From 1079962e4c06f88a54e50d997c1b7e84303d30b4 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 21:29:50 +0200 Subject: New upstream version 2.5~beta1 --- src/openvpn/options.h | 117 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 75 insertions(+), 42 deletions(-) (limited to 'src/openvpn/options.h') diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f3cafea..877e939 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -41,9 +41,7 @@ #include "comp.h" #include "pushlist.h" #include "clinat.h" -#ifdef ENABLE_CRYPTO #include "crypto_backend.h" -#endif /* @@ -81,7 +79,7 @@ struct options_pre_pull }; #endif -#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) +#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) #error "At least one of OpenSSL or mbed TLS needs to be defined." #endif @@ -132,6 +130,20 @@ struct connection_entry #define CE_MAN_QUERY_REMOTE_MASK (0x07) #define CE_MAN_QUERY_REMOTE_SHIFT (2) unsigned int flags; + + /* Shared secret used for TLS control channel authentication */ + const char *tls_auth_file; + bool tls_auth_file_inline; + int key_direction; + + /* Shared secret used for TLS control channel authenticated encryption */ + const char *tls_crypt_file; + bool tls_crypt_file_inline; + + /* Client-specific secret or server key used for TLS control channel + * authenticated encryption v2 */ + const char *tls_crypt_v2_file; + bool tls_crypt_v2_file_inline; }; struct remote_entry @@ -157,6 +169,13 @@ struct remote_list struct remote_entry *array[CONNECTION_LIST_SIZE]; }; +enum vlan_acceptable_frames +{ + VLAN_ONLY_TAGGED, + VLAN_ONLY_UNTAGGED_OR_PRIORITY, + VLAN_ALL, +}; + struct remote_host_store { #define RH_HOST_LEN 80 @@ -165,6 +184,13 @@ struct remote_host_store char port[RH_PORT_LEN]; }; +enum genkey_type { + GENKEY_SECRET, + GENKEY_TLS_CRYPTV2_CLIENT, + GENKEY_TLS_CRYPTV2_SERVER, + GENKEY_AUTH_TOKEN +}; + /* Command line options */ struct options { @@ -188,7 +214,6 @@ struct options bool persist_config; int persist_mode; -#ifdef ENABLE_CRYPTO const char *key_pass_file; bool show_ciphers; bool show_digests; @@ -196,7 +221,9 @@ struct options bool show_tls_ciphers; bool show_curves; bool genkey; -#endif + enum genkey_type genkey_type; + const char *genkey_filename; + const char *genkey_extra_data; /* Networking parms */ int connect_retry_max; @@ -235,9 +262,7 @@ struct options int proto_force; -#ifdef ENABLE_OCC bool mtu_test; -#endif #ifdef ENABLE_MEMSTATS char *memstats_fn; @@ -325,6 +350,7 @@ struct options /* mark value */ int mark; + char *bind_dev; /* socket flags */ unsigned int sockflags; @@ -333,6 +359,7 @@ struct options const char *route_script; const char *route_predown_script; const char *route_default_gateway; + const char *route_ipv6_default_gateway; int route_default_metric; bool route_noexec; int route_delay; @@ -340,15 +367,14 @@ struct options bool route_delay_defined; struct route_option_list *routes; struct route_ipv6_option_list *routes_ipv6; /* IPv6 */ + bool block_ipv6; bool route_nopull; bool route_gateway_via_dhcp; bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */ struct client_nat_option_list *client_nat; -#ifdef ENABLE_OCC /* Enable options consistency check between peers */ bool occ; -#endif #ifdef ENABLE_MANAGEMENT const char *management_addr; @@ -375,7 +401,6 @@ struct options #if P2MP -#if P2MP_SERVER /* the tmp dir is for now only used in the P2P server context */ const char *tmp_dir; bool server_defined; @@ -429,6 +454,7 @@ struct options bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; + bool push_ifconfig_ipv4_blocked; /* IPv4 */ bool push_ifconfig_ipv6_defined; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ int push_ifconfig_ipv6_netbits; /* IPv6 */ @@ -446,13 +472,17 @@ struct options const char *auth_user_pass_verify_script; bool auth_user_pass_verify_script_via_file; bool auth_token_generate; - unsigned int auth_token_lifetime; + bool auth_token_gen_secret_file; + bool auth_token_call_auth; + int auth_token_lifetime; + const char *auth_token_secret_file; + bool auth_token_secret_file_inline; + #if PORT_SHARE char *port_share_host; char *port_share_port; const char *port_share_journal_dir; #endif -#endif /* if P2MP_SERVER */ bool client; bool pull; /* client pull of config options from server */ @@ -463,17 +493,18 @@ struct options int scheduled_exit_interval; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT struct static_challenge_info sc_info; #endif #endif /* if P2MP */ -#ifdef ENABLE_CRYPTO /* Cipher parms */ const char *shared_secret_file; - const char *shared_secret_file_inline; + bool shared_secret_file_inline; int key_direction; const char *ciphername; + bool enable_ncp_fallback; /**< If defined fall back to + * ciphername if NCP fails */ bool ncp_enabled; const char *ncp_ciphers; const char *authname; @@ -486,7 +517,6 @@ struct options int replay_window; int replay_time; const char *packet_id_file; - bool use_iv; bool test_crypto; #ifdef ENABLE_PREDICTION_RESISTANCE bool use_prediction_resistance; @@ -496,14 +526,21 @@ struct options bool tls_server; bool tls_client; const char *ca_file; + bool ca_file_inline; const char *ca_path; const char *dh_file; + bool dh_file_inline; const char *cert_file; + bool cert_file_inline; const char *extra_certs_file; + bool extra_certs_file_inline; const char *priv_key_file; + bool priv_key_file_inline; const char *pkcs12_file; + bool pkcs12_file_inline; const char *cipher_list; const char *cipher_list_tls13; + const char *tls_groups; const char *tls_cert_profile; const char *ecdh_curve; const char *tls_verify; @@ -511,14 +548,7 @@ struct options const char *verify_x509_name; const char *tls_export_cert; const char *crl_file; - - const char *ca_file_inline; - const char *cert_file_inline; - const char *extra_certs_file_inline; - const char *crl_file_inline; - char *priv_key_file_inline; - const char *dh_file_inline; - const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */ + bool crl_file_inline; int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */ unsigned remote_cert_ku[MAX_PARMS]; @@ -540,10 +570,6 @@ struct options #ifdef ENABLE_CRYPTOAPI const char *cryptoapi_cert; #endif - - /* data channel key exchange method */ - int key_method; - /* Per-packet timeout on control channel */ int tls_timeout; @@ -551,6 +577,7 @@ struct options int renegotiate_bytes; int renegotiate_packets; int renegotiate_seconds; + int renegotiate_seconds_min; /* Data channel key handshake must finalize * within n seconds of handshake initiation. */ @@ -566,23 +593,28 @@ struct options /* Shared secret used for TLS control channel authentication */ const char *tls_auth_file; - const char *tls_auth_file_inline; + bool tls_auth_file_inline; /* Shared secret used for TLS control channel authenticated encryption */ const char *tls_crypt_file; - const char *tls_crypt_inline; + bool tls_crypt_file_inline; + + /* Client-specific secret or server key used for TLS control channel + * authenticated encryption v2 */ + const char *tls_crypt_v2_file; + bool tls_crypt_v2_file_inline; + + const char *tls_crypt_v2_metadata; + + const char *tls_crypt_v2_verify_script; /* Allow only one session */ bool single_session; -#ifdef ENABLE_PUSH_PEER_INFO bool push_peer_info; -#endif bool tls_exit; -#endif /* ENABLE_CRYPTO */ - const struct x509_track *x509_track; /* special state parms */ @@ -595,17 +627,22 @@ struct options bool show_net_up; int route_method; bool block_outside_dns; + enum windows_driver_type windows_driver; #endif bool use_peer_id; uint32_t peer_id; -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 +#ifdef HAVE_EXPORT_KEYING_MATERIAL /* Keying Material Exporters [RFC 5705] */ const char *keying_material_exporter_label; int keying_material_exporter_length; #endif + bool vlan_tagging; + enum vlan_acceptable_frames vlan_accept; + uint16_t vlan_pvid; + struct pull_filter_list *pull_filter_list; /* Useful when packets sent by openvpn itself are not subject @@ -635,7 +672,7 @@ struct options #define OPT_P_MTU (1<<14) /* TODO */ #define OPT_P_NICE (1<<15) #define OPT_P_PUSH (1<<16) -#define OPT_P_INSTANCE (1<<17) +#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/ #define OPT_P_CONFIG (1<<18) #define OPT_P_EXPLICIT_NOTIFY (1<<19) #define OPT_P_ECHO (1<<20) @@ -647,15 +684,14 @@ struct options #define OPT_P_SOCKFLAGS (1<<26) #define OPT_P_CONNECTION (1<<27) #define OPT_P_PEER_ID (1<<28) +#define OPT_P_INLINE (1<<29) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) #if P2MP #define PULL_DEFINED(opt) ((opt)->pull) -#if P2MP_SERVER #define PUSH_DEFINED(opt) ((opt)->push_list) #endif -#endif #ifndef PULL_DEFINED #define PULL_DEFINED(opt) (false) @@ -718,13 +754,12 @@ void show_settings(const struct options *o); bool string_defined_equal(const char *s1, const char *s2); -#ifdef ENABLE_OCC - const char *options_string_version(const char *s, struct gc_arena *gc); char *options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, + openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc); @@ -736,8 +771,6 @@ bool options_cmp_equal(char *actual, const char *expected); void options_warning(char *actual, const char *expected); -#endif - /** * Given an OpenVPN options string, extract the value of an option. * -- cgit v1.2.3