src/openvpn/options.h

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License version 2
  12  *  as published by the Free Software Foundation.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License along
  20  *  with this program; if not, write to the Free Software Foundation, Inc.,
  21  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  22  */
  23
  24 /*
  25  * 2004-01-28: Added Socks5 proxy support
  26  *   (Christof Meerwald, http://cmeerw.org)
  27  */
  28
  29 #ifndef OPTIONS_H
  30 #define OPTIONS_H
  31
  32 #include "basic.h"
  33 #include "common.h"
  34 #include "mtu.h"
  35 #include "route.h"
  36 #include "tun.h"
  37 #include "socket.h"
  38 #include "plugin.h"
  39 #include "manage.h"
  40 #include "proxy.h"
  41 #include "comp.h"
  42 #include "pushlist.h"
  43 #include "clinat.h"
  44 #include "crypto_backend.h"
  45 #include "dns.h"
  46
  47
  48 /*
  49  * Maximum number of parameters associated with an option,
  50  * including the option name itself.
  51  */
  52 #define MAX_PARMS 16
  53
  54 /*
  55  * Max size of options line and parameter.
  56  */
  57 #define OPTION_PARM_SIZE 256
  58 #define OPTION_LINE_SIZE 256
  59
  60 extern const char title_string[];
  61
  62 /* certain options are saved before --pull modifications are applied */
  63 struct options_pre_connect
  64 {
  65     bool tuntap_options_defined;
  66     struct tuntap_options tuntap_options;
  67
  68     bool routes_defined;
  69     struct route_option_list *routes;
  70
  71     bool routes_ipv6_defined;
  72     struct route_ipv6_option_list *routes_ipv6;
  73
  74     const char *route_default_gateway;
  75     const char *route_ipv6_default_gateway;
  76
  77     bool client_nat_defined;
  78     struct client_nat_option_list *client_nat;
  79
  80     struct dns_options dns_options;
  81
  82     const char *ciphername;
  83     const char *authname;
  84
  85     int ping_send_timeout;
  86     int ping_rec_timeout;
  87     int ping_rec_timeout_action;
  88
  89     int foreign_option_index;
  90     struct compress_options comp;
  91 };
  92
  93 #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
  94 #error "At least one of OpenSSL or mbed TLS needs to be defined."
  95 #endif
  96
  97 struct connection_entry
  98 {
  99     int proto;
 100     sa_family_t af;
 101     const char *local_port;
 102     bool local_port_defined;
 103     const char *remote_port;
 104     const char *local;
 105     const char *remote;
 106     bool remote_float;
 107     bool bind_defined;
 108     bool bind_ipv6_only;
 109     bool bind_local;
 110     int connect_retry_seconds;
 111     int connect_retry_seconds_max;
 112     int connect_timeout;
 113     struct http_proxy_options *http_proxy_options;
 114     const char *socks_proxy_server;
 115     const char *socks_proxy_port;
 116     const char *socks_proxy_authfile;
 117
 118     int tun_mtu;         /* MTU of tun device */
 119     int occ_mtu;         /* if non-null, this is the MTU we announce to peers in OCC */
 120     int tun_mtu_max;     /* maximum MTU that can be pushed */
 121
 122     bool tun_mtu_defined; /* true if user overriding parm with command line option */
 123     int tun_mtu_extra;
 124     bool tun_mtu_extra_defined;
 125     int link_mtu;        /* MTU of device over which tunnel packets pass via TCP/UDP */
 126     bool link_mtu_defined; /* true if user overriding parm with command line option */
 127     int tls_mtu;         /* Maximum MTU for the control channel messages */
 128
 129     /* Advanced MTU negotiation and datagram fragmentation options */
 130     int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
 131
 132     int fragment;        /* internal fragmentation size */
 133     bool fragment_encap; /* true if --fragment had the "mtu" parameter to
 134                           * include overhead from IP and TCP/UDP encapsulation */
 135     int mssfix;          /* Upper bound on TCP MSS */
 136     bool mssfix_default; /* true if --mssfix should use the default parameters */
 137     bool mssfix_encap;   /* true if --mssfix had the "mtu" parameter to include
 138                           * overhead from IP and TCP/UDP encapsulation */
 139     bool mssfix_fixed;   /* use the mssfix value without any encapsulation adjustments */
 140
 141     int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
 142
 143 #define CE_DISABLED (1<<0)
 144 #define CE_MAN_QUERY_PROXY (1<<1)
 145 #define CE_MAN_QUERY_REMOTE_UNDEF  0
 146 #define CE_MAN_QUERY_REMOTE_QUERY  1
 147 #define CE_MAN_QUERY_REMOTE_ACCEPT 2
 148 #define CE_MAN_QUERY_REMOTE_MOD    3
 149 #define CE_MAN_QUERY_REMOTE_SKIP   4
 150 #define CE_MAN_QUERY_REMOTE_MASK   (0x07)
 151 #define CE_MAN_QUERY_REMOTE_SHIFT  (2)
 152     unsigned int flags;
 153
 154     /* Shared secret used for TLS control channel authentication */
 155     const char *tls_auth_file;
 156     bool tls_auth_file_inline;
 157     int key_direction;
 158
 159     /* Shared secret used for TLS control channel authenticated encryption */
 160     const char *tls_crypt_file;
 161     bool tls_crypt_file_inline;
 162
 163     /* Client-specific secret or server key used for TLS control channel
 164      * authenticated encryption v2 */
 165     const char *tls_crypt_v2_file;
 166     bool tls_crypt_v2_file_inline;
 167
 168     /* Allow only client that support resending the wrapped client key */
 169     bool tls_crypt_v2_force_cookie;
 170 };
 171
 172 struct remote_entry
 173 {
 174     const char *remote;
 175     const char *remote_port;
 176     int proto;
 177     sa_family_t af;
 178 };
 179
 180 #define CONNECTION_LIST_SIZE 64
 181
 182 struct connection_list
 183 {
 184     int capacity;
 185     int len;
 186     int current;
 187     struct connection_entry **array;
 188 };
 189
 190 struct remote_list
 191 {
 192     int capacity;
 193     int len;
 194     struct remote_entry **array;
 195 };
 196
 197 struct provider_list
 198 {
 199     /* Names of the providers */
 200     const char *names[MAX_PARMS];
 201     /* Pointers to the loaded providers to unload them */
 202     provider_t *providers[MAX_PARMS];
 203 };
 204
 205 enum vlan_acceptable_frames
 206 {
 207     VLAN_ONLY_TAGGED,
 208     VLAN_ONLY_UNTAGGED_OR_PRIORITY,
 209     VLAN_ALL,
 210 };
 211
 212 struct remote_host_store
 213 {
 214 #define RH_HOST_LEN 80
 215     char host[RH_HOST_LEN];
 216 #define RH_PORT_LEN 20
 217     char port[RH_PORT_LEN];
 218 };
 219
 220 enum genkey_type {
 221     GENKEY_SECRET,
 222     GENKEY_TLS_CRYPTV2_CLIENT,
 223     GENKEY_TLS_CRYPTV2_SERVER,
 224     GENKEY_AUTH_TOKEN
 225 };
 226
 227 struct verify_hash_list
 228 {
 229     /* We support SHA256 and SHA1 fingerpint. In the case of using the
 230      * deprecated SHA1, only the first 20 bytes of each list item are used */
 231     uint8_t hash[SHA256_DIGEST_LENGTH];
 232     struct verify_hash_list *next;
 233 };
 234
 235 /* Command line options */
 236 struct options
 237 {
 238     struct gc_arena gc;
 239     bool gc_owned;
 240
 241     /* first config file */
 242     const char *config;
 243
 244     /* major mode */
 245 #define MODE_POINT_TO_POINT 0
 246 #define MODE_SERVER         1
 247     int mode;
 248
 249     /* enable forward compatibility for post-2.1 features */
 250     bool forward_compatible;
 251     /** What version we should try to be compatible with as major * 10000 +
 252      * minor * 100 + patch, e.g. 2.4.7 => 20407 */
 253     unsigned int backwards_compatible;
 254
 255     /* list of options that should be ignored even if unknown */
 256     const char **ignore_unknown_option;
 257
 258     /* persist parms */
 259     bool persist_config;
 260     int persist_mode;
 261
 262     const char *key_pass_file;
 263     bool show_ciphers;
 264     bool show_digests;
 265     bool show_engines;
 266     bool show_tls_ciphers;
 267     bool show_curves;
 268     bool genkey;
 269     enum genkey_type genkey_type;
 270     const char *genkey_filename;
 271     const char *genkey_extra_data;
 272
 273     /* Networking parms */
 274     int connect_retry_max;
 275     struct connection_entry ce;
 276     struct connection_list *connection_list;
 277
 278     struct remote_list *remote_list;
 279     /* Do not advance the connection or remote addr list */
 280     bool no_advance;
 281     /* Advance directly to the next remote, skipping remaining addresses of the
 282      * current remote */
 283     bool advance_next_remote;
 284     /* Counts the number of unsuccessful connection attempts */
 285     unsigned int unsuccessful_attempts;
 286     /* count of connection entries to advance by when no_advance is not set */
 287     int ce_advance_count;
 288     /* the server can suggest a backoff time to the client, it
 289      * will still be capped by the max timeout between connections
 290      * (300s by default) */
 291     int server_backoff_time;
 292
 293 #if ENABLE_MANAGEMENT
 294     struct http_proxy_options *http_proxy_override;
 295 #endif
 296
 297     struct remote_host_store *rh_store;
 298
 299     struct dns_options dns_options;
 300
 301     bool remote_random;
 302     const char *ipchange;
 303     const char *dev;
 304     const char *dev_type;
 305     const char *dev_node;
 306     const char *lladdr;
 307     int topology; /* one of the TOP_x values from proto.h */
 308     const char *ifconfig_local;
 309     const char *ifconfig_remote_netmask;
 310     const char *ifconfig_ipv6_local;
 311     int ifconfig_ipv6_netbits;
 312     const char *ifconfig_ipv6_remote;
 313     bool ifconfig_noexec;
 314     bool ifconfig_nowarn;
 315     int shaper;
 316
 317     int proto_force;
 318
 319     bool mtu_test;
 320
 321 #ifdef ENABLE_MEMSTATS
 322     char *memstats_fn;
 323 #endif
 324
 325     bool mlock;
 326
 327     int keepalive_ping;         /* a proxy for ping/ping-restart */
 328     int keepalive_timeout;
 329
 330     int inactivity_timeout;     /* --inactive */
 331     int64_t inactivity_minimum_bytes;
 332
 333     int session_timeout;        /* Force-kill session after n seconds */
 334
 335     int ping_send_timeout;      /* Send a TCP/UDP ping to remote every n seconds */
 336     int ping_rec_timeout;       /* Expect a TCP/UDP ping from remote at least once every n seconds */
 337     bool ping_timer_remote;     /* Run ping timer only if we have a remote address */
 338
 339 #define PING_UNDEF   0
 340 #define PING_EXIT    1
 341 #define PING_RESTART 2
 342     int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
 343
 344     bool persist_tun;           /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
 345     bool persist_local_ip;      /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
 346     bool persist_remote_ip;     /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
 347     bool persist_key;           /* Don't re-read key files on SIGUSR1 or PING_RESTART */
 348
 349 #if PASSTOS_CAPABILITY
 350     bool passtos;
 351 #endif
 352
 353     int resolve_retry_seconds;  /* If hostname resolve fails, retry for n seconds */
 354     bool resolve_in_advance;
 355     const char *ip_remote_hint;
 356
 357     struct tuntap_options tuntap_options;
 358
 359     /* Misc parms */
 360     const char *username;
 361     const char *groupname;
 362     const char *chroot_dir;
 363     const char *cd_dir;
 364 #ifdef ENABLE_SELINUX
 365     char *selinux_context;
 366 #endif
 367     const char *writepid;
 368     const char *up_script;
 369     const char *down_script;
 370     bool user_script_used;
 371     bool down_pre;
 372     bool up_delay;
 373     bool up_restart;
 374     bool daemon;
 375
 376     int remap_sigusr1;
 377
 378     bool log;
 379     bool suppress_timestamps;
 380     bool machine_readable_output;
 381     int nice;
 382     int verbosity;
 383     int mute;
 384
 385 #ifdef ENABLE_DEBUG
 386     int gremlin;
 387 #endif
 388
 389     const char *status_file;
 390     int status_file_version;
 391     int status_file_update_freq;
 392
 393     /* optimize TUN/TAP/UDP writes */
 394     bool fast_io;
 395
 396     struct compress_options comp;
 397
 398     /* buffer sizes */
 399     int rcvbuf;
 400     int sndbuf;
 401
 402     /* mark value */
 403     int mark;
 404     char *bind_dev;
 405
 406     /* socket flags */
 407     unsigned int sockflags;
 408
 409     /* route management */
 410     const char *route_script;
 411     const char *route_predown_script;
 412     const char *route_default_gateway;
 413     const char *route_ipv6_default_gateway;
 414     int route_default_metric;
 415     bool route_noexec;
 416     int route_delay;
 417     int route_delay_window;
 418     bool route_delay_defined;
 419     struct route_option_list *routes;
 420     struct route_ipv6_option_list *routes_ipv6;                 /* IPv6 */
 421     bool block_ipv6;
 422     bool route_nopull;
 423     bool route_gateway_via_dhcp;
 424     bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 425     struct client_nat_option_list *client_nat;
 426
 427     /* Enable options consistency check between peers */
 428     bool occ;
 429
 430 #ifdef ENABLE_MANAGEMENT
 431     const char *management_addr;
 432     const char *management_port;
 433     const char *management_user_pass;
 434     int management_log_history_cache;
 435     int management_echo_buffer_size;
 436     int management_state_buffer_size;
 437
 438     const char *management_client_user;
 439     const char *management_client_group;
 440
 441     const char *management_certificate;
 442 #endif
 443     /* Mask of MF_ values of manage.h */
 444     unsigned int management_flags;
 445
 446 #ifdef ENABLE_PLUGIN
 447     struct plugin_option_list *plugin_list;
 448 #endif
 449
 450     /* the tmp dir is for now only used in the P2P server context */
 451     const char *tmp_dir;
 452     bool server_defined;
 453     in_addr_t server_network;
 454     in_addr_t server_netmask;
 455     bool server_ipv6_defined;                           /* IPv6 */
 456     struct in6_addr server_network_ipv6;                /* IPv6 */
 457     unsigned int server_netbits_ipv6;                   /* IPv6 */
 458
 459 #define SF_NOPOOL (1<<0)
 460 #define SF_TCP_NODELAY_HELPER (1<<1)
 461 #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
 462     unsigned int server_flags;
 463
 464     bool server_bridge_proxy_dhcp;
 465
 466     bool server_bridge_defined;
 467     in_addr_t server_bridge_ip;
 468     in_addr_t server_bridge_netmask;
 469     in_addr_t server_bridge_pool_start;
 470     in_addr_t server_bridge_pool_end;
 471
 472     struct push_list push_list;
 473     bool ifconfig_pool_defined;
 474     in_addr_t ifconfig_pool_start;
 475     in_addr_t ifconfig_pool_end;
 476     in_addr_t ifconfig_pool_netmask;
 477     const char *ifconfig_pool_persist_filename;
 478     int ifconfig_pool_persist_refresh_freq;
 479
 480     bool ifconfig_ipv6_pool_defined;                    /* IPv6 */
 481     struct in6_addr ifconfig_ipv6_pool_base;            /* IPv6 */
 482     int ifconfig_ipv6_pool_netbits;                     /* IPv6 */
 483
 484     int real_hash_size;
 485     int virtual_hash_size;
 486     const char *client_connect_script;
 487     const char *client_disconnect_script;
 488     const char *learn_address_script;
 489     const char *client_crresponse_script;
 490     const char *client_config_dir;
 491     bool ccd_exclusive;
 492     bool disable;
 493     int n_bcast_buf;
 494     int tcp_queue_limit;
 495     struct iroute *iroutes;
 496     struct iroute_ipv6 *iroutes_ipv6;                   /* IPv6 */
 497     bool push_ifconfig_defined;
 498     in_addr_t push_ifconfig_local;
 499     in_addr_t push_ifconfig_remote_netmask;
 500     in_addr_t push_ifconfig_local_alias;
 501     bool push_ifconfig_constraint_defined;
 502     in_addr_t push_ifconfig_constraint_network;
 503     in_addr_t push_ifconfig_constraint_netmask;
 504     bool push_ifconfig_ipv4_blocked;                    /* IPv4 */
 505     bool push_ifconfig_ipv6_defined;                    /* IPv6 */
 506     struct in6_addr push_ifconfig_ipv6_local;           /* IPv6 */
 507     int push_ifconfig_ipv6_netbits;                     /* IPv6 */
 508     struct in6_addr push_ifconfig_ipv6_remote;          /* IPv6 */
 509     bool push_ifconfig_ipv6_blocked;                    /* IPv6 */
 510     bool enable_c2c;
 511     bool duplicate_cn;
 512
 513     int cf_max;
 514     int cf_per;
 515
 516     int cf_initial_max;
 517     int cf_initial_per;
 518
 519     int max_clients;
 520     int max_routes_per_client;
 521     int stale_routes_check_interval;
 522     int stale_routes_ageing_time;
 523
 524     const char *auth_user_pass_verify_script;
 525     bool auth_user_pass_verify_script_via_file;
 526     bool auth_token_generate;
 527     bool auth_token_call_auth;
 528     int auth_token_lifetime;
 529     int auth_token_renewal;
 530     const char *auth_token_secret_file;
 531     bool auth_token_secret_file_inline;
 532
 533 #if PORT_SHARE
 534     char *port_share_host;
 535     char *port_share_port;
 536     const char *port_share_journal_dir;
 537 #endif
 538
 539     bool client;
 540     bool pull; /* client pull of config options from server */
 541     int push_continuation;
 542     unsigned int push_option_types_found;
 543     const char *auth_user_pass_file;
 544     bool auth_user_pass_file_inline;
 545     struct options_pre_connect *pre_connect;
 546
 547     int scheduled_exit_interval;
 548
 549 #ifdef ENABLE_MANAGEMENT
 550     struct static_challenge_info sc_info;
 551 #endif
 552     /* Cipher parms */
 553     const char *shared_secret_file;
 554     bool shared_secret_file_inline;
 555     bool allow_deprecated_insecure_static_crypto;
 556     int key_direction;
 557     const char *ciphername;
 558     bool enable_ncp_fallback;      /**< If defined fall back to
 559                                    * ciphername if NCP fails */
 560     const char *ncp_ciphers;
 561     const char *authname;
 562     const char *engine;
 563     struct provider_list providers;
 564     bool mute_replay_warnings;
 565     int replay_window;
 566     int replay_time;
 567     const char *packet_id_file;
 568     bool test_crypto;
 569 #ifdef ENABLE_PREDICTION_RESISTANCE
 570     bool use_prediction_resistance;
 571 #endif
 572
 573     /* TLS (control channel) parms */
 574     bool tls_server;
 575     bool tls_client;
 576     const char *ca_file;
 577     bool ca_file_inline;
 578     const char *ca_path;
 579     const char *dh_file;
 580     bool dh_file_inline;
 581     const char *cert_file;
 582     bool cert_file_inline;
 583     const char *extra_certs_file;
 584     bool extra_certs_file_inline;
 585     const char *priv_key_file;
 586     bool priv_key_file_inline;
 587     const char *pkcs12_file;
 588     bool pkcs12_file_inline;
 589     const char *cipher_list;
 590     const char *cipher_list_tls13;
 591     const char *tls_groups;
 592     const char *tls_cert_profile;
 593     const char *ecdh_curve;
 594     const char *tls_verify;
 595     int verify_x509_type;
 596     const char *verify_x509_name;
 597     const char *crl_file;
 598     bool crl_file_inline;
 599
 600     int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
 601     unsigned remote_cert_ku[MAX_PARMS];
 602     const char *remote_cert_eku;
 603     struct verify_hash_list *verify_hash;
 604     hash_algo_type verify_hash_algo;
 605     int verify_hash_depth;
 606     bool verify_hash_no_ca;
 607     unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 608
 609 #ifdef ENABLE_PKCS11
 610     const char *pkcs11_providers[MAX_PARMS];
 611     unsigned pkcs11_private_mode[MAX_PARMS];
 612     bool pkcs11_protected_authentication[MAX_PARMS];
 613     bool pkcs11_cert_private[MAX_PARMS];
 614     int pkcs11_pin_cache_period;
 615     const char *pkcs11_id;
 616     bool pkcs11_id_management;
 617 #endif
 618
 619 #ifdef ENABLE_CRYPTOAPI
 620     const char *cryptoapi_cert;
 621 #endif
 622     /* Per-packet timeout on control channel */
 623     int tls_timeout;
 624
 625     /* Data channel key renegotiation parameters */
 626     int renegotiate_bytes;
 627     int renegotiate_packets;
 628     int renegotiate_seconds;
 629     int renegotiate_seconds_min;
 630
 631     /* Data channel key handshake must finalize
 632      * within n seconds of handshake initiation. */
 633     int handshake_window;
 634
 635 #ifdef ENABLE_X509ALTUSERNAME
 636     /* Field list used to be the username in X509 cert. */
 637     char *x509_username_field[MAX_PARMS];
 638 #endif
 639
 640     /* Old key allowed to live n seconds after new key goes active */
 641     int transition_window;
 642
 643     /* Shared secret used for TLS control channel authentication */
 644     const char *tls_auth_file;
 645     bool tls_auth_file_inline;
 646
 647     /* Shared secret used for TLS control channel authenticated encryption */
 648     const char *tls_crypt_file;
 649     bool tls_crypt_file_inline;
 650
 651     /* Client-specific secret or server key used for TLS control channel
 652      * authenticated encryption v2 */
 653     const char *tls_crypt_v2_file;
 654     bool tls_crypt_v2_file_inline;
 655
 656     const char *tls_crypt_v2_metadata;
 657
 658     const char *tls_crypt_v2_verify_script;
 659
 660     /* Allow only one session */
 661     bool single_session;
 662
 663     bool push_peer_info;
 664
 665     bool tls_exit;
 666
 667     const struct x509_track *x509_track;
 668
 669     /* special state parms */
 670     int foreign_option_index;
 671
 672 #ifdef _WIN32
 673     HANDLE msg_channel;
 674     const char *exit_event_name;
 675     bool exit_event_initial_state;
 676     bool show_net_up;
 677     int route_method;
 678     bool block_outside_dns;
 679     enum windows_driver_type windows_driver;
 680 #endif
 681
 682     bool use_peer_id;
 683     uint32_t peer_id;
 684
 685 #ifdef HAVE_EXPORT_KEYING_MATERIAL
 686     /* Keying Material Exporters [RFC 5705] */
 687     const char *keying_material_exporter_label;
 688     int keying_material_exporter_length;
 689 #endif
 690
 691     bool vlan_tagging;
 692     enum vlan_acceptable_frames vlan_accept;
 693     uint16_t vlan_pvid;
 694
 695     struct pull_filter_list *pull_filter_list;
 696
 697     /* Useful when packets sent by openvpn itself are not subject
 698      * to the routing tables that would move packets into the tunnel. */
 699     bool allow_recursive_routing;
 700
 701     /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
 702     unsigned int imported_protocol_flags;
 703 };
 704
 705 #define streq(x, y) (!strcmp((x), (y)))
 706
 707 /*
 708  * Option classes.
 709  */
 710 #define OPT_P_GENERAL         (1<<0)
 711 #define OPT_P_UP              (1<<1)
 712 #define OPT_P_ROUTE           (1<<2)
 713 #define OPT_P_DHCPDNS         (1<<3)    /* includes ip windows options like */
 714 #define OPT_P_SCRIPT          (1<<4)
 715 #define OPT_P_SETENV          (1<<5)
 716 #define OPT_P_SHAPER          (1<<6)
 717 #define OPT_P_TIMER           (1<<7)
 718 #define OPT_P_PERSIST         (1<<8)
 719 #define OPT_P_PERSIST_IP      (1<<9)
 720 #define OPT_P_COMP            (1<<10) /* TODO */
 721 #define OPT_P_MESSAGES        (1<<11)
 722 #define OPT_P_NCP             (1<<12) /**< Negotiable crypto parameters */
 723 #define OPT_P_TLS_PARMS       (1<<13) /* TODO */
 724 #define OPT_P_MTU             (1<<14) /* TODO */
 725 #define OPT_P_NICE            (1<<15)
 726 #define OPT_P_PUSH            (1<<16)
 727 #define OPT_P_INSTANCE        (1<<17) /**< allowed in ccd, client-connect etc*/
 728 #define OPT_P_CONFIG          (1<<18)
 729 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
 730 #define OPT_P_ECHO            (1<<20)
 731 #define OPT_P_INHERIT         (1<<21)
 732 #define OPT_P_ROUTE_EXTRAS    (1<<22)
 733 #define OPT_P_PULL_MODE       (1<<23)
 734 #define OPT_P_PLUGIN          (1<<24)
 735 #define OPT_P_SOCKBUF         (1<<25)
 736 #define OPT_P_SOCKFLAGS       (1<<26)
 737 #define OPT_P_CONNECTION      (1<<27)
 738 #define OPT_P_PEER_ID         (1<<28)
 739 #define OPT_P_INLINE          (1<<29)
 740 #define OPT_P_PUSH_MTU        (1<<30)
 741
 742 #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
 743
 744 #define PULL_DEFINED(opt) ((opt)->pull)
 745 #define PUSH_DEFINED(opt) ((opt)->push_list)
 746
 747 #ifndef PULL_DEFINED
 748 #define PULL_DEFINED(opt) (false)
 749 #endif
 750
 751 #ifndef PUSH_DEFINED
 752 #define PUSH_DEFINED(opt) (false)
 753 #endif
 754
 755 #ifdef _WIN32
 756 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
 757 #else
 758 #define ROUTE_OPTION_FLAGS(o) (0)
 759 #endif
 760
 761 #define SHAPER_DEFINED(opt) ((opt)->shaper)
 762
 763 #ifdef ENABLE_PLUGIN
 764 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
 765 #else
 766 #define PLUGIN_OPTION_LIST(opt) (NULL)
 767 #endif
 768
 769 #ifdef ENABLE_MANAGEMENT
 770 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
 771 #else
 772 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
 773 #endif
 774
 775 void parse_argv(struct options *options,
 776                 const int argc,
 777                 char *argv[],
 778                 const int msglevel,
 779                 const unsigned int permission_mask,
 780                 unsigned int *option_types_found,
 781                 struct env_set *es);
 782
 783 void notnull(const char *arg, const char *description);
 784
 785 void usage_small(void);
 786
 787 void show_library_versions(const unsigned int flags);
 788
 789 #ifdef _WIN32
 790 void show_windows_version(const unsigned int flags);
 791
 792 #endif
 793
 794 void show_dco_version(const unsigned int flags);
 795
 796 void init_options(struct options *o, const bool init_gc);
 797
 798 void uninit_options(struct options *o);
 799
 800 void setenv_settings(struct env_set *es, const struct options *o);
 801
 802 void show_settings(const struct options *o);
 803
 804 bool string_defined_equal(const char *s1, const char *s2);
 805
 806 const char *options_string_version(const char *s, struct gc_arena *gc);
 807
 808 char *options_string(const struct options *o,
 809                      const struct frame *frame,
 810                      struct tuntap *tt,
 811                      openvpn_net_ctx_t *ctx,
 812                      bool remote,
 813                      struct gc_arena *gc);
 814
 815 bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n);
 816
 817 void options_warning_safe(char *actual, const char *expected, size_t actual_n);
 818
 819 bool options_cmp_equal(char *actual, const char *expected);
 820
 821 void options_warning(char *actual, const char *expected);
 822
 823 /**
 824  * Given an OpenVPN options string, extract the value of an option.
 825  *
 826  * @param options_string        Zero-terminated, comma-separated options string
 827  * @param opt_name              The name of the option to extract
 828  * @param gc                    The gc to allocate the return value
 829  *
 830  * @return gc-allocated value of option with name opt_name if option was found,
 831  *         or NULL otherwise.
 832  */
 833 char *options_string_extract_option(const char *options_string,
 834                                     const char *opt_name, struct gc_arena *gc);
 835
 836
 837 void options_postprocess(struct options *options, struct env_set *es);
 838
 839 bool options_postprocess_pull(struct options *o, struct env_set *es);
 840
 841 void pre_connect_restore(struct options *o, struct gc_arena *gc);
 842
 843 bool apply_push_options(struct options *options,
 844                         struct buffer *buf,
 845                         unsigned int permission_mask,
 846                         unsigned int *option_types_found,
 847                         struct env_set *es);
 848
 849 void options_detach(struct options *o);
 850
 851 void options_server_import(struct options *o,
 852                            const char *filename,
 853                            int msglevel,
 854                            unsigned int permission_mask,
 855                            unsigned int *option_types_found,
 856                            struct env_set *es);
 857
 858 void pre_pull_default(struct options *o);
 859
 860 void rol_check_alloc(struct options *options);
 861
 862 int parse_line(const char *line,
 863                char *p[],
 864                const int n,
 865                const char *file,
 866                const int line_num,
 867                int msglevel,
 868                struct gc_arena *gc);
 869
 870 /*
 871  * parse/print topology coding
 872  */
 873
 874 int parse_topology(const char *str, const int msglevel);
 875
 876 const char *print_topology(const int topology);
 877
 878 /*
 879  * Manage auth-retry variable
 880  */
 881
 882 #define AR_NONE       0
 883 #define AR_INTERACT   1
 884 #define AR_NOINTERACT 2
 885
 886 int auth_retry_get(void);
 887
 888 bool auth_retry_set(const int msglevel, const char *option);
 889
 890 const char *auth_retry_print(void);
 891
 892 void options_string_import(struct options *options,
 893                            const char *config,
 894                            const int msglevel,
 895                            const unsigned int permission_mask,
 896                            unsigned int *option_types_found,
 897                            struct env_set *es);
 898
 899 bool key_is_external(const struct options *options);
 900
 901 /**
 902  * Returns whether the current configuration has dco enabled.
 903  */
 904 static inline bool
 905 dco_enabled(const struct options *o)
 906 {
 907 #ifdef ENABLE_DCO
 908     return !o->tuntap_options.disable_dco;
 909 #else
 910     return false;
 911 #endif /* ENABLE_DCO */
 912 }
 913
 914 #endif /* ifndef OPTIONS_H */