* OpenVPN -- An application to securely tunnel IP networks
* over a single UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* 2004-01-28: Added Socks5 proxy support
* (Christof Meerwald, http://cmeerw.org)
* Maximum number of parameters associated with an option,
* including the option name itself.
* Max size of options line and parameter.
#define OPTION_PARM_SIZE 256 /* fixed size of the buffer holding one option parameter; presumably the bound parse_line() enforces per token (NOTE(review): confirm in options.c) */
#define OPTION_LINE_SIZE 256 /* fixed size of the buffer holding one config-file line; a longer line must be rejected or truncated by the reader, never copied unchecked (NOTE(review): confirm the reader bounds to this) */
extern const char title_string[];
/* certain options are saved before --pull modifications are applied */
struct options_pre_pull
bool tuntap_options_defined;
struct tuntap_options tuntap_options;
struct route_option_list *routes;
bool routes_ipv6_defined;
struct route_ipv6_option_list *routes_ipv6;
#ifdef ENABLE_CLIENT_NAT
bool client_nat_defined;
struct client_nat_option_list *client_nat;
int foreign_option_index;
#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_POLARSSL)
# error "At least one of OpenSSL or PolarSSL needs to be defined."
struct connection_entry
bool local_port_defined;
int connect_retry_seconds;
bool connect_retry_defined;
int connect_retry_max;
bool connect_timeout_defined;
#ifdef ENABLE_HTTP_PROXY
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
int socks_proxy_port;
const char *socks_proxy_authfile;
bool socks_proxy_retry;
int tun_mtu; /* MTU of tun device */
bool tun_mtu_defined; /* true if user overriding parm with command line option */
bool tun_mtu_extra_defined;
int link_mtu; /* MTU of device over which tunnel packets pass via TCP/UDP */
bool link_mtu_defined; /* true if user overriding parm with command line option */
/* Advanced MTU negotiation and datagram fragmentation options */
int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
int fragment; /* internal fragmentation size */
int mssfix; /* Upper bound on TCP MSS */
bool mssfix_default; /* true if --mssfix was supplied without a parameter */
int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT message */
# define CE_DISABLED (1<<0)
# define CE_MAN_QUERY_PROXY (1<<1)
# define CE_MAN_QUERY_REMOTE_UNDEF 0
# define CE_MAN_QUERY_REMOTE_QUERY 1
# define CE_MAN_QUERY_REMOTE_ACCEPT 2
# define CE_MAN_QUERY_REMOTE_MOD 3
# define CE_MAN_QUERY_REMOTE_SKIP 4
# define CE_MAN_QUERY_REMOTE_MASK (0x07)
# define CE_MAN_QUERY_REMOTE_SHIFT (2)
#define CONNECTION_LIST_SIZE 64 /* capacity of the fixed-size array[] in struct connection_list and struct remote_list; code appending a new entry must check the current count against this bound */
struct connection_list
struct connection_entry *array[CONNECTION_LIST_SIZE];
struct remote_entry *array[CONNECTION_LIST_SIZE];
struct remote_host_store
# define RH_HOST_LEN 80
char host[RH_HOST_LEN];
/* Command line options */
/* first config file */
# define MODE_POINT_TO_POINT 0
# define MODE_SERVER 1
/* enable forward compatibility for post-2.1 features */
bool forward_compatible;
const char *key_pass_file;
bool show_tls_ciphers;
/* Networking parms */
struct connection_entry ce;
char *remote_ip_hint;
struct connection_list *connection_list;
struct remote_list *remote_list;
bool force_connection_list;
#if HTTP_PROXY_OVERRIDE
struct http_proxy_options *http_proxy_override;
struct remote_host_store *rh_store;
const char *ipchange;
const char *dev_type;
const char *dev_node;
int topology; /* one of the TOP_x values from proto.h */
const char *ifconfig_local;
const char *ifconfig_remote_netmask;
const char *ifconfig_ipv6_local;
int ifconfig_ipv6_netbits;
const char *ifconfig_ipv6_remote;
bool ifconfig_noexec;
bool ifconfig_nowarn;
#ifdef ENABLE_FEATURE_SHAPER
#ifdef ENABLE_MEMSTATS
int keepalive_ping; /* a proxy for ping/ping-restart */
int keepalive_timeout;
int inactivity_timeout; /* --inactive */
int inactivity_minimum_bytes;
int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */
int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */
bool ping_timer_remote; /* Run ping timer only if we have a remote address */
bool tun_ipv6; /* Build tun dev that supports IPv6 */
# define PING_UNDEF 0
# define PING_RESTART 2
int ping_rec_timeout_action; /* What action to take on ping_rec_timeout (exit or restart)? */
bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
#if PASSTOS_CAPABILITY
int resolve_retry_seconds; /* If hostname resolve fails, retry for n seconds */
struct tuntap_options tuntap_options;
const char *username;
const char *groupname;
const char *chroot_dir;
#ifdef ENABLE_SELINUX
char *selinux_context;
const char *writepid;
const char *up_script;
const char *down_script;
/* inetd modes defined in socket.h */
bool suppress_timestamps;
const char *status_file;
int status_file_version;
int status_file_update_freq;
/* optimize TUN/TAP/UDP writes */
/* LZO_x flags from lzo.h */
unsigned int sockflags;
/* route management */
const char *route_script;
const char *route_predown_script;
const char *route_default_gateway;
int route_default_metric;
int route_delay_window;
bool route_delay_defined;
struct route_option_list *routes;
struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
bool route_gateway_via_dhcp;
bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
#ifdef ENABLE_CLIENT_NAT
struct client_nat_option_list *client_nat;
/* Enable options consistency check between peers */
#ifdef ENABLE_MANAGEMENT
const char *management_addr;
const char *management_user_pass;
int management_log_history_cache;
int management_echo_buffer_size;
int management_state_buffer_size;
const char *management_write_peer_info_file;
const char *management_client_user;
const char *management_client_group;
/* Mask of MF_ values of manage.h */
unsigned int management_flags;
struct plugin_option_list *plugin_list;
/* the tmp dir is for now only used in the P2P server context */
in_addr_t server_network;
in_addr_t server_netmask;
bool server_ipv6_defined; /* IPv6 */
struct in6_addr server_network_ipv6; /* IPv6 */
unsigned int server_netbits_ipv6; /* IPv6 */
# define SF_NOPOOL (1<<0)
# define SF_TCP_NODELAY_HELPER (1<<1)
# define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
unsigned int server_flags;
bool server_bridge_proxy_dhcp;
bool server_bridge_defined;
in_addr_t server_bridge_ip;
in_addr_t server_bridge_netmask;
in_addr_t server_bridge_pool_start;
in_addr_t server_bridge_pool_end;
struct push_list push_list;
bool ifconfig_pool_defined;
in_addr_t ifconfig_pool_start;
in_addr_t ifconfig_pool_end;
in_addr_t ifconfig_pool_netmask;
const char *ifconfig_pool_persist_filename;
int ifconfig_pool_persist_refresh_freq;
bool ifconfig_ipv6_pool_defined; /* IPv6 */
struct in6_addr ifconfig_ipv6_pool_base; /* IPv6 */
int ifconfig_ipv6_pool_netbits; /* IPv6 */
int virtual_hash_size;
const char *client_connect_script;
const char *client_disconnect_script;
const char *learn_address_script;
const char *client_config_dir;
struct iroute *iroutes;
struct iroute_ipv6 *iroutes_ipv6; /* IPv6 */
bool push_ifconfig_defined;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
#ifdef ENABLE_CLIENT_NAT
in_addr_t push_ifconfig_local_alias;
bool push_ifconfig_constraint_defined;
in_addr_t push_ifconfig_constraint_network;
in_addr_t push_ifconfig_constraint_netmask;
bool push_ifconfig_ipv6_defined; /* IPv6 */
struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
int push_ifconfig_ipv6_netbits; /* IPv6 */
struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
int max_routes_per_client;
int stale_routes_check_interval;
int stale_routes_ageing_time;
const char *auth_user_pass_verify_script;
bool auth_user_pass_verify_script_via_file;
char *port_share_host;
const char *port_share_journal_dir;
bool pull; /* client pull of config options from server */
int push_continuation;
const char *auth_user_pass_file;
struct options_pre_pull *pre_pull;
int server_poll_timeout;
int scheduled_exit_interval;
#ifdef ENABLE_CLIENT_CR
struct static_challenge_info sc_info;
const char *shared_secret_file;
const char *shared_secret_file_inline;
bool ciphername_defined;
const char *ciphername;
bool authname_defined;
const char *authname;
const char *prng_hash;
int prng_nonce_secret_len;
bool mute_replay_warnings;
const char *packet_id_file;
#ifdef ENABLE_PREDICTION_RESISTANCE
bool use_prediction_resistance;
/* TLS (control channel) parms */
const char *cert_file;
const char *extra_certs_file;
const char *priv_key_file;
const char *pkcs12_file;
const char *cipher_list;
const char *tls_verify;
int verify_x509_type;
const char *verify_x509_name;
const char *tls_export_cert;
const char *crl_file;
const char *ca_file_inline;
const char *cert_file_inline;
const char *extra_certs_file_inline;
char *priv_key_file_inline;
const char *dh_file_inline;
const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
uint8_t *verify_hash;
unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
const char *pkcs11_providers[MAX_PARMS];
unsigned pkcs11_private_mode[MAX_PARMS];
bool pkcs11_protected_authentication[MAX_PARMS];
bool pkcs11_cert_private[MAX_PARMS];
int pkcs11_pin_cache_period;
const char *pkcs11_id;
bool pkcs11_id_management;
#ifdef ENABLE_CRYPTOAPI
const char *cryptoapi_cert;
/* data channel key exchange method */
/* Per-packet timeout on control channel */
/* Data channel key renegotiation parameters */
int renegotiate_bytes;
int renegotiate_packets;
int renegotiate_seconds;
/* Data channel key handshake must finalize
within n seconds of handshake initiation. */
int handshake_window;
#ifdef ENABLE_X509ALTUSERNAME
/* X509 certificate field used as the username. */
char *x509_username_field;
/* Old key allowed to live n seconds after new key goes active */
int transition_window;
/* Special authentication MAC for TLS control channel */
const char *tls_auth_file; /* shared secret */
const char *tls_auth_file_inline;
/* Allow only one session */
#ifdef ENABLE_PUSH_PEER_INFO
#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_X509_TRACK
const struct x509_track *x509_track;
/* special state parms */
int foreign_option_index;
const char *exit_event_name;
bool exit_event_initial_state;
#define streq(x, y) (strcmp((x), (y)) == 0) /* non-zero when x and y are byte-for-byte equal; both must be non-NULL NUL-terminated strings (strcmp on NULL is UB) */
#define OPT_P_GENERAL (1<<0)
#define OPT_P_UP (1<<1)
#define OPT_P_ROUTE (1<<2)
#define OPT_P_IPWIN32 (1<<3)
#define OPT_P_SCRIPT (1<<4)
#define OPT_P_SETENV (1<<5)
#define OPT_P_SHAPER (1<<6)
#define OPT_P_TIMER (1<<7)
#define OPT_P_PERSIST (1<<8)
#define OPT_P_PERSIST_IP (1<<9)
#define OPT_P_COMP (1<<10) /* TODO */
#define OPT_P_MESSAGES (1<<11)
#define OPT_P_CRYPTO (1<<12) /* TODO */
#define OPT_P_TLS_PARMS (1<<13) /* TODO */
#define OPT_P_MTU (1<<14) /* TODO */
#define OPT_P_NICE (1<<15)
#define OPT_P_PUSH (1<<16)
#define OPT_P_INSTANCE (1<<17)
#define OPT_P_CONFIG (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO (1<<20)
#define OPT_P_INHERIT (1<<21)
#define OPT_P_ROUTE_EXTRAS (1<<22)
#define OPT_P_PULL_MODE (1<<23)
#define OPT_P_PLUGIN (1<<24)
#define OPT_P_SOCKBUF (1<<25)
#define OPT_P_SOCKFLAGS (1<<26)
#define OPT_P_CONNECTION (1<<27)
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) /* default permission mask: every OPT_P_ class except per-instance and pull-mode options; presumably the value handed to the permission_mask parameters of parse_argv()/apply_push_options() when no narrower mask applies (NOTE(review): confirm at the call sites) */
#define PULL_DEFINED(opt) ((opt)->pull)
#define PUSH_DEFINED(opt) ((opt)->push_list)
#define PULL_DEFINED(opt) (false)
#define PUSH_DEFINED(opt) (false)
#define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
#define ROUTE_OPTION_FLAGS(o) (0)
#ifdef ENABLE_FEATURE_SHAPER
#define SHAPER_DEFINED(opt) ((opt)->shaper)
#define SHAPER_DEFINED(opt) (false)
#define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
#define PLUGIN_OPTION_LIST(opt) (NULL)
#ifdef MANAGEMENT_DEF_AUTH
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
void parse_argv (struct options *options,
const unsigned int permission_mask,
unsigned int *option_types_found,
void notnull (const char *arg, const char *description);
void usage_small (void);
void init_options (struct options *o, const bool init_gc);
void uninit_options (struct options *o);
void setenv_settings (struct env_set *es, const struct options *o);
void show_settings (const struct options *o);
/* Equality test for two option strings; unlike the streq() macro its parameters may presumably be NULL ("undefined") — NOTE(review): confirm in options.c before relying on it for NULL-tolerant comparison. */
bool string_defined_equal (const char *s1, const char *s2);
const char *options_string_version (const char* s, struct gc_arena *gc);
char *options_string (const struct options *o,
const struct frame *frame,
struct gc_arena *gc);
/* Bounded comparison of an options string: `actual` is read within at most actual_n bytes, `expected` is our own options_string() output. Prefer this over options_cmp_equal() whenever `actual` originates from the peer, since only this variant carries an explicit length. `actual` is non-const — presumably it may be modified in place; confirm. */
bool options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n);
void options_warning_safe (char *actual, const char *expected, size_t actual_n);
/* Unbounded variant of options_cmp_equal_safe(): takes no length, so `actual` must already be NUL-terminated by the caller. */
bool options_cmp_equal (char *actual, const char *expected);
void options_warning (char *actual, const char *expected);
void options_postprocess (struct options *options);
void pre_pull_save (struct options *o);
void pre_pull_restore (struct options *o);
bool apply_push_options (struct options *options,
unsigned int permission_mask,
unsigned int *option_types_found,
void options_detach (struct options *o);
void options_server_import (struct options *o,
const char *filename,
unsigned int permission_mask,
unsigned int *option_types_found,
void pre_pull_default (struct options *o);
void rol_check_alloc (struct options *options);
int parse_line (const char *line,
struct gc_arena *gc);
* parse/print topology coding
int parse_topology (const char *str, const int msglevel);
const char *print_topology (const int topology);
* Manage auth-retry variable
#define AR_INTERACT 1
#define AR_NOINTERACT 2
int auth_retry_get (void);
bool auth_retry_set (const int msglevel, const char *option);
const char *auth_retry_print (void);
void options_string_import (struct options *options,
const unsigned int permission_mask,
unsigned int *option_types_found,
bool get_ipv6_addr( const char * prefix_str, struct in6_addr *network,
unsigned int * netbits, char ** printable_ipv6,
connection_list_defined (const struct options *o)
return o->connection_list != NULL;
connection_list_set_no_advance (struct options *o)
if (o->connection_list)
o->connection_list->no_advance = true;