summaryrefslogtreecommitdiff
path: root/src/openvpn/options.h
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
committerBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
commit9fc3b98112217f2d92a67977dbde0987cc7a1803 (patch)
tree29fcc8654ee65d9dd89ade797bea2f3d9dfd9cfd /src/openvpn/options.h
parenta8758c0e03eed188dcb9da0e4fd781a67c25bf1e (diff)
parent69b02b1f7fd609d84ace13ab04697158de2418a9 (diff)
Merge branch 'debian/experimental-2.5'
Diffstat (limited to 'src/openvpn/options.h')
-rw-r--r--src/openvpn/options.h117
1 files changed, 75 insertions, 42 deletions
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index f3cafea..877e939 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -41,9 +41,7 @@
#include "comp.h"
#include "pushlist.h"
#include "clinat.h"
-#ifdef ENABLE_CRYPTO
#include "crypto_backend.h"
-#endif
/*
@@ -81,7 +79,7 @@ struct options_pre_pull
};
#endif
-#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
+#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
#error "At least one of OpenSSL or mbed TLS needs to be defined."
#endif
@@ -132,6 +130,20 @@ struct connection_entry
#define CE_MAN_QUERY_REMOTE_MASK (0x07)
#define CE_MAN_QUERY_REMOTE_SHIFT (2)
unsigned int flags;
+
+ /* Shared secret used for TLS control channel authentication */
+ const char *tls_auth_file;
+ bool tls_auth_file_inline;
+ int key_direction;
+
+ /* Shared secret used for TLS control channel authenticated encryption */
+ const char *tls_crypt_file;
+ bool tls_crypt_file_inline;
+
+ /* Client-specific secret or server key used for TLS control channel
+ * authenticated encryption v2 */
+ const char *tls_crypt_v2_file;
+ bool tls_crypt_v2_file_inline;
};
struct remote_entry
@@ -157,6 +169,13 @@ struct remote_list
struct remote_entry *array[CONNECTION_LIST_SIZE];
};
+enum vlan_acceptable_frames
+{
+ VLAN_ONLY_TAGGED,
+ VLAN_ONLY_UNTAGGED_OR_PRIORITY,
+ VLAN_ALL,
+};
+
struct remote_host_store
{
#define RH_HOST_LEN 80
@@ -165,6 +184,13 @@ struct remote_host_store
char port[RH_PORT_LEN];
};
+enum genkey_type {
+ GENKEY_SECRET,
+ GENKEY_TLS_CRYPTV2_CLIENT,
+ GENKEY_TLS_CRYPTV2_SERVER,
+ GENKEY_AUTH_TOKEN
+};
+
/* Command line options */
struct options
{
@@ -188,7 +214,6 @@ struct options
bool persist_config;
int persist_mode;
-#ifdef ENABLE_CRYPTO
const char *key_pass_file;
bool show_ciphers;
bool show_digests;
@@ -196,7 +221,9 @@ struct options
bool show_tls_ciphers;
bool show_curves;
bool genkey;
-#endif
+ enum genkey_type genkey_type;
+ const char *genkey_filename;
+ const char *genkey_extra_data;
/* Networking parms */
int connect_retry_max;
@@ -235,9 +262,7 @@ struct options
int proto_force;
-#ifdef ENABLE_OCC
bool mtu_test;
-#endif
#ifdef ENABLE_MEMSTATS
char *memstats_fn;
@@ -325,6 +350,7 @@ struct options
/* mark value */
int mark;
+ char *bind_dev;
/* socket flags */
unsigned int sockflags;
@@ -333,6 +359,7 @@ struct options
const char *route_script;
const char *route_predown_script;
const char *route_default_gateway;
+ const char *route_ipv6_default_gateway;
int route_default_metric;
bool route_noexec;
int route_delay;
@@ -340,15 +367,14 @@ struct options
bool route_delay_defined;
struct route_option_list *routes;
struct route_ipv6_option_list *routes_ipv6; /* IPv6 */
+ bool block_ipv6;
bool route_nopull;
bool route_gateway_via_dhcp;
bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
struct client_nat_option_list *client_nat;
-#ifdef ENABLE_OCC
/* Enable options consistency check between peers */
bool occ;
-#endif
#ifdef ENABLE_MANAGEMENT
const char *management_addr;
@@ -375,7 +401,6 @@ struct options
#if P2MP
-#if P2MP_SERVER
/* the tmp dir is for now only used in the P2P server context */
const char *tmp_dir;
bool server_defined;
@@ -429,6 +454,7 @@ struct options
bool push_ifconfig_constraint_defined;
in_addr_t push_ifconfig_constraint_network;
in_addr_t push_ifconfig_constraint_netmask;
+ bool push_ifconfig_ipv4_blocked; /* IPv4 */
bool push_ifconfig_ipv6_defined; /* IPv6 */
struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
int push_ifconfig_ipv6_netbits; /* IPv6 */
@@ -446,13 +472,17 @@ struct options
const char *auth_user_pass_verify_script;
bool auth_user_pass_verify_script_via_file;
bool auth_token_generate;
- unsigned int auth_token_lifetime;
+ bool auth_token_gen_secret_file;
+ bool auth_token_call_auth;
+ int auth_token_lifetime;
+ const char *auth_token_secret_file;
+ bool auth_token_secret_file_inline;
+
#if PORT_SHARE
char *port_share_host;
char *port_share_port;
const char *port_share_journal_dir;
#endif
-#endif /* if P2MP_SERVER */
bool client;
bool pull; /* client pull of config options from server */
@@ -463,17 +493,18 @@ struct options
int scheduled_exit_interval;
-#ifdef ENABLE_CLIENT_CR
+#ifdef ENABLE_MANAGEMENT
struct static_challenge_info sc_info;
#endif
#endif /* if P2MP */
-#ifdef ENABLE_CRYPTO
/* Cipher parms */
const char *shared_secret_file;
- const char *shared_secret_file_inline;
+ bool shared_secret_file_inline;
int key_direction;
const char *ciphername;
+ bool enable_ncp_fallback; /**< If defined fall back to
+ * ciphername if NCP fails */
bool ncp_enabled;
const char *ncp_ciphers;
const char *authname;
@@ -486,7 +517,6 @@ struct options
int replay_window;
int replay_time;
const char *packet_id_file;
- bool use_iv;
bool test_crypto;
#ifdef ENABLE_PREDICTION_RESISTANCE
bool use_prediction_resistance;
@@ -496,14 +526,21 @@ struct options
bool tls_server;
bool tls_client;
const char *ca_file;
+ bool ca_file_inline;
const char *ca_path;
const char *dh_file;
+ bool dh_file_inline;
const char *cert_file;
+ bool cert_file_inline;
const char *extra_certs_file;
+ bool extra_certs_file_inline;
const char *priv_key_file;
+ bool priv_key_file_inline;
const char *pkcs12_file;
+ bool pkcs12_file_inline;
const char *cipher_list;
const char *cipher_list_tls13;
+ const char *tls_groups;
const char *tls_cert_profile;
const char *ecdh_curve;
const char *tls_verify;
@@ -511,14 +548,7 @@ struct options
const char *verify_x509_name;
const char *tls_export_cert;
const char *crl_file;
-
- const char *ca_file_inline;
- const char *cert_file_inline;
- const char *extra_certs_file_inline;
- const char *crl_file_inline;
- char *priv_key_file_inline;
- const char *dh_file_inline;
- const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
+ bool crl_file_inline;
int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
unsigned remote_cert_ku[MAX_PARMS];
@@ -540,10 +570,6 @@ struct options
#ifdef ENABLE_CRYPTOAPI
const char *cryptoapi_cert;
#endif
-
- /* data channel key exchange method */
- int key_method;
-
/* Per-packet timeout on control channel */
int tls_timeout;
@@ -551,6 +577,7 @@ struct options
int renegotiate_bytes;
int renegotiate_packets;
int renegotiate_seconds;
+ int renegotiate_seconds_min;
/* Data channel key handshake must finalize
* within n seconds of handshake initiation. */
@@ -566,23 +593,28 @@ struct options
/* Shared secret used for TLS control channel authentication */
const char *tls_auth_file;
- const char *tls_auth_file_inline;
+ bool tls_auth_file_inline;
/* Shared secret used for TLS control channel authenticated encryption */
const char *tls_crypt_file;
- const char *tls_crypt_inline;
+ bool tls_crypt_file_inline;
+
+ /* Client-specific secret or server key used for TLS control channel
+ * authenticated encryption v2 */
+ const char *tls_crypt_v2_file;
+ bool tls_crypt_v2_file_inline;
+
+ const char *tls_crypt_v2_metadata;
+
+ const char *tls_crypt_v2_verify_script;
/* Allow only one session */
bool single_session;
-#ifdef ENABLE_PUSH_PEER_INFO
bool push_peer_info;
-#endif
bool tls_exit;
-#endif /* ENABLE_CRYPTO */
-
const struct x509_track *x509_track;
/* special state parms */
@@ -595,17 +627,22 @@ struct options
bool show_net_up;
int route_method;
bool block_outside_dns;
+ enum windows_driver_type windows_driver;
#endif
bool use_peer_id;
uint32_t peer_id;
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
/* Keying Material Exporters [RFC 5705] */
const char *keying_material_exporter_label;
int keying_material_exporter_length;
#endif
+ bool vlan_tagging;
+ enum vlan_acceptable_frames vlan_accept;
+ uint16_t vlan_pvid;
+
struct pull_filter_list *pull_filter_list;
/* Useful when packets sent by openvpn itself are not subject
@@ -635,7 +672,7 @@ struct options
#define OPT_P_MTU (1<<14) /* TODO */
#define OPT_P_NICE (1<<15)
#define OPT_P_PUSH (1<<16)
-#define OPT_P_INSTANCE (1<<17)
+#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/
#define OPT_P_CONFIG (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO (1<<20)
@@ -647,15 +684,14 @@ struct options
#define OPT_P_SOCKFLAGS (1<<26)
#define OPT_P_CONNECTION (1<<27)
#define OPT_P_PEER_ID (1<<28)
+#define OPT_P_INLINE (1<<29)
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
#if P2MP
#define PULL_DEFINED(opt) ((opt)->pull)
-#if P2MP_SERVER
#define PUSH_DEFINED(opt) ((opt)->push_list)
#endif
-#endif
#ifndef PULL_DEFINED
#define PULL_DEFINED(opt) (false)
@@ -718,13 +754,12 @@ void show_settings(const struct options *o);
bool string_defined_equal(const char *s1, const char *s2);
-#ifdef ENABLE_OCC
-
const char *options_string_version(const char *s, struct gc_arena *gc);
char *options_string(const struct options *o,
const struct frame *frame,
struct tuntap *tt,
+ openvpn_net_ctx_t *ctx,
bool remote,
struct gc_arena *gc);
@@ -736,8 +771,6 @@ bool options_cmp_equal(char *actual, const char *expected);
void options_warning(char *actual, const char *expected);
-#endif
-
/**
* Given an OpenVPN options string, extract the value of an option.
*