release/src/router/openvpn/options.h

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License version 2
  12  *  as published by the Free Software Foundation.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License
  20  *  along with this program (see the file COPYING included with this
  21  *  distribution); if not, write to the Free Software Foundation, Inc.,
  22  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 /*
  26  * 2004-01-28: Added Socks5 proxy support
  27  *   (Christof Meerwald, http://cmeerw.org)
  28  */
  29
  30 #ifndef OPTIONS_H
  31 #define OPTIONS_H
  32
  33 #include "basic.h"
  34 #include "common.h"
  35 #include "mtu.h"
  36 #include "route.h"
  37 #include "tun.h"
  38 #include "socket.h"
  39 #include "plugin.h"
  40 #include "manage.h"
  41 #include "proxy.h"
  42 #include "lzo.h"
  43 #include "pushlist.h"
  44
  45 /*
  46  * Maximum number of parameters associated with an option,
  47  * including the option name itself.
  48  */
  49 #define MAX_PARMS 16
  50
  51 /*
  52  * Max size of options line and parameter.
  53  */
  54 #define OPTION_PARM_SIZE 256
  55 #define OPTION_LINE_SIZE 256
  56
  57 extern const char title_string[];
  58
  59 #if P2MP
  60
  61 /* certain options are saved before --pull modifications are applied */
  62 struct options_pre_pull
  63 {
  64   bool tuntap_options_defined;
  65   struct tuntap_options tuntap_options;
  66
  67   bool routes_defined;
  68   struct route_option_list *routes;
  69
  70   int foreign_option_index;
  71 };
  72
  73 #endif
  74
  75 struct connection_entry
  76 {
  77   int proto;
  78   int local_port;
  79   bool local_port_defined;
  80   int remote_port;
  81   bool port_option_used;
  82   const char *local;
  83   const char *remote;
  84   bool remote_float;
  85   bool bind_defined;
  86   bool bind_local;
  87   int connect_retry_seconds;
  88   bool connect_retry_defined;
  89   int connect_retry_max;
  90   int connect_timeout;
  91   bool connect_timeout_defined;
  92 #ifdef ENABLE_HTTP_PROXY
  93   struct http_proxy_options *http_proxy_options;
  94 #endif
  95 #ifdef ENABLE_SOCKS
  96   const char *socks_proxy_server;
  97   int socks_proxy_port;
  98   bool socks_proxy_retry;
  99 #endif
 100 };
 101
 102 struct remote_entry
 103 {
 104   const char *remote;
 105   int remote_port;
 106   int proto;
 107 };
 108
 109 #ifdef ENABLE_CONNECTION
 110
 111 #define CONNECTION_LIST_SIZE 64
 112
 113 struct connection_list
 114 {
 115   int len;
 116   int current;
 117   bool no_advance;
 118   struct connection_entry *array[CONNECTION_LIST_SIZE];
 119 };
 120
 121 struct remote_list
 122 {
 123   int len;
 124   struct remote_entry *array[CONNECTION_LIST_SIZE];
 125 };
 126
 127 #endif
 128
 129 /* Command line options */
 130 struct options
 131 {
 132   struct gc_arena gc;
 133   bool gc_owned;
 134
 135   /* first config file */
 136   const char *config;
 137
 138   /* major mode */
 139 # define MODE_POINT_TO_POINT 0
 140 # define MODE_SERVER         1
 141   int mode;
 142
 143   /* enable forward compatibility for post-2.1 features */
 144   bool forward_compatible;
 145
 146   /* persist parms */
 147   bool persist_config;
 148   int persist_mode;
 149
 150 #ifdef USE_CRYPTO
 151   const char *key_pass_file;
 152   bool show_ciphers;
 153   bool show_digests;
 154   bool show_engines;
 155 #ifdef USE_SSL
 156   bool show_tls_ciphers;
 157 #endif
 158   bool genkey;
 159 #endif
 160
 161   /* Networking parms */
 162   struct connection_entry ce;
 163
 164 #ifdef ENABLE_CONNECTION
 165   struct connection_list *connection_list;
 166   struct remote_list *remote_list;
 167 #endif
 168
 169 #ifdef GENERAL_PROXY_SUPPORT
 170   struct auto_proxy_info *auto_proxy_info;
 171 #endif
 172
 173   bool remote_random;
 174   const char *ipchange;
 175   const char *dev;
 176   const char *dev_type;
 177   const char *dev_node;
 178   const char *lladdr;
 179   int topology; /* one of the TOP_x values from proto.h */
 180   const char *ifconfig_local;
 181   const char *ifconfig_remote_netmask;
 182   bool ifconfig_noexec;
 183   bool ifconfig_nowarn;
 184 #ifdef HAVE_GETTIMEOFDAY
 185   int shaper;
 186 #endif
 187   int tun_mtu;           /* MTU of tun device */
 188   int tun_mtu_extra;
 189   bool tun_mtu_extra_defined;
 190   int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */
 191   bool tun_mtu_defined;  /* true if user overriding parm with command line option */
 192   bool link_mtu_defined; /* true if user overriding parm with command line option */
 193
 194   /* Advanced MTU negotiation and datagram fragmentation options */
 195   int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
 196
 197 #ifdef ENABLE_OCC
 198   bool mtu_test;
 199 #endif
 200
 201   int fragment;                 /* internal fragmentation size */
 202
 203   bool mlock;
 204
 205   int keepalive_ping;           /* a proxy for ping/ping-restart */
 206   int keepalive_timeout;
 207
 208   int inactivity_timeout;       /* --inactive */
 209   int inactivity_minimum_bytes;
 210
 211   int ping_send_timeout;        /* Send a TCP/UDP ping to remote every n seconds */
 212   int ping_rec_timeout;         /* Expect a TCP/UDP ping from remote at least once every n seconds */
 213   bool ping_timer_remote;       /* Run ping timer only if we have a remote address */
 214   bool tun_ipv6;                /* Build tun dev that supports IPv6 */
 215
 216 # define PING_UNDEF   0
 217 # define PING_EXIT    1
 218 # define PING_RESTART 2
 219   int ping_rec_timeout_action;  /* What action to take on ping_rec_timeout (exit or restart)? */
 220
 221 #ifdef ENABLE_OCC
 222   int explicit_exit_notification;  /* Explicitly tell peer when we are exiting via OCC_EXIT message */
 223 #endif
 224
 225   bool persist_tun;             /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
 226   bool persist_local_ip;        /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
 227   bool persist_remote_ip;       /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
 228   bool persist_key;             /* Don't re-read key files on SIGUSR1 or PING_RESTART */
 229
 230   int mssfix;                   /* Upper bound on TCP MSS */
 231   bool mssfix_default;          /* true if --mssfix was supplied without a parameter */
 232
 233 #if PASSTOS_CAPABILITY
 234   bool passtos;
 235 #endif
 236
 237   int resolve_retry_seconds;    /* If hostname resolve fails, retry for n seconds */
 238
 239   struct tuntap_options tuntap_options;
 240
 241   /* Misc parms */
 242   const char *username;
 243   const char *groupname;
 244   const char *chroot_dir;
 245   const char *cd_dir;
 246 #ifdef HAVE_SETCON
 247   char *selinux_context;
 248 #endif
 249   const char *writepid;
 250   const char *up_script;
 251   const char *down_script;
 252   bool down_pre;
 253   bool up_delay;
 254   bool up_restart;
 255   bool daemon;
 256
 257   int remap_sigusr1;
 258
 259   /* inetd modes defined in socket.h */
 260   int inetd;
 261
 262   bool log;
 263   bool suppress_timestamps;
 264   int nice;
 265   int verbosity;
 266   int mute;
 267
 268 #ifdef ENABLE_DEBUG
 269   int gremlin;
 270 #endif
 271
 272   const char *status_file;
 273   int status_file_version;
 274   int status_file_update_freq;
 275
 276   /* optimize TUN/TAP/UDP writes */
 277   bool fast_io;
 278
 279 #ifdef USE_LZO
 280   /* LZO_x flags from lzo.h */
 281   unsigned int lzo;
 282 #endif
 283
 284   /* buffer sizes */
 285   int rcvbuf;
 286   int sndbuf;
 287
 288   /* socket flags */
 289   unsigned int sockflags;
 290
 291   /* route management */
 292   const char *route_script;
 293   const char *route_default_gateway;
 294   int route_default_metric;
 295   bool route_noexec;
 296   int route_delay;
 297   int route_delay_window;
 298   bool route_delay_defined;
 299   int max_routes;
 300   struct route_option_list *routes;
 301   bool route_nopull;
 302   bool route_gateway_via_dhcp;
 303   bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 304
 305 #ifdef ENABLE_OCC
 306   /* Enable options consistency check between peers */
 307   bool occ;
 308 #endif
 309
 310 #ifdef ENABLE_MANAGEMENT
 311   const char *management_addr;
 312   int management_port;
 313   const char *management_user_pass;
 314   int management_log_history_cache;
 315   int management_echo_buffer_size;
 316   int management_state_buffer_size;
 317   const char *management_write_peer_info_file;
 318
 319   const char *management_client_user;
 320   const char *management_client_group;
 321
 322   /* Mask of MF_ values of manage.h */
 323   unsigned int management_flags;
 324 #endif
 325
 326 #ifdef ENABLE_PLUGIN
 327   struct plugin_option_list *plugin_list;
 328 #endif
 329
 330 #ifdef USE_PTHREAD
 331   int n_threads;
 332   int nice_work;
 333 #endif
 334
 335 #if P2MP
 336
 337 #if P2MP_SERVER
 338   bool server_defined;
 339   in_addr_t server_network;
 340   in_addr_t server_netmask;
 341
 342 # define SF_NOPOOL (1<<0)
 343 # define SF_TCP_NODELAY_HELPER (1<<1)
 344 # define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
 345   unsigned int server_flags;
 346
 347   bool server_bridge_proxy_dhcp;
 348
 349   bool server_bridge_defined;
 350   in_addr_t server_bridge_ip;
 351   in_addr_t server_bridge_netmask;
 352   in_addr_t server_bridge_pool_start;
 353   in_addr_t server_bridge_pool_end;
 354
 355   struct push_list push_list;
 356   bool ifconfig_pool_defined;
 357   in_addr_t ifconfig_pool_start;
 358   in_addr_t ifconfig_pool_end;
 359   in_addr_t ifconfig_pool_netmask;
 360   const char *ifconfig_pool_persist_filename;
 361   int ifconfig_pool_persist_refresh_freq;
 362   int real_hash_size;
 363   int virtual_hash_size;
 364   const char *client_connect_script;
 365   const char *client_disconnect_script;
 366   const char *learn_address_script;
 367   const char *tmp_dir;
 368   const char *client_config_dir;
 369   bool ccd_exclusive;
 370   bool disable;
 371   int n_bcast_buf;
 372   int tcp_queue_limit;
 373   struct iroute *iroutes;
 374   bool push_ifconfig_defined;
 375   in_addr_t push_ifconfig_local;
 376   in_addr_t push_ifconfig_remote_netmask;
 377   bool push_ifconfig_constraint_defined;
 378   in_addr_t push_ifconfig_constraint_network;
 379   in_addr_t push_ifconfig_constraint_netmask;
 380   bool enable_c2c;
 381   bool duplicate_cn;
 382   int cf_max;
 383   int cf_per;
 384   int max_clients;
 385   int max_routes_per_client;
 386
 387   const char *auth_user_pass_verify_script;
 388   bool auth_user_pass_verify_script_via_file;
 389   unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 390 #if PORT_SHARE
 391   char *port_share_host;
 392   int port_share_port;
 393 #endif
 394 #endif
 395
 396   bool client;
 397   bool pull; /* client pull of config options from server */
 398   int push_continuation;
 399   const char *auth_user_pass_file;
 400   struct options_pre_pull *pre_pull;
 401
 402   int server_poll_timeout;
 403
 404   int scheduled_exit_interval;
 405
 406 #endif
 407
 408 #ifdef USE_CRYPTO
 409   /* Cipher parms */
 410   const char *shared_secret_file;
 411 #if ENABLE_INLINE_FILES
 412   const char *shared_secret_file_inline;
 413 #endif
 414   int key_direction;
 415   bool ciphername_defined;
 416   const char *ciphername;
 417   bool authname_defined;
 418   const char *authname;
 419   int keysize;
 420   const char *prng_hash;
 421   int prng_nonce_secret_len;
 422   const char *engine;
 423   bool replay;
 424   bool mute_replay_warnings;
 425   int replay_window;
 426   int replay_time;
 427   const char *packet_id_file;
 428   bool use_iv;
 429   bool test_crypto;
 430
 431 #ifdef USE_SSL
 432   /* TLS (control channel) parms */
 433   bool tls_server;
 434   bool tls_client;
 435   const char *ca_file;
 436   const char *ca_path;
 437   const char *dh_file;
 438   const char *cert_file;
 439   const char *priv_key_file;
 440   const char *pkcs12_file;
 441   const char *cipher_list;
 442   const char *tls_verify;
 443   const char *tls_remote;
 444   const char *crl_file;
 445
 446 #if ENABLE_INLINE_FILES
 447   const char *ca_file_inline;
 448   const char *cert_file_inline;
 449   char *priv_key_file_inline;
 450   const char *dh_file_inline;
 451 #endif
 452
 453   int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
 454   unsigned remote_cert_ku[MAX_PARMS];
 455   const char *remote_cert_eku;
 456
 457 #ifdef ENABLE_PKCS11
 458   const char *pkcs11_providers[MAX_PARMS];
 459   unsigned pkcs11_private_mode[MAX_PARMS];
 460   bool pkcs11_protected_authentication[MAX_PARMS];
 461   bool pkcs11_cert_private[MAX_PARMS];
 462   int pkcs11_pin_cache_period;
 463   const char *pkcs11_id;
 464   bool pkcs11_id_management;
 465 #endif
 466
 467 #ifdef WIN32
 468   const char *cryptoapi_cert;
 469 #endif
 470
 471   /* data channel key exchange method */
 472   int key_method;
 473
 474   /* Per-packet timeout on control channel */
 475   int tls_timeout;
 476
 477   /* Data channel key renegotiation parameters */
 478   int renegotiate_bytes;
 479   int renegotiate_packets;
 480   int renegotiate_seconds;
 481
 482   /* Data channel key handshake must finalize
 483      within n seconds of handshake initiation. */
 484   int handshake_window;
 485
 486   /* Old key allowed to live n seconds after new key goes active */
 487   int transition_window;
 488
 489   /* Special authentication MAC for TLS control channel */
 490   const char *tls_auth_file;            /* shared secret */
 491 #if ENABLE_INLINE_FILES
 492   const char *tls_auth_file_inline;
 493 #endif
 494
 495   /* Allow only one session */
 496   bool single_session;
 497
 498   bool tls_exit;
 499
 500 #endif /* USE_SSL */
 501 #endif /* USE_CRYPTO */
 502
 503   /* special state parms */
 504   int foreign_option_index;
 505
 506 #ifdef WIN32
 507   const char *exit_event_name;
 508   bool exit_event_initial_state;
 509   bool show_net_up;
 510   int route_method;
 511 #endif
 512 };
 513
 514 #define streq(x, y) (!strcmp((x), (y)))
 515
 516 /*
 517  * Option classes.
 518  */
 519 #define OPT_P_GENERAL         (1<<0)
 520 #define OPT_P_UP              (1<<1)
 521 #define OPT_P_ROUTE           (1<<2)
 522 #define OPT_P_IPWIN32         (1<<3)
 523 #define OPT_P_SCRIPT          (1<<4)
 524 #define OPT_P_SETENV          (1<<5)
 525 #define OPT_P_SHAPER          (1<<6)
 526 #define OPT_P_TIMER           (1<<7)
 527 #define OPT_P_PERSIST         (1<<8)
 528 #define OPT_P_PERSIST_IP      (1<<9)
 529 #define OPT_P_COMP            (1<<10) /* TODO */
 530 #define OPT_P_MESSAGES        (1<<11)
 531 #define OPT_P_CRYPTO          (1<<12) /* TODO */
 532 #define OPT_P_TLS_PARMS       (1<<13) /* TODO */
 533 #define OPT_P_MTU             (1<<14) /* TODO */
 534 #define OPT_P_NICE            (1<<15)
 535 #define OPT_P_PUSH            (1<<16)
 536 #define OPT_P_INSTANCE        (1<<17)
 537 #define OPT_P_CONFIG          (1<<18)
 538 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
 539 #define OPT_P_ECHO            (1<<20)
 540 #define OPT_P_INHERIT         (1<<21)
 541 #define OPT_P_ROUTE_EXTRAS    (1<<22)
 542 #define OPT_P_PULL_MODE       (1<<23)
 543 #define OPT_P_PLUGIN          (1<<24)
 544 #define OPT_P_SOCKBUF         (1<<25)
 545 #define OPT_P_SOCKFLAGS       (1<<26)
 546 #define OPT_P_CONNECTION      (1<<27)
 547
 548 #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
 549
 550 #if P2MP
 551 #define PULL_DEFINED(opt) ((opt)->pull)
 552 #if P2MP_SERVER
 553 #define PUSH_DEFINED(opt) ((opt)->push_list)
 554 #endif
 555 #endif
 556
 557 #ifndef PULL_DEFINED
 558 #define PULL_DEFINED(opt) (false)
 559 #endif
 560
 561 #ifndef PUSH_DEFINED
 562 #define PUSH_DEFINED(opt) (false)
 563 #endif
 564
 565 #ifdef WIN32
 566 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
 567 #else
 568 #define ROUTE_OPTION_FLAGS(o) (0)
 569 #endif
 570
 571 #ifdef HAVE_GETTIMEOFDAY
 572 #define SHAPER_DEFINED(opt) ((opt)->shaper)
 573 #else
 574 #define SHAPER_DEFINED(opt) (false)
 575 #endif
 576
 577 #ifdef ENABLE_PLUGIN
 578 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
 579 #else
 580 #define PLUGIN_OPTION_LIST(opt) (NULL)
 581 #endif
 582
 583 #ifdef MANAGEMENT_DEF_AUTH
 584 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
 585 #else
 586 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
 587 #endif
 588
 589 void parse_argv (struct options *options,
 590                  const int argc,
 591                  char *argv[],
 592                  const int msglevel,
 593                  const unsigned int permission_mask,
 594                  unsigned int *option_types_found,
 595                  struct env_set *es);
 596
 597 void notnull (const char *arg, const char *description);
 598
 599 void usage_small (void);
 600
 601 void init_options (struct options *o, const bool init_gc);
 602 void uninit_options (struct options *o);
 603
 604 void setenv_settings (struct env_set *es, const struct options *o);
 605 void show_settings (const struct options *o);
 606
 607 bool string_defined_equal (const char *s1, const char *s2);
 608
 609 #ifdef ENABLE_OCC
 610
 611 const char *options_string_version (const char* s, struct gc_arena *gc);
 612
 613 char *options_string (const struct options *o,
 614                       const struct frame *frame,
 615                       struct tuntap *tt,
 616                       bool remote,
 617                       struct gc_arena *gc);
 618
 619 bool options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n);
 620 void options_warning_safe (char *actual, const char *expected, size_t actual_n);
 621 bool options_cmp_equal (char *actual, const char *expected);
 622 void options_warning (char *actual, const char *expected);
 623
 624 #endif
 625
 626 void options_postprocess (struct options *options);
 627
 628 void pre_pull_save (struct options *o);
 629 void pre_pull_restore (struct options *o);
 630
 631 bool apply_push_options (struct options *options,
 632                          struct buffer *buf,
 633                          unsigned int permission_mask,
 634                          unsigned int *option_types_found,
 635                          struct env_set *es);
 636
 637 bool is_persist_option (const struct options *o);
 638 bool is_stateful_restart (const struct options *o);
 639
 640 void options_detach (struct options *o);
 641
 642 void options_server_import (struct options *o,
 643                             const char *filename,
 644                             int msglevel,
 645                             unsigned int permission_mask,
 646                             unsigned int *option_types_found,
 647                             struct env_set *es);
 648
 649 void pre_pull_default (struct options *o);
 650
 651 void rol_check_alloc (struct options *options);
 652
 653 int parse_line (const char *line,
 654                 char *p[],
 655                 const int n,
 656                 const char *file,
 657                 const int line_num,
 658                 int msglevel,
 659                 struct gc_arena *gc);
 660
 661 /*
 662  * parse/print topology coding
 663  */
 664
 665 int parse_topology (const char *str, const int msglevel);
 666 const char *print_topology (const int topology);
 667
 668 /*
 669  * Manage auth-retry variable
 670  */
 671
 672 #if P2MP
 673
 674 #define AR_NONE       0
 675 #define AR_INTERACT   1
 676 #define AR_NOINTERACT 2
 677
 678 int auth_retry_get (void);
 679 bool auth_retry_set (const int msglevel, const char *option);
 680 const char *auth_retry_print (void);
 681
 682 #endif
 683
 684 void options_string_import (struct options *options,
 685                             const char *config,
 686                             const int msglevel,
 687                             const unsigned int permission_mask,
 688                             unsigned int *option_types_found,
 689                             struct env_set *es);
 690
 691 /*
 692  * inline functions
 693  */
 694 static inline bool
 695 connection_list_defined (const struct options *o)
 696 {
 697 #ifdef ENABLE_CONNECTION
 698   return o->connection_list != NULL;
 699 #else
 700   return false;
 701 #endif
 702 }
 703
 704 static inline void
 705 connection_list_set_no_advance (struct options *o)
 706 {
 707 #ifdef ENABLE_CONNECTION
 708   if (o->connection_list)
 709     o->connection_list->no_advance = true;
 710 #endif
 711 }
 712
 713 #endif