release/src/router/openvpn/options.h

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2008 OpenVPN Technologies, Inc. <sales@openvpn.net>
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License version 2
  12  *  as published by the Free Software Foundation.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License
  20  *  along with this program (see the file COPYING included with this
  21  *  distribution); if not, write to the Free Software Foundation, Inc.,
  22  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 /*
  26  * 2004-01-28: Added Socks5 proxy support
  27  *   (Christof Meerwald, http://cmeerw.org)
  28  */
  29
  30 #ifndef OPTIONS_H
  31 #define OPTIONS_H
  32
  33 #include "basic.h"
  34 #include "common.h"
  35 #include "mtu.h"
  36 #include "route.h"
  37 #include "tun.h"
  38 #include "socket.h"
  39 #include "plugin.h"
  40 #include "manage.h"
  41 #include "proxy.h"
  42 #include "lzo.h"
  43
  44 /*
  45  * Maximum number of parameters associated with an option,
  46  * including the option name itself.
  47  */
  48 #define MAX_PARMS 16
  49
  50 /*
  51  * Max size of options line and parameter.
  52  */
  53 #define OPTION_PARM_SIZE 256
  54 #define OPTION_LINE_SIZE 256
  55
  56 extern const char title_string[];
  57
  58 #if P2MP
  59
  60 #if P2MP_SERVER
  61 /* parameters to be pushed to peer */
  62
  63 #define MAX_PUSH_LIST_LEN TLS_CHANNEL_BUF_SIZE /* This parm is related to PLAINTEXT_BUFFER_SIZE in ssl.h */
  64
  65 struct push_list {
  66   /* newline delimited options, like config file */
  67   char options[MAX_PUSH_LIST_LEN];
  68 };
  69 #endif
  70
  71 /* certain options are saved before --pull modifications are applied */
  72 struct options_pre_pull
  73 {
  74   bool tuntap_options_defined;
  75   struct tuntap_options tuntap_options;
  76
  77   bool routes_defined;
  78   struct route_option_list routes;
  79
  80   int foreign_option_index;
  81 };
  82
  83 #endif
  84
  85 struct connection_entry
  86 {
  87   int proto;
  88   int local_port;
  89   bool local_port_defined;
  90   int remote_port;
  91   bool port_option_used;
  92   const char *local;
  93   const char *remote;
  94   bool remote_float;
  95   bool bind_defined;
  96   bool bind_local;
  97   int connect_retry_seconds;
  98   bool connect_retry_defined;
  99   int connect_retry_max;
 100   int connect_timeout;
 101   bool connect_timeout_defined;
 102 #ifdef ENABLE_HTTP_PROXY
 103   struct http_proxy_options *http_proxy_options;
 104 #endif
 105 #ifdef ENABLE_SOCKS
 106   const char *socks_proxy_server;
 107   int socks_proxy_port;
 108   bool socks_proxy_retry;
 109 #endif
 110 };
 111
 112 struct remote_entry
 113 {
 114   const char *remote;
 115   int remote_port;
 116   int proto;
 117 };
 118
 119 #ifdef ENABLE_CONNECTION
 120
 121 #define CONNECTION_LIST_SIZE 64
 122
 123 struct connection_list
 124 {
 125   int len;
 126   int current;
 127   bool no_advance;
 128   struct connection_entry *array[CONNECTION_LIST_SIZE];
 129 };
 130
 131 struct remote_list
 132 {
 133   int len;
 134   struct remote_entry *array[CONNECTION_LIST_SIZE];
 135 };
 136
 137 #endif
 138
 139 /* Command line options */
 140 struct options
 141 {
 142   struct gc_arena gc;
 143   bool gc_owned;
 144
 145   /* first config file */
 146   const char *config;
 147
 148   /* major mode */
 149 # define MODE_POINT_TO_POINT 0
 150 # define MODE_SERVER         1
 151   int mode;
 152
 153   /* persist parms */
 154   bool persist_config;
 155   int persist_mode;
 156
 157 #ifdef USE_CRYPTO
 158   const char *key_pass_file;
 159   bool show_ciphers;
 160   bool show_digests;
 161   bool show_engines;
 162 #ifdef USE_SSL
 163   bool show_tls_ciphers;
 164 #endif
 165   bool genkey;
 166 #endif
 167
 168   /* Networking parms */
 169   struct connection_entry ce;
 170
 171 #ifdef ENABLE_CONNECTION
 172   struct connection_list *connection_list;
 173   struct remote_list *remote_list;
 174 #endif
 175
 176 #ifdef GENERAL_PROXY_SUPPORT
 177   struct auto_proxy_info *auto_proxy_info;
 178 #endif
 179
 180   bool remote_random;
 181   const char *ipchange;
 182   const char *dev;
 183   const char *dev_type;
 184   const char *dev_node;
 185   const char *lladdr;
 186   int topology; /* one of the TOP_x values from proto.h */
 187   const char *ifconfig_local;
 188   const char *ifconfig_remote_netmask;
 189   bool ifconfig_noexec;
 190   bool ifconfig_nowarn;
 191 #ifdef HAVE_GETTIMEOFDAY
 192   int shaper;
 193 #endif
 194   int tun_mtu;           /* MTU of tun device */
 195   int tun_mtu_extra;
 196   bool tun_mtu_extra_defined;
 197   int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */
 198   bool tun_mtu_defined;  /* true if user overriding parm with command line option */
 199   bool link_mtu_defined; /* true if user overriding parm with command line option */
 200
 201   /* Advanced MTU negotiation and datagram fragmentation options */
 202   int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */
 203
 204 #ifdef ENABLE_OCC
 205   bool mtu_test;
 206 #endif
 207
 208   int fragment;                 /* internal fragmentation size */
 209
 210   bool mlock;
 211
 212   int keepalive_ping;           /* a proxy for ping/ping-restart */
 213   int keepalive_timeout;
 214
 215   int inactivity_timeout;       /* --inactive */
 216   int inactivity_minimum_bytes;
 217
 218   int ping_send_timeout;        /* Send a TCP/UDP ping to remote every n seconds */
 219   int ping_rec_timeout;         /* Expect a TCP/UDP ping from remote at least once every n seconds */
 220   bool ping_timer_remote;       /* Run ping timer only if we have a remote address */
 221   bool tun_ipv6;                /* Build tun dev that supports IPv6 */
 222
 223 # define PING_UNDEF   0
 224 # define PING_EXIT    1
 225 # define PING_RESTART 2
 226   int ping_rec_timeout_action;  /* What action to take on ping_rec_timeout (exit or restart)? */
 227
 228 #ifdef ENABLE_OCC
 229   int explicit_exit_notification;  /* Explicitly tell peer when we are exiting via OCC_EXIT message */
 230 #endif
 231
 232   bool persist_tun;             /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
 233   bool persist_local_ip;        /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
 234   bool persist_remote_ip;       /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
 235   bool persist_key;             /* Don't re-read key files on SIGUSR1 or PING_RESTART */
 236
 237   int mssfix;                   /* Upper bound on TCP MSS */
 238   bool mssfix_default;          /* true if --mssfix was supplied without a parameter */
 239
 240 #if PASSTOS_CAPABILITY
 241   bool passtos;
 242 #endif
 243
 244   int resolve_retry_seconds;    /* If hostname resolve fails, retry for n seconds */
 245
 246   struct tuntap_options tuntap_options;
 247
 248   /* Misc parms */
 249   const char *username;
 250   const char *groupname;
 251   const char *chroot_dir;
 252   const char *cd_dir;
 253   const char *writepid;
 254   const char *up_script;
 255   const char *down_script;
 256   bool down_pre;
 257   bool up_delay;
 258   bool up_restart;
 259   bool daemon;
 260
 261   int remap_sigusr1;
 262
 263   /* inetd modes defined in socket.h */
 264   int inetd;
 265
 266   bool log;
 267   bool suppress_timestamps;
 268   int nice;
 269   int verbosity;
 270   int mute;
 271
 272 #ifdef ENABLE_DEBUG
 273   int gremlin;
 274 #endif
 275
 276   const char *status_file;
 277   int status_file_version;
 278   int status_file_update_freq;
 279
 280   /* optimize TUN/TAP/UDP writes */
 281   bool fast_io;
 282
 283 #ifdef USE_LZO
 284   /* LZO_x flags from lzo.h */
 285   unsigned int lzo;
 286 #endif
 287
 288   /* buffer sizes */
 289   int rcvbuf;
 290   int sndbuf;
 291
 292   /* socket flags */
 293   unsigned int sockflags;
 294
 295   /* route management */
 296   const char *route_script;
 297   const char *route_default_gateway;
 298   int route_default_metric;
 299   bool route_noexec;
 300   int route_delay;
 301   int route_delay_window;
 302   bool route_delay_defined;
 303   struct route_option_list *routes;
 304   bool route_nopull;
 305   bool route_gateway_via_dhcp;
 306   bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 307
 308 #ifdef ENABLE_OCC
 309   /* Enable options consistency check between peers */
 310   bool occ;
 311 #endif
 312
 313 #ifdef ENABLE_MANAGEMENT
 314   const char *management_addr;
 315   int management_port;
 316   const char *management_user_pass;
 317   int management_log_history_cache;
 318   int management_echo_buffer_size;
 319   int management_state_buffer_size;
 320   const char *management_write_peer_info_file;
 321
 322   const char *management_client_user;
 323   const char *management_client_group;
 324
 325   /* Mask of MF_ values of manage.h */
 326   unsigned int management_flags;
 327 #endif
 328
 329 #ifdef ENABLE_PLUGIN
 330   struct plugin_option_list *plugin_list;
 331 #endif
 332
 333 #ifdef USE_PTHREAD
 334   int n_threads;
 335   int nice_work;
 336 #endif
 337
 338 #if P2MP
 339
 340 #if P2MP_SERVER
 341   bool server_defined;
 342   in_addr_t server_network;
 343   in_addr_t server_netmask;
 344
 345 # define SF_NOPOOL (1<<0)
 346   unsigned int server_flags;
 347
 348   bool server_bridge_proxy_dhcp;
 349
 350   bool server_bridge_defined;
 351   in_addr_t server_bridge_ip;
 352   in_addr_t server_bridge_netmask;
 353   in_addr_t server_bridge_pool_start;
 354   in_addr_t server_bridge_pool_end;
 355
 356   struct push_list *push_list;
 357   bool ifconfig_pool_defined;
 358   in_addr_t ifconfig_pool_start;
 359   in_addr_t ifconfig_pool_end;
 360   in_addr_t ifconfig_pool_netmask;
 361   const char *ifconfig_pool_persist_filename;
 362   int ifconfig_pool_persist_refresh_freq;
 363   int real_hash_size;
 364   int virtual_hash_size;
 365   const char *client_connect_script;
 366   const char *client_disconnect_script;
 367   const char *learn_address_script;
 368   const char *tmp_dir;
 369   const char *client_config_dir;
 370   bool ccd_exclusive;
 371   bool disable;
 372   int n_bcast_buf;
 373   int tcp_queue_limit;
 374   struct iroute *iroutes;
 375   bool push_ifconfig_defined;
 376   in_addr_t push_ifconfig_local;
 377   in_addr_t push_ifconfig_remote_netmask;
 378   bool push_ifconfig_constraint_defined;
 379   in_addr_t push_ifconfig_constraint_network;
 380   in_addr_t push_ifconfig_constraint_netmask;
 381   bool enable_c2c;
 382   bool duplicate_cn;
 383   int cf_max;
 384   int cf_per;
 385   int max_clients;
 386   int max_routes_per_client;
 387
 388   bool client_cert_not_required;
 389   bool username_as_common_name;
 390   const char *auth_user_pass_verify_script;
 391   bool auth_user_pass_verify_script_via_file;
 392 #if PORT_SHARE
 393   char *port_share_host;
 394   int port_share_port;
 395 #endif
 396 #endif
 397
 398   bool client;
 399   bool pull; /* client pull of config options from server */
 400   const char *auth_user_pass_file;
 401   struct options_pre_pull *pre_pull;
 402
 403   int scheduled_exit_interval;
 404
 405 #endif
 406
 407 #ifdef USE_CRYPTO
 408   /* Cipher parms */
 409   const char *shared_secret_file;
 410 #if ENABLE_INLINE_FILES
 411   const char *shared_secret_file_inline;
 412 #endif
 413   int key_direction;
 414   bool ciphername_defined;
 415   const char *ciphername;
 416   bool authname_defined;
 417   const char *authname;
 418   int keysize;
 419   const char *engine;
 420   bool replay;
 421   bool mute_replay_warnings;
 422   int replay_window;
 423   int replay_time;
 424   const char *packet_id_file;
 425   bool use_iv;
 426   bool test_crypto;
 427
 428 #ifdef USE_SSL
 429   /* TLS (control channel) parms */
 430   bool tls_server;
 431   bool tls_client;
 432   const char *ca_file;
 433   const char *ca_path;
 434   const char *dh_file;
 435   const char *cert_file;
 436   const char *priv_key_file;
 437   const char *pkcs12_file;
 438   const char *cipher_list;
 439   const char *tls_verify;
 440   const char *tls_remote;
 441   const char *crl_file;
 442
 443 #if ENABLE_INLINE_FILES
 444   const char *ca_file_inline;
 445   const char *cert_file_inline;
 446   char *priv_key_file_inline;
 447   const char *dh_file_inline;
 448 #endif
 449
 450   int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
 451   unsigned remote_cert_ku[MAX_PARMS];
 452   const char *remote_cert_eku;
 453
 454 #ifdef ENABLE_PKCS11
 455   const char *pkcs11_providers[MAX_PARMS];
 456   unsigned pkcs11_private_mode[MAX_PARMS];
 457   bool pkcs11_protected_authentication[MAX_PARMS];
 458   bool pkcs11_cert_private[MAX_PARMS];
 459   int pkcs11_pin_cache_period;
 460   const char *pkcs11_id;
 461   bool pkcs11_id_management;
 462 #endif
 463
 464 #ifdef WIN32
 465   const char *cryptoapi_cert;
 466 #endif
 467
 468   /* data channel key exchange method */
 469   int key_method;
 470
 471   /* Per-packet timeout on control channel */
 472   int tls_timeout;
 473
 474   /* Data channel key renegotiation parameters */
 475   int renegotiate_bytes;
 476   int renegotiate_packets;
 477   int renegotiate_seconds;
 478
 479   /* Data channel key handshake must finalize
 480      within n seconds of handshake initiation. */
 481   int handshake_window;
 482
 483   /* Old key allowed to live n seconds after new key goes active */
 484   int transition_window;
 485
 486   /* Special authentication MAC for TLS control channel */
 487   const char *tls_auth_file;            /* shared secret */
 488 #if ENABLE_INLINE_FILES
 489   const char *tls_auth_file_inline;
 490 #endif
 491
 492   /* Allow only one session */
 493   bool single_session;
 494
 495   bool tls_exit;
 496
 497 #endif /* USE_SSL */
 498 #endif /* USE_CRYPTO */
 499
 500   /* special state parms */
 501   int foreign_option_index;
 502
 503 #ifdef WIN32
 504   const char *exit_event_name;
 505   bool exit_event_initial_state;
 506   bool show_net_up;
 507   int route_method;
 508 #endif
 509 };
 510
 511 #define streq(x, y) (!strcmp((x), (y)))
 512
 513 /*
 514  * Option classes.
 515  */
 516 #define OPT_P_GENERAL         (1<<0)
 517 #define OPT_P_UP              (1<<1)
 518 #define OPT_P_ROUTE           (1<<2)
 519 #define OPT_P_IPWIN32         (1<<3)
 520 #define OPT_P_SCRIPT          (1<<4)
 521 #define OPT_P_SETENV          (1<<5)
 522 #define OPT_P_SHAPER          (1<<6)
 523 #define OPT_P_TIMER           (1<<7)
 524 #define OPT_P_PERSIST         (1<<8)
 525 #define OPT_P_PERSIST_IP      (1<<9)
 526 #define OPT_P_COMP            (1<<10) /* TODO */
 527 #define OPT_P_MESSAGES        (1<<11)
 528 #define OPT_P_CRYPTO          (1<<12) /* TODO */
 529 #define OPT_P_TLS_PARMS       (1<<13) /* TODO */
 530 #define OPT_P_MTU             (1<<14) /* TODO */
 531 #define OPT_P_NICE            (1<<15)
 532 #define OPT_P_PUSH            (1<<16)
 533 #define OPT_P_INSTANCE        (1<<17)
 534 #define OPT_P_CONFIG          (1<<18)
 535 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
 536 #define OPT_P_ECHO            (1<<20)
 537 #define OPT_P_INHERIT         (1<<21)
 538 #define OPT_P_ROUTE_EXTRAS    (1<<22)
 539 #define OPT_P_PULL_MODE       (1<<23)
 540 #define OPT_P_PLUGIN          (1<<24)
 541 #define OPT_P_SOCKBUF         (1<<25)
 542 #define OPT_P_SOCKFLAGS       (1<<26)
 543 #define OPT_P_CONNECTION      (1<<27)
 544
 545 #define OPT_P_DEFAULT   (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
 546
 547 #if P2MP
 548 #define PULL_DEFINED(opt) ((opt)->pull)
 549 #if P2MP_SERVER
 550 #define PUSH_DEFINED(opt) ((opt)->push_list)
 551 #endif
 552 #endif
 553
 554 #ifndef PULL_DEFINED
 555 #define PULL_DEFINED(opt) (false)
 556 #endif
 557
 558 #ifndef PUSH_DEFINED
 559 #define PUSH_DEFINED(opt) (false)
 560 #endif
 561
 562 #ifdef WIN32
 563 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
 564 #else
 565 #define ROUTE_OPTION_FLAGS(o) (0)
 566 #endif
 567
 568 #ifdef HAVE_GETTIMEOFDAY
 569 #define SHAPER_DEFINED(opt) ((opt)->shaper)
 570 #else
 571 #define SHAPER_DEFINED(opt) (false)
 572 #endif
 573
 574 #ifdef ENABLE_PLUGIN
 575 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
 576 #else
 577 #define PLUGIN_OPTION_LIST(opt) (NULL)
 578 #endif
 579
 580 #ifdef MANAGEMENT_DEF_AUTH
 581 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
 582 #else
 583 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
 584 #endif
 585
 586 void parse_argv (struct options *options,
 587                  const int argc,
 588                  char *argv[],
 589                  const int msglevel,
 590                  const unsigned int permission_mask,
 591                  unsigned int *option_types_found,
 592                  struct env_set *es);
 593
 594 void notnull (const char *arg, const char *description);
 595
 596 void usage_small (void);
 597
 598 void init_options (struct options *o, const bool init_gc);
 599 void uninit_options (struct options *o);
 600
 601 void setenv_settings (struct env_set *es, const struct options *o);
 602 void show_settings (const struct options *o);
 603
 604 bool string_defined_equal (const char *s1, const char *s2);
 605
 606 #ifdef ENABLE_OCC
 607
 608 const char *options_string_version (const char* s, struct gc_arena *gc);
 609
 610 char *options_string (const struct options *o,
 611                       const struct frame *frame,
 612                       struct tuntap *tt,
 613                       bool remote,
 614                       struct gc_arena *gc);
 615
 616 bool options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n);
 617 void options_warning_safe (char *actual, const char *expected, size_t actual_n);
 618 bool options_cmp_equal (char *actual, const char *expected);
 619 void options_warning (char *actual, const char *expected);
 620
 621 #endif
 622
 623 void options_postprocess (struct options *options);
 624
 625 void pre_pull_save (struct options *o);
 626 void pre_pull_restore (struct options *o);
 627
 628 bool apply_push_options (struct options *options,
 629                          struct buffer *buf,
 630                          unsigned int permission_mask,
 631                          unsigned int *option_types_found,
 632                          struct env_set *es);
 633
 634 bool is_persist_option (const struct options *o);
 635 bool is_stateful_restart (const struct options *o);
 636
 637 void options_detach (struct options *o);
 638
 639 void options_server_import (struct options *o,
 640                             const char *filename,
 641                             int msglevel,
 642                             unsigned int permission_mask,
 643                             unsigned int *option_types_found,
 644                             struct env_set *es);
 645
 646 void pre_pull_default (struct options *o);
 647
 648 void rol_check_alloc (struct options *options);
 649
 650 int parse_line (const char *line,
 651                 char *p[],
 652                 const int n,
 653                 const char *file,
 654                 const int line_num,
 655                 int msglevel,
 656                 struct gc_arena *gc);
 657
 658 /*
 659  * parse/print topology coding
 660  */
 661
 662 int parse_topology (const char *str, const int msglevel);
 663 const char *print_topology (const int topology);
 664
 665 /*
 666  * Manage auth-retry variable
 667  */
 668
 669 #if P2MP
 670
 671 #define AR_NONE       0
 672 #define AR_INTERACT   1
 673 #define AR_NOINTERACT 2
 674
 675 int auth_retry_get (void);
 676 bool auth_retry_set (const int msglevel, const char *option);
 677 const char *auth_retry_print (void);
 678
 679 #endif
 680
 681 void options_string_import (struct options *options,
 682                             const char *config,
 683                             const int msglevel,
 684                             const unsigned int permission_mask,
 685                             unsigned int *option_types_found,
 686                             struct env_set *es);
 687
 688 /*
 689  * inline functions
 690  */
 691 static inline bool
 692 connection_list_defined (const struct options *o)
 693 {
 694 #ifdef ENABLE_CONNECTION
 695   return o->connection_list != NULL;
 696 #else
 697   return false;
 698 #endif
 699 }
 700
 701 static inline void
 702 connection_list_set_no_advance (struct options *o)
 703 {
 704 #ifdef ENABLE_CONNECTION
 705   if (o->connection_list)
 706     o->connection_list->no_advance = true;
 707 #endif
 708 }
 709
 710 #endif