes of each list item are used */
 245     uint8_t hash[SHA256_DIGEST_LENGTH];
 246     struct verify_hash_list *next;
 247 };
 248
 249 /* Command line options */
 250 struct options
 251 {
 252     struct gc_arena gc;
 253     bool gc_owned;
 254
 255     /* first config file */
 256     const char *config;
 257
 258     /* major mode */
 259 #define MODE_POINT_TO_POINT 0
 260 #define MODE_SERVER         1
 261     int mode;
 262
 263     /* enable forward compatibility for post-2.1 features */
 264     bool forward_compatible;
 265     /** What version we should try to be compatible with as major * 10000 +
 266      * minor * 100 + patch, e.g. 2.4.7 => 20407 */
 267     unsigned int backwards_compatible;
 268
 269     /* list of options that should be ignored even if unknown */
 270     const char **ignore_unknown_option;
 271
 272     /* persist parms */
 273     bool persist_config;
 274     int persist_mode;
 275
 276     const char *key_pass_file;
 277     bool show_ciphers;
 278     bool show_digests;
 279     bool show_engines;
 280     bool show_tls_ciphers;
 281     bool show_curves;
 282     bool genkey;
 283     enum genkey_type genkey_type;
 284     const char *genkey_filename;
 285     const char *genkey_extra_data;
 286
 287     /* Networking parms */
 288     int connect_retry_max;
 289     struct connection_entry ce;
 290     struct connection_list *connection_list;
 291
 292     struct remote_list *remote_list;
 293     /* Do not advance the connection or remote addr list */
 294     bool no_advance;
 295     /* Advance directly to the next remote, skipping remaining addresses of the
 296      * current remote */
 297     bool advance_next_remote;
 298     /* Counts the number of unsuccessful connection attempts */
 299     unsigned int unsuccessful_attempts;
 300     /* count of connection entries to advance by when no_advance is not set */
 301     int ce_advance_count;
 302     /* the server can suggest a backoff time to the client, it
 303      * will still be capped by the max timeout between connections
 304      * (300s by default) */
 305     int server_backoff_time;
 306
 307 #if ENABLE_MANAGEMENT
 308     struct http_proxy_options *http_proxy_override;
 309 #endif
 310
 311     struct remote_host_store *rh_store;
 312
 313     struct dns_options dns_options;
 314
 315     bool remote_random;
 316     const char *ipchange;
 317     const char *dev;
 318     const char *dev_type;
 319     const char *dev_node;
 320     const char *lladdr;
 321     int topology; /* one of the TOP_x values from proto.h */
 322     const char *ifconfig_local;
 323     const char *ifconfig_remote_netmask;
 324     const char *ifconfig_ipv6_local;
 325     int ifconfig_ipv6_netbits;
 326     const char *ifconfig_ipv6_remote;
 327     bool ifconfig_noexec;
 328     bool ifconfig_nowarn;
 329     int shaper;
 330
 331     int proto_force;
 332
 333     bool mtu_test;
 334
 335 #ifdef ENABLE_MEMSTATS
 336     char *memstats_fn;
 337 #endif
 338
 339     bool mlock;
 340
 341     int keepalive_ping;         /* a proxy for ping/ping-restart */
 342     int keepalive_timeout;
 343
 344     int inactivity_timeout;     /* --inactive */
 345     int64_t inactivity_minimum_bytes;
 346
 347     int session_timeout;        /* Force-kill session after n seconds */
 348
 349     int ping_send_timeout;      /* Send a TCP/UDP ping to remote every n seconds */
 350     int ping_rec_timeout;       /* Expect a TCP/UDP ping from remote at least once every n seconds */
 351     bool ping_timer_remote;     /* Run ping timer only if we have a remote address */
 352
 353 #define PING_UNDEF   0
 354 #define PING_EXIT    1
 355 #define PING_RESTART 2
 356     int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
 357
 358     bool persist_tun;           /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
 359     bool persist_local_ip;      /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
 360     bool persist_remote_ip;     /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
 361
 362 #if PASSTOS_CAPABILITY
 363     bool passtos;
 364 #endif
 365
 366     int resolve_retry_seconds;  /* If hostname resolve fails, retry for n seconds */
 367     bool resolve_in_advance;
 368     const char *ip_remote_hint;
 369
 370     struct tuntap_options tuntap_options;
 371     /* DCO is disabled and should not be used as backend driver for the
 372      * tun/tap device */
 373     bool disable_dco;
 374
 375     /* Misc parms */
 376     const char *username;
 377     const char *groupname;
 378     const char *chroot_dir;
 379     const char *cd_dir;
 380 #ifdef ENABLE_SELINUX
 381     char *selinux_context;
 382 #endif
 383     const char *writepid;
 384     const char *up_script;
 385     const char *down_script;
 386     bool user_script_used;
 387     bool down_pre;
 388     bool up_delay;
 389     bool up_restart;
 390     bool daemon;
 391
 392     int remap_sigusr1;
 393
 394     bool log;
 395     bool suppress_timestamps;
 396     bool machine_readable_output;
 397     int nice;
 398     int verbosity;
 399     int mute;
 400
 401 #ifdef ENABLE_DEBUG
 402     int gremlin;
 403 #endif
 404
 405     const char *status_file;
 406     int status_file_version;
 407     int status_file_update_freq;
 408
 409     /* optimize TUN/TAP/UDP writes */
 410     bool fast_io;
 411
 412     struct compress_options comp;
 413
 414     /* buffer sizes */
 415     int rcvbuf;
 416     int sndbuf;
 417
 418     /* mark value */
 419     int mark;
 420     char *bind_dev;
 421
 422     /* socket flags */
 423     unsigned int sockflags;
 424
 425     /* route management */
 426     const char *route_script;
 427     const char *route_predown_script;
 428     const char *route_default_gateway;
 429     const char *route_ipv6_default_gateway;
 430     int route_default_table_id;
 431     int route_default_metric;
 432     bool route_noexec;
 433     int route_delay;
 434     int route_delay_window;
 435     bool route_delay_defined;
 436     struct route_option_list *routes;
 437     struct route_ipv6_option_list *routes_ipv6;                 /* IPv6 */
 438     bool block_ipv6;
 439     bool route_nopull;
 440     bool route_gateway_via_dhcp;
 441     bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 442     struct client_nat_option_list *client_nat;
 443
 444     /* Enable options consistency check between peers */
 445     bool occ;
 446
 447 #ifdef ENABLE_MANAGEMENT
 448     const char *management_addr;
 449     const char *management_port;
 450     const char *management_user_pass;
 451     int management_log_history_cache;
 452     int management_echo_buffer_size;
 453     int management_state_buffer_size;
 454
 455     const char *management_client_user;
 456     const char *management_client_group;
 457
 458     const char *management_certificate;
 459 #endif
 460     /* Mask of MF_ values of manage.h */
 461     unsigned int management_flags;
 462
 463 #ifdef ENABLE_PLUGIN
 464     struct plugin_option_list *plugin_list;
 465 #endif
 466
 467     /* the tmp dir is for now only used in the P2P server context */
 468     const char *tmp_dir;
 469     bool server_defined;
 470     in_addr_t server_network;
 471     in_addr_t server_netmask;
 472     bool server_ipv6_defined;                           /* IPv6 */
 473     struct in6_addr server_network_ipv6;                /* IPv6 */
 474     unsigned int server_netbits_ipv6;                   /* IPv6 */
 475
 476 #define SF_NOPOOL (1<<0)
 477 #define SF_TCP_NODELAY_HELPER (1<<1)
 478 #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
 479     unsigned int server_flags;
 480
 481     bool server_bridge_proxy_dhcp;
 482
 483     bool server_bridge_defined;
 484     in_addr_t server_bridge_ip;
 485     in_addr_t server_bridge_netmask;
 486     in_addr_t server_bridge_pool_start;
 487     in_addr_t server_bridge_pool_end;
 488
 489     struct push_list push_list;
 490     bool ifconfig_pool_defined;
 491     in_addr_t ifconfig_pool_start;
 492     in_addr_t ifconfig_pool_end;
 493     in_addr_t ifconfig_pool_netmask;
 494     const char *ifconfig_pool_persist_filename;
 495     int ifconfig_pool_persist_refresh_freq;
 496
 497     bool ifconfig_ipv6_pool_defined;                    /* IPv6 */
 498     struct in6_addr ifconfig_ipv6_pool_base;            /* IPv6 */
 499     int ifconfig_ipv6_pool_netbits;                     /* IPv6 */
 500
 501     int real_hash_size;
 502     int virtual_hash_size;
 503     const char *client_connect_script;
 504     const char *client_disconnect_script;
 505     const char *learn_address_script;
 506     const char *client_crresponse_script;
 507     const char *client_config_dir;
 508     bool ccd_exclusive;
 509     bool disable;
 510     const char *override_username;
 511     int n_bcast_buf;
 512     int tcp_queue_limit;
 513     struct iroute *iroutes;
 514     struct iroute_ipv6 *iroutes_ipv6;                   /* IPv6 */
 515     bool push_ifconfig_defined;
 516     in_addr_t push_ifconfig_local;
 517     in_addr_t push_ifconfig_remote_netmask;
 518     in_addr_t push_ifconfig_local_alias;
 519     bool push_ifconfig_constraint_defined;
 520     in_addr_t push_ifconfig_constraint_network;
 521     in_addr_t push_ifconfig_constraint_netmask;
 522     bool push_ifconfig_ipv4_blocked;                    /* IPv4 */
 523     bool push_ifconfig_ipv6_defined;                    /* IPv6 */
 524     struct in6_addr push_ifconfig_ipv6_local;           /* IPv6 */
 525     int push_ifconfig_ipv6_netbits;                     /* IPv6 */
 526     struct in6_addr push_ifconfig_ipv6_remote;          /* IPv6 */
 527     bool push_ifconfig_ipv6_blocked;                    /* IPv6 */
 528     bool enable_c2c;
 529     bool duplicate_cn;
 530
 531     int cf_max;
 532     int cf_per;
 533
 534     int cf_initial_max;
 535     int cf_initial_per;
 536
 537     int max_clients;
 538     int max_routes_per_client;
 539     int stale_routes_check_interval;
 540     int stale_routes_ageing_time;
 541
 542     const char *auth_user_pass_verify_script;
 543     bool auth_user_pass_verify_script_via_file;
 544     bool auth_token_generate;
 545     bool auth_token_call_auth;
 546     int auth_token_lifetime;
 547     int auth_token_renewal;
 548     const char *auth_token_secret_file;
 549     bool auth_token_secret_file_inline;
 550
 551 #if PORT_SHARE
 552     char *port_share_host;
 553     char *port_share_port;
 554     const char *port_share_journal_dir;
 555 #endif
 556
 557     bool client;
 558     bool pull; /* client pull of config options from server */
 559     int push_continuation;
 560     unsigned int push_option_types_found;
 561     const char *auth_user_pass_file;
 562     bool auth_user_pass_file_inline;
 563     struct options_pre_connect *pre_connect;
 564
 565     int scheduled_exit_interval;
 566
 567 #ifdef ENABLE_MANAGEMENT
 568     struct static_challenge_info sc_info;
 569 #endif
 570     /* Cipher parms */
 571     const char *shared_secret_file;
 572     bool shared_secret_file_inline;
 573     bool allow_deprecated_insecure_static_crypto;
 574     int key_direction;
 575     const char *ciphername;
 576     bool enable_ncp_fallback;      /**< If defined fall back to
 577                                    * ciphername if NCP fails */
 578     /** The original ncp_ciphers specified by the user in the configuration*/
 579     const char *ncp_ciphers_conf;
 580     const char *ncp_ciphers;
 581     const char *authname;
 582     const char *engine;
 583     struct provider_list providers;
 584     bool mute_replay_warnings;
 585     int replay_window;
 586     int replay_time;
 587     const char *packet_id_file;
 588     bool test_crypto;
 589 #ifdef ENABLE_PREDICTION_RESISTANCE
 590     bool use_prediction_resistance;
 591 #endif
 592
 593     /* TLS (control channel) parms */
 594     bool tls_server;
 595     bool tls_client;
 596     const char *ca_file;
 597     bool ca_file_inline;
 598     const char *ca_path;
 599     const char *dh_file;
 600     bool dh_file_inline;
 601     const char *cert_file;
 602     bool cert_file_inline;
 603     const char *extra_certs_file;
 604     bool extra_certs_file_inline;
 605     const char *priv_key_file;
 606     bool priv_key_file_inline;
 607     const char *pkcs12_file;
 608     bool pkcs12_file_inline;
 609     const char *cipher_list;
 610     const char *cipher_list_tls13;
 611     const char *tls_groups;
 612     const char *tls_cert_profile;
 613     const char *ecdh_curve;
 614     const char *tls_verify;
 615     const char *tls_export_peer_cert_dir;
 616     int verify_x509_type;
 617     const char *verify_x509_name;
 618     const char *crl_file;
 619     bool crl_file_inline;
 620
 621     int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
 622     unsigned remote_cert_ku[MAX_PARMS];
 623     const char *remote_cert_eku;
 624     struct verify_hash_list *verify_hash;
 625     hash_algo_type verify_hash_algo;
 626     int verify_hash_depth;
 627     bool verify_hash_no_ca;
 628     unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 629
 630 #ifdef ENABLE_PKCS11
 631     const char *pkcs11_providers[MAX_PARMS];
 632     unsigned pkcs11_private_mode[MAX_PARMS];
 633     bool pkcs11_protected_authentication[MAX_PARMS];
 634     bool pkcs11_cert_private[MAX_PARMS];
 635     int pkcs11_pin_cache_period;
 636     const char *pkcs11_id;
 637     bool pkcs11_id_management;
 638 #endif
 639
 640 #ifdef ENABLE_CRYPTOAPI
 641     const char *cryptoapi_cert;
 642 #endif
 643     /* Per-packet timeout on control channel */
 644     int tls_timeout;
 645
 646     /* Data channel key renegotiation parameters */
 647     int64_t renegotiate_bytes;
 648     int64_t renegotiate_packets;
 649     int renegotiate_seconds;
 650     int renegotiate_seconds_min;
 651
 652     /* Data channel key handshake must finalize
 653      * within n seconds of handshake initiation. */
 654     int handshake_window;
 655
 656 #ifdef ENABLE_X509ALTUSERNAME
 657     /* Field list used to be the username in X509 cert. */
 658     char *x509_username_field[MAX_PARMS];
 659 #endif
 660
 661     /* Old key allowed to live n seconds after new key goes active */
 662     int transition_window;
 663
 664     /* Shared secret used for TLS control channel authentication */
 665     const char *tls_auth_file;
 666     bool tls_auth_file_inline;
 667
 668     /* Shared secret used for TLS control channel authenticated encryption */
 669     const char *tls_crypt_file;
 670     bool tls_crypt_file_inline;
 671
 672     /* Client-specific secret or server key used for TLS control channel
 673      * authenticated encryption v2 */
 674     const char *tls_crypt_v2_file;
 675     bool tls_crypt_v2_file_inline;
 676
 677     const char *tls_crypt_v2_metadata;
 678
 679     const char *tls_crypt_v2_verify_script;
 680
 681     /* Allow only one session */
 682     bool single_session;
 683
 684     bool push_peer_info;
 685
 686     bool tls_exit;
 687
 688     const struct x509_track *x509_track;
 689
 690     /* special state parms */
 691     int foreign_option_index;
 692
 693 #ifdef _WIN32
 694     HANDLE msg_channel;
 695     const char *exit_event_name;
 696     bool exit_event_initial_state;
 697     bool show_net_up;
 698     int route_method;
 699     bool block_outside_dns;
 700     enum tun_driver_type windows_driver;
 701 #endif
 702
 703     bool use_peer_id;
 704     uint32_t peer_id;
 705
 706     /* Keying Material Exporters [RFC 5705] */
 707     const char *keying_material_exporter_label;
 708     int keying_material_exporter_length;
 709     /* force using TLS key material export for data channel key generation */
 710     bool force_key_material_export;
 711
 712     bool vlan_tagging;
 713     enum vlan_acceptable_frames vlan_accept;
 714     uint16_t vlan_pvid;
 715
 716     struct pull_filter_list *pull_filter_list;
 717
 718     /* Useful when packets sent by openvpn itself are not subject
 719      * to the routing tables that would move packets into the tunnel. */
 720     bool allow_recursive_routing;
 721
 722     /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
 723     unsigned int imported_protocol_flags;
 724 };
 725
 726 #define streq(x, y) (!strcmp((x), (y)))
 727
 728 /*
 729  * Option classes.
 730  */
 731 #define OPT_P_GENERAL         (1<<0)
 732 #define OPT_P_UP              (1<<1)
 733 #define OPT_P_ROUTE           (1<<2)
 734 #define OPT_P_DHCPDNS         (1<<3)    /* includes ip windows options like */
 735 #define OPT_P_SCRIPT          (1<<4)
 736 #define OPT_P_SETENV          (1<<5)
 737 #define OPT_P_SHAPER          (1<<6)
 738 #define OPT_P_TIMER           (1<<7)
 739 #define OPT_P_PERSIST         (1<<8)
 740 #define OPT_P_PERSIST_IP      (1<<9)
 741 #define OPT_P_COMP            (1<<10) /* TODO */
 742 #define OPT_P_MESSAGES        (1<<11)
 743 #define OPT_P_NCP             (1<<12) /**< Negotiable crypto parameters */
 744 #define OPT_P_TLS_PARMS       (1<<13) /* TODO */
 745 #define OPT_P_MTU             (1<<14) /* TODO */
 746 #define OPT_P_NICE            (1<<15)
 747 #define OPT_P_PUSH            (1<<16)
 748 #define OPT_P_INSTANCE        (1<<17) /**< allowed in ccd, client-connect etc*/
 749 #define OPT_P_CONFIG          (1<<18)
 750 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
 751 #define OPT_P_ECHO            (1<<20)
 752 #define OPT_P_INHERIT         (1<<21)
 753 #define OPT_P_ROUTE_EXTRAS    (1<<22)
 754 #define OPT_P_PULL_MODE       (1<<23)
 755 #define OPT_P_PLUGIN          (1<<24)
 756 #define OPT_P_SOCKBUF         (1<<25)
 757 #define OPT_P_SOCKFLAGS       (1<<26)
 758 #define OPT_P_CONNECTION      (1<<27)
 759 #define OPT_P_PEER_ID         (1<<28)
 760 #define OPT_P_INLINE          (1<<29)
 761 #define OPT_P_PUSH_MTU        (1<<30)
 762 #define OPT_P_ROUTE_TABLE     (1<<31)
 763
 764 #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
 765
 766 #define PULL_DEFINED(opt) ((opt)->pull)
 767 #define PUSH_DEFINED(opt) ((opt)->push_list)
 768
 769 #ifndef PULL_DEFINED
 770 #define PULL_DEFINED(opt) (false)
 771 #endif
 772
 773 #ifndef PUSH_DEFINED
 774 #define PUSH_DEFINED(opt) (false)
 775 #endif
 776
 777 #ifdef _WIN32
 778 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
 779 #else
 780 #define ROUTE_OPTION_FLAGS(o) (0)
 781 #endif
 782
 783 #define SHAPER_DEFINED(opt) ((opt)->shaper)
 784
 785 #ifdef ENABLE_PLUGIN
 786 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
 787 #else
 788 #define PLUGIN_OPTION_LIST(opt) (NULL)
 789 #endif
 790
 791 #ifdef ENABLE_MANAGEMENT
 792 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
 793 #else
 794 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
 795 #endif
 796
 797 void parse_argv(struct options *options,
 798                 const int argc,
 799                 char *argv[],
 800                 const int msglevel,
 801                 const unsigned int permission_mask,
 802                 unsigned int *option_types_found,
 803                 struct env_set *es);
 804
 805 void notnull(const char *arg, const char *description);
 806
 807 void usage_small(void);
 808
 809 void show_library_versions(const unsigned int flags);
 810
 811 #ifdef _WIN32
 812 void show_windows_version(const unsigned int flags);
 813
 814 #endif
 815
 816 void show_dco_version(const unsigned int flags);
 817
 818 void init_options(struct options *o, const bool init_gc);
 819
 820 void uninit_options(struct options *o);
 821
 822 void setenv_settings(struct env_set *es, const struct options *o);
 823
 824 void show_settings(const struct options *o);
 825
 826 bool string_defined_equal(const char *s1, const char *s2);
 827
 828 const char *options_string_version(const char *s, struct gc_arena *gc);
 829
 830 char *options_string(const struct options *o,
 831                      const struct frame *frame,
 832                      struct tuntap *tt,
 833                      openvpn_net_ctx_t *ctx,
 834                      bool remote,
 835                      struct gc_arena *gc);
 836
 837 bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);
 838
 839 void options_warning_safe(char *actual, const char *expected, size_t actual_n);
 840
 841 bool options_cmp_equal(char *actual, const char *expected);
 842
 843 void options_warning(char *actual, const char *expected);
 844
 845 /**
 846  * Given an OpenVPN options string, extract the value of an option.
 847  *
 848  * @param options_string        Zero-terminated, comma-separated options string
 849  * @param opt_name              The name of the option to extract
 850  * @param gc                    The gc to allocate the return value
 851  *
 852  * @return gc-allocated value of option with name opt_name if option was found,
 853  *         or NULL otherwise.
 854  */
 855 char *options_string_extract_option(const char *options_string,
 856                                     const char *opt_name, struct gc_arena *gc);
 857
 858
 859 void options_postprocess(struct options *options, struct env_set *es);
 860
 861 bool options_postprocess_pull(struct options *o, struct env_set *es);
 862
 863 void pre_connect_restore(struct options *o, struct gc_arena *gc);
 864
 865 bool apply_push_options(struct options *options,
 866                         struct buffer *buf,
 867                         unsigned int permission_mask,
 868                         unsigned int *option_types_found,
 869                         struct env_set *es);
 870
 871 void options_detach(struct options *o);
 872
 873 void options_server_import(struct options *o,
 874                            const char *filename,
 875                            int msglevel,
 876                            unsigned int permission_mask,
 877                            unsigned int *option_types_found,
 878                            struct env_set *es);
 879
 880 void pre_pull_default(struct options *o);
 881
 882 void rol_check_alloc(struct options *options);
 883
 884 int parse_line(const char *line,
 885                char *p[],
 886                const int n,
 887                const char *file,
 888                const int line_num,
 889                int msglevel,
 890                struct gc_arena *gc);
 891
 892 /*
 893  * parse/print topology coding
 894  */
 895
 896 int parse_topology(const char *str, const int msglevel);
 897
 898 const char *print_topology(const int topology);
 899
 900 /*
 901  * Manage auth-retry variable
 902  */
 903
 904 #define AR_NONE       0
 905 #define AR_INTERACT   1
 906 #define AR_NOINTERACT 2
 907
 908 int auth_retry_get(void);
 909
 910 bool auth_retry_set(const int msglevel, const char *option);
 911
 912 const char *auth_retry_print(void);
 913
 914 void options_string_import(struct options *options,
 915                            const char *config,
 916                            const int msglevel,
 917                            const unsigned int permission_mask,
 918                            unsigned int *option_types_found,
 919                            struct env_set *es);
 920
 921 bool key_is_external(const struct options *options);
 922
 923 bool has_udp_in_local_list(const struct options *options);
 924
 925 /**
 926  * Returns whether the current configuration has dco enabled.
 927  */
 928 static inline bool
 929 dco_enabled(const struct options *o)
 930 {
 931 #ifdef ENABLE_DCO
 932     return !o->disable_dco;
 933 #else
 934     return false;
 935 #endif /* ENABLE_DCO */
 936 }
 937
 938 #endif /* ifndef OPTIONS_H */