]> git.ipfire.org Git - thirdparty/openvpn.git/blob - src/openvpn/options.c
projects / thirdparty / openvpn.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Change command help to match man page and implementation
[thirdparty/openvpn.git] / src / openvpn / options.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2022 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38
39 #include "syshead.h"
40
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include "xkey_common.h"
64 #include "dco.h"
65 #include <ctype.h>
66
67 #include "memdbg.h"
68
69 const char title_string[] =
70 PACKAGE_STRING
71 #ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73 #endif
74 " " TARGET_ALIAS
75 #if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77 #elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79 #else
80 " [SSL]"
81 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82 #ifdef USE_COMP
83 #ifdef ENABLE_LZO
84 " [LZO]"
85 #endif
86 #ifdef ENABLE_LZ4
87 " [LZ4]"
88 #endif
89 #ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91 #endif
92 #endif /* USE_COMP */
93 #if EPOLL
94 " [EPOLL]"
95 #endif
96 #ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98 #endif
99 #ifdef ENABLE_PKCS11
100 " [PKCS11]"
101 #endif
102 #if ENABLE_IP_PKTINFO
103 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105 #elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107 #endif
108 #endif
109 " [AEAD]"
110 #ifdef ENABLE_DCO
111 " [DCO]"
112 #endif
113 #ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115 #endif
116 ;
117
118 #ifndef ENABLE_SMALL
119
120 static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host : Local host name or ip address. Implies --bind.\n"
130 "--remote host [port] : Remote host name or ip address.\n"
131 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
132 "--remote-random-hostname : Add a random string to remote DNS name.\n"
133 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
134 "--proto p : Use protocol p for communicating with peer.\n"
135 " p = udp (default), tcp-server, tcp-client\n"
136 " udp4, tcp4-server, tcp4-client\n"
137 " udp6, tcp6-server, tcp6-client\n"
138 "--proto-force p : only consider protocol p in list of connection profiles.\n"
139 " p = udp or tcp\n"
140 "--connect-retry n [m] : For client, number of seconds to wait between\n"
141 " connection retries (default=%d). On repeated retries\n"
142 " the wait time is exponentially increased to a maximum of m\n"
143 " (default=%d).\n"
144 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
145 "--http-proxy s p [up] [auth] : Connect to remote host\n"
146 " through an HTTP proxy at address s and port p.\n"
147 " If proxy authentication is required,\n"
148 " up is a file containing username/password on 2 lines, or\n"
149 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
150 " the proxy requires NTLM authentication.\n"
151 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
152 " determine auth method and query for username/password\n"
153 " if needed. auto-nct disables weak proxy auth methods.\n"
154 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
155 " Repeat to set multiple options.\n"
156 " VERSION version (default=1.0)\n"
157 " AGENT user-agent\n"
158 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
159 " address s and port p (default port = 1080).\n"
160 " If proxy authentication is required,\n"
161 " up is a file containing username/password on 2 lines, or\n"
162 " 'stdin' to prompt for console.\n"
163 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
164 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
165 " resolve for n seconds before failing (disabled by default).\n"
166 " Set n=\"infinite\" to retry indefinitely.\n"
167 "--float : Allow remote to change its IP address/port, such as through\n"
168 " DHCP (this is the default if --remote is not used).\n"
169 "--ipchange cmd : Run command cmd on remote ip address initial\n"
170 " setting or change -- execute as: cmd ip-address port#\n"
171 "--port port : TCP/UDP port # for both local and remote.\n"
172 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
173 "--rport port : TCP/UDP port # for remote (default=%s).\n"
174 "--bind : Bind to local address and port. (This is the default unless\n"
175 " --proto tcp-client"
176 " or --http-proxy"
177 " or --socks-proxy"
178 " is used).\n"
179 "--nobind : Do not bind to local address and port.\n"
180 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
181 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
182 " this option only if the tun/tap device used with --dev\n"
183 " does not begin with \"tun\" or \"tap\".\n"
184 "--dev-node node : Explicitly set the device node rather than using\n"
185 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
186 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
187 "--disable-dco : Do not attempt using Data Channel Offload.\n"
188 #endif
189 "--lladdr hw : Set the link layer address of the tap device.\n"
190 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
193 #endif
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"default\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
216 " in --ifconfig-ipv6\n"
217 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
218 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes, dns, and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
243 " ICMPv6 host unreachable messages on the client.\n"
244 " (Server) Instead of forwarding IPv6 packets send\n"
245 " ICMPv6 host unreachable packets to the client.\n"
246 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
247 "--push-peer-info : (client only) push client info to server.\n"
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
252 " these options to be ignored when unknown\n"
253 "--script-security level: Where level can be:\n"
254 " 0 -- strictly no calling of external programs\n"
255 " 1 -- (default) only call built-ins such as ifconfig\n"
256 " 2 -- allow calling of built-ins and scripts\n"
257 " 3 -- allow password to be passed to scripts via env\n"
258 "--shaper n : Restrict output to peer to n bytes per second.\n"
259 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
260 " ping once every n seconds, restart if ping not received\n"
261 " for m seconds.\n"
262 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
263 " produces a combined in/out byte count < bytes.\n"
264 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
265 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
266 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
267 " remote address.\n"
268 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
269 #if ENABLE_IP_PKTINFO
270 "--multihome : Configure a multi-homed UDP server.\n"
271 #endif
272 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
273 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
274 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
275 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
276 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
277 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
278 #if PASSTOS_CAPABILITY
279 "--passtos : TOS passthrough (applies to IPv4 only).\n"
280 #endif
281 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
282 " TCP/UDP MTU from it (default=%d).\n"
283 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
284 " as n bytes more than the tun-mtu size on read\n"
285 " (default TUN=0 TAP=%d).\n"
286 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
287 " from it.\n"
288 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
289 " 'no' -- Never send DF (Don't Fragment) frames\n"
290 " 'maybe' -- Use per-route hints\n"
291 " 'yes' -- Always DF (Don't Fragment)\n"
292 "--mtu-test : Empirically measure and report MTU.\n"
293 #ifdef ENABLE_FRAGMENT
294 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
295 " datagrams are sent which are larger than max bytes.\n"
296 " Adds 4 bytes of overhead per datagram.\n"
297 #endif
298 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
299 " or --fragment max value, whichever is lower.\n"
300 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
301 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
302 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
303 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
304 " can be matched in policy routing and packetfilter rules.\n"
305 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
306 " listening for connections. This allows sending encrypted packets\n"
307 " via a VRF present on the system.\n"
308 #endif
309 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
310 #ifdef ENABLE_MEMSTATS
311 "--memstats file : Write live usage stats to memory mapped binary file.\n"
312 #endif
313 "--mlock : Disable Paging -- ensures key material and tunnel\n"
314 " data will never be written to disk.\n"
315 "--up cmd : Run command cmd after successful tun device open.\n"
316 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
317 " ifconfig-local-ip ifconfig-remote-ip\n"
318 " (pre --user or --group UID/GID change)\n"
319 "--up-delay : Delay tun/tap open and possible --up script execution\n"
320 " until after TCP/UDP connection establishment with peer.\n"
321 "--down cmd : Run command cmd after tun device close.\n"
322 " (post --user/--group UID/GID change and/or --chroot)\n"
323 " (command parameters are same as --up option)\n"
324 "--down-pre : Run --down command before TUN/TAP close.\n"
325 "--up-restart : Run up/down commands for all restarts including those\n"
326 " caused by --ping-restart or SIGUSR1\n"
327 "--user user : Set UID to user after initialization.\n"
328 "--group group : Set GID to group after initialization.\n"
329 "--chroot dir : Chroot to this directory after initialization.\n"
330 #ifdef ENABLE_SELINUX
331 "--setcon context: Apply this SELinux context after initialization.\n"
332 #endif
333 "--cd dir : Change to this directory before initialization.\n"
334 "--daemon [name] : Become a daemon after initialization.\n"
335 " The optional 'name' parameter will be passed\n"
336 " as the program name to the system logger.\n"
337 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
338 " See --daemon above for a description of the 'name' parm.\n"
339 "--log file : Output log to file which is created/truncated on open.\n"
340 "--log-append file : Append log to file, or create file if nonexistent.\n"
341 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
342 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
343 "--writepid file : Write main process ID to file.\n"
344 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
345 "--echo [parms ...] : Echo parameters to log output.\n"
346 "--verb n : Set output verbosity to n (default=%d):\n"
347 " (Level 3 is recommended if you want a good summary\n"
348 " of what's happening without being swamped by output).\n"
349 " : 0 -- no output except fatal errors\n"
350 " : 1 -- startup info + connection initiated messages +\n"
351 " non-fatal encryption & net errors\n"
352 " : 2,3 -- show TLS negotiations & route info\n"
353 " : 4 -- show parameters\n"
354 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
355 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
356 " : 6 to 11 -- debug messages of increasing verbosity\n"
357 "--mute n : Log at most n consecutive messages in the same category.\n"
358 "--status file [n] : Write operational status to file every n seconds.\n"
359 "--status-version [n] : Choose the status file format version number.\n"
360 " Currently, n can be 1, 2, or 3 (default=1).\n"
361 "--disable-occ : Disable options consistency check between peers.\n"
362 #ifdef ENABLE_DEBUG
363 "--gremlin mask : Special stress testing mode (for debugging only).\n"
364 #endif
365 #if defined(USE_COMP)
366 "--compress alg : Use compression algorithm alg\n"
367 "--allow-compression: Specify whether compression should be allowed\n"
368 #if defined(ENABLE_LZO)
369 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
370 " packet for incompressible data.\n"
371 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
372 " is specified.\n"
373 #endif
374 #endif
375 #ifdef ENABLE_MANAGEMENT
376 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
377 " management functions. pass is a password file\n"
378 " or 'stdin' to prompt from console.\n"
379 #if UNIX_SOCK_SUPPORT
380 " To listen on a unix domain socket, specific the pathname\n"
381 " in place of ip and use 'unix' as the port number.\n"
382 #endif
383 "--management-client : Management interface will connect as a TCP client to\n"
384 " ip/port rather than listen as a TCP server.\n"
385 "--management-query-passwords : Query management channel for private key\n"
386 " and auth-user-pass passwords.\n"
387 "--management-query-proxy : Query management channel for proxy information.\n"
388 "--management-query-remote : Query management channel for --remote directive.\n"
389 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
390 " of the management interface explicitly starts it.\n"
391 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
392 "--management-forget-disconnect : Forget passwords when management disconnect\n"
393 " event occurs.\n"
394 "--management-up-down : Report tunnel up/down events to management interface.\n"
395 "--management-log-cache n : Cache n lines of log file history for usage\n"
396 " by the management channel.\n"
397 #if UNIX_SOCK_SUPPORT
398 "--management-client-user u : When management interface is a unix socket, only\n"
399 " allow connections from user u.\n"
400 "--management-client-group g : When management interface is a unix socket, only\n"
401 " allow connections from group g.\n"
402 #endif
403 "--management-client-auth : gives management interface client the responsibility\n"
404 " to authenticate clients after their client certificate\n"
405 " has been verified.\n"
406 #endif /* ifdef ENABLE_MANAGEMENT */
407 #ifdef ENABLE_PLUGIN
408 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
409 " to its initialization function.\n"
410 #endif
411 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
412 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
413 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
414 "\n"
415 "Multi-Client Server options (when --mode server is used):\n"
416 "--server network netmask : Helper option to easily configure server mode.\n"
417 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
418 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
419 " easily configure ethernet bridging server mode.\n"
420 "--push \"option\" : Push a config file option back to the peer for remote\n"
421 " execution. Peer must specify --pull in its config file.\n"
422 "--push-reset : Don't inherit global push list for specific\n"
423 " client instance.\n"
424 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
425 " a specific client instance.\n"
426 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
427 " to be dynamically allocated to connecting clients.\n"
428 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
429 " data to file, at seconds intervals (default=600).\n"
430 " If seconds=0, file will be treated as read-only.\n"
431 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
432 " to be dynamically allocated to connecting clients.\n"
433 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
434 " overrides --ifconfig-pool dynamic allocation.\n"
435 " Only valid in a client-specific config file.\n"
436 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
437 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
438 " Only valid in a client-specific config file.\n"
439 "--iroute network [netmask] : Route subnet to client.\n"
440 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
441 " Sets up internal routes only.\n"
442 " Only valid in a client-specific config file.\n"
443 "--disable : Client is disabled.\n"
444 " Only valid in a client-specific config file.\n"
445 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
446 " mandatory client certificate verification.\n"
447 " Default is to require the client to supply a certificate.\n"
448 "--username-as-common-name : For auth-user-pass authentication, use\n"
449 " the authenticated username as the common name,\n"
450 " rather than the common name from the client cert.\n"
451 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
452 " run command cmd to verify. If method='via-env', pass\n"
453 " user/pass via environment, if method='via-file', pass\n"
454 " user/pass via temporary file.\n"
455 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
456 " to each client, replacing the password. Useful when\n"
457 " OTP based two-factor auth mechanisms are in use and\n"
458 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
459 " for generated tokens can be set.\n"
460 "--opt-verify : Clients that connect with options that are incompatible\n"
461 " with those of the server will be disconnected.\n"
462 "--auth-user-pass-optional : Allow connections by clients that don't\n"
463 " specify a username/password.\n"
464 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
465 " any printable character.\n"
466 "--client-to-client : Internally route client-to-client traffic.\n"
467 "--duplicate-cn : Allow multiple clients with the same common name to\n"
468 " concurrently connect.\n"
469 "--client-connect cmd : Run command cmd on client connection.\n"
470 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
471 "--client-config-dir dir : Directory for custom client config files.\n"
472 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
473 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
474 "--hash-size r v : Set the size of the real address hash table to r and the\n"
475 " virtual address table to v.\n"
476 "--bcast-buffers n : Allocate n broadcast buffers.\n"
477 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
478 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
479 " as well as pushes it to connecting clients.\n"
480 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
481 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
482 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
483 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
484 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
485 " older than n seconds. Run this check every t\n"
486 " seconds (defaults to n).\n"
487 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
488 " clients. n = 1 - reconnect to same server,\n"
489 " 2 - advance to next server, default=1.\n"
490 #if PORT_SHARE
491 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
492 " sessions to a web server at host:port. dir specifies an\n"
493 " optional directory to write origin IP:port data.\n"
494 #endif
495 "\n"
496 "Client options (when connecting to a multi-client server):\n"
497 "--client : Helper option to easily configure client mode.\n"
498 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
499 " up is a file containing the username on the first line,\n"
500 " and a password on the second. If either the password or both\n"
501 " the username and the password are omitted OpenVPN will prompt\n"
502 " for them from console.\n"
503 "--pull : Accept certain config file options from the peer as if they\n"
504 " were part of the local config file. Must be specified\n"
505 " when connecting to a '--mode server' remote host.\n"
506 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
507 " server if it starts with the text t. The action flag accept,\n"
508 " ignore or reject causes the option to be allowed, removed or\n"
509 " rejected with error. May be specified multiple times, and\n"
510 " each filter is applied in the order of appearance.\n"
511 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
512 " Valid options are :\n"
513 " address <addr[:port]> [addr[:port]] : server address 4/6\n"
514 " resolve-domains <domain> [domain ...] : split domains\n"
515 " exclude-domains <domain> [domain ...] : domains not to resolve\n"
516 " dnssec <yes|no|optional> : option to use DNSSEC\n"
517 " type <DoH|DoT> : query server over HTTPS / TLS\n"
518 " sni <domain> : DNS server name indication\n"
519 "--dns search-domains <domain> [domain ...]:\n"
520 " Add domains to DNS domain search list\n"
521 "--auth-retry t : How to handle auth failures. Set t to\n"
522 " none (default), interact, or nointeract.\n"
523 "--static-challenge t e : Enable static challenge/response protocol using\n"
524 " challenge text t, with e indicating echo flag (0|1)\n"
525 "--connect-timeout n : when polling possible remote servers to connect to\n"
526 " in a round-robin fashion, spend no more than n seconds\n"
527 " waiting for a response before trying the next server.\n"
528 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
529 " incoming tun packets with same destination as host.\n"
530 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
531 " server/remote. n = # of retries, default=1.\n"
532 "\n"
533 "Data Channel Encryption Options (must be compatible between peers):\n"
534 "(These options are meaningful for both Static Key & TLS-mode)\n"
535 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
536 " Use shared secret file f, generate with --genkey.\n"
537 " The optional d parameter controls key directionality.\n"
538 " If d is specified, use separate keys for each\n"
539 " direction, set d=0 on one side of the connection,\n"
540 " and d=1 on the other side.\n"
541 "--auth alg : Authenticate packets with HMAC using message\n"
542 " digest algorithm alg (default=%s).\n"
543 " (usually adds 16 or 20 bytes per packet)\n"
544 " Set alg=none to disable authentication.\n"
545 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
546 " (default=%s).\n"
547 " Set alg=none to disable encryption.\n"
548 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
549 #ifndef ENABLE_CRYPTO_MBEDTLS
550 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
551 #endif
552 "--no-replay : (DEPRECATED) Disable replay protection.\n"
553 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
554 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
555 " and a time window of t seconds.\n"
556 " Default n=%d t=%d\n"
557 "--replay-persist file : Persist replay-protection state across sessions\n"
558 " using file.\n"
559 "--test-crypto : Run a self-test of crypto features enabled.\n"
560 " For debugging only.\n"
561 #ifdef ENABLE_PREDICTION_RESISTANCE
562 "--use-prediction-resistance: Enable prediction resistance on the random\n"
563 " number generator.\n"
564 #endif
565 "\n"
566 "TLS Key Negotiation Options:\n"
567 "(These options are meaningful only for TLS-mode)\n"
568 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
569 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
570 "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
571 " number, such as 1 (default), 2, etc.\n"
572 "--ca file : Certificate authority file in .pem format containing\n"
573 " root certificate.\n"
574 #ifndef ENABLE_CRYPTO_MBEDTLS
575 "--capath dir : A directory of trusted certificates (CAs"
576 " and CRLs).\n"
577 #endif /* ENABLE_CRYPTO_MBEDTLS */
578 "--dh file : File containing Diffie Hellman parameters\n"
579 " in .pem format (for --tls-server only).\n"
580 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
581 "--cert file : Local certificate in .pem format -- must be signed\n"
582 " by a Certificate Authority in --ca file.\n"
583 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
584 "--key file : Local private key in .pem format.\n"
585 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
586 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
587 " is specified, require max TLS version supported by SSL implementation.\n"
588 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
589 #ifndef ENABLE_CRYPTO_MBEDTLS
590 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
591 " and optionally the root CA certificate.\n"
592 #endif
593 #ifdef ENABLE_X509ALTUSERNAME
594 "--x509-username-field : Field in x509 certificate containing the username.\n"
595 " Default is CN in the Subject field.\n"
596 #endif
597 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
598 " Valid algo flags are SHA1 and SHA256. \n"
599 #ifdef _WIN32
600 "--cryptoapicert select-string : Load the certificate and private key from the\n"
601 " Windows Certificate System Store.\n"
602 #endif
603 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
604 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
605 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
606 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
607 " (default=legacy).\n"
608 "--providers l : A list l of OpenSSL providers to load.\n"
609 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
610 " if no ACK from remote within n seconds (default=%d).\n"
611 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
612 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
613 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
614 " and at least min (defaults to 90%% of max on servers and equal\n"
615 " to max on clients).\n"
616 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
617 " of handshake initiation by any peer (default=%d).\n"
618 "--tran-window n : Transition window -- old key can live this many seconds\n"
619 " after new key renegotiation begins (default=%d).\n"
620 "--single-session: Allow only one session (reset state on restart).\n"
621 "--tls-exit : Exit on TLS negotiation failure.\n"
622 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
623 " control channel to protect against attacks on the TLS stack\n"
624 " and DoS attacks.\n"
625 " f (required) is a shared-secret key file.\n"
626 " The optional d parameter controls key directionality,\n"
627 " see --secret option for more info.\n"
628 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
629 " of the TLS control channel to hide the TLS certificate,\n"
630 " provide basic post-quantum security and protect against\n"
631 " attacks on the TLS stack and DoS attacks.\n"
632 " key (required) provides the pre-shared key file.\n"
633 " see --secret option for more info.\n"
634 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
635 " For servers: use key to decrypt client-specific keys. For\n"
636 " key generation (--genkey tls-crypt-v2-client): use key to\n"
637 " encrypt generated client-specific key. (See --tls-crypt.)\n"
638 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
639 " fresh tls-crypt-v2 client key, and store to\n"
640 " keyfile. If supplied, include metadata in wrapped key.\n"
641 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
642 " fresh tls-crypt-v2 server key, and store to keyfile\n"
643 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
644 " client-supplied tls-crypt-v2 client key\n"
645 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
646 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
647 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
648 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
649 " pending TLS connection that has otherwise passed all other\n"
650 " tests of certification. cmd should return 0 to allow\n"
651 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
652 " executed as 'cmd certificate_depth subject')\n"
653 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
654 " in an openvpn temporary file in [directory]. Peer cert is \n"
655 " stored before tls-verify script execution and deleted after.\n"
656 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
657 " DN name. The remote host must also pass all other tests\n"
658 " of verification.\n"
659 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
660 " an explicit nsCertType designation t = 'client' | 'server'.\n"
661 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
662 " plugins and management interface.\n"
663 #ifdef HAVE_EXPORT_KEYING_MATERIAL
664 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
665 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
666 #endif
667 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
668 " explicit key usage, you can specify more than one value.\n"
669 " value should be given in hex format.\n"
670 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
671 " explicit extended key usage. Extended key usage can be encoded\n"
672 " as an object identifier or OpenSSL string representation.\n"
673 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
674 " key usage and extended key usage based on RFC3280 TLS rules.\n"
675 " t = 'client' | 'server'.\n"
676 #ifdef ENABLE_PKCS11
677 "\n"
678 "PKCS#11 Options:\n"
679 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
680 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
681 " path. Set for each provider.\n"
682 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
683 " 0 : Try to determine automatically (default).\n"
684 " 1 : Use Sign.\n"
685 " 2 : Use SignRecover.\n"
686 " 4 : Use Decrypt.\n"
687 " 8 : Use Unwrap.\n"
688 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
689 " certificate can be accessed. Set for each provider.\n"
690 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
691 " cache until token is removed.\n"
692 "--pkcs11-id-management : Acquire identity from management interface.\n"
693 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
694 #endif /* ENABLE_PKCS11 */
695 "\n"
696 "SSL Library information:\n"
697 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
698 "--show-digests : Show message digest algorithms to use with --auth option.\n"
699 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
700 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
701 #ifdef _WIN32
702 "\n"
703 "Windows Specific:\n"
704 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
705 " from SystemRoot environment variable.\n"
706 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
707 " IP address using method = manual, netsh, ipapi,\n"
708 " dynamic, or adaptive (default = adaptive).\n"
709 " Dynamic method allows two optional parameters:\n"
710 " offset: DHCP server address offset (> -256 and < 256).\n"
711 " If 0, use network address, if >0, take nth\n"
712 " address forward from network address, if <0,\n"
713 " take nth address backward from broadcast\n"
714 " address.\n"
715 " Default is 0.\n"
716 " lease-time: Lease time in seconds.\n"
717 " Default is one year.\n"
718 "--route-method : Which method to use for adding routes on Windows?\n"
719 " adaptive (default) -- Try ipapi then fall back to exe.\n"
720 " ipapi -- Use IP helper API.\n"
721 " exe -- Call the route.exe shell command.\n"
722 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
723 " be used with --ip-win32 dynamic. For options\n"
724 " which allow multiple addresses,\n"
725 " --dhcp-option must be repeated.\n"
726 " DOMAIN name : Set DNS suffix\n"
727 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
728 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
729 " NTP : Set NTP server address(es)\n"
730 " NBDD : Set NBDD server address(es)\n"
731 " WINS addr : Set WINS server address(es)\n"
732 " NBT type : Set NetBIOS over TCP/IP Node type\n"
733 " 1: B, 2: P, 4: M, 8: H\n"
734 " NBS id : Set NetBIOS scope ID\n"
735 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
736 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
737 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
738 " startup.\n"
739 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
740 " on connection initiation.\n"
741 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
742 " attempting to set adapter properties.\n"
743 "--pause-exit : When run from a console window, pause before exiting.\n"
744 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
745 " service, and should not be used directly by end-users.\n"
746 " ex is the name of an event object which, when\n"
747 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
748 " optional parameter controls the initial state of ex.\n"
749 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
750 " after TAP adapter is up and routes have been added.\n"
751 "--windows-driver : Which tun driver to use?\n"
752 " tap-windows6 (default)\n"
753 " wintun\n"
754 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
755 "Windows Standalone Options:\n"
756 "\n"
757 "--show-adapters : Show all TAP-Windows adapters.\n"
758 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
759 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
760 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
761 " to access TAP adapter.\n"
762 #endif /* ifdef _WIN32 */
763 "\n"
764 "Generate a new key :\n"
765 "--genkey secret file : Generate a new random key of type and write to file\n"
766 " (for use with --secret, --tls-auth or --tls-crypt)."
767 #ifdef ENABLE_FEATURE_TUN_PERSIST
768 "\n"
769 "Tun/tap config mode (available with linux 2.4+):\n"
770 "--mktun : Create a persistent tunnel.\n"
771 "--rmtun : Remove a persistent tunnel.\n"
772 "--dev tunX|tapX : tun/tap device\n"
773 "--dev-type dt : Device type. See tunnel options above for details.\n"
774 "--user user : User to set privilege to.\n"
775 "--group group : Group to set privilege to.\n"
776 #endif
777 #ifdef ENABLE_PKCS11
778 "\n"
779 "PKCS#11 standalone options:\n"
780 #ifdef DEFAULT_PKCS11_MODULE
781 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
782 #else
783 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
784 #endif
785 " --verb option can be added *BEFORE* this.\n"
786 #endif /* ENABLE_PKCS11 */
787 "\n"
788 "General Standalone Options:\n"
789 #ifdef ENABLE_DEBUG
790 "--show-gateway : Show info about default gateway.\n"
791 #endif
792 ;
793
794 #endif /* !ENABLE_SMALL */
795
796 /*
797 * This is where the options defaults go.
798 * Any option not explicitly set here
799 * will be set to 0.
800 */
801 void
802 init_options(struct options *o, const bool init_gc)
803 {
804 CLEAR(*o);
805 if (init_gc)
806 {
807 gc_init(&o->gc);
808 gc_init(&o->dns_options.gc);
809 o->gc_owned = true;
810 }
811 o->mode = MODE_POINT_TO_POINT;
812 o->topology = TOP_NET30;
813 o->ce.proto = PROTO_UDP;
814 o->ce.af = AF_UNSPEC;
815 o->ce.bind_ipv6_only = false;
816 o->ce.connect_retry_seconds = 5;
817 o->ce.connect_retry_seconds_max = 300;
818 o->ce.connect_timeout = 120;
819 o->connect_retry_max = 0;
820 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
821 o->verbosity = 1;
822 o->status_file_update_freq = 60;
823 o->status_file_version = 1;
824 o->ce.bind_local = true;
825 o->ce.tun_mtu = TUN_MTU_DEFAULT;
826 o->ce.link_mtu = LINK_MTU_DEFAULT;
827 o->ce.mtu_discover_type = -1;
828 o->ce.mssfix = 0;
829 o->ce.mssfix_default = true;
830 o->ce.mssfix_encap = true;
831 o->route_delay_window = 30;
832 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
833 o->resolve_in_advance = false;
834 o->proto_force = -1;
835 o->occ = true;
836 #ifdef ENABLE_MANAGEMENT
837 o->management_log_history_cache = 250;
838 o->management_echo_buffer_size = 100;
839 o->management_state_buffer_size = 100;
840 #endif
841 #ifdef ENABLE_FEATURE_TUN_PERSIST
842 o->persist_mode = 1;
843 #endif
844 #ifdef _WIN32
845 #if 0
846 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
847 #else
848 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
849 #endif
850 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
851 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
852 o->route_method = ROUTE_METHOD_ADAPTIVE;
853 o->block_outside_dns = false;
854 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
855 #endif
856 o->vlan_accept = VLAN_ALL;
857 o->vlan_pvid = 1;
858 o->real_hash_size = 256;
859 o->virtual_hash_size = 256;
860 o->n_bcast_buf = 256;
861 o->tcp_queue_limit = 64;
862 o->max_clients = 1024;
863 o->max_routes_per_client = 256;
864 o->stale_routes_check_interval = 0;
865 o->ifconfig_pool_persist_refresh_freq = 600;
866 o->scheduled_exit_interval = 5;
867 o->authname = "SHA1";
868 o->replay = true;
869 o->replay_window = DEFAULT_SEQ_BACKTRACK;
870 o->replay_time = DEFAULT_TIME_BACKTRACK;
871 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
872 #ifdef ENABLE_PREDICTION_RESISTANCE
873 o->use_prediction_resistance = false;
874 #endif
875 o->tls_timeout = 2;
876 o->renegotiate_bytes = -1;
877 o->renegotiate_seconds = 3600;
878 o->renegotiate_seconds_min = -1;
879 o->handshake_window = 60;
880 o->transition_window = 3600;
881 o->tls_cert_profile = NULL;
882 o->ecdh_curve = NULL;
883 #ifdef ENABLE_X509ALTUSERNAME
884 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
885 #endif
886 #ifdef ENABLE_PKCS11
887 o->pkcs11_pin_cache_period = -1;
888 #endif /* ENABLE_PKCS11 */
889
890 /* P2MP server context features */
891 o->auth_token_generate = false;
892
893 /* Set default --tmp-dir */
894 #ifdef _WIN32
895 /* On Windows, find temp dir via environment variables */
896 o->tmp_dir = win_get_tempdir();
897 #else
898 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
899 o->tmp_dir = getenv("TMPDIR");
900 if (!o->tmp_dir)
901 {
902 o->tmp_dir = "/tmp";
903 }
904 #endif /* _WIN32 */
905 o->allow_recursive_routing = false;
906 }
907
908 void
909 uninit_options(struct options *o)
910 {
911 if (o->gc_owned)
912 {
913 gc_free(&o->gc);
914 gc_free(&o->dns_options.gc);
915 }
916 }
917
918 struct pull_filter
919 {
920 #define PUF_TYPE_UNDEF 0 /** undefined filter type */
921 #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
922 #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
923 #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
924 int type;
925 int size;
926 char *pattern;
927 struct pull_filter *next;
928 };
929
930 struct pull_filter_list
931 {
932 struct pull_filter *head;
933 struct pull_filter *tail;
934 };
935
936 #ifndef ENABLE_SMALL
937
938 static const char *
939 pull_filter_type_name(int type)
940 {
941 if (type == PUF_TYPE_ACCEPT)
942 {
943 return "accept";
944 }
945 if (type == PUF_TYPE_IGNORE)
946 {
947 return "ignore";
948 }
949 if (type == PUF_TYPE_REJECT)
950 {
951 return "reject";
952 }
953 else
954 {
955 return "???";
956 }
957 }
958
959 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
960 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
961 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
962 o->var ## _inline ? "[INLINE]" : \
963 (o->var ? o->var : "[UNDEF]"), \
964 "'%s'")
965 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
966 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
967 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
968 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
969 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
970
971 #endif /* ifndef ENABLE_SMALL */
972
973 static void
974 setenv_connection_entry(struct env_set *es,
975 const struct connection_entry *e,
976 const int i)
977 {
978 setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
979 setenv_str_i(es, "local", e->local, i);
980 setenv_str_i(es, "local_port", e->local_port, i);
981 setenv_str_i(es, "remote", e->remote, i);
982 setenv_str_i(es, "remote_port", e->remote_port, i);
983
984 if (e->http_proxy_options)
985 {
986 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
987 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
988 }
989 if (e->socks_proxy_server)
990 {
991 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
992 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
993 }
994 }
995
996 void
997 setenv_settings(struct env_set *es, const struct options *o)
998 {
999 setenv_str(es, "config", o->config);
1000 setenv_int(es, "verb", o->verbosity);
1001 setenv_int(es, "daemon", o->daemon);
1002 setenv_int(es, "daemon_log_redirect", o->log);
1003 setenv_long_long(es, "daemon_start_time", time(NULL));
1004 setenv_int(es, "daemon_pid", platform_getpid());
1005
1006 if (o->connection_list)
1007 {
1008 int i;
1009 for (i = 0; i < o->connection_list->len; ++i)
1010 {
1011 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1012 }
1013 }
1014 else
1015 {
1016 setenv_connection_entry(es, &o->ce, 1);
1017 }
1018
1019 if (!o->pull)
1020 {
1021 setenv_dns_options(&o->dns_options, es);
1022 }
1023 }
1024
1025 static void
1026 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1027 {
1028 if (len > 0)
1029 {
1030 struct gc_arena gc = gc_new();
1031 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1032 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1033 int i;
1034 bool first = true;
1035 bool good = true;
1036
1037 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1038 ++o->foreign_option_index;
1039 for (i = 0; i < len; ++i)
1040 {
1041 if (argv[i])
1042 {
1043 if (!first)
1044 {
1045 good &= buf_printf(&value, " ");
1046 }
1047 good &= buf_printf(&value, "%s", argv[i]);
1048 first = false;
1049 }
1050 }
1051 if (good)
1052 {
1053 setenv_str(es, BSTR(&name), BSTR(&value));
1054 }
1055 else
1056 {
1057 msg(M_WARN, "foreign_option: name/value overflow");
1058 }
1059 gc_free(&gc);
1060 }
1061 }
1062
1063 static in_addr_t
1064 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1065 {
1066 unsigned int flags = GETADDR_HOST_ORDER;
1067 bool succeeded = false;
1068 in_addr_t ret;
1069
1070 if (msglevel & M_FATAL)
1071 {
1072 flags |= GETADDR_FATAL;
1073 }
1074
1075 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1076 if (!succeeded && error)
1077 {
1078 *error = true;
1079 }
1080 return ret;
1081 }
1082
1083 /**
1084 * Returns newly allocated string containing address part without "/nn".
1085 *
1086 * If gc != NULL, the allocated memory is registered in the supplied gc.
1087 */
1088 static char *
1089 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1090 {
1091 const char *end = strchr(addr, '/');
1092 char *ret = NULL;
1093 if (NULL == end)
1094 {
1095 ret = string_alloc(addr, gc);
1096 }
1097 else
1098 {
1099 size_t len = end - addr;
1100 ret = gc_malloc(len + 1, true, gc);
1101 memcpy(ret, addr, len);
1102 }
1103 return ret;
1104 }
1105
1106 static bool
1107 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1108 {
1109 struct in6_addr t_addr;
1110 unsigned int t_bits;
1111
1112 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1113 }
1114
1115 static char *
1116 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1117 {
1118 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1119 char *dest = ret;
1120 char c;
1121
1122 do
1123 {
1124 c = *src++;
1125 if (c == from)
1126 {
1127 c = to;
1128 }
1129 *dest++ = c;
1130 }
1131 while (c);
1132 return ret;
1133 }
1134
1135 /**
1136 * Parses a hexstring and checks if the string has the correct length. Return
1137 * a verify_hash_list containing the parsed hash string.
1138 *
1139 * @param str String to check/parse
1140 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
1141 * @param msglevel message level to use when printing warnings/errors
1142 * @param gc The returned object will be allocated in this gc
1143 */
1144 static struct verify_hash_list *
1145 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1146 {
1147 int i = 0;
1148 const char *cp = str;
1149
1150 struct verify_hash_list *ret;
1151 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1152
1153 char term = 0;
1154 unsigned int byte;
1155
1156 while (*cp && i < nbytes)
1157 {
1158 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1159 if (!isxdigit(cp[0])
1160 || !isxdigit(cp[1])
1161 || (cp[2] != ':' && cp[2] != '\0')
1162 || sscanf(cp, "%x", &byte) != 1)
1163 {
1164 msg(msglevel, "format error in hash fingerprint: %s", str);
1165 break;
1166 }
1167
1168 ret->hash[i++] = (uint8_t)byte;
1169
1170 term = cp[2];
1171 if (term == '\0')
1172 {
1173 break;
1174 }
1175 cp += 3;
1176 }
1177 if (i < nbytes)
1178 {
1179 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1180 }
1181 else if (term != '\0')
1182 {
1183 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1184 }
1185 return ret;
1186 }
1187
1188 /**
1189 * Parses a string consisting of multiple lines of hexstrings and checks if each
1190 * string has the correct length. Empty lines are ignored. Returns
1191 * a linked list of (possibly) multiple verify_hash_list objects.
1192 *
1193 * @param str String to check/parse
1194 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
1195 * @param msglevel message level to use when printing warnings/errors
1196 * @param gc The returned list items will be allocated in this gc
1197 */
1198 static struct verify_hash_list *
1199 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1200 struct gc_arena *gc)
1201 {
1202 struct gc_arena gc_temp = gc_new();
1203 char *lines = string_alloc(str, &gc_temp);
1204
1205 struct verify_hash_list *ret = NULL;
1206
1207 const char *line;
1208 while ((line = strsep(&lines, "\n")))
1209 {
1210 /* ignore leading whitespace */
1211 while (isspace(*line))
1212 {
1213 line++;
1214 }
1215 /* skip empty lines and comment lines */
1216 if (strlen(line) == 0 || *line == '#' || *line == ';')
1217 {
1218 continue;
1219 }
1220
1221 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1222 msglevel, gc);
1223
1224 if (!hash)
1225 {
1226 gc_free(&gc_temp);
1227 return NULL;
1228 }
1229
1230 hash->next = ret;
1231 ret = hash;
1232 }
1233 gc_free(&gc_temp);
1234
1235 return ret;
1236 }
1237 #ifdef _WIN32
1238
1239 #ifndef ENABLE_SMALL
1240
1241 static void
1242 show_dhcp_option_list(const char *name, const char *const *array, int len)
1243 {
1244 int i;
1245 for (i = 0; i < len; ++i)
1246 {
1247 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1248 }
1249 }
1250
1251 static void
1252 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1253 {
1254 struct gc_arena gc = gc_new();
1255 int i;
1256 for (i = 0; i < len; ++i)
1257 {
1258 msg(D_SHOW_PARMS, " %s[%d] = %s",
1259 name,
1260 i,
1261 print_in_addr_t(array[i], 0, &gc));
1262 }
1263 gc_free(&gc);
1264 }
1265
1266 static void
1267 show_tuntap_options(const struct tuntap_options *o)
1268 {
1269 SHOW_BOOL(ip_win32_defined);
1270 SHOW_INT(ip_win32_type);
1271 SHOW_INT(dhcp_masq_offset);
1272 SHOW_INT(dhcp_lease_time);
1273 SHOW_INT(tap_sleep);
1274 SHOW_BOOL(dhcp_options);
1275 SHOW_BOOL(dhcp_renew);
1276 SHOW_BOOL(dhcp_pre_release);
1277 SHOW_STR(domain);
1278 SHOW_STR(netbios_scope);
1279 SHOW_INT(netbios_node_type);
1280 SHOW_BOOL(disable_nbt);
1281
1282 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1283 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1284 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1285 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1286 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1287 }
1288
1289 #endif /* ifndef ENABLE_SMALL */
1290 #endif /* ifdef _WIN32 */
1291
1292 #if defined(_WIN32) || defined(TARGET_ANDROID)
1293 static void
1294 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1295 {
1296 struct in6_addr addr;
1297 if (*len >= N_DHCP_ADDR)
1298 {
1299 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1300 N_DHCP_ADDR);
1301 }
1302 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1303 {
1304 dns6_list[(*len)++] = addr;
1305 }
1306 }
1307 static void
1308 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1309 {
1310 if (*len >= N_DHCP_ADDR)
1311 {
1312 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1313 name,
1314 N_DHCP_ADDR,
1315 name);
1316 }
1317 else
1318 {
1319 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1320 {
1321 bool error = false;
1322 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1323 if (!error)
1324 {
1325 array[(*len)++] = addr;
1326 }
1327 }
1328 else
1329 {
1330 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1331 }
1332 }
1333 }
1334
1335 /*
1336 * If DNS options are set use these for TUN/TAP options as well.
1337 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1338 * Existing options will be discarded.
1339 */
1340 static void
1341 tuntap_options_copy_dns(struct options *o)
1342 {
1343 struct tuntap_options *tt = &o->tuntap_options;
1344 struct dns_options *dns = &o->dns_options;
1345
1346 if (dns->search_domains)
1347 {
1348 tt->domain_search_list_len = 0;
1349 const struct dns_domain *domain = dns->search_domains;
1350 while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1351 {
1352 tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1353 domain = domain->next;
1354 }
1355 if (domain)
1356 {
1357 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1358 }
1359 }
1360
1361 if (dns->servers)
1362 {
1363 tt->dns_len = 0;
1364 tt->dns6_len = 0;
1365 bool overflow = false;
1366 const struct dns_server *server = dns->servers;
1367 while (server)
1368 {
1369 if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR)
1370 {
1371 tt->dns[tt->dns_len++] = server->addr4.s_addr;
1372 }
1373 else
1374 {
1375 overflow = true;
1376 }
1377 if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR)
1378 {
1379 tt->dns6[tt->dns6_len++] = server->addr6;
1380 }
1381 else
1382 {
1383 overflow = true;
1384 }
1385 server = server->next;
1386 }
1387 if (overflow)
1388 {
1389 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1390 }
1391 }
1392 }
1393 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1394 static void
1395 foreign_options_copy_dns(struct options *o, struct env_set *es)
1396 {
1397 const struct dns_domain *domain = o->dns_options.search_domains;
1398 const struct dns_server *server = o->dns_options.servers;
1399 if (!domain && !server)
1400 {
1401 return;
1402 }
1403
1404 /* reset the index since we're starting all over again */
1405 int opt_max = o->foreign_option_index;
1406 o->foreign_option_index = 0;
1407
1408 for (int i = 1; i <= opt_max; ++i)
1409 {
1410 char name[32];
1411 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
1412
1413 const char *env_str = env_set_get(es, name);
1414 const char *value = strchr(env_str, '=') + 1;
1415 if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1416 || (server && strstr(value, "dhcp-option DNS") == value))
1417 {
1418 setenv_del(es, name);
1419 }
1420 else
1421 {
1422 setenv_foreign_option(o, &value, 1, es);
1423 }
1424 }
1425
1426 struct gc_arena gc = gc_new();
1427
1428 while (server)
1429 {
1430 if (server->addr4_defined)
1431 {
1432 const char *argv[] = {
1433 "dhcp-option",
1434 "DNS",
1435 print_in_addr_t(server->addr4.s_addr, 0, &gc)
1436 };
1437 setenv_foreign_option(o, argv, 3, es);
1438 }
1439 if (server->addr6_defined)
1440 {
1441 const char *argv[] = {
1442 "dhcp-option",
1443 "DNS6",
1444 print_in6_addr(server->addr6, 0, &gc)
1445 };
1446 setenv_foreign_option(o, argv, 3, es);
1447 }
1448 server = server->next;
1449 }
1450 while (domain)
1451 {
1452 const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1453 setenv_foreign_option(o, argv, 3, es);
1454 domain = domain->next;
1455 }
1456
1457 gc_free(&gc);
1458
1459 /* remove old leftover entries */
1460 while (o->foreign_option_index < opt_max)
1461 {
1462 char name[32];
1463 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1464 setenv_del(es, name);
1465 }
1466 }
1467 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1468
1469 #ifndef ENABLE_SMALL
1470 static const char *
1471 print_vlan_accept(enum vlan_acceptable_frames mode)
1472 {
1473 switch (mode)
1474 {
1475 case VLAN_ONLY_TAGGED:
1476 return "tagged";
1477
1478 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1479 return "untagged";
1480
1481 case VLAN_ALL:
1482 return "all";
1483 }
1484 return NULL;
1485 }
1486
1487 static void
1488 show_p2mp_parms(const struct options *o)
1489 {
1490 struct gc_arena gc = gc_new();
1491
1492 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1493 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1494 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1495 SHOW_INT(server_netbits_ipv6);
1496 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1497 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1498 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1499 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1500 if (o->push_list.head)
1501 {
1502 const struct push_entry *e = o->push_list.head;
1503 while (e)
1504 {
1505 if (e->enable)
1506 {
1507 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1508 }
1509 e = e->next;
1510 }
1511 }
1512 SHOW_BOOL(ifconfig_pool_defined);
1513 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1514 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1515 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1516 SHOW_STR(ifconfig_pool_persist_filename);
1517 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1518 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1519 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1520 SHOW_INT(ifconfig_ipv6_pool_netbits);
1521 SHOW_INT(n_bcast_buf);
1522 SHOW_INT(tcp_queue_limit);
1523 SHOW_INT(real_hash_size);
1524 SHOW_INT(virtual_hash_size);
1525 SHOW_STR(client_connect_script);
1526 SHOW_STR(learn_address_script);
1527 SHOW_STR(client_disconnect_script);
1528 SHOW_STR(client_config_dir);
1529 SHOW_BOOL(ccd_exclusive);
1530 SHOW_STR(tmp_dir);
1531 SHOW_BOOL(push_ifconfig_defined);
1532 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1533 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1534 SHOW_BOOL(push_ifconfig_ipv6_defined);
1535 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1536 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1537 SHOW_BOOL(enable_c2c);
1538 SHOW_BOOL(duplicate_cn);
1539 SHOW_INT(cf_max);
1540 SHOW_INT(cf_per);
1541 SHOW_INT(max_clients);
1542 SHOW_INT(max_routes_per_client);
1543 SHOW_STR(auth_user_pass_verify_script);
1544 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1545 SHOW_BOOL(auth_token_generate);
1546 SHOW_INT(auth_token_lifetime);
1547 SHOW_STR_INLINE(auth_token_secret_file);
1548 #if PORT_SHARE
1549 SHOW_STR(port_share_host);
1550 SHOW_STR(port_share_port);
1551 #endif
1552 SHOW_BOOL(vlan_tagging);
1553 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1554 SHOW_INT(vlan_pvid);
1555
1556 SHOW_BOOL(client);
1557 SHOW_BOOL(pull);
1558 SHOW_STR(auth_user_pass_file);
1559
1560 gc_free(&gc);
1561 }
1562
1563 #endif /* ! ENABLE_SMALL */
1564
1565 static void
1566 option_iroute(struct options *o,
1567 const char *network_str,
1568 const char *netmask_str,
1569 int msglevel)
1570 {
1571 struct iroute *ir;
1572
1573 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1574 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1575 ir->netbits = 32; /* host route if no netmask given */
1576
1577 if (netmask_str)
1578 {
1579 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1580 ir->netbits = netmask_to_netbits2(netmask);
1581
1582 if (ir->netbits < 0)
1583 {
1584 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1585 network_str,
1586 netmask_str);
1587 return;
1588 }
1589 }
1590
1591 ir->next = o->iroutes;
1592 o->iroutes = ir;
1593 }
1594
1595 static void
1596 option_iroute_ipv6(struct options *o,
1597 const char *prefix_str,
1598 int msglevel)
1599 {
1600 struct iroute_ipv6 *ir;
1601
1602 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1603
1604 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1605 {
1606 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1607 prefix_str);
1608 return;
1609 }
1610
1611 ir->next = o->iroutes_ipv6;
1612 o->iroutes_ipv6 = ir;
1613 }
1614
1615 #ifndef ENABLE_SMALL
1616 static void
1617 show_http_proxy_options(const struct http_proxy_options *o)
1618 {
1619 int i;
1620 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1621 SHOW_STR(server);
1622 SHOW_STR(port);
1623 SHOW_STR(auth_method_string);
1624 SHOW_STR(auth_file);
1625 SHOW_STR(http_version);
1626 SHOW_STR(user_agent);
1627 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1628 {
1629 if (o->custom_headers[i].content)
1630 {
1631 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1632 o->custom_headers[i].name, o->custom_headers[i].content);
1633 }
1634 else
1635 {
1636 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1637 o->custom_headers[i].name);
1638 }
1639 }
1640 msg(D_SHOW_PARMS, "END http_proxy");
1641 }
1642 #endif /* ifndef ENABLE_SMALL */
1643
1644 void
1645 options_detach(struct options *o)
1646 {
1647 gc_detach(&o->gc);
1648 o->routes = NULL;
1649 o->client_nat = NULL;
1650 clone_push_list(o);
1651 }
1652
1653 void
1654 rol_check_alloc(struct options *options)
1655 {
1656 if (!options->routes)
1657 {
1658 options->routes = new_route_option_list(&options->gc);
1659 }
1660 }
1661
1662 static void
1663 rol6_check_alloc(struct options *options)
1664 {
1665 if (!options->routes_ipv6)
1666 {
1667 options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1668 }
1669 }
1670
1671 static void
1672 cnol_check_alloc(struct options *options)
1673 {
1674 if (!options->client_nat)
1675 {
1676 options->client_nat = new_client_nat_list(&options->gc);
1677 }
1678 }
1679
1680 #ifndef ENABLE_SMALL
1681 static void
1682 show_connection_entry(const struct connection_entry *o)
1683 {
1684 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1685 SHOW_STR(local);
1686 SHOW_STR(local_port);
1687 SHOW_STR(remote);
1688 SHOW_STR(remote_port);
1689 SHOW_BOOL(remote_float);
1690 SHOW_BOOL(bind_defined);
1691 SHOW_BOOL(bind_local);
1692 SHOW_BOOL(bind_ipv6_only);
1693 SHOW_INT(connect_retry_seconds);
1694 SHOW_INT(connect_timeout);
1695
1696 if (o->http_proxy_options)
1697 {
1698 show_http_proxy_options(o->http_proxy_options);
1699 }
1700 SHOW_STR(socks_proxy_server);
1701 SHOW_STR(socks_proxy_port);
1702 SHOW_INT(tun_mtu);
1703 SHOW_BOOL(tun_mtu_defined);
1704 SHOW_INT(link_mtu);
1705 SHOW_BOOL(link_mtu_defined);
1706 SHOW_INT(tun_mtu_extra);
1707 SHOW_BOOL(tun_mtu_extra_defined);
1708
1709 SHOW_INT(mtu_discover_type);
1710
1711 #ifdef ENABLE_FRAGMENT
1712 SHOW_INT(fragment);
1713 #endif
1714 SHOW_INT(mssfix);
1715 SHOW_BOOL(mssfix_encap);
1716 SHOW_BOOL(mssfix_fixed);
1717
1718 SHOW_INT(explicit_exit_notification);
1719
1720 SHOW_STR_INLINE(tls_auth_file);
1721 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1722 "%s");
1723 SHOW_STR_INLINE(tls_crypt_file);
1724 SHOW_STR_INLINE(tls_crypt_v2_file);
1725 }
1726
1727
1728 static void
1729 show_connection_entries(const struct options *o)
1730 {
1731 if (o->connection_list)
1732 {
1733 const struct connection_list *l = o->connection_list;
1734 int i;
1735 for (i = 0; i < l->len; ++i)
1736 {
1737 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1738 show_connection_entry(l->array[i]);
1739 }
1740 }
1741 else
1742 {
1743 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1744 show_connection_entry(&o->ce);
1745 }
1746 msg(D_SHOW_PARMS, "Connection profiles END");
1747 }
1748
1749 static void
1750 show_pull_filter_list(const struct pull_filter_list *l)
1751 {
1752 struct pull_filter *f;
1753 if (!l)
1754 {
1755 return;
1756 }
1757
1758 msg(D_SHOW_PARMS, " Pull filters:");
1759 for (f = l->head; f; f = f->next)
1760 {
1761 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1762 }
1763 }
1764
1765 #endif /* ifndef ENABLE_SMALL */
1766
1767 void
1768 show_settings(const struct options *o)
1769 {
1770 #ifndef ENABLE_SMALL
1771 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1772
1773 SHOW_STR(config);
1774
1775 SHOW_INT(mode);
1776
1777 #ifdef ENABLE_FEATURE_TUN_PERSIST
1778 SHOW_BOOL(persist_config);
1779 SHOW_INT(persist_mode);
1780 #endif
1781
1782 SHOW_BOOL(show_ciphers);
1783 SHOW_BOOL(show_digests);
1784 SHOW_BOOL(show_engines);
1785 SHOW_BOOL(genkey);
1786 SHOW_STR(genkey_filename);
1787 SHOW_STR(key_pass_file);
1788 SHOW_BOOL(show_tls_ciphers);
1789
1790 SHOW_INT(connect_retry_max);
1791 show_connection_entries(o);
1792
1793 SHOW_BOOL(remote_random);
1794
1795 SHOW_STR(ipchange);
1796 SHOW_STR(dev);
1797 SHOW_STR(dev_type);
1798 SHOW_STR(dev_node);
1799 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
1800 SHOW_BOOL(tuntap_options.disable_dco);
1801 #endif
1802 SHOW_STR(lladdr);
1803 SHOW_INT(topology);
1804 SHOW_STR(ifconfig_local);
1805 SHOW_STR(ifconfig_remote_netmask);
1806 SHOW_BOOL(ifconfig_noexec);
1807 SHOW_BOOL(ifconfig_nowarn);
1808 SHOW_STR(ifconfig_ipv6_local);
1809 SHOW_INT(ifconfig_ipv6_netbits);
1810 SHOW_STR(ifconfig_ipv6_remote);
1811
1812 SHOW_INT(shaper);
1813 SHOW_INT(mtu_test);
1814
1815 SHOW_BOOL(mlock);
1816
1817 SHOW_INT(keepalive_ping);
1818 SHOW_INT(keepalive_timeout);
1819 SHOW_INT(inactivity_timeout);
1820 SHOW_INT64(inactivity_minimum_bytes);
1821 SHOW_INT(ping_send_timeout);
1822 SHOW_INT(ping_rec_timeout);
1823 SHOW_INT(ping_rec_timeout_action);
1824 SHOW_BOOL(ping_timer_remote);
1825 SHOW_INT(remap_sigusr1);
1826 SHOW_BOOL(persist_tun);
1827 SHOW_BOOL(persist_local_ip);
1828 SHOW_BOOL(persist_remote_ip);
1829 SHOW_BOOL(persist_key);
1830
1831 #if PASSTOS_CAPABILITY
1832 SHOW_BOOL(passtos);
1833 #endif
1834
1835 SHOW_INT(resolve_retry_seconds);
1836 SHOW_BOOL(resolve_in_advance);
1837
1838 SHOW_STR(username);
1839 SHOW_STR(groupname);
1840 SHOW_STR(chroot_dir);
1841 SHOW_STR(cd_dir);
1842 #ifdef ENABLE_SELINUX
1843 SHOW_STR(selinux_context);
1844 #endif
1845 SHOW_STR(writepid);
1846 SHOW_STR(up_script);
1847 SHOW_STR(down_script);
1848 SHOW_BOOL(down_pre);
1849 SHOW_BOOL(up_restart);
1850 SHOW_BOOL(up_delay);
1851 SHOW_BOOL(daemon);
1852 SHOW_BOOL(log);
1853 SHOW_BOOL(suppress_timestamps);
1854 SHOW_BOOL(machine_readable_output);
1855 SHOW_INT(nice);
1856 SHOW_INT(verbosity);
1857 SHOW_INT(mute);
1858 #ifdef ENABLE_DEBUG
1859 SHOW_INT(gremlin);
1860 #endif
1861 SHOW_STR(status_file);
1862 SHOW_INT(status_file_version);
1863 SHOW_INT(status_file_update_freq);
1864
1865 SHOW_BOOL(occ);
1866 SHOW_INT(rcvbuf);
1867 SHOW_INT(sndbuf);
1868 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1869 SHOW_INT(mark);
1870 #endif
1871 SHOW_INT(sockflags);
1872
1873 SHOW_BOOL(fast_io);
1874
1875 #ifdef USE_COMP
1876 SHOW_INT(comp.alg);
1877 SHOW_INT(comp.flags);
1878 #endif
1879
1880 SHOW_STR(route_script);
1881 SHOW_STR(route_default_gateway);
1882 SHOW_INT(route_default_metric);
1883 SHOW_BOOL(route_noexec);
1884 SHOW_INT(route_delay);
1885 SHOW_INT(route_delay_window);
1886 SHOW_BOOL(route_delay_defined);
1887 SHOW_BOOL(route_nopull);
1888 SHOW_BOOL(route_gateway_via_dhcp);
1889 SHOW_BOOL(allow_pull_fqdn);
1890 show_pull_filter_list(o->pull_filter_list);
1891
1892 if (o->routes)
1893 {
1894 print_route_options(o->routes, D_SHOW_PARMS);
1895 }
1896
1897 if (o->client_nat)
1898 {
1899 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1900 }
1901
1902 show_dns_options(&o->dns_options);
1903
1904 #ifdef ENABLE_MANAGEMENT
1905 SHOW_STR(management_addr);
1906 SHOW_STR(management_port);
1907 SHOW_STR(management_user_pass);
1908 SHOW_INT(management_log_history_cache);
1909 SHOW_INT(management_echo_buffer_size);
1910 SHOW_STR(management_client_user);
1911 SHOW_STR(management_client_group);
1912 SHOW_INT(management_flags);
1913 #endif
1914 #ifdef ENABLE_PLUGIN
1915 if (o->plugin_list)
1916 {
1917 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1918 }
1919 #endif
1920
1921 SHOW_STR_INLINE(shared_secret_file);
1922 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1923 SHOW_STR(ciphername);
1924 SHOW_STR(ncp_ciphers);
1925 SHOW_STR(authname);
1926 #ifndef ENABLE_CRYPTO_MBEDTLS
1927 SHOW_BOOL(engine);
1928 #endif /* ENABLE_CRYPTO_MBEDTLS */
1929 SHOW_BOOL(replay);
1930 SHOW_BOOL(mute_replay_warnings);
1931 SHOW_INT(replay_window);
1932 SHOW_INT(replay_time);
1933 SHOW_STR(packet_id_file);
1934 SHOW_BOOL(test_crypto);
1935 #ifdef ENABLE_PREDICTION_RESISTANCE
1936 SHOW_BOOL(use_prediction_resistance);
1937 #endif
1938
1939 SHOW_BOOL(tls_server);
1940 SHOW_BOOL(tls_client);
1941 SHOW_STR_INLINE(ca_file);
1942 SHOW_STR(ca_path);
1943 SHOW_STR_INLINE(dh_file);
1944 #ifdef ENABLE_MANAGEMENT
1945 if ((o->management_flags & MF_EXTERNAL_CERT))
1946 {
1947 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1948 }
1949 else
1950 #endif
1951 SHOW_STR_INLINE(cert_file);
1952 SHOW_STR_INLINE(extra_certs_file);
1953
1954 #ifdef ENABLE_MANAGEMENT
1955 if ((o->management_flags & MF_EXTERNAL_KEY))
1956 {
1957 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1958 }
1959 else
1960 #endif
1961 SHOW_STR_INLINE(priv_key_file);
1962 #ifndef ENABLE_CRYPTO_MBEDTLS
1963 SHOW_STR_INLINE(pkcs12_file);
1964 #endif
1965 #ifdef ENABLE_CRYPTOAPI
1966 SHOW_STR(cryptoapi_cert);
1967 #endif
1968 SHOW_STR(cipher_list);
1969 SHOW_STR(cipher_list_tls13);
1970 SHOW_STR(tls_cert_profile);
1971 SHOW_STR(tls_verify);
1972 SHOW_STR(tls_export_cert);
1973 SHOW_INT(verify_x509_type);
1974 SHOW_STR(verify_x509_name);
1975 SHOW_STR_INLINE(crl_file);
1976 SHOW_INT(ns_cert_type);
1977 {
1978 int i;
1979 for (i = 0; i<MAX_PARMS; i++)
1980 {
1981 SHOW_INT(remote_cert_ku[i]);
1982 }
1983 }
1984 SHOW_STR(remote_cert_eku);
1985 if (o->verify_hash)
1986 {
1987 SHOW_INT(verify_hash_algo);
1988 SHOW_INT(verify_hash_depth);
1989 struct gc_arena gc = gc_new();
1990 struct verify_hash_list *hl = o->verify_hash;
1991 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
1992 SHA256_DIGEST_LENGTH;
1993 while (hl)
1994 {
1995 char *s = format_hex_ex(hl->hash, digest_len, 0,
1996 1, ":", &gc);
1997 SHOW_PARM(verify_hash, s, "%s");
1998 hl = hl->next;
1999 }
2000 gc_free(&gc);
2001 }
2002 SHOW_INT(ssl_flags);
2003
2004 SHOW_INT(tls_timeout);
2005
2006 SHOW_INT(renegotiate_bytes);
2007 SHOW_INT(renegotiate_packets);
2008 SHOW_INT(renegotiate_seconds);
2009
2010 SHOW_INT(handshake_window);
2011 SHOW_INT(transition_window);
2012
2013 SHOW_BOOL(single_session);
2014 SHOW_BOOL(push_peer_info);
2015 SHOW_BOOL(tls_exit);
2016
2017 SHOW_STR(tls_crypt_v2_metadata);
2018
2019 #ifdef ENABLE_PKCS11
2020 {
2021 int i;
2022 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2023 {
2024 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2025 }
2026 }
2027 {
2028 int i;
2029 for (i = 0; i<MAX_PARMS; i++)
2030 {
2031 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2032 }
2033 }
2034 {
2035 int i;
2036 for (i = 0; i<MAX_PARMS; i++)
2037 {
2038 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2039 }
2040 }
2041 {
2042 int i;
2043 for (i = 0; i<MAX_PARMS; i++)
2044 {
2045 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2046 }
2047 }
2048 SHOW_INT(pkcs11_pin_cache_period);
2049 SHOW_STR(pkcs11_id);
2050 SHOW_BOOL(pkcs11_id_management);
2051 #endif /* ENABLE_PKCS11 */
2052
2053 show_p2mp_parms(o);
2054
2055 #ifdef _WIN32
2056 SHOW_BOOL(show_net_up);
2057 SHOW_INT(route_method);
2058 SHOW_BOOL(block_outside_dns);
2059 show_tuntap_options(&o->tuntap_options);
2060 #endif
2061 #endif /* ifndef ENABLE_SMALL */
2062 }
2063
2064 #undef SHOW_PARM
2065 #undef SHOW_STR
2066 #undef SHOW_INT
2067 #undef SHOW_BOOL
2068
2069 #ifdef ENABLE_MANAGEMENT
2070
2071 static struct http_proxy_options *
2072 parse_http_proxy_override(const char *server,
2073 const char *port,
2074 const char *flags,
2075 const int msglevel,
2076 struct gc_arena *gc)
2077 {
2078 if (server && port)
2079 {
2080 struct http_proxy_options *ho;
2081 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2082 ho->server = string_alloc(server, gc);
2083 ho->port = port;
2084 if (flags && !strcmp(flags, "nct"))
2085 {
2086 ho->auth_retry = PAR_NCT;
2087 }
2088 else
2089 {
2090 ho->auth_retry = PAR_ALL;
2091 }
2092 ho->http_version = "1.0";
2093 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2094 return ho;
2095 }
2096 else
2097 {
2098 return NULL;
2099 }
2100 }
2101
2102 static void
2103 options_postprocess_http_proxy_override(struct options *o)
2104 {
2105 const struct connection_list *l = o->connection_list;
2106 int i;
2107 bool succeed = false;
2108 for (i = 0; i < l->len; ++i)
2109 {
2110 struct connection_entry *ce = l->array[i];
2111 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2112 {
2113 ce->http_proxy_options = o->http_proxy_override;
2114 succeed = true;
2115 }
2116 }
2117 if (succeed)
2118 {
2119 for (i = 0; i < l->len; ++i)
2120 {
2121 struct connection_entry *ce = l->array[i];
2122 if (ce->proto == PROTO_UDP)
2123 {
2124 ce->flags |= CE_DISABLED;
2125 }
2126 }
2127 }
2128 else
2129 {
2130 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2131 }
2132 }
2133
2134 #endif /* ifdef ENABLE_MANAGEMENT */
2135
2136 static struct connection_list *
2137 alloc_connection_list_if_undef(struct options *options)
2138 {
2139 if (!options->connection_list)
2140 {
2141 ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2142 }
2143 return options->connection_list;
2144 }
2145
2146 static struct connection_entry *
2147 alloc_connection_entry(struct options *options, const int msglevel)
2148 {
2149 struct connection_list *l = alloc_connection_list_if_undef(options);
2150 struct connection_entry *e;
2151
2152 if (l->len >= CONNECTION_LIST_SIZE)
2153 {
2154 msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
2155 return NULL;
2156 }
2157 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2158 l->array[l->len++] = e;
2159 return e;
2160 }
2161
2162 static struct remote_list *
2163 alloc_remote_list_if_undef(struct options *options)
2164 {
2165 if (!options->remote_list)
2166 {
2167 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2168 }
2169 return options->remote_list;
2170 }
2171
2172 static struct remote_entry *
2173 alloc_remote_entry(struct options *options, const int msglevel)
2174 {
2175 struct remote_list *l = alloc_remote_list_if_undef(options);
2176 struct remote_entry *e;
2177
2178 if (l->len >= CONNECTION_LIST_SIZE)
2179 {
2180 msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
2181 return NULL;
2182 }
2183 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2184 l->array[l->len++] = e;
2185 return e;
2186 }
2187
2188 static struct pull_filter_list *
2189 alloc_pull_filter_list(struct options *o)
2190 {
2191 if (!o->pull_filter_list)
2192 {
2193 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2194 }
2195 return o->pull_filter_list;
2196 }
2197
2198 static struct pull_filter *
2199 alloc_pull_filter(struct options *o, const int msglevel)
2200 {
2201 struct pull_filter_list *l = alloc_pull_filter_list(o);
2202 struct pull_filter *f;
2203
2204 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2205 if (l->head)
2206 {
2207 ASSERT(l->tail);
2208 l->tail->next = f;
2209 }
2210 else
2211 {
2212 ASSERT(!l->tail);
2213 l->head = f;
2214 }
2215 l->tail = f;
2216 return f;
2217 }
2218
2219 static void
2220 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2221 {
2222 if (re->remote)
2223 {
2224 ce->remote = re->remote;
2225 }
2226 if (re->remote_port)
2227 {
2228 ce->remote_port = re->remote_port;
2229 }
2230 if (re->proto >= 0)
2231 {
2232 ce->proto = re->proto;
2233 }
2234 if (re->af > 0)
2235 {
2236 ce->af = re->af;
2237 }
2238 }
2239
2240 static void
2241 connection_entry_preload_key(const char **key_file, bool *key_inline,
2242 struct gc_arena *gc)
2243 {
2244 if (key_file && *key_file && !(*key_inline))
2245 {
2246 struct buffer in = buffer_read_from_file(*key_file, gc);
2247 if (!buf_valid(&in))
2248 {
2249 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2250 }
2251
2252 *key_file = (const char *) in.data;
2253 *key_inline = true;
2254 }
2255 }
2256
2257 static void
2258 check_ca_required(const struct options *options)
2259 {
2260 if (options->verify_hash_no_ca
2261 || options->pkcs12_file
2262 || options->ca_file
2263 #ifndef ENABLE_CRYPTO_MBEDTLS
2264 || options->ca_path
2265 #endif
2266 )
2267 {
2268 return;
2269 }
2270
2271 const char *const str = "You must define CA file (--ca)"
2272 #ifndef ENABLE_CRYPTO_MBEDTLS
2273 " or CA path (--capath)"
2274 #endif
2275 " and/or peer fingerprint verification (--peer-fingerprint)";
2276 msg(M_USAGE, str);
2277 }
2278
2279 static void
2280 options_postprocess_verify_ce(const struct options *options,
2281 const struct connection_entry *ce)
2282 {
2283 struct options defaults;
2284 int dev = DEV_TYPE_UNDEF;
2285 bool pull = false;
2286
2287 init_options(&defaults, true);
2288
2289 if (options->test_crypto)
2290 {
2291 notnull(options->shared_secret_file, "key file (--secret)");
2292 }
2293 else
2294 {
2295 notnull(options->dev, "TUN/TAP device (--dev)");
2296 }
2297
2298 /*
2299 * Get tun/tap/null device type
2300 */
2301 dev = dev_type_enum(options->dev, options->dev_type);
2302
2303 /*
2304 * If "proto tcp" is specified, make sure we know whether it is
2305 * tcp-client or tcp-server.
2306 */
2307 if (ce->proto == PROTO_TCP)
2308 {
2309 msg(M_USAGE,
2310 "--proto tcp is ambiguous in this context. Please specify "
2311 "--proto tcp-server or --proto tcp-client");
2312 }
2313
2314 if (options->lladdr && dev != DEV_TYPE_TAP)
2315 {
2316 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2317 }
2318
2319 /*
2320 * Sanity check on MTU parameters
2321 */
2322 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2323 {
2324 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2325 }
2326
2327 if (!proto_is_udp(ce->proto) && options->mtu_test)
2328 {
2329 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2330 }
2331
2332 /* will we be pulling options from server? */
2333 pull = options->pull;
2334
2335 /*
2336 * Sanity check on --local, --remote, and --ifconfig
2337 */
2338
2339 if (proto_is_net(ce->proto)
2340 && string_defined_equal(ce->local, ce->remote)
2341 && string_defined_equal(ce->local_port, ce->remote_port))
2342 {
2343 msg(M_USAGE, "--remote and --local addresses are the same");
2344 }
2345
2346 if (string_defined_equal(ce->remote, options->ifconfig_local)
2347 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2348 {
2349 msg(M_USAGE,
2350 "--local and --remote addresses must be distinct from --ifconfig "
2351 "addresses");
2352 }
2353
2354 if (string_defined_equal(ce->local, options->ifconfig_local)
2355 || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2356 {
2357 msg(M_USAGE,
2358 "--local addresses must be distinct from --ifconfig addresses");
2359 }
2360
2361 if (string_defined_equal(options->ifconfig_local,
2362 options->ifconfig_remote_netmask))
2363 {
2364 msg(M_USAGE,
2365 "local and remote/netmask --ifconfig addresses must be different");
2366 }
2367
2368 if (ce->bind_defined && !ce->bind_local)
2369 {
2370 msg(M_USAGE, "--bind and --nobind can't be used together");
2371 }
2372
2373 if (ce->local && !ce->bind_local)
2374 {
2375 msg(M_USAGE,
2376 "--local and --nobind don't make sense when used together");
2377 }
2378
2379 if (ce->local_port_defined && !ce->bind_local)
2380 {
2381 msg(M_USAGE,
2382 "--lport and --nobind don't make sense when used together");
2383 }
2384
2385 if (!ce->remote && !ce->bind_local)
2386 {
2387 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2388 }
2389
2390 /*
2391 * Check for consistency of management options
2392 */
2393 #ifdef ENABLE_MANAGEMENT
2394 if (!options->management_addr
2395 && (options->management_flags
2396 || options->management_log_history_cache != defaults.management_log_history_cache))
2397 {
2398 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2399 }
2400
2401 if ((options->management_client_user || options->management_client_group)
2402 && !(options->management_flags & MF_UNIX_SOCK))
2403 {
2404 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2405 }
2406
2407 if (options->management_addr
2408 && !(options->management_flags & MF_UNIX_SOCK)
2409 && (!options->management_user_pass))
2410 {
2411 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2412 "passwords is STRONGLY discouraged and considered insecure");
2413 }
2414
2415 #endif /* ifdef ENABLE_MANAGEMENT */
2416
2417 #if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
2418 if ((tls_version_max() >= TLS_VER_1_3)
2419 && (options->management_flags & MF_EXTERNAL_KEY)
2420 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2421 )
2422 {
2423 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2424 "nopadding argument/support");
2425 }
2426 #endif
2427 /*
2428 * Windows-specific options.
2429 */
2430
2431 #ifdef _WIN32
2432 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2433 {
2434 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2435 }
2436
2437 if ((options->tuntap_options.ip_win32_defined)
2438 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2439 {
2440 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2441 }
2442
2443 if (options->tuntap_options.dhcp_options
2444 && options->windows_driver != WINDOWS_DRIVER_WINTUN
2445 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2446 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2447 {
2448 msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
2449 }
2450
2451 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2452 {
2453 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2454 }
2455 #endif /* ifdef _WIN32 */
2456
2457 /*
2458 * Check that protocol options make sense.
2459 */
2460
2461 #ifdef ENABLE_FRAGMENT
2462 if (!proto_is_udp(ce->proto) && ce->fragment)
2463 {
2464 msg(M_USAGE, "--fragment can only be used with --proto udp");
2465 }
2466 #endif
2467
2468 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2469 {
2470 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2471 }
2472
2473 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2474 {
2475 msg(M_USAGE,
2476 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2477 "tcp-client)");
2478 }
2479
2480 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2481 {
2482 msg(M_USAGE,
2483 "--http-proxy not specified but other http proxy options present");
2484 }
2485
2486 if (ce->http_proxy_options && ce->socks_proxy_server)
2487 {
2488 msg(M_USAGE,
2489 "--http-proxy can not be used together with --socks-proxy");
2490 }
2491
2492 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2493 {
2494 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2495 }
2496
2497 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2498 {
2499 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2500 }
2501
2502 /*
2503 * Check consistency of --mode server options.
2504 */
2505 if (options->mode == MODE_SERVER)
2506 {
2507 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2508 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2509 #ifdef TARGET_ANDROID
2510 msg(M_FATAL, "--mode server not supported on Android");
2511 #endif
2512 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2513 {
2514 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2515 }
2516 if (options->pull)
2517 {
2518 msg(M_USAGE, "--pull cannot be used with --mode server");
2519 }
2520 if (options->pull_filter_list)
2521 {
2522 msg(M_WARN, "--pull-filter ignored for --mode server");
2523 }
2524 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2525 {
2526 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2527 }
2528 #if PORT_SHARE
2529 if ((options->port_share_host || options->port_share_port)
2530 && (ce->proto != PROTO_TCP_SERVER))
2531 {
2532 msg(M_USAGE, "--port-share only works in TCP server mode "
2533 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2534 }
2535 #endif
2536 if (!options->tls_server)
2537 {
2538 msg(M_USAGE, "--mode server requires --tls-server");
2539 }
2540 if (ce->remote)
2541 {
2542 msg(M_USAGE, "--remote cannot be used with --mode server");
2543 }
2544 if (!ce->bind_local)
2545 {
2546 msg(M_USAGE, "--nobind cannot be used with --mode server");
2547 }
2548 if (ce->http_proxy_options)
2549 {
2550 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2551 }
2552 if (ce->socks_proxy_server)
2553 {
2554 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2555 }
2556 /* <connection> blocks force to have a remote embedded, so we check
2557 * for the --remote and bail out if it is present
2558 */
2559 if (options->connection_list->len >1
2560 || options->connection_list->array[0]->remote)
2561 {
2562 msg(M_USAGE, "<connection> cannot be used with --mode server");
2563 }
2564
2565 if (options->shaper)
2566 {
2567 msg(M_USAGE, "--shaper cannot be used with --mode server");
2568 }
2569 if (options->ipchange)
2570 {
2571 msg(M_USAGE,
2572 "--ipchange cannot be used with --mode server (use "
2573 "--client-connect instead)");
2574 }
2575 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2576 {
2577 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2578 }
2579 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2580 {
2581 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2582 }
2583 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2584 {
2585 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2586 }
2587 if (options->routes && (options->routes->flags & RG_ENABLE))
2588 {
2589 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2590 }
2591 if (options->route_delay_defined)
2592 {
2593 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2594 }
2595 if (options->up_delay)
2596 {
2597 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2598 }
2599 if (!options->ifconfig_pool_defined
2600 && !options->ifconfig_ipv6_pool_defined
2601 && options->ifconfig_pool_persist_filename)
2602 {
2603 msg(M_USAGE,
2604 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2605 }
2606 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2607 {
2608 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2609 }
2610 if (options->allow_recursive_routing)
2611 {
2612 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2613 }
2614 if (options->auth_user_pass_file)
2615 {
2616 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2617 }
2618 if (options->ccd_exclusive && !options->client_config_dir)
2619 {
2620 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2621 }
2622 if (options->auth_token_generate && !options->renegotiate_seconds)
2623 {
2624 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2625 "--renegotiate_seconds setting");
2626 }
2627 {
2628 const bool ccnr = (options->auth_user_pass_verify_script
2629 || PLUGIN_OPTION_LIST(options)
2630 || MAN_CLIENT_AUTH_ENABLED(options));
2631 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2632 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2633 {
2634 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2635 }
2636 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2637 {
2638 msg(M_USAGE, "--username-as-common-name %s", postfix);
2639 }
2640 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2641 {
2642 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2643 }
2644 }
2645
2646 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2647 {
2648 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2649 }
2650 if (!options->vlan_tagging)
2651 {
2652 if (options->vlan_accept != defaults.vlan_accept)
2653 {
2654 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2655 }
2656 if (options->vlan_pvid != defaults.vlan_pvid)
2657 {
2658 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2659 }
2660 }
2661 }
2662 else
2663 {
2664 /*
2665 * When not in server mode, err if parameters are
2666 * specified which require --mode server.
2667 */
2668 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2669 {
2670 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2671 }
2672 if (options->ifconfig_ipv6_pool_defined)
2673 {
2674 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2675 }
2676 if (options->real_hash_size != defaults.real_hash_size
2677 || options->virtual_hash_size != defaults.virtual_hash_size)
2678 {
2679 msg(M_USAGE, "--hash-size requires --mode server");
2680 }
2681 if (options->learn_address_script)
2682 {
2683 msg(M_USAGE, "--learn-address requires --mode server");
2684 }
2685 if (options->client_connect_script)
2686 {
2687 msg(M_USAGE, "--client-connect requires --mode server");
2688 }
2689 if (options->client_disconnect_script)
2690 {
2691 msg(M_USAGE, "--client-disconnect requires --mode server");
2692 }
2693 if (options->client_config_dir || options->ccd_exclusive)
2694 {
2695 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2696 }
2697 if (options->enable_c2c)
2698 {
2699 msg(M_USAGE, "--client-to-client requires --mode server");
2700 }
2701 if (options->duplicate_cn)
2702 {
2703 msg(M_USAGE, "--duplicate-cn requires --mode server");
2704 }
2705 if (options->cf_max || options->cf_per)
2706 {
2707 msg(M_USAGE, "--connect-freq requires --mode server");
2708 }
2709 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2710 {
2711 msg(M_USAGE, "--verify-client-cert requires --mode server");
2712 }
2713 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2714 {
2715 msg(M_USAGE, "--username-as-common-name requires --mode server");
2716 }
2717 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2718 {
2719 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2720 }
2721 if (options->ssl_flags & SSLF_OPT_VERIFY)
2722 {
2723 msg(M_USAGE, "--opt-verify requires --mode server");
2724 }
2725 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2726 {
2727 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2728 "affect the server. To have TCP_NODELAY in both direction use "
2729 "tcp-nodelay in the server configuration instead.");
2730 }
2731 if (options->auth_user_pass_verify_script)
2732 {
2733 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2734 }
2735 if (options->auth_token_generate)
2736 {
2737 msg(M_USAGE, "--auth-gen-token requires --mode server");
2738 }
2739 #if PORT_SHARE
2740 if (options->port_share_host || options->port_share_port)
2741 {
2742 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2743 }
2744 #endif
2745
2746 if (options->stale_routes_check_interval)
2747 {
2748 msg(M_USAGE, "--stale-routes-check requires --mode server");
2749 }
2750
2751 if (options->vlan_tagging)
2752 {
2753 msg(M_USAGE, "--vlan-tagging requires --mode server");
2754 }
2755 }
2756
2757 /*
2758 * Check consistency of replay options
2759 */
2760 if (!options->replay
2761 && (options->replay_window != defaults.replay_window
2762 || options->replay_time != defaults.replay_time))
2763 {
2764 msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2765 }
2766
2767 /*
2768 * SSL/TLS mode sanity checks.
2769 */
2770 if (options->tls_server + options->tls_client
2771 +(options->shared_secret_file != NULL) > 1)
2772 {
2773 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2774 }
2775
2776 if (!options->tls_server && !options->tls_client)
2777 {
2778 msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2779 "configuration detected. OpenVPN 2.7 will remove the "
2780 "functionality to run a VPN without TLS. "
2781 "See the examples section in the manual page for "
2782 "examples of a similar quick setup with peer-fingerprint.");
2783 }
2784
2785 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2786 {
2787 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2788 "--verify-client-cert none|optional "
2789 "may accept clients which do not present a certificate");
2790 }
2791
2792 const int tls_version_max =
2793 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2794 & SSLF_TLS_VERSION_MAX_MASK;
2795 const int tls_version_min =
2796 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2797 & SSLF_TLS_VERSION_MIN_MASK;
2798
2799 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2800 {
2801 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2802 }
2803
2804 if (options->tls_server || options->tls_client)
2805 {
2806 check_ca_required(options);
2807 #ifdef ENABLE_PKCS11
2808 if (options->pkcs11_providers[0])
2809 {
2810 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2811 {
2812 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2813 }
2814 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2815 {
2816 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2817 }
2818 if (options->cert_file)
2819 {
2820 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2821 }
2822 if (options->priv_key_file)
2823 {
2824 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2825 }
2826 #ifdef ENABLE_MANAGEMENT
2827 if (options->management_flags & MF_EXTERNAL_KEY)
2828 {
2829 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2830 }
2831 if (options->management_flags & MF_EXTERNAL_CERT)
2832 {
2833 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2834 }
2835 #endif
2836 if (options->pkcs12_file)
2837 {
2838 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2839 }
2840 #ifdef ENABLE_CRYPTOAPI
2841 if (options->cryptoapi_cert)
2842 {
2843 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2844 }
2845 #endif
2846 }
2847 else
2848 #endif /* ifdef ENABLE_PKCS11 */
2849 #ifdef ENABLE_MANAGEMENT
2850 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2851 {
2852 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2853 }
2854 else if ((options->management_flags & MF_EXTERNAL_CERT))
2855 {
2856 if (options->cert_file)
2857 {
2858 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2859 }
2860 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2861 {
2862 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2863 }
2864 }
2865 else
2866 #endif
2867 #ifdef ENABLE_CRYPTOAPI
2868 if (options->cryptoapi_cert)
2869 {
2870 if (options->cert_file)
2871 {
2872 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2873 }
2874 if (options->priv_key_file)
2875 {
2876 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2877 }
2878 if (options->pkcs12_file)
2879 {
2880 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2881 }
2882 #ifdef ENABLE_MANAGEMENT
2883 if (options->management_flags & MF_EXTERNAL_KEY)
2884 {
2885 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2886 }
2887 if (options->management_flags & MF_EXTERNAL_CERT)
2888 {
2889 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2890 }
2891 #endif
2892 }
2893 else
2894 #endif /* ifdef ENABLE_CRYPTOAPI */
2895 if (options->pkcs12_file)
2896 {
2897 #ifdef ENABLE_CRYPTO_MBEDTLS
2898 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2899 #else
2900 if (options->ca_path)
2901 {
2902 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2903 }
2904 if (options->cert_file)
2905 {
2906 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2907 }
2908 if (options->priv_key_file)
2909 {
2910 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2911 }
2912 #ifdef ENABLE_MANAGEMENT
2913 if (options->management_flags & MF_EXTERNAL_KEY)
2914 {
2915 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2916 }
2917 if (options->management_flags & MF_EXTERNAL_CERT)
2918 {
2919 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2920 }
2921 #endif
2922 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2923 }
2924 else
2925 {
2926 #ifdef ENABLE_CRYPTO_MBEDTLS
2927 if (options->ca_path)
2928 {
2929 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2930 }
2931 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2932 if (pull)
2933 {
2934
2935 const int sum =
2936 #ifdef ENABLE_MANAGEMENT
2937 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2938 +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2939 #else
2940 (options->cert_file != NULL) + (options->priv_key_file != NULL);
2941 #endif
2942
2943 if (sum == 0)
2944 {
2945 if (!options->auth_user_pass_file)
2946 {
2947 msg(M_USAGE, "No client-side authentication method is "
2948 "specified. You must use either "
2949 "--cert/--key, --pkcs12, or "
2950 "--auth-user-pass");
2951 }
2952 }
2953 else if (sum == 2)
2954 {
2955 }
2956 else
2957 {
2958 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2959 }
2960 }
2961 else
2962 {
2963 #ifdef ENABLE_MANAGEMENT
2964 if (!(options->management_flags & MF_EXTERNAL_CERT))
2965 #endif
2966 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2967 #ifdef ENABLE_MANAGEMENT
2968 if (!(options->management_flags & MF_EXTERNAL_KEY))
2969 #endif
2970 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2971 }
2972 }
2973 if (ce->tls_auth_file && ce->tls_crypt_file)
2974 {
2975 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2976 }
2977 if (options->tls_client && ce->tls_crypt_v2_file
2978 && (ce->tls_auth_file || ce->tls_crypt_file))
2979 {
2980 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2981 }
2982 }
2983 else
2984 {
2985 /*
2986 * Make sure user doesn't specify any TLS options
2987 * when in non-TLS mode.
2988 */
2989
2990 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2991 }
2992
2993 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2994
2995 MUST_BE_UNDEF(ca_file);
2996 MUST_BE_UNDEF(ca_path);
2997 MUST_BE_UNDEF(dh_file);
2998 MUST_BE_UNDEF(cert_file);
2999 MUST_BE_UNDEF(priv_key_file);
3000 #ifndef ENABLE_CRYPTO_MBEDTLS
3001 MUST_BE_UNDEF(pkcs12_file);
3002 #endif
3003 MUST_BE_UNDEF(cipher_list);
3004 MUST_BE_UNDEF(cipher_list_tls13);
3005 MUST_BE_UNDEF(tls_cert_profile);
3006 MUST_BE_UNDEF(tls_verify);
3007 MUST_BE_UNDEF(tls_export_cert);
3008 MUST_BE_UNDEF(verify_x509_name);
3009 MUST_BE_UNDEF(tls_timeout);
3010 MUST_BE_UNDEF(renegotiate_bytes);
3011 MUST_BE_UNDEF(renegotiate_packets);
3012 MUST_BE_UNDEF(renegotiate_seconds);
3013 MUST_BE_UNDEF(handshake_window);
3014 MUST_BE_UNDEF(transition_window);
3015 MUST_BE_UNDEF(tls_auth_file);
3016 MUST_BE_UNDEF(tls_crypt_file);
3017 MUST_BE_UNDEF(tls_crypt_v2_file);
3018 MUST_BE_UNDEF(single_session);
3019 MUST_BE_UNDEF(push_peer_info);
3020 MUST_BE_UNDEF(tls_exit);
3021 MUST_BE_UNDEF(crl_file);
3022 MUST_BE_UNDEF(ns_cert_type);
3023 MUST_BE_UNDEF(remote_cert_ku[0]);
3024 MUST_BE_UNDEF(remote_cert_eku);
3025 #ifdef ENABLE_PKCS11
3026 MUST_BE_UNDEF(pkcs11_providers[0]);
3027 MUST_BE_UNDEF(pkcs11_private_mode[0]);
3028 MUST_BE_UNDEF(pkcs11_id);
3029 MUST_BE_UNDEF(pkcs11_id_management);
3030 #endif
3031
3032 if (pull)
3033 {
3034 msg(M_USAGE, err, "--pull");
3035 }
3036 }
3037 #undef MUST_BE_UNDEF
3038
3039 if (options->auth_user_pass_file && !options->pull)
3040 {
3041 msg(M_USAGE, "--auth-user-pass requires --pull");
3042 }
3043
3044 uninit_options(&defaults);
3045 }
3046
3047 static void
3048 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3049 {
3050 const int dev = dev_type_enum(o->dev, o->dev_type);
3051
3052 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3053 {
3054 if (ce->proto == PROTO_TCP)
3055 {
3056 ce->proto = PROTO_TCP_SERVER;
3057 }
3058 }
3059
3060 if (o->client)
3061 {
3062 if (ce->proto == PROTO_TCP)
3063 {
3064 ce->proto = PROTO_TCP_CLIENT;
3065 }
3066 }
3067
3068 /* an option is present that requires local bind to enabled */
3069 bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3070
3071 /* socks proxy is enabled */
3072 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3073
3074 /* If binding is not forced by an explicit option and we have (at least)
3075 * one of --tcp-client, --pull (or --client), or socks we do not bind
3076 * locally to have "normal" IP client behaviour of a random source port */
3077 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3078 {
3079 ce->bind_local = false;
3080 }
3081
3082 if (!ce->bind_local)
3083 {
3084 ce->local_port = NULL;
3085 }
3086
3087 /* if protocol forcing is enabled, disable all protocols
3088 * except for the forced one
3089 */
3090 if (o->proto_force >= 0 && o->proto_force != ce->proto)
3091 {
3092 ce->flags |= CE_DISABLED;
3093 }
3094
3095 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3096 * so fall back to IPv4-only (trac #1221)
3097 */
3098 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3099 {
3100 if (ce->af == AF_INET6)
3101 {
3102 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3103 "'--socks-proxy' today. Forcing IPv4 mode." );
3104 }
3105 else
3106 {
3107 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3108 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3109 }
3110 ce->af = AF_INET;
3111 }
3112
3113 /*
3114 * Set MTU defaults
3115 */
3116 {
3117 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3118 {
3119 ce->tun_mtu_defined = true;
3120 }
3121 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3122 {
3123 ce->tun_mtu_extra_defined = true;
3124 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3125 }
3126 }
3127
3128 /*
3129 * If --mssfix is supplied without a parameter or not specified at all,
3130 * default it to --fragment value, if --fragment is specified and otherwise
3131 * to the default if tun-mtu is 1500
3132 */
3133 if (o->ce.mssfix_default)
3134 {
3135 #ifdef ENABLE_FRAGMENT
3136 if (ce->fragment)
3137 {
3138 ce->mssfix = ce->fragment;
3139 }
3140 else
3141 #endif
3142 if (ce->tun_mtu_defined)
3143 {
3144 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3145 {
3146 /* We want to only set mssfix default value if we use a default
3147 * MTU Size, otherwise the different size of tun should either
3148 * already solve the problem or mssfix might artifically make the
3149 * payload packets smaller without mssfix 0 */
3150 ce->mssfix = MSSFIX_DEFAULT;
3151 ce->mssfix_encap = true;
3152 }
3153 else
3154 {
3155 /* We still apply the mssfix value but only adjust it to the
3156 * size of the tun interface. */
3157 ce->mssfix = ce->tun_mtu;
3158 ce->mssfix_fixed = true;
3159 }
3160 }
3161 }
3162
3163 /*
3164 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3165 *
3166 * At the end only one of these will be really set because the parser
3167 * logic prevents configurations where more are set.
3168 */
3169 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3170 {
3171 ce->tls_auth_file = o->tls_auth_file;
3172 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3173 ce->key_direction = o->key_direction;
3174
3175 ce->tls_crypt_file = o->tls_crypt_file;
3176 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3177
3178 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3179 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3180 }
3181
3182 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3183 * keys were not already embedded in the config file.
3184 */
3185 if (o->persist_key)
3186 {
3187 connection_entry_preload_key(&ce->tls_auth_file,
3188 &ce->tls_auth_file_inline, &o->gc);
3189 connection_entry_preload_key(&ce->tls_crypt_file,
3190 &ce->tls_crypt_file_inline, &o->gc);
3191 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3192 &ce->tls_crypt_v2_file_inline, &o->gc);
3193 }
3194
3195 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3196 {
3197 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3198 ce->explicit_exit_notification = 0;
3199 }
3200 }
3201
3202 #ifdef _WIN32
3203 /* If iservice is in use, we need def1 method for redirect-gateway */
3204 static void
3205 remap_redirect_gateway_flags(struct options *opt)
3206 {
3207 if (opt->routes
3208 && opt->route_method == ROUTE_METHOD_SERVICE
3209 && opt->routes->flags & RG_REROUTE_GW
3210 && !(opt->routes->flags & RG_DEF1))
3211 {
3212 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3213 opt->routes->flags |= RG_DEF1;
3214 }
3215 }
3216 #endif
3217
3218 /*
3219 * Save/Restore certain option defaults before --pull is applied.
3220 */
3221
3222 static void
3223 pre_connect_save(struct options *o)
3224 {
3225 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3226 o->pre_connect->tuntap_options = o->tuntap_options;
3227 o->pre_connect->tuntap_options_defined = true;
3228 o->pre_connect->foreign_option_index = o->foreign_option_index;
3229
3230 if (o->routes)
3231 {
3232 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3233 o->pre_connect->routes_defined = true;
3234 }
3235 if (o->routes_ipv6)
3236 {
3237 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3238 o->pre_connect->routes_ipv6_defined = true;
3239 }
3240 if (o->client_nat)
3241 {
3242 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3243 o->pre_connect->client_nat_defined = true;
3244 }
3245
3246 o->pre_connect->route_default_gateway = o->route_default_gateway;
3247 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3248
3249 o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3250
3251 /* NCP related options that can be overwritten by a push */
3252 o->pre_connect->ciphername = o->ciphername;
3253 o->pre_connect->authname = o->authname;
3254
3255 /* Ping related options should be reset to the config values on reconnect */
3256 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3257 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3258 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3259
3260 /* Miscellaneous Options */
3261 #ifdef USE_COMP
3262 o->pre_connect->comp = o->comp;
3263 #endif
3264 }
3265
3266 void
3267 pre_connect_restore(struct options *o, struct gc_arena *gc)
3268 {
3269 const struct options_pre_connect *pp = o->pre_connect;
3270 if (pp)
3271 {
3272 CLEAR(o->tuntap_options);
3273 if (pp->tuntap_options_defined)
3274 {
3275 o->tuntap_options = pp->tuntap_options;
3276 }
3277
3278 if (pp->routes_defined)
3279 {
3280 rol_check_alloc(o);
3281 copy_route_option_list(o->routes, pp->routes, gc);
3282 }
3283 else
3284 {
3285 o->routes = NULL;
3286 }
3287
3288 if (pp->routes_ipv6_defined)
3289 {
3290 rol6_check_alloc(o);
3291 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3292 }
3293 else
3294 {
3295 o->routes_ipv6 = NULL;
3296 }
3297
3298 o->route_default_gateway = pp->route_default_gateway;
3299 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3300
3301 /* Free DNS options and reset them to pre-pull state */
3302 gc_free(&o->dns_options.gc);
3303 struct gc_arena dns_gc = gc_new();
3304 o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3305 o->dns_options.gc = dns_gc;
3306
3307 if (pp->client_nat_defined)
3308 {
3309 cnol_check_alloc(o);
3310 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3311 }
3312 else
3313 {
3314 o->client_nat = NULL;
3315 }
3316
3317 o->foreign_option_index = pp->foreign_option_index;
3318
3319 o->ciphername = pp->ciphername;
3320 o->authname = pp->authname;
3321
3322 o->ping_rec_timeout = pp->ping_rec_timeout;
3323 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3324 o->ping_send_timeout = pp->ping_send_timeout;
3325
3326 /* Miscellaneous Options */
3327 #ifdef USE_COMP
3328 o->comp = pp->comp;
3329 #endif
3330 }
3331
3332 o->push_continuation = 0;
3333 o->push_option_types_found = 0;
3334 o->data_channel_crypto_flags = 0;
3335 }
3336
3337 static void
3338 options_postprocess_mutate_invariant(struct options *options)
3339 {
3340 #ifdef _WIN32
3341 const int dev = dev_type_enum(options->dev, options->dev_type);
3342
3343 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3344 if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3345 || options->windows_driver == WINDOWS_DRIVER_DCO)
3346 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3347 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3348 {
3349 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3350 }
3351
3352 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3353 {
3354 /* delay may only be necessary when we perform DHCP handshake */
3355 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3356 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3357 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3358 {
3359 options->route_delay_defined = true;
3360 options->route_delay = 5; /* Vista sometimes has a race without this */
3361 }
3362 }
3363
3364 if (options->ifconfig_noexec)
3365 {
3366 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3367 options->ifconfig_noexec = false;
3368 }
3369
3370 remap_redirect_gateway_flags(options);
3371
3372 /*
3373 * Check consistency of --mode server options.
3374 */
3375 if (options->mode == MODE_SERVER)
3376 {
3377 /*
3378 * We need to explicitly set --tap-sleep because
3379 * we do not schedule event timers in the top-level context.
3380 */
3381 options->tuntap_options.tap_sleep = 10;
3382 if (options->route_delay_defined && options->route_delay)
3383 {
3384 options->tuntap_options.tap_sleep = options->route_delay;
3385 }
3386 options->route_delay_defined = false;
3387 }
3388 #endif /* ifdef _WIN32 */
3389
3390 #ifdef DEFAULT_PKCS11_MODULE
3391 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3392 * by default if the user asks for PKCS#11 without otherwise specifying
3393 * the module to use. */
3394 if (!options->pkcs11_providers[0]
3395 && (options->pkcs11_id || options->pkcs11_id_management))
3396 {
3397 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3398 }
3399 #endif
3400 }
3401
3402 static void
3403 options_postprocess_verify(const struct options *o)
3404 {
3405 if (o->connection_list)
3406 {
3407 int i;
3408 for (i = 0; i < o->connection_list->len; ++i)
3409 {
3410 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3411 }
3412 }
3413 else
3414 {
3415 options_postprocess_verify_ce(o, &o->ce);
3416 }
3417
3418 dns_options_verify(M_FATAL, &o->dns_options);
3419
3420 if (dco_enabled(o) && o->enable_c2c)
3421 {
3422 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3423 "channel offload: packets are always sent to the VPN "
3424 "interface and then routed based on the system routing table");
3425 }
3426 }
3427
3428 /**
3429 * Checks for availibility of Chacha20-Poly1305 and sets
3430 * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
3431 * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
3432 */
3433 static void
3434 options_postprocess_setdefault_ncpciphers(struct options *o)
3435 {
3436 if (o->ncp_ciphers)
3437 {
3438 /* custom --data-ciphers set, keep list */
3439 return;
3440 }
3441
3442 /* check if crypto library supports chacha */
3443 bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3444
3445 if (can_do_chacha && dco_enabled(o))
3446 {
3447 /* also make sure that dco supports chacha */
3448 can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3449 }
3450
3451 if (can_do_chacha)
3452 {
3453 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3454 }
3455 else
3456 {
3457 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3458 }
3459 }
3460
3461 static void
3462 options_postprocess_cipher(struct options *o)
3463 {
3464 if (!o->pull && !(o->mode == MODE_SERVER))
3465 {
3466 /* If the cipher is not set, use the old default of BF-CBC. We will
3467 * warn that this is deprecated on cipher initialisation, no need
3468 * to warn here as well */
3469 if (!o->ciphername)
3470 {
3471 o->ciphername = "BF-CBC";
3472 }
3473 else
3474 {
3475 o->enable_ncp_fallback = true;
3476 }
3477 return;
3478 }
3479
3480 /* pull or P2MP mode */
3481 if (!o->ciphername)
3482 {
3483 /* We still need to set the ciphername to BF-CBC since various other
3484 * parts of OpenVPN assert that the ciphername is set */
3485 o->ciphername = "BF-CBC";
3486
3487 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3488 "defaulted to BF-CBC as fallback when cipher negotiation "
3489 "failed in this case. If you need this fallback please add "
3490 "'--data-ciphers-fallback 'BF-CBC' to your configuration "
3491 "and/or add BF-CBC to --data-ciphers.");
3492 }
3493 else if (!o->enable_ncp_fallback
3494 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3495 {
3496 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3497 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3498 "negotiations. ",
3499 o->ciphername, o->ncp_ciphers);
3500 }
3501 }
3502
3503 /**
3504 * The option --compat-mode is used to set up default settings to values
3505 * used on the specified openvpn version and earlier.
3506 *
3507 * This function is used in various "default option" paths to test if the
3508 * user requested compatibility with a version before the one specified
3509 * as argument. This way some default settings can be automatically
3510 * altered to guarantee compatibility with the version specified by the
3511 * user via --compat-mode.
3512 *
3513 * @param version need compatibility with openvpn versions before the
3514 * one specified (20401 = before 2.4.1)
3515 * @return whether compatibility should be enabled
3516 */
3517 static bool
3518 need_compatibility_before(const struct options *o, unsigned int version)
3519 {
3520 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3521 }
3522
3523 /**
3524 * Changes default values so that OpenVPN can be compatible with the user
3525 * specified version
3526 */
3527 static void
3528 options_set_backwards_compatible_options(struct options *o)
3529 {
3530 /* TLS min version is not set */
3531 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3532 & SSLF_TLS_VERSION_MIN_MASK;
3533 if (tls_ver_min == 0)
3534 {
3535 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3536 & SSLF_TLS_VERSION_MAX_MASK;
3537 if (need_compatibility_before(o, 20307))
3538 {
3539 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3540 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3541 }
3542 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3543 {
3544 /* Use TLS 1.2 as proper default */
3545 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3546 }
3547 else
3548 {
3549 /* Maximize the minimum version */
3550 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3551 }
3552 }
3553
3554 if (need_compatibility_before(o, 20400))
3555 {
3556 if (!o->ciphername)
3557 {
3558 /* If ciphername is not set default to BF-CBC when targeting these
3559 * old versions that do not have NCP */
3560 o->ciphername = "BF-CBC";
3561 }
3562 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3563 * not have OCC strings required for "poor man's NCP" */
3564 o->enable_ncp_fallback = true;
3565 }
3566
3567 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3568 * Version 2.4 might probably does not need it but NCP was not so
3569 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3570 * Only do this iif --cipher is not explicitly (BF-CBC). This is not
3571 * 100% correct backwards compatible behaviour but 2.5 already behaved like
3572 * this */
3573 if (o->ciphername && need_compatibility_before(o, 20500)
3574 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3575 {
3576 append_cipher_to_ncp_list(o, o->ciphername);
3577 }
3578
3579 #ifdef USE_COMP
3580 /* Compression is deprecated and we do not want to announce support for it
3581 * by default anymore, additionally DCO breaks with compression.
3582 *
3583 * Disable compression by default starting with 2.6.0 if no other
3584 * compression related option has been explicitly set */
3585 if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600)
3586 && (o->comp.flags == 0))
3587 {
3588 o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
3589 }
3590 #endif
3591 }
3592
3593 static void
3594 options_postprocess_mutate(struct options *o, struct env_set *es)
3595 {
3596 int i;
3597 /*
3598 * Process helper-type options which map to other, more complex
3599 * sequences of options.
3600 */
3601 helper_client_server(o);
3602 helper_keepalive(o);
3603 helper_tcp_nodelay(o);
3604
3605 options_postprocess_setdefault_ncpciphers(o);
3606 options_set_backwards_compatible_options(o);
3607
3608 options_postprocess_cipher(o);
3609 options_postprocess_mutate_invariant(o);
3610
3611 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3612 if (o->ncp_ciphers == NULL)
3613 {
3614 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3615 }
3616
3617 if (o->remote_list && !o->connection_list)
3618 {
3619 /*
3620 * Convert remotes into connection list
3621 */
3622 const struct remote_list *rl = o->remote_list;
3623 for (i = 0; i < rl->len; ++i)
3624 {
3625 const struct remote_entry *re = rl->array[i];
3626 struct connection_entry ce = o->ce;
3627 struct connection_entry *ace;
3628
3629 ASSERT(re->remote);
3630 connection_entry_load_re(&ce, re);
3631 ace = alloc_connection_entry(o, M_USAGE);
3632 ASSERT(ace);
3633 *ace = ce;
3634 }
3635 }
3636 else if (!o->remote_list && !o->connection_list)
3637 {
3638 struct connection_entry *ace;
3639 ace = alloc_connection_entry(o, M_USAGE);
3640 ASSERT(ace);
3641 *ace = o->ce;
3642 }
3643
3644 ASSERT(o->connection_list);
3645 for (i = 0; i < o->connection_list->len; ++i)
3646 {
3647 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3648 }
3649
3650 if (o->tls_server)
3651 {
3652 /* Check that DH file is specified, or explicitly disabled */
3653 notnull(o->dh_file, "DH file (--dh)");
3654 if (streq(o->dh_file, "none"))
3655 {
3656 o->dh_file = NULL;
3657 }
3658 }
3659 else if (o->dh_file)
3660 {
3661 /* DH file is only meaningful in a tls-server context. */
3662 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3663 "include this in your server configuration");
3664 o->dh_file = NULL;
3665 }
3666 #if ENABLE_MANAGEMENT
3667 if (o->http_proxy_override)
3668 {
3669 options_postprocess_http_proxy_override(o);
3670 }
3671 #endif
3672 if (!o->ca_file && !o->ca_path && o->verify_hash
3673 && o->verify_hash_depth == 0)
3674 {
3675 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3676 "option set). ");
3677 o->verify_hash_no_ca = true;
3678 }
3679
3680 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3681 {
3682 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3683 "incompatible with each other.");
3684 }
3685
3686 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
3687 /* check if any option should force disabling DCO */
3688 o->tuntap_options.disable_dco = !dco_check_option_conflict(D_DCO, o)
3689 || !dco_check_startup_option_conflict(D_DCO, o);
3690 #elif defined(_WIN32)
3691 /* in Windows we have no 'fallback to non-DCO' strategy, so if a conflicting
3692 * option is found, we simply bail out by means of M_USAGE
3693 */
3694 dco_check_option_conflict(M_USAGE, o);
3695 dco_check_startup_option_conflict(M_USAGE, o);
3696 #endif
3697
3698 if (dco_enabled(o) && o->dev_node)
3699 {
3700 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3701 "data channel offload");
3702 o->dev_node = NULL;
3703 }
3704
3705 /*
3706 * Save certain parms before modifying options during connect, especially
3707 * when using --pull
3708 */
3709 if (o->pull)
3710 {
3711 dns_options_preprocess_pull(&o->dns_options);
3712 }
3713 else
3714 {
3715 #if defined(_WIN32) || defined(TARGET_ANDROID)
3716 tuntap_options_copy_dns(o);
3717 #else
3718 foreign_options_copy_dns(o, es);
3719 #endif
3720 }
3721 pre_connect_save(o);
3722 }
3723
3724 /*
3725 * Check file/directory sanity
3726 *
3727 */
3728 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
3729
3730 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3731 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3732 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3733 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3734 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
3735
3736 static bool
3737 check_file_access(const int type, const char *file, const int mode, const char *opt)
3738 {
3739 int errcode = 0;
3740
3741 /* If no file configured, no errors to look for */
3742 if (!file)
3743 {
3744 return false;
3745 }
3746
3747 /* If stdin is allowed and the file name is 'stdin', then do no
3748 * further checks as stdin is always available
3749 */
3750 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3751 {
3752 return false;
3753 }
3754
3755 /* Is the directory path leading to the given file accessible? */
3756 if (type & CHKACC_DIRPATH)
3757 {
3758 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3759 char *dirpath = dirname(fullpath);
3760
3761 if (platform_access(dirpath, mode|X_OK) != 0)
3762 {
3763 errcode = errno;
3764 }
3765 free(fullpath);
3766 }
3767
3768 /* Is the file itself accessible? */
3769 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3770 {
3771 errcode = errno;
3772 }
3773
3774 /* If the file exists and is accessible, is it writable? */
3775 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3776 {
3777 if (platform_access(file, W_OK) != 0)
3778 {
3779 errcode = errno;
3780 }
3781 }
3782
3783 /* Warn if a given private file is group/others accessible. */
3784 if (type & CHKACC_PRIVATE)
3785 {
3786 platform_stat_t st;
3787 if (platform_stat(file, &st))
3788 {
3789 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3790 }
3791 #ifndef _WIN32
3792 else
3793 {
3794 if (st.st_mode & (S_IRWXG|S_IRWXO))
3795 {
3796 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3797 }
3798 }
3799 #endif
3800 }
3801
3802 /* Scream if an error is found */
3803 if (errcode > 0)
3804 {
3805 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3806 }
3807
3808 /* Return true if an error occurred */
3809 return (errcode != 0 ? true : false);
3810 }
3811
3812 /* A wrapper for check_file_access() which also takes a chroot directory.
3813 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3814 * otherwise it will look for the file inside the given chroot directory instead.
3815 */
3816 static bool
3817 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3818 {
3819 bool ret = false;
3820
3821 /* If no file configured, no errors to look for */
3822 if (!file)
3823 {
3824 return false;
3825 }
3826
3827 /* If chroot is set, look for the file/directory inside the chroot */
3828 if (chroot)
3829 {
3830 struct gc_arena gc = gc_new();
3831 struct buffer chroot_file;
3832
3833 chroot_file = prepend_dir(chroot, file, &gc);
3834 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3835 gc_free(&gc);
3836 }
3837 else
3838 {
3839 /* No chroot in play, just call core file check function */
3840 ret = check_file_access(type, file, mode, opt);
3841 }
3842 return ret;
3843 }
3844
3845 /**
3846 * A wrapper for check_file_access_chroot() that returns false immediately if
3847 * the file is inline (and therefore there is no access to check)
3848 */
3849 static bool
3850 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3851 const int type, const char *file,
3852 const int mode, const char *opt)
3853 {
3854 if (is_inline)
3855 {
3856 return false;
3857 }
3858
3859 return check_file_access_chroot(chroot, type, file, mode, opt);
3860 }
3861
3862 /**
3863 * A wrapper for check_file_access() that returns false immediately if the file
3864 * is inline (and therefore there is no access to check)
3865 */
3866 static bool
3867 check_file_access_inline(bool is_inline, const int type, const char *file,
3868 const int mode, const char *opt)
3869 {
3870 if (is_inline)
3871 {
3872 return false;
3873 }
3874
3875 return check_file_access(type, file, mode, opt);
3876 }
3877
3878 /*
3879 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3880 * valid file with appropriate permissions.
3881 *
3882 * "command" consists of a path, optionally followed by a space, which may be
3883 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3884 * performed.
3885 *
3886 * The path and arguments in "command" may be single- or double-quoted or escaped.
3887 *
3888 * The path is extracted from "command", then check_file_access() is called to check it. The
3889 * arguments, if any, are ignored.
3890 *
3891 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3892 * check_file_access() arguments.
3893 */
3894 static bool
3895 check_cmd_access(const char *command, const char *opt, const char *chroot)
3896 {
3897 struct argv argv;
3898 bool return_code;
3899
3900 /* If no command was set, there are no errors to look for */
3901 if (!command)
3902 {
3903 return false;
3904 }
3905
3906 /* Extract executable path and arguments */
3907 argv = argv_new();
3908 argv_parse_cmd(&argv, command);
3909
3910 /* if an executable is specified then check it; otherwise, complain */
3911 if (argv.argv[0])
3912 {
3913 /* Scripts requires R_OK as well, but that might fail on binaries which
3914 * only requires X_OK to function on Unix - a scenario not unlikely to
3915 * be seen on suid binaries.
3916 */
3917 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3918 }
3919 else
3920 {
3921 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3922 opt, command);
3923 return_code = true;
3924 }
3925
3926 argv_free(&argv);
3927
3928 return return_code;
3929 }
3930
3931 /*
3932 * Sanity check of all file/dir options. Checks that file/dir
3933 * is accessible by OpenVPN
3934 */
3935 static void
3936 options_postprocess_filechecks(struct options *options)
3937 {
3938 bool errs = false;
3939
3940 /* ** SSL/TLS/crypto related files ** */
3941 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
3942 options->dh_file, R_OK, "--dh");
3943
3944 if (!options->verify_hash_no_ca)
3945 {
3946 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
3947 options->ca_file, R_OK, "--ca");
3948 }
3949
3950 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
3951 options->ca_path, R_OK, "--capath");
3952
3953 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
3954 options->cert_file, R_OK, "--cert");
3955
3956 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
3957 options->extra_certs_file, R_OK,
3958 "--extra-certs");
3959
3960 #ifdef ENABLE_MANAGMENT
3961 if (!(options->management_flags & MF_EXTERNAL_KEY))
3962 #endif
3963 {
3964 errs |= check_file_access_inline(options->priv_key_file_inline,
3965 CHKACC_FILE|CHKACC_PRIVATE,
3966 options->priv_key_file, R_OK, "--key");
3967 }
3968
3969 errs |= check_file_access_inline(options->pkcs12_file_inline,
3970 CHKACC_FILE|CHKACC_PRIVATE,
3971 options->pkcs12_file, R_OK, "--pkcs12");
3972
3973 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3974 {
3975 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
3976 options->crl_file, R_OK|X_OK,
3977 "--crl-verify directory");
3978 }
3979 else
3980 {
3981 errs |= check_file_access_chroot_inline(options->crl_file_inline,
3982 options->chroot_dir,
3983 CHKACC_FILE, options->crl_file,
3984 R_OK, "--crl-verify");
3985 }
3986
3987 ASSERT(options->connection_list);
3988 for (int i = 0; i < options->connection_list->len; ++i)
3989 {
3990 struct connection_entry *ce = options->connection_list->array[i];
3991
3992 errs |= check_file_access_inline(ce->tls_auth_file_inline,
3993 CHKACC_FILE|CHKACC_PRIVATE,
3994 ce->tls_auth_file, R_OK,
3995 "--tls-auth");
3996 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
3997 CHKACC_FILE|CHKACC_PRIVATE,
3998 ce->tls_crypt_file, R_OK,
3999 "--tls-crypt");
4000 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4001 CHKACC_FILE|CHKACC_PRIVATE,
4002 ce->tls_crypt_v2_file, R_OK,
4003 "--tls-crypt-v2");
4004 }
4005
4006 errs |= check_file_access_inline(options->shared_secret_file_inline,
4007 CHKACC_FILE|CHKACC_PRIVATE,
4008 options->shared_secret_file, R_OK,
4009 "--secret");
4010
4011 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4012 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4013
4014 /* ** Password files ** */
4015 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4016 options->key_pass_file, R_OK, "--askpass");
4017 #ifdef ENABLE_MANAGEMENT
4018 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4019 options->management_user_pass, R_OK,
4020 "--management user/password file");
4021 #endif /* ENABLE_MANAGEMENT */
4022 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4023 options->auth_user_pass_file, R_OK,
4024 "--auth-user-pass");
4025 /* ** System related ** */
4026 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4027 R_OK|X_OK, "--chroot directory");
4028 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4029 R_OK|W_OK, "--writepid");
4030
4031 /* ** Log related ** */
4032 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4033 R_OK|W_OK, "--status");
4034
4035 /* ** Config related ** */
4036 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
4037 R_OK|W_OK|X_OK, "--tls-export-cert");
4038 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4039 R_OK|X_OK, "--client-config-dir");
4040 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4041 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4042
4043 if (errs)
4044 {
4045 msg(M_USAGE, "Please correct these errors.");
4046 }
4047 }
4048 #endif /* !ENABLE_SMALL */
4049
4050 /*
4051 * Sanity check on options.
4052 * Also set some options based on other
4053 * options.
4054 */
4055 void
4056 options_postprocess(struct options *options, struct env_set *es)
4057 {
4058 options_postprocess_mutate(options, es);
4059 options_postprocess_verify(options);
4060 #ifndef ENABLE_SMALL
4061 options_postprocess_filechecks(options);
4062 #endif /* !ENABLE_SMALL */
4063 }
4064
4065 /*
4066 * Sanity check on options after more options were pulled from server.
4067 * Also time to modify some options based on other options.
4068 */
4069 bool
4070 options_postprocess_pull(struct options *o, struct env_set *es)
4071 {
4072 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4073 if (success)
4074 {
4075 dns_options_postprocess_pull(&o->dns_options);
4076 setenv_dns_options(&o->dns_options, es);
4077 #if defined(_WIN32) || defined(TARGET_ANDROID)
4078 tuntap_options_copy_dns(o);
4079 #else
4080 foreign_options_copy_dns(o, es);
4081 #endif
4082 }
4083 return success;
4084 }
4085
4086 /*
4087 * Build an options string to represent data channel encryption options.
4088 * This string must match exactly between peers. The keysize is checked
4089 * separately by read_key().
4090 *
4091 * The following options must match on both peers:
4092 *
4093 * Tunnel options:
4094 *
4095 * --dev tun|tap [unit number need not match]
4096 * --dev-type tun|tap
4097 * --link-mtu
4098 * --udp-mtu
4099 * --tun-mtu
4100 * --proto udp
4101 * --proto tcp-client [matched with --proto tcp-server
4102 * on the other end of the connection]
4103 * --proto tcp-server [matched with --proto tcp-client on
4104 * the other end of the connection]
4105 * --tun-ipv6
4106 * --ifconfig x y [matched with --ifconfig y x on
4107 * the other end of the connection]
4108 *
4109 * --comp-lzo
4110 * --compress alg
4111 * --fragment
4112 *
4113 * Crypto Options:
4114 *
4115 * --cipher
4116 * --auth
4117 * --keysize
4118 * --secret
4119 * --no-replay
4120 *
4121 * SSL Options:
4122 *
4123 * --tls-auth
4124 * --tls-client [matched with --tls-server on
4125 * the other end of the connection]
4126 * --tls-server [matched with --tls-client on
4127 * the other end of the connection]
4128 */
4129 char *
4130 options_string(const struct options *o,
4131 const struct frame *frame,
4132 struct tuntap *tt,
4133 openvpn_net_ctx_t *ctx,
4134 bool remote,
4135 struct gc_arena *gc)
4136 {
4137 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4138 bool tt_local = false;
4139
4140 buf_printf(&out, "V4");
4141
4142 /*
4143 * Tunnel Options
4144 */
4145
4146 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4147 /* the link-mtu that we send has only a meaning if have a fixed
4148 * cipher (p2p) or have a fallback cipher configured for older non
4149 * ncp clients. But not sending it will make even 2.4 complain
4150 * about it being missing. So still send it. */
4151 buf_printf(&out, ",link-mtu %u",
4152 (unsigned int) calc_options_string_link_mtu(o, frame));
4153
4154 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4155 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4156
4157 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4158 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4159 * is usually pushed by the server, triggering a non-helpful warning
4160 */
4161 if (o->ifconfig_ipv6_local && p2p_nopull)
4162 {
4163 buf_printf(&out, ",tun-ipv6");
4164 }
4165
4166 /*
4167 * Try to get ifconfig parameters into the options string.
4168 * If tt is undefined, make a temporary instantiation.
4169 */
4170 if (!tt)
4171 {
4172 tt = init_tun(o->dev,
4173 o->dev_type,
4174 o->topology,
4175 o->ifconfig_local,
4176 o->ifconfig_remote_netmask,
4177 o->ifconfig_ipv6_local,
4178 o->ifconfig_ipv6_netbits,
4179 o->ifconfig_ipv6_remote,
4180 NULL,
4181 NULL,
4182 false,
4183 NULL,
4184 ctx,
4185 NULL);
4186 if (tt)
4187 {
4188 tt_local = true;
4189 }
4190 }
4191
4192 if (tt && p2p_nopull)
4193 {
4194 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4195 if (ios && strlen(ios))
4196 {
4197 buf_printf(&out, ",ifconfig %s", ios);
4198 }
4199 }
4200 if (tt_local)
4201 {
4202 free(tt);
4203 tt = NULL;
4204 }
4205
4206 #ifdef USE_COMP
4207 if (o->comp.alg != COMP_ALG_UNDEF)
4208 {
4209 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4210 }
4211 #endif
4212
4213 #ifdef ENABLE_FRAGMENT
4214 if (o->ce.fragment)
4215 {
4216 buf_printf(&out, ",mtu-dynamic");
4217 }
4218 #endif
4219
4220 #define TLS_CLIENT (o->tls_client)
4221 #define TLS_SERVER (o->tls_server)
4222
4223 /*
4224 * Key direction
4225 */
4226 {
4227 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4228 if (kd)
4229 {
4230 buf_printf(&out, ",keydir %s", kd);
4231 }
4232 }
4233
4234 /*
4235 * Crypto Options
4236 */
4237 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4238 {
4239 struct key_type kt;
4240
4241 ASSERT((o->shared_secret_file != NULL)
4242 + (TLS_CLIENT == true)
4243 + (TLS_SERVER == true)
4244 <= 1);
4245
4246 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4247 * to work here in the default configuration */
4248 const char *ciphername = o->ciphername;
4249 int keysize = 0;
4250
4251 if (strcmp(o->ciphername, "BF-CBC") == 0)
4252 {
4253 init_key_type(&kt, "none", o->authname, true, false);
4254 keysize = 128;
4255 }
4256 else
4257 {
4258 init_key_type(&kt, o->ciphername, o->authname, true, false);
4259 ciphername = cipher_kt_name(kt.cipher);
4260 if (cipher_defined(o->ciphername))
4261 {
4262 keysize = cipher_kt_key_size(kt.cipher) * 8;
4263 }
4264 }
4265 /* Only announce the cipher to our peer if we are willing to
4266 * support it */
4267 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4268 {
4269 buf_printf(&out, ",cipher %s", ciphername);
4270 }
4271 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4272 buf_printf(&out, ",keysize %d", keysize);
4273 if (o->shared_secret_file)
4274 {
4275 buf_printf(&out, ",secret");
4276 }
4277 if (!o->replay)
4278 {
4279 buf_printf(&out, ",no-replay");
4280 }
4281
4282 #ifdef ENABLE_PREDICTION_RESISTANCE
4283 if (o->use_prediction_resistance)
4284 {
4285 buf_printf(&out, ",use-prediction-resistance");
4286 }
4287 #endif
4288 }
4289
4290 /*
4291 * SSL Options
4292 */
4293 {
4294 if (TLS_CLIENT || TLS_SERVER)
4295 {
4296 if (o->ce.tls_auth_file)
4297 {
4298 buf_printf(&out, ",tls-auth");
4299 }
4300 /* Not adding tls-crypt here, because we won't reach this code if
4301 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4302 * break stuff, so leaving that in place. */
4303
4304 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4305 }
4306
4307 if (remote)
4308 {
4309 if (TLS_CLIENT)
4310 {
4311 buf_printf(&out, ",tls-server");
4312 }
4313 else if (TLS_SERVER)
4314 {
4315 buf_printf(&out, ",tls-client");
4316 }
4317 }
4318 else
4319 {
4320 if (TLS_CLIENT)
4321 {
4322 buf_printf(&out, ",tls-client");
4323 }
4324 else if (TLS_SERVER)
4325 {
4326 buf_printf(&out, ",tls-server");
4327 }
4328 }
4329 }
4330
4331 #undef TLS_CLIENT
4332 #undef TLS_SERVER
4333
4334 return BSTR(&out);
4335 }
4336
4337 /*
4338 * Compare option strings for equality.
4339 * If the first two chars of the strings differ, it means that
4340 * we are looking at different versions of the options string,
4341 * therefore don't compare them and return true.
4342 */
4343
4344 bool
4345 options_cmp_equal(char *actual, const char *expected)
4346 {
4347 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4348 }
4349
4350 void
4351 options_warning(char *actual, const char *expected)
4352 {
4353 options_warning_safe(actual, expected, strlen(actual) + 1);
4354 }
4355
4356 static const char *
4357 options_warning_extract_parm1(const char *option_string,
4358 struct gc_arena *gc_ret)
4359 {
4360 struct gc_arena gc = gc_new();
4361 struct buffer b = string_alloc_buf(option_string, &gc);
4362 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4363 const char *ret;
4364
4365 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4366 ret = string_alloc(p, gc_ret);
4367 gc_free(&gc);
4368 return ret;
4369 }
4370
4371 static void
4372 options_warning_safe_scan2(const int msglevel,
4373 const int delim,
4374 const bool report_inconsistent,
4375 const char *p1,
4376 const struct buffer *b2_src,
4377 const char *b1_name,
4378 const char *b2_name)
4379 {
4380 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4381 * OCC in a future version (because it's not useful). To reduce questions
4382 * when interoperating, we no longer printing a warning about it.
4383 */
4384 if (strprefix(p1, "key-method ")
4385 || strprefix(p1, "keydir ")
4386 || strprefix(p1, "proto ")
4387 || streq(p1, "tls-auth")
4388 || strprefix(p1, "tun-ipv6")
4389 || strprefix(p1, "cipher "))
4390 {
4391 return;
4392 }
4393
4394 if (strlen(p1) > 0)
4395 {
4396 struct gc_arena gc = gc_new();
4397 struct buffer b2 = *b2_src;
4398 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4399 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4400
4401 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4402 {
4403 if (strlen(p2))
4404 {
4405 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4406
4407 if (!strcmp(p1, p2))
4408 {
4409 goto done;
4410 }
4411 if (!strcmp(p1_prefix, p2_prefix))
4412 {
4413 if (report_inconsistent)
4414 {
4415 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4416 safe_print(p1_prefix, &gc),
4417 b1_name,
4418 safe_print(p1, &gc),
4419 b2_name,
4420 safe_print(p2, &gc));
4421 }
4422 goto done;
4423 }
4424 }
4425 }
4426
4427 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4428 safe_print(p1_prefix, &gc),
4429 b1_name,
4430 b2_name,
4431 b1_name,
4432 safe_print(p1, &gc));
4433
4434 done:
4435 gc_free(&gc);
4436 }
4437 }
4438
4439 static void
4440 options_warning_safe_scan1(const int msglevel,
4441 const int delim,
4442 const bool report_inconsistent,
4443 const struct buffer *b1_src,
4444 const struct buffer *b2_src,
4445 const char *b1_name,
4446 const char *b2_name)
4447 {
4448 struct gc_arena gc = gc_new();
4449 struct buffer b = *b1_src;
4450 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4451
4452 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4453 {
4454 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4455 }
4456
4457 gc_free(&gc);
4458 }
4459
4460 static void
4461 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4462 {
4463 struct gc_arena gc = gc_new();
4464
4465 if (actual_n > 0)
4466 {
4467 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4468 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4469 actual[actual_n - 1] = 0;
4470
4471 buf_printf(&local, "version %s", expected);
4472 buf_printf(&remote, "version %s", actual);
4473
4474 options_warning_safe_scan1(msglevel, ',', true,
4475 &local, &remote,
4476 "local", "remote");
4477
4478 options_warning_safe_scan1(msglevel, ',', false,
4479 &remote, &local,
4480 "remote", "local");
4481 }
4482
4483 gc_free(&gc);
4484 }
4485
4486 bool
4487 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4488 {
4489 struct gc_arena gc = gc_new();
4490 bool ret = true;
4491
4492 if (actual_n > 0)
4493 {
4494 actual[actual_n - 1] = 0;
4495 #ifndef ENABLE_STRICT_OPTIONS_CHECK
4496 if (strncmp(actual, expected, 2))
4497 {
4498 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4499 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4500 }
4501 else
4502 #endif
4503 ret = !strcmp(actual, expected);
4504 }
4505 gc_free(&gc);
4506 return ret;
4507 }
4508
4509 void
4510 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4511 {
4512 options_warning_safe_ml(M_WARN, actual, expected, actual_n);
4513 }
4514
4515 const char *
4516 options_string_version(const char *s, struct gc_arena *gc)
4517 {
4518 struct buffer out = alloc_buf_gc(4, gc);
4519 strncpynt((char *) BPTR(&out), s, 3);
4520 return BSTR(&out);
4521 }
4522
4523 char *
4524 options_string_extract_option(const char *options_string, const char *opt_name,
4525 struct gc_arena *gc)
4526 {
4527 char *ret = NULL;
4528 const size_t opt_name_len = strlen(opt_name);
4529
4530 const char *p = options_string;
4531 while (p)
4532 {
4533 if (0 == strncmp(p, opt_name, opt_name_len)
4534 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4535 {
4536 /* option found, extract value */
4537 const char *start = &p[opt_name_len+1];
4538 const char *end = strchr(p, ',');
4539 size_t val_len = end ? end - start : strlen(start);
4540 ret = gc_malloc(val_len+1, true, gc);
4541 memcpy(ret, start, val_len);
4542 break;
4543 }
4544 p = strchr(p, ',');
4545 if (p)
4546 {
4547 p++; /* skip delimiter */
4548 }
4549 }
4550 return ret;
4551 }
4552
4553 #ifdef _WIN32
4554 /**
4555 * Parses --windows-driver config option
4556 *
4557 * @param str value of --windows-driver option
4558 * @param msglevel msglevel to report parsing error
4559 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
4560 */
4561 static enum windows_driver_type
4562 parse_windows_driver(const char *str, const int msglevel)
4563 {
4564 if (streq(str, "tap-windows6"))
4565 {
4566 return WINDOWS_DRIVER_TAP_WINDOWS6;
4567 }
4568 else if (streq(str, "wintun"))
4569 {
4570 return WINDOWS_DRIVER_WINTUN;
4571 }
4572
4573 else if (streq(str, "ovpn-dco"))
4574 {
4575 return WINDOWS_DRIVER_DCO;
4576 }
4577 else
4578 {
4579 msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4580 "or ovpn-dco");
4581 return WINDOWS_DRIVER_UNSPECIFIED;
4582 }
4583 }
4584 #endif /* ifdef _WIN32 */
4585
4586 /*
4587 * parse/print topology coding
4588 */
4589
4590 int
4591 parse_topology(const char *str, const int msglevel)
4592 {
4593 if (streq(str, "net30"))
4594 {
4595 return TOP_NET30;
4596 }
4597 else if (streq(str, "p2p"))
4598 {
4599 return TOP_P2P;
4600 }
4601 else if (streq(str, "subnet"))
4602 {
4603 return TOP_SUBNET;
4604 }
4605 else
4606 {
4607 msg(msglevel, "--topology must be net30, p2p, or subnet");
4608 return TOP_UNDEF;
4609 }
4610 }
4611
4612 const char *
4613 print_topology(const int topology)
4614 {
4615 switch (topology)
4616 {
4617 case TOP_UNDEF:
4618 return "undef";
4619
4620 case TOP_NET30:
4621 return "net30";
4622
4623 case TOP_P2P:
4624 return "p2p";
4625
4626 case TOP_SUBNET:
4627 return "subnet";
4628
4629 default:
4630 return "unknown";
4631 }
4632 }
4633
4634 /*
4635 * Manage auth-retry variable
4636 */
4637
4638 static int global_auth_retry; /* GLOBAL */
4639
4640 int
4641 auth_retry_get(void)
4642 {
4643 return global_auth_retry;
4644 }
4645
4646 bool
4647 auth_retry_set(const int msglevel, const char *option)
4648 {
4649 if (streq(option, "interact"))
4650 {
4651 global_auth_retry = AR_INTERACT;
4652 }
4653 else if (streq(option, "nointeract"))
4654 {
4655 global_auth_retry = AR_NOINTERACT;
4656 }
4657 else if (streq(option, "none"))
4658 {
4659 global_auth_retry = AR_NONE;
4660 }
4661 else
4662 {
4663 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4664 return false;
4665 }
4666 return true;
4667 }
4668
4669 const char *
4670 auth_retry_print(void)
4671 {
4672 switch (global_auth_retry)
4673 {
4674 case AR_NONE:
4675 return "none";
4676
4677 case AR_NOINTERACT:
4678 return "nointeract";
4679
4680 case AR_INTERACT:
4681 return "interact";
4682
4683 default:
4684 return "???";
4685 }
4686 }
4687
4688 /*
4689 * Print the help message.
4690 */
4691 static void
4692 usage(void)
4693 {
4694 FILE *fp = msg_fp(0);
4695
4696 #ifdef ENABLE_SMALL
4697
4698 fprintf(fp, "Usage message not available\n");
4699
4700 #else
4701
4702 struct options o;
4703 init_options(&o, true);
4704
4705 fprintf(fp, usage_message,
4706 title_string,
4707 o.ce.connect_retry_seconds,
4708 o.ce.connect_retry_seconds_max,
4709 o.ce.local_port, o.ce.remote_port,
4710 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4711 o.verbosity,
4712 o.authname, o.ciphername,
4713 o.replay_window, o.replay_time,
4714 o.tls_timeout, o.renegotiate_seconds,
4715 o.handshake_window, o.transition_window);
4716 fflush(fp);
4717
4718 #endif /* ENABLE_SMALL */
4719
4720 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4721 }
4722
4723 void
4724 usage_small(void)
4725 {
4726 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4727 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4728 }
4729
4730 #ifdef _WIN32
4731 void
4732 show_windows_version(const unsigned int flags)
4733 {
4734 struct gc_arena gc = gc_new();
4735 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4736 gc_free(&gc);
4737 }
4738 #endif
4739
4740 void
4741 show_library_versions(const unsigned int flags)
4742 {
4743 #ifdef ENABLE_LZO
4744 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4745 #else
4746 #define LZO_LIB_VER_STR "", ""
4747 #endif
4748
4749 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4750 LZO_LIB_VER_STR);
4751
4752 #undef LZO_LIB_VER_STR
4753 }
4754
4755 static void
4756 usage_version(void)
4757 {
4758 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4759 show_library_versions( M_INFO|M_NOPREFIX );
4760 #ifdef _WIN32
4761 show_windows_version( M_INFO|M_NOPREFIX );
4762 #endif
4763 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4764 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>");
4765 #ifndef ENABLE_SMALL
4766 #ifdef CONFIGURE_DEFINES
4767 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4768 #endif
4769 #ifdef CONFIGURE_SPECIAL_BUILD
4770 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4771 #endif
4772 #endif
4773 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4774 }
4775
4776 void
4777 notnull(const char *arg, const char *description)
4778 {
4779 if (!arg)
4780 {
4781 msg(M_USAGE, "You must define %s", description);
4782 }
4783 }
4784
4785 bool
4786 string_defined_equal(const char *s1, const char *s2)
4787 {
4788 if (s1 && s2)
4789 {
4790 return !strcmp(s1, s2);
4791 }
4792 else
4793 {
4794 return false;
4795 }
4796 }
4797
4798 #if 0
4799 static void
4800 ping_rec_err(int msglevel)
4801 {
4802 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4803 }
4804 #endif
4805
4806 static int
4807 positive_atoi(const char *str)
4808 {
4809 const int i = atoi(str);
4810 return i < 0 ? 0 : i;
4811 }
4812
4813 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4814 static unsigned int
4815 atou(const char *str)
4816 {
4817 unsigned int val = 0;
4818 sscanf(str, "%u", &val);
4819 return val;
4820 }
4821 #endif
4822
4823 static inline bool
4824 space(unsigned char c)
4825 {
4826 return c == '\0' || isspace(c);
4827 }
4828
4829 int
4830 parse_line(const char *line,
4831 char *p[],
4832 const int n,
4833 const char *file,
4834 const int line_num,
4835 int msglevel,
4836 struct gc_arena *gc)
4837 {
4838 const int STATE_INITIAL = 0;
4839 const int STATE_READING_QUOTED_PARM = 1;
4840 const int STATE_READING_UNQUOTED_PARM = 2;
4841 const int STATE_DONE = 3;
4842 const int STATE_READING_SQUOTED_PARM = 4;
4843
4844 const char *error_prefix = "";
4845
4846 int ret = 0;
4847 const char *c = line;
4848 int state = STATE_INITIAL;
4849 bool backslash = false;
4850 char in, out;
4851
4852 char parm[OPTION_PARM_SIZE];
4853 unsigned int parm_len = 0;
4854
4855 msglevel &= ~M_OPTERR;
4856
4857 if (msglevel & M_MSG_VIRT_OUT)
4858 {
4859 error_prefix = "ERROR: ";
4860 }
4861
4862 do
4863 {
4864 in = *c;
4865 out = 0;
4866
4867 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4868 {
4869 backslash = true;
4870 }
4871 else
4872 {
4873 if (state == STATE_INITIAL)
4874 {
4875 if (!space(in))
4876 {
4877 if (in == ';' || in == '#') /* comment */
4878 {
4879 break;
4880 }
4881 if (!backslash && in == '\"')
4882 {
4883 state = STATE_READING_QUOTED_PARM;
4884 }
4885 else if (!backslash && in == '\'')
4886 {
4887 state = STATE_READING_SQUOTED_PARM;
4888 }
4889 else
4890 {
4891 out = in;
4892 state = STATE_READING_UNQUOTED_PARM;
4893 }
4894 }
4895 }
4896 else if (state == STATE_READING_UNQUOTED_PARM)
4897 {
4898 if (!backslash && space(in))
4899 {
4900 state = STATE_DONE;
4901 }
4902 else
4903 {
4904 out = in;
4905 }
4906 }
4907 else if (state == STATE_READING_QUOTED_PARM)
4908 {
4909 if (!backslash && in == '\"')
4910 {
4911 state = STATE_DONE;
4912 }
4913 else
4914 {
4915 out = in;
4916 }
4917 }
4918 else if (state == STATE_READING_SQUOTED_PARM)
4919 {
4920 if (in == '\'')
4921 {
4922 state = STATE_DONE;
4923 }
4924 else
4925 {
4926 out = in;
4927 }
4928 }
4929 if (state == STATE_DONE)
4930 {
4931 /* ASSERT (parm_len > 0); */
4932 p[ret] = gc_malloc(parm_len + 1, true, gc);
4933 memcpy(p[ret], parm, parm_len);
4934 p[ret][parm_len] = '\0';
4935 state = STATE_INITIAL;
4936 parm_len = 0;
4937 ++ret;
4938 }
4939
4940 if (backslash && out)
4941 {
4942 if (!(out == '\\' || out == '\"' || space(out)))
4943 {
4944 #ifdef ENABLE_SMALL
4945 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4946 #else
4947 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4948 #endif
4949 return 0;
4950 }
4951 }
4952 backslash = false;
4953 }
4954
4955 /* store parameter character */
4956 if (out)
4957 {
4958 if (parm_len >= SIZE(parm))
4959 {
4960 parm[SIZE(parm) - 1] = 0;
4961 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4962 error_prefix, file, line_num, (int) SIZE(parm), parm);
4963 return 0;
4964 }
4965 parm[parm_len++] = out;
4966 }
4967
4968 /* avoid overflow if too many parms in one config file line */
4969 if (ret >= n)
4970 {
4971 break;
4972 }
4973
4974 } while (*c++ != '\0');
4975
4976 if (state == STATE_READING_QUOTED_PARM)
4977 {
4978 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4979 return 0;
4980 }
4981 if (state == STATE_READING_SQUOTED_PARM)
4982 {
4983 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4984 return 0;
4985 }
4986 if (state != STATE_INITIAL)
4987 {
4988 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4989 return 0;
4990 }
4991 #if 0
4992 {
4993 int i;
4994 for (i = 0; i < ret; ++i)
4995 {
4996 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4997 }
4998 }
4999 #endif
5000 return ret;
5001 }
5002
5003 static void
5004 bypass_doubledash(char **p)
5005 {
5006 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5007 {
5008 *p += 2;
5009 }
5010 }
5011
5012 struct in_src {
5013 #define IS_TYPE_FP 1
5014 #define IS_TYPE_BUF 2
5015 int type;
5016 union {
5017 FILE *fp;
5018 struct buffer *multiline;
5019 } u;
5020 };
5021
5022 static bool
5023 in_src_get(const struct in_src *is, char *line, const int size)
5024 {
5025 if (is->type == IS_TYPE_FP)
5026 {
5027 return BOOL_CAST(fgets(line, size, is->u.fp));
5028 }
5029 else if (is->type == IS_TYPE_BUF)
5030 {
5031 bool status = buf_parse(is->u.multiline, '\n', line, size);
5032 if ((int) strlen(line) + 1 < size)
5033 {
5034 strcat(line, "\n");
5035 }
5036 return status;
5037 }
5038 else
5039 {
5040 ASSERT(0);
5041 return false;
5042 }
5043 }
5044
5045 static char *
5046 read_inline_file(struct in_src *is, const char *close_tag,
5047 int *num_lines, struct gc_arena *gc)
5048 {
5049 char line[OPTION_LINE_SIZE];
5050 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5051 char *ret;
5052 bool endtagfound = false;
5053
5054 while (in_src_get(is, line, sizeof(line)))
5055 {
5056 (*num_lines)++;
5057 char *line_ptr = line;
5058 /* Remove leading spaces */
5059 while (isspace(*line_ptr))
5060 {
5061 line_ptr++;
5062 }
5063 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5064 {
5065 endtagfound = true;
5066 break;
5067 }
5068 if (!buf_safe(&buf, strlen(line)+1))
5069 {
5070 /* Increase buffer size */
5071 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5072 ASSERT(buf_copy(&buf2, &buf));
5073 buf_clear(&buf);
5074 free_buf(&buf);
5075 buf = buf2;
5076 }
5077 buf_printf(&buf, "%s", line);
5078 }
5079 if (!endtagfound)
5080 {
5081 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5082 }
5083 ret = string_alloc(BSTR(&buf), gc);
5084 buf_clear(&buf);
5085 free_buf(&buf);
5086 secure_memzero(line, sizeof(line));
5087 return ret;
5088 }
5089
5090 static int
5091 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5092 {
5093 int num_inline_lines = 0;
5094
5095 if (p[0] && !p[1])
5096 {
5097 char *arg = p[0];
5098 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5099 {
5100 struct buffer close_tag;
5101
5102 arg[strlen(arg) - 1] = '\0';
5103 p[0] = string_alloc(arg + 1, gc);
5104 close_tag = alloc_buf(strlen(p[0]) + 4);
5105 buf_printf(&close_tag, "</%s>", p[0]);
5106 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5107 p[2] = NULL;
5108 free_buf(&close_tag);
5109 }
5110 }
5111 return num_inline_lines;
5112 }
5113
5114 static int
5115 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5116 {
5117 struct in_src is;
5118 is.type = IS_TYPE_FP;
5119 is.u.fp = fp;
5120 return check_inline_file(&is, p, gc);
5121 }
5122
5123 static int
5124 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5125 struct gc_arena *gc)
5126 {
5127 struct in_src is;
5128 is.type = IS_TYPE_BUF;
5129 is.u.multiline = multiline;
5130 return check_inline_file(&is, p, gc);
5131 }
5132
5133 static void
5134 add_option(struct options *options,
5135 char *p[],
5136 bool is_inline,
5137 const char *file,
5138 int line,
5139 const int level,
5140 const int msglevel,
5141 const unsigned int permission_mask,
5142 unsigned int *option_types_found,
5143 struct env_set *es);
5144
5145 static void
5146 read_config_file(struct options *options,
5147 const char *file,
5148 int level,
5149 const char *top_file,
5150 const int top_line,
5151 const int msglevel,
5152 const unsigned int permission_mask,
5153 unsigned int *option_types_found,
5154 struct env_set *es)
5155 {
5156 const int max_recursive_levels = 10;
5157 FILE *fp;
5158 int line_num;
5159 char line[OPTION_LINE_SIZE+1];
5160 char *p[MAX_PARMS+1];
5161
5162 ++level;
5163 if (level <= max_recursive_levels)
5164 {
5165 if (streq(file, "stdin"))
5166 {
5167 fp = stdin;
5168 }
5169 else
5170 {
5171 fp = platform_fopen(file, "r");
5172 }
5173 if (fp)
5174 {
5175 line_num = 0;
5176 while (fgets(line, sizeof(line), fp))
5177 {
5178 int offset = 0;
5179 CLEAR(p);
5180 ++line_num;
5181 if (strlen(line) == OPTION_LINE_SIZE)
5182 {
5183 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5184 file, line_num, OPTION_LINE_SIZE, line);
5185 }
5186
5187 /* Ignore UTF-8 BOM at start of stream */
5188 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5189 {
5190 offset = 3;
5191 }
5192 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5193 {
5194 bypass_doubledash(&p[0]);
5195 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5196 add_option(options, p, lines_inline, file, line_num, level,
5197 msglevel, permission_mask, option_types_found,
5198 es);
5199 line_num += lines_inline;
5200 }
5201 }
5202 if (fp != stdin)
5203 {
5204 fclose(fp);
5205 }
5206 }
5207 else
5208 {
5209 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5210 }
5211 }
5212 else
5213 {
5214 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5215 }
5216 secure_memzero(line, sizeof(line));
5217 CLEAR(p);
5218 }
5219
5220 static void
5221 read_config_string(const char *prefix,
5222 struct options *options,
5223 const char *config,
5224 const int msglevel,
5225 const unsigned int permission_mask,
5226 unsigned int *option_types_found,
5227 struct env_set *es)
5228 {
5229 char line[OPTION_LINE_SIZE];
5230 struct buffer multiline;
5231 int line_num = 0;
5232
5233 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5234
5235 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5236 {
5237 char *p[MAX_PARMS+1];
5238 CLEAR(p);
5239 ++line_num;
5240 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5241 {
5242 bypass_doubledash(&p[0]);
5243 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5244 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5245 permission_mask, option_types_found, es);
5246 line_num += lines_inline;
5247 }
5248 CLEAR(p);
5249 }
5250 secure_memzero(line, sizeof(line));
5251 }
5252
5253 void
5254 parse_argv(struct options *options,
5255 const int argc,
5256 char *argv[],
5257 const int msglevel,
5258 const unsigned int permission_mask,
5259 unsigned int *option_types_found,
5260 struct env_set *es)
5261 {
5262 int i, j;
5263
5264 /* usage message */
5265 if (argc <= 1)
5266 {
5267 usage();
5268 }
5269
5270 /* config filename specified only? */
5271 if (argc == 2 && strncmp(argv[1], "--", 2))
5272 {
5273 char *p[MAX_PARMS];
5274 CLEAR(p);
5275 p[0] = "config";
5276 p[1] = argv[1];
5277 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5278 option_types_found, es);
5279 }
5280 else
5281 {
5282 /* parse command line */
5283 for (i = 1; i < argc; ++i)
5284 {
5285 char *p[MAX_PARMS];
5286 CLEAR(p);
5287 p[0] = argv[i];
5288 if (strncmp(p[0], "--", 2))
5289 {
5290 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5291 }
5292 else
5293 {
5294 p[0] += 2;
5295 }
5296
5297 for (j = 1; j < MAX_PARMS; ++j)
5298 {
5299 if (i + j < argc)
5300 {
5301 char *arg = argv[i + j];
5302 if (strncmp(arg, "--", 2))
5303 {
5304 p[j] = arg;
5305 }
5306 else
5307 {
5308 break;
5309 }
5310 }
5311 }
5312 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5313 option_types_found, es);
5314 i += j - 1;
5315 }
5316 }
5317 }
5318
5319 /**
5320 * Filter an option line by all pull filters.
5321 *
5322 * If a match is found, the line is modified depending on
5323 * the filter type, and returns true. If the filter type is
5324 * reject, SIGUSR1 is triggered and the return value is false.
5325 * In that case the caller must end the push processing.
5326 */
5327 static bool
5328 apply_pull_filter(const struct options *o, char *line)
5329 {
5330 struct pull_filter *f;
5331
5332 if (!o->pull_filter_list)
5333 {
5334 return true;
5335 }
5336
5337 for (f = o->pull_filter_list->head; f; f = f->next)
5338 {
5339 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5340 {
5341 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5342 return true;
5343 }
5344 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5345 {
5346 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5347 *line = '\0';
5348 return true;
5349 }
5350 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5351 {
5352 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5353 *line = '\0';
5354 throw_signal_soft(SIGUSR1, "Offending option received from server");
5355 return false;
5356 }
5357 }
5358 return true;
5359 }
5360
5361 bool
5362 apply_push_options(struct options *options,
5363 struct buffer *buf,
5364 unsigned int permission_mask,
5365 unsigned int *option_types_found,
5366 struct env_set *es)
5367 {
5368 char line[OPTION_PARM_SIZE];
5369 int line_num = 0;
5370 const char *file = "[PUSH-OPTIONS]";
5371 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5372
5373 while (buf_parse(buf, ',', line, sizeof(line)))
5374 {
5375 char *p[MAX_PARMS+1];
5376 CLEAR(p);
5377 ++line_num;
5378 if (!apply_pull_filter(options, line))
5379 {
5380 return false; /* Cause push/pull error and stop push processing */
5381 }
5382 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5383 {
5384 add_option(options, p, false, file, line_num, 0, msglevel,
5385 permission_mask, option_types_found, es);
5386 }
5387 }
5388 return true;
5389 }
5390
5391 void
5392 options_server_import(struct options *o,
5393 const char *filename,
5394 int msglevel,
5395 unsigned int permission_mask,
5396 unsigned int *option_types_found,
5397 struct env_set *es)
5398 {
5399 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5400 read_config_file(o,
5401 filename,
5402 0,
5403 filename,
5404 0,
5405 msglevel,
5406 permission_mask,
5407 option_types_found,
5408 es);
5409 }
5410
5411 void
5412 options_string_import(struct options *options,
5413 const char *config,
5414 const int msglevel,
5415 const unsigned int permission_mask,
5416 unsigned int *option_types_found,
5417 struct env_set *es)
5418 {
5419 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5420 }
5421
5422 #define VERIFY_PERMISSION(mask) { \
5423 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5424 option_types_found, msglevel, options, is_inline)) \
5425 { \
5426 goto err; \
5427 } \
5428 }
5429
5430 static bool
5431 verify_permission(const char *name,
5432 const char *file,
5433 int line,
5434 const unsigned int type,
5435 const unsigned int allowed,
5436 unsigned int *found,
5437 const int msglevel,
5438 struct options *options,
5439 bool is_inline)
5440 {
5441 if (!(type & allowed))
5442 {
5443 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5444 return false;
5445 }
5446
5447 if (is_inline && !(type & OPT_P_INLINE))
5448 {
5449 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5450 file, line);
5451 return false;
5452 }
5453
5454 if (found)
5455 {
5456 *found |= type;
5457 }
5458
5459 #ifndef ENABLE_SMALL
5460 /* Check if this options is allowed in connection block,
5461 * but we are currently not in a connection block
5462 * unless this is a pushed option.
5463 * Parsing a connection block uses a temporary options struct without
5464 * connection_list
5465 */
5466
5467 if ((type & OPT_P_CONNECTION) && options->connection_list
5468 && !(allowed & OPT_P_PULL_MODE))
5469 {
5470 if (file)
5471 {
5472 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5473 }
5474 else
5475 {
5476 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5477 }
5478 }
5479 #endif
5480 return true;
5481 }
5482
5483 /*
5484 * Check that an option doesn't have too
5485 * many parameters.
5486 */
5487
5488 #define NM_QUOTE_HINT (1<<0)
5489
5490 static bool
5491 no_more_than_n_args(const int msglevel,
5492 char *p[],
5493 const int max,
5494 const unsigned int flags)
5495 {
5496 const int len = string_array_len((const char **)p);
5497
5498 if (!len)
5499 {
5500 return false;
5501 }
5502
5503 if (len > max)
5504 {
5505 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5506 p[0],
5507 max - 1,
5508 max >= 3 ? "s" : "",
5509 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5510 return false;
5511 }
5512 else
5513 {
5514 return true;
5515 }
5516 }
5517
5518 static inline int
5519 msglevel_forward_compatible(struct options *options, const int msglevel)
5520 {
5521 return options->forward_compatible ? M_WARN : msglevel;
5522 }
5523
5524 static void
5525 set_user_script(struct options *options,
5526 const char **script,
5527 const char *new_script,
5528 const char *type,
5529 bool in_chroot)
5530 {
5531 if (*script)
5532 {
5533 msg(M_WARN, "Multiple --%s scripts defined. "
5534 "The previously configured script is overridden.", type);
5535 }
5536 *script = new_script;
5537 options->user_script_used = true;
5538
5539 #ifndef ENABLE_SMALL
5540 {
5541 char script_name[100];
5542 openvpn_snprintf(script_name, sizeof(script_name),
5543 "--%s script", type);
5544
5545 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5546 {
5547 msg(M_USAGE, "Please correct this error.");
5548 }
5549
5550 }
5551 #endif
5552 }
5553
5554 #ifdef USE_COMP
5555 static void
5556 show_compression_warning(struct compress_options *info)
5557 {
5558 if (comp_non_stub_enabled(info))
5559 {
5560 /*
5561 * Check if already displayed the strong warning and enabled full
5562 * compression
5563 */
5564 if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5565 {
5566 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5567 "Compression has been used in the past to break encryption. "
5568 "Sent packets are not compressed unless \"allow-compression yes\" "
5569 "is also set.");
5570 }
5571 }
5572 }
5573 #endif
5574
5575 bool
5576 key_is_external(const struct options *options)
5577 {
5578 bool ret = false;
5579 #ifdef ENABLE_MANAGEMENT
5580 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5581 #endif
5582 #ifdef ENABLE_PKCS11
5583 ret = ret || (options->pkcs11_providers[0] != NULL);
5584 #endif
5585 #ifdef ENABLE_CRYPTOAPI
5586 ret = ret || options->cryptoapi_cert;
5587 #endif
5588
5589 return ret;
5590 }
5591
5592 static void
5593 add_option(struct options *options,
5594 char *p[],
5595 bool is_inline,
5596 const char *file,
5597 int line,
5598 const int level,
5599 const int msglevel,
5600 const unsigned int permission_mask,
5601 unsigned int *option_types_found,
5602 struct env_set *es)
5603 {
5604 struct gc_arena gc = gc_new();
5605 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5606 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5607
5608 ASSERT(MAX_PARMS >= 7);
5609
5610 /*
5611 * If directive begins with "setenv opt" prefix, don't raise an error if
5612 * directive is unrecognized.
5613 */
5614 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5615 {
5616 if (!p[2])
5617 {
5618 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5619 }
5620 p += 2;
5621 msglevel_fc = M_WARN;
5622 }
5623
5624 if (!file)
5625 {
5626 file = "[CMD-LINE]";
5627 line = 1;
5628 }
5629 if (streq(p[0], "help"))
5630 {
5631 VERIFY_PERMISSION(OPT_P_GENERAL);
5632 usage();
5633 if (p[1])
5634 {
5635 msg(msglevel, "--help does not accept any parameters");
5636 goto err;
5637 }
5638 }
5639 if (streq(p[0], "version") && !p[1])
5640 {
5641 VERIFY_PERMISSION(OPT_P_GENERAL);
5642 usage_version();
5643 }
5644 else if (streq(p[0], "config") && p[1] && !p[2])
5645 {
5646 VERIFY_PERMISSION(OPT_P_CONFIG);
5647
5648 /* save first config file only in options */
5649 if (!options->config)
5650 {
5651 options->config = p[1];
5652 }
5653
5654 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5655 }
5656 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5657 else if (streq(p[0], "show-gateway") && !p[2])
5658 {
5659 struct route_gateway_info rgi;
5660 struct route_ipv6_gateway_info rgi6;
5661 struct in6_addr remote = IN6ADDR_ANY_INIT;
5662 openvpn_net_ctx_t net_ctx;
5663 VERIFY_PERMISSION(OPT_P_GENERAL);
5664 if (p[1])
5665 {
5666 get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5667 }
5668 net_ctx_init(NULL, &net_ctx);
5669 get_default_gateway(&rgi, &net_ctx);
5670 get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5671 print_default_gateway(M_INFO, &rgi, &rgi6);
5672 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5673 }
5674 #endif
5675 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5676 {
5677 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5678 int j;
5679 bool good = true;
5680
5681 VERIFY_PERMISSION(OPT_P_ECHO);
5682
5683 for (j = 1; j < MAX_PARMS; ++j)
5684 {
5685 if (!p[j])
5686 {
5687 break;
5688 }
5689 if (j > 1)
5690 {
5691 good &= buf_printf(&string, " ");
5692 }
5693 good &= buf_printf(&string, "%s", p[j]);
5694 }
5695 if (good)
5696 {
5697 /* only message-related ECHO are logged, since other ECHOs
5698 * can potentially include security-sensitive strings */
5699 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5700 {
5701 msg(M_INFO, "%s:%s",
5702 pull_mode ? "ECHO-PULL" : "ECHO",
5703 BSTR(&string));
5704 }
5705 #ifdef ENABLE_MANAGEMENT
5706 if (management)
5707 {
5708 management_echo(management, BSTR(&string), pull_mode);
5709 }
5710 #endif
5711 }
5712 else
5713 {
5714 msg(M_WARN, "echo/parameter option overflow");
5715 }
5716 }
5717 #ifdef ENABLE_MANAGEMENT
5718 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5719 {
5720 VERIFY_PERMISSION(OPT_P_GENERAL);
5721 if (streq(p[2], "unix"))
5722 {
5723 #if UNIX_SOCK_SUPPORT
5724 options->management_flags |= MF_UNIX_SOCK;
5725 #else
5726 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5727 goto err;
5728 #endif
5729 }
5730
5731 options->management_addr = p[1];
5732 options->management_port = p[2];
5733 if (p[3])
5734 {
5735 options->management_user_pass = p[3];
5736 }
5737 }
5738 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5739 {
5740 VERIFY_PERMISSION(OPT_P_GENERAL);
5741 options->management_client_user = p[1];
5742 }
5743 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5744 {
5745 VERIFY_PERMISSION(OPT_P_GENERAL);
5746 options->management_client_group = p[1];
5747 }
5748 else if (streq(p[0], "management-query-passwords") && !p[1])
5749 {
5750 VERIFY_PERMISSION(OPT_P_GENERAL);
5751 options->management_flags |= MF_QUERY_PASSWORDS;
5752 }
5753 else if (streq(p[0], "management-query-remote") && !p[1])
5754 {
5755 VERIFY_PERMISSION(OPT_P_GENERAL);
5756 options->management_flags |= MF_QUERY_REMOTE;
5757 }
5758 else if (streq(p[0], "management-query-proxy") && !p[1])
5759 {
5760 VERIFY_PERMISSION(OPT_P_GENERAL);
5761 options->management_flags |= MF_QUERY_PROXY;
5762 }
5763 else if (streq(p[0], "management-hold") && !p[1])
5764 {
5765 VERIFY_PERMISSION(OPT_P_GENERAL);
5766 options->management_flags |= MF_HOLD;
5767 }
5768 else if (streq(p[0], "management-signal") && !p[1])
5769 {
5770 VERIFY_PERMISSION(OPT_P_GENERAL);
5771 options->management_flags |= MF_SIGNAL;
5772 }
5773 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5774 {
5775 VERIFY_PERMISSION(OPT_P_GENERAL);
5776 options->management_flags |= MF_FORGET_DISCONNECT;
5777 }
5778 else if (streq(p[0], "management-up-down") && !p[1])
5779 {
5780 VERIFY_PERMISSION(OPT_P_GENERAL);
5781 options->management_flags |= MF_UP_DOWN;
5782 }
5783 else if (streq(p[0], "management-client") && !p[1])
5784 {
5785 VERIFY_PERMISSION(OPT_P_GENERAL);
5786 options->management_flags |= MF_CONNECT_AS_CLIENT;
5787 }
5788 #ifdef ENABLE_MANAGEMENT
5789 else if (streq(p[0], "management-external-key"))
5790 {
5791 VERIFY_PERMISSION(OPT_P_GENERAL);
5792 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5793 {
5794 if (streq(p[j], "nopadding"))
5795 {
5796 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5797 }
5798 else if (streq(p[j], "pkcs1"))
5799 {
5800 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5801 }
5802 else if (streq(p[j], "pss"))
5803 {
5804 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5805 }
5806 else if (streq(p[j], "digest"))
5807 {
5808 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5809 }
5810 else
5811 {
5812 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5813 }
5814 }
5815 /*
5816 * When no option is present, assume that only PKCS1
5817 * padding is supported
5818 */
5819 if (!(options->management_flags
5820 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5821 {
5822 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5823 }
5824 options->management_flags |= MF_EXTERNAL_KEY;
5825 }
5826 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5827 {
5828 VERIFY_PERMISSION(OPT_P_GENERAL);
5829 options->management_flags |= MF_EXTERNAL_CERT;
5830 options->management_certificate = p[1];
5831 }
5832 else if (streq(p[0], "management-client-auth") && !p[1])
5833 {
5834 VERIFY_PERMISSION(OPT_P_GENERAL);
5835 options->management_flags |= MF_CLIENT_AUTH;
5836 }
5837 #endif /* ifdef ENABLE_MANAGEMENT */
5838 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5839 {
5840 int cache;
5841
5842 VERIFY_PERMISSION(OPT_P_GENERAL);
5843 cache = atoi(p[1]);
5844 if (cache < 1)
5845 {
5846 msg(msglevel, "--management-log-cache parameter is out of range");
5847 goto err;
5848 }
5849 options->management_log_history_cache = cache;
5850 }
5851 #endif /* ifdef ENABLE_MANAGEMENT */
5852 #ifdef ENABLE_PLUGIN
5853 else if (streq(p[0], "plugin") && p[1])
5854 {
5855 VERIFY_PERMISSION(OPT_P_PLUGIN);
5856 if (!options->plugin_list)
5857 {
5858 options->plugin_list = plugin_option_list_new(&options->gc);
5859 }
5860 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5861 {
5862 msg(msglevel, "plugin add failed: %s", p[1]);
5863 goto err;
5864 }
5865 }
5866 #endif
5867 else if (streq(p[0], "mode") && p[1] && !p[2])
5868 {
5869 VERIFY_PERMISSION(OPT_P_GENERAL);
5870 if (streq(p[1], "p2p"))
5871 {
5872 options->mode = MODE_POINT_TO_POINT;
5873 }
5874 else if (streq(p[1], "server"))
5875 {
5876 options->mode = MODE_SERVER;
5877 }
5878 else
5879 {
5880 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5881 goto err;
5882 }
5883 }
5884 else if (streq(p[0], "dev") && p[1] && !p[2])
5885 {
5886 VERIFY_PERMISSION(OPT_P_GENERAL);
5887 options->dev = p[1];
5888 }
5889 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5890 {
5891 VERIFY_PERMISSION(OPT_P_GENERAL);
5892 options->dev_type = p[1];
5893 }
5894 #ifdef _WIN32
5895 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5896 {
5897 VERIFY_PERMISSION(OPT_P_GENERAL);
5898 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5899 }
5900 #endif
5901 else if (streq(p[0], "disable-dco"))
5902 {
5903 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
5904 options->tuntap_options.disable_dco = true;
5905 #endif
5906 }
5907 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5908 {
5909 VERIFY_PERMISSION(OPT_P_GENERAL);
5910 options->dev_node = p[1];
5911 }
5912 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5913 {
5914 VERIFY_PERMISSION(OPT_P_UP);
5915 if (mac_addr_safe(p[1])) /* MAC address only */
5916 {
5917 options->lladdr = p[1];
5918 }
5919 else
5920 {
5921 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5922 goto err;
5923 }
5924 }
5925 else if (streq(p[0], "topology") && p[1] && !p[2])
5926 {
5927 VERIFY_PERMISSION(OPT_P_UP);
5928 options->topology = parse_topology(p[1], msglevel);
5929 }
5930 else if (streq(p[0], "tun-ipv6") && !p[1])
5931 {
5932 if (!pull_mode)
5933 {
5934 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5935 }
5936 }
5937 #ifdef ENABLE_IPROUTE
5938 else if (streq(p[0], "iproute") && p[1] && !p[2])
5939 {
5940 VERIFY_PERMISSION(OPT_P_GENERAL);
5941 iproute_path = p[1];
5942 }
5943 #endif
5944 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5945 {
5946 VERIFY_PERMISSION(OPT_P_UP);
5947 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5948 {
5949 options->ifconfig_local = p[1];
5950 options->ifconfig_remote_netmask = p[2];
5951 }
5952 else
5953 {
5954 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5955 goto err;
5956 }
5957 }
5958 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5959 {
5960 unsigned int netbits;
5961
5962 VERIFY_PERMISSION(OPT_P_UP);
5963 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5964 && ipv6_addr_safe( p[2] ) )
5965 {
5966 if (netbits < 64 || netbits > 124)
5967 {
5968 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5969 goto err;
5970 }
5971
5972 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5973 options->ifconfig_ipv6_netbits = netbits;
5974 options->ifconfig_ipv6_remote = p[2];
5975 }
5976 else
5977 {
5978 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5979 goto err;
5980 }
5981 }
5982 else if (streq(p[0], "ifconfig-noexec") && !p[1])
5983 {
5984 VERIFY_PERMISSION(OPT_P_UP);
5985 options->ifconfig_noexec = true;
5986 }
5987 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5988 {
5989 VERIFY_PERMISSION(OPT_P_UP);
5990 options->ifconfig_nowarn = true;
5991 }
5992 else if (streq(p[0], "local") && p[1] && !p[2])
5993 {
5994 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5995 options->ce.local = p[1];
5996 }
5997 else if (streq(p[0], "remote-random") && !p[1])
5998 {
5999 VERIFY_PERMISSION(OPT_P_GENERAL);
6000 options->remote_random = true;
6001 }
6002 else if (streq(p[0], "connection") && p[1] && !p[3])
6003 {
6004 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6005 if (is_inline)
6006 {
6007 struct options sub;
6008 struct connection_entry *e;
6009
6010 init_options(&sub, true);
6011 sub.ce = options->ce;
6012 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6013 OPT_P_CONNECTION, option_types_found, es);
6014 if (!sub.ce.remote)
6015 {
6016 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6017 uninit_options(&sub);
6018 goto err;
6019 }
6020
6021 e = alloc_connection_entry(options, msglevel);
6022 if (!e)
6023 {
6024 uninit_options(&sub);
6025 goto err;
6026 }
6027 *e = sub.ce;
6028 gc_transfer(&options->gc, &sub.gc);
6029 uninit_options(&sub);
6030 }
6031 }
6032 else if (streq(p[0], "ignore-unknown-option") && p[1])
6033 {
6034 int i;
6035 int j;
6036 int numignored = 0;
6037 const char **ignore;
6038
6039 VERIFY_PERMISSION(OPT_P_GENERAL);
6040 /* Find out how many options to be ignored */
6041 for (i = 1; p[i]; i++)
6042 {
6043 numignored++;
6044 }
6045
6046 /* add number of options already ignored */
6047 for (i = 0; options->ignore_unknown_option
6048 && options->ignore_unknown_option[i]; i++)
6049 {
6050 numignored++;
6051 }
6052
6053 /* Allocate array */
6054 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6055 for (i = 0; options->ignore_unknown_option
6056 && options->ignore_unknown_option[i]; i++)
6057 {
6058 ignore[i] = options->ignore_unknown_option[i];
6059 }
6060
6061 options->ignore_unknown_option = ignore;
6062
6063 for (j = 1; p[j]; j++)
6064 {
6065 /* Allow the user to specify ignore-unknown-option --opt too */
6066 if (p[j][0]=='-' && p[j][1]=='-')
6067 {
6068 options->ignore_unknown_option[i] = (p[j]+2);
6069 }
6070 else
6071 {
6072 options->ignore_unknown_option[i] = p[j];
6073 }
6074 i++;
6075 }
6076
6077 options->ignore_unknown_option[i] = NULL;
6078 }
6079 #if ENABLE_MANAGEMENT
6080 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6081 {
6082 VERIFY_PERMISSION(OPT_P_GENERAL);
6083 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6084 if (!options->http_proxy_override)
6085 {
6086 goto err;
6087 }
6088 }
6089 #endif
6090 else if (streq(p[0], "remote") && p[1] && !p[4])
6091 {
6092 struct remote_entry re;
6093 re.remote = re.remote_port = NULL;
6094 re.proto = -1;
6095 re.af = 0;
6096
6097 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6098 re.remote = p[1];
6099 if (p[2])
6100 {
6101 re.remote_port = p[2];
6102 if (p[3])
6103 {
6104 const int proto = ascii2proto(p[3]);
6105 const sa_family_t af = ascii2af(p[3]);
6106 if (proto < 0)
6107 {
6108 msg(msglevel,
6109 "remote: bad protocol associated with host %s: '%s'",
6110 p[1], p[3]);
6111 goto err;
6112 }
6113 re.proto = proto;
6114 re.af = af;
6115 }
6116 }
6117 if (permission_mask & OPT_P_GENERAL)
6118 {
6119 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6120 if (!e)
6121 {
6122 goto err;
6123 }
6124 *e = re;
6125 }
6126 else if (permission_mask & OPT_P_CONNECTION)
6127 {
6128 connection_entry_load_re(&options->ce, &re);
6129 }
6130 }
6131 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6132 {
6133 VERIFY_PERMISSION(OPT_P_GENERAL);
6134 if (streq(p[1], "infinite"))
6135 {
6136 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6137 }
6138 else
6139 {
6140 options->resolve_retry_seconds = positive_atoi(p[1]);
6141 }
6142 }
6143 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6144 {
6145 VERIFY_PERMISSION(OPT_P_GENERAL);
6146 options->resolve_in_advance = true;
6147 /* Note the ip-remote-hint and the argument p[1] are for
6148 * backward compatibility */
6149 if (p[1])
6150 {
6151 options->ip_remote_hint = p[1];
6152 }
6153 }
6154 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6155 {
6156 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6157 options->ce.connect_retry_seconds = positive_atoi(p[1]);
6158 /*
6159 * Limit the base value of retry wait interval to 16 bits to avoid
6160 * overflow when scaled up for exponential backoff
6161 */
6162 if (options->ce.connect_retry_seconds > 0xFFFF)
6163 {
6164 options->ce.connect_retry_seconds = 0xFFFF;
6165 msg(M_WARN, "connect retry wait interval truncated to %d",
6166 options->ce.connect_retry_seconds);
6167 }
6168
6169 if (p[2])
6170 {
6171 options->ce.connect_retry_seconds_max =
6172 max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6173 }
6174 }
6175 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6176 && p[1] && !p[2])
6177 {
6178 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6179 options->ce.connect_timeout = positive_atoi(p[1]);
6180 }
6181 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6182 {
6183 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6184 options->connect_retry_max = positive_atoi(p[1]);
6185 }
6186 else if (streq(p[0], "ipchange") && p[1])
6187 {
6188 VERIFY_PERMISSION(OPT_P_SCRIPT);
6189 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6190 {
6191 goto err;
6192 }
6193 set_user_script(options,
6194 &options->ipchange,
6195 string_substitute(p[1], ',', ' ', &options->gc),
6196 "ipchange", true);
6197 }
6198 else if (streq(p[0], "float") && !p[1])
6199 {
6200 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6201 options->ce.remote_float = true;
6202 }
6203 #ifdef ENABLE_DEBUG
6204 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6205 {
6206 VERIFY_PERMISSION(OPT_P_GENERAL);
6207 options->gremlin = positive_atoi(p[1]);
6208 }
6209 #endif
6210 else if (streq(p[0], "chroot") && p[1] && !p[2])
6211 {
6212 VERIFY_PERMISSION(OPT_P_GENERAL);
6213 options->chroot_dir = p[1];
6214 }
6215 else if (streq(p[0], "cd") && p[1] && !p[2])
6216 {
6217 VERIFY_PERMISSION(OPT_P_GENERAL);
6218 if (platform_chdir(p[1]))
6219 {
6220 msg(M_ERR, "cd to '%s' failed", p[1]);
6221 goto err;
6222 }
6223 options->cd_dir = p[1];
6224 }
6225 #ifdef ENABLE_SELINUX
6226 else if (streq(p[0], "setcon") && p[1] && !p[2])
6227 {
6228 VERIFY_PERMISSION(OPT_P_GENERAL);
6229 options->selinux_context = p[1];
6230 }
6231 #endif
6232 else if (streq(p[0], "writepid") && p[1] && !p[2])
6233 {
6234 VERIFY_PERMISSION(OPT_P_GENERAL);
6235 options->writepid = p[1];
6236 }
6237 else if (streq(p[0], "up") && p[1])
6238 {
6239 VERIFY_PERMISSION(OPT_P_SCRIPT);
6240 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6241 {
6242 goto err;
6243 }
6244 set_user_script(options, &options->up_script, p[1], "up", false);
6245 }
6246 else if (streq(p[0], "down") && p[1])
6247 {
6248 VERIFY_PERMISSION(OPT_P_SCRIPT);
6249 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6250 {
6251 goto err;
6252 }
6253 set_user_script(options, &options->down_script, p[1], "down", true);
6254 }
6255 else if (streq(p[0], "down-pre") && !p[1])
6256 {
6257 VERIFY_PERMISSION(OPT_P_GENERAL);
6258 options->down_pre = true;
6259 }
6260 else if (streq(p[0], "up-delay") && !p[1])
6261 {
6262 VERIFY_PERMISSION(OPT_P_GENERAL);
6263 options->up_delay = true;
6264 }
6265 else if (streq(p[0], "up-restart") && !p[1])
6266 {
6267 VERIFY_PERMISSION(OPT_P_GENERAL);
6268 options->up_restart = true;
6269 }
6270 else if (streq(p[0], "syslog") && !p[2])
6271 {
6272 VERIFY_PERMISSION(OPT_P_GENERAL);
6273 open_syslog(p[1], false);
6274 }
6275 else if (streq(p[0], "daemon") && !p[2])
6276 {
6277 bool didit = false;
6278 VERIFY_PERMISSION(OPT_P_GENERAL);
6279 if (!options->daemon)
6280 {
6281 options->daemon = didit = true;
6282 open_syslog(p[1], false);
6283 }
6284 if (p[1])
6285 {
6286 if (!didit)
6287 {
6288 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6289 goto err;
6290 }
6291 }
6292 }
6293 else if (streq(p[0], "log") && p[1] && !p[2])
6294 {
6295 VERIFY_PERMISSION(OPT_P_GENERAL);
6296 options->log = true;
6297 redirect_stdout_stderr(p[1], false);
6298 }
6299 else if (streq(p[0], "suppress-timestamps") && !p[1])
6300 {
6301 VERIFY_PERMISSION(OPT_P_GENERAL);
6302 options->suppress_timestamps = true;
6303 set_suppress_timestamps(true);
6304 }
6305 else if (streq(p[0], "machine-readable-output") && !p[1])
6306 {
6307 VERIFY_PERMISSION(OPT_P_GENERAL);
6308 options->machine_readable_output = true;
6309 set_machine_readable_output(true);
6310 }
6311 else if (streq(p[0], "log-append") && p[1] && !p[2])
6312 {
6313 VERIFY_PERMISSION(OPT_P_GENERAL);
6314 options->log = true;
6315 redirect_stdout_stderr(p[1], true);
6316 }
6317 #ifdef ENABLE_MEMSTATS
6318 else if (streq(p[0], "memstats") && p[1] && !p[2])
6319 {
6320 VERIFY_PERMISSION(OPT_P_GENERAL);
6321 options->memstats_fn = p[1];
6322 }
6323 #endif
6324 else if (streq(p[0], "mlock") && !p[1])
6325 {
6326 VERIFY_PERMISSION(OPT_P_GENERAL);
6327 options->mlock = true;
6328 }
6329 #if ENABLE_IP_PKTINFO
6330 else if (streq(p[0], "multihome") && !p[1])
6331 {
6332 VERIFY_PERMISSION(OPT_P_GENERAL);
6333 options->sockflags |= SF_USE_IP_PKTINFO;
6334 }
6335 #endif
6336 else if (streq(p[0], "verb") && p[1] && !p[2])
6337 {
6338 VERIFY_PERMISSION(OPT_P_MESSAGES);
6339 options->verbosity = positive_atoi(p[1]);
6340 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6341 {
6342 /* We pass this flag to the SSL library to avoid
6343 * mbed TLS always generating debug level logging */
6344 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6345 }
6346 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6347 /* Warn when a debug verbosity is supplied when built without debug support */
6348 if (options->verbosity >= 7)
6349 {
6350 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6351 options->verbosity);
6352 }
6353 #endif
6354 }
6355 else if (streq(p[0], "mute") && p[1] && !p[2])
6356 {
6357 VERIFY_PERMISSION(OPT_P_MESSAGES);
6358 options->mute = positive_atoi(p[1]);
6359 }
6360 else if (streq(p[0], "errors-to-stderr") && !p[1])
6361 {
6362 VERIFY_PERMISSION(OPT_P_MESSAGES);
6363 errors_to_stderr();
6364 }
6365 else if (streq(p[0], "status") && p[1] && !p[3])
6366 {
6367 VERIFY_PERMISSION(OPT_P_GENERAL);
6368 options->status_file = p[1];
6369 if (p[2])
6370 {
6371 options->status_file_update_freq = positive_atoi(p[2]);
6372 }
6373 }
6374 else if (streq(p[0], "status-version") && p[1] && !p[2])
6375 {
6376 int version;
6377
6378 VERIFY_PERMISSION(OPT_P_GENERAL);
6379 version = atoi(p[1]);
6380 if (version < 1 || version > 3)
6381 {
6382 msg(msglevel, "--status-version must be 1 to 3");
6383 goto err;
6384 }
6385 options->status_file_version = version;
6386 }
6387 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6388 {
6389 VERIFY_PERMISSION(OPT_P_GENERAL);
6390 if (streq(p[1], "SIGHUP"))
6391 {
6392 options->remap_sigusr1 = SIGHUP;
6393 }
6394 else if (streq(p[1], "SIGTERM"))
6395 {
6396 options->remap_sigusr1 = SIGTERM;
6397 }
6398 else
6399 {
6400 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6401 goto err;
6402 }
6403 }
6404 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6405 {
6406 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6407 options->ce.link_mtu = positive_atoi(p[1]);
6408 options->ce.link_mtu_defined = true;
6409 }
6410 else if (streq(p[0], "tun-mtu") && p[1] && !p[2])
6411 {
6412 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6413 options->ce.tun_mtu = positive_atoi(p[1]);
6414 options->ce.tun_mtu_defined = true;
6415 }
6416 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6417 {
6418 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6419 options->ce.tun_mtu_extra = positive_atoi(p[1]);
6420 options->ce.tun_mtu_extra_defined = true;
6421 }
6422 #ifdef ENABLE_FRAGMENT
6423 else if (streq(p[0], "mtu-dynamic"))
6424 {
6425 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6426 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6427 goto err;
6428 }
6429 else if (streq(p[0], "fragment") && p[1] && !p[3])
6430 {
6431 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6432 options->ce.fragment = positive_atoi(p[1]);
6433
6434 if (p[2] && streq(p[2], "mtu"))
6435 {
6436 options->ce.fragment_encap = true;
6437 }
6438 else if (p[2])
6439 {
6440 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6441 }
6442 }
6443 #endif /* ifdef ENABLE_FRAGMENT */
6444 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6445 {
6446 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6447 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6448 }
6449 else if (streq(p[0], "mtu-test") && !p[1])
6450 {
6451 VERIFY_PERMISSION(OPT_P_GENERAL);
6452 options->mtu_test = true;
6453 }
6454 else if (streq(p[0], "nice") && p[1] && !p[2])
6455 {
6456 VERIFY_PERMISSION(OPT_P_NICE);
6457 options->nice = atoi(p[1]);
6458 }
6459 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6460 {
6461 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6462 options->rcvbuf = positive_atoi(p[1]);
6463 }
6464 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6465 {
6466 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6467 options->sndbuf = positive_atoi(p[1]);
6468 }
6469 else if (streq(p[0], "mark") && p[1] && !p[2])
6470 {
6471 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6472 VERIFY_PERMISSION(OPT_P_GENERAL);
6473 options->mark = atoi(p[1]);
6474 #endif
6475 }
6476 else if (streq(p[0], "socket-flags"))
6477 {
6478 int j;
6479 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6480 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6481 {
6482 if (streq(p[j], "TCP_NODELAY"))
6483 {
6484 options->sockflags |= SF_TCP_NODELAY;
6485 }
6486 else
6487 {
6488 msg(msglevel, "unknown socket flag: %s", p[j]);
6489 }
6490 }
6491 }
6492 #ifdef TARGET_LINUX
6493 else if (streq(p[0], "bind-dev") && p[1])
6494 {
6495 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6496 options->bind_dev = p[1];
6497 }
6498 #endif
6499 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6500 {
6501 VERIFY_PERMISSION(OPT_P_GENERAL);
6502 #ifdef TARGET_LINUX
6503 options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6504 #else
6505 msg(msglevel, "--txqueuelen not supported on this OS");
6506 goto err;
6507 #endif
6508 }
6509 else if (streq(p[0], "shaper") && p[1] && !p[2])
6510 {
6511 int shaper;
6512
6513 VERIFY_PERMISSION(OPT_P_SHAPER);
6514 shaper = atoi(p[1]);
6515 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6516 {
6517 msg(msglevel, "Bad shaper value, must be between %d and %d",
6518 SHAPER_MIN, SHAPER_MAX);
6519 goto err;
6520 }
6521 options->shaper = shaper;
6522 }
6523 else if (streq(p[0], "port") && p[1] && !p[2])
6524 {
6525 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6526 options->ce.local_port = options->ce.remote_port = p[1];
6527 }
6528 else if (streq(p[0], "lport") && p[1] && !p[2])
6529 {
6530 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6531 options->ce.local_port_defined = true;
6532 options->ce.local_port = p[1];
6533 }
6534 else if (streq(p[0], "rport") && p[1] && !p[2])
6535 {
6536 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6537 options->ce.remote_port = p[1];
6538 }
6539 else if (streq(p[0], "bind") && !p[2])
6540 {
6541 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6542 options->ce.bind_defined = true;
6543 if (p[1] && streq(p[1], "ipv6only"))
6544 {
6545 options->ce.bind_ipv6_only = true;
6546 }
6547
6548 }
6549 else if (streq(p[0], "nobind") && !p[1])
6550 {
6551 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6552 options->ce.bind_local = false;
6553 }
6554 else if (streq(p[0], "fast-io") && !p[1])
6555 {
6556 VERIFY_PERMISSION(OPT_P_GENERAL);
6557 options->fast_io = true;
6558 }
6559 else if (streq(p[0], "inactive") && p[1] && !p[3])
6560 {
6561 VERIFY_PERMISSION(OPT_P_TIMER);
6562 options->inactivity_timeout = positive_atoi(p[1]);
6563 if (p[2])
6564 {
6565 int64_t val = atoll(p[2]);
6566 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6567 if (options->inactivity_minimum_bytes > INT_MAX)
6568 {
6569 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6570 " >2 Gbyte was silently ignored in older versions. If "
6571 " your VPN exits unexpectedly with 'Inactivity timeout'"
6572 " in %d seconds, revisit this value.",
6573 options->inactivity_timeout );
6574 }
6575 }
6576 }
6577 else if (streq(p[0], "proto") && p[1] && !p[2])
6578 {
6579 int proto;
6580 sa_family_t af;
6581 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6582 proto = ascii2proto(p[1]);
6583 af = ascii2af(p[1]);
6584 if (proto < 0)
6585 {
6586 msg(msglevel,
6587 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6588 p[1],
6589 proto2ascii_all(&gc));
6590 goto err;
6591 }
6592 options->ce.proto = proto;
6593 options->ce.af = af;
6594 }
6595 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6596 {
6597 int proto_force;
6598 VERIFY_PERMISSION(OPT_P_GENERAL);
6599 proto_force = ascii2proto(p[1]);
6600 if (proto_force < 0)
6601 {
6602 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6603 goto err;
6604 }
6605 options->proto_force = proto_force;
6606 }
6607 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6608 {
6609 struct http_proxy_options *ho;
6610
6611 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6612
6613 {
6614 if (!p[2])
6615 {
6616 msg(msglevel, "http-proxy port number not defined");
6617 goto err;
6618 }
6619
6620 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6621
6622 ho->server = p[1];
6623 ho->port = p[2];
6624 }
6625
6626 if (p[3])
6627 {
6628 /* auto -- try to figure out proxy addr, port, and type automatically */
6629 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6630 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6631 if (streq(p[3], "auto"))
6632 {
6633 ho->auth_retry = PAR_ALL;
6634 }
6635 else if (streq(p[3], "auto-nct"))
6636 {
6637 ho->auth_retry = PAR_NCT;
6638 }
6639 else
6640 {
6641 ho->auth_method_string = "basic";
6642 ho->auth_file = p[3];
6643
6644 if (p[4])
6645 {
6646 ho->auth_method_string = p[4];
6647 }
6648 }
6649 }
6650 else
6651 {
6652 ho->auth_method_string = "none";
6653 }
6654 }
6655 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6656 {
6657 struct http_proxy_options *ho;
6658 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6659 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6660 ho->auth_file = p[1];
6661 ho->inline_creds = is_inline;
6662 }
6663 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6664 {
6665 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6666 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6667 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6668 "Use connect-retry-max 1 to get a similar behavior as before.");
6669 }
6670 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6671 {
6672 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6673 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6674 "server is established is managed with a single timeout set by connect-timeout");
6675 }
6676 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6677 {
6678 struct http_proxy_options *ho;
6679
6680 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6681 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6682
6683 if (streq(p[1], "VERSION") && p[2] && !p[3])
6684 {
6685 ho->http_version = p[2];
6686 }
6687 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6688 {
6689 ho->user_agent = p[2];
6690 }
6691 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6692 && p[2])
6693 {
6694 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6695 * with either two argument or one */
6696
6697 struct http_custom_header *custom_header = NULL;
6698 int i;
6699 /* Find the first free header */
6700 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6701 {
6702 if (!ho->custom_headers[i].name)
6703 {
6704 custom_header = &ho->custom_headers[i];
6705 break;
6706 }
6707 }
6708 if (!custom_header)
6709 {
6710 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6711 }
6712 else
6713 {
6714 /* We will save p[2] and p[3], the proxy code will detect if
6715 * p[3] is NULL */
6716 custom_header->name = p[2];
6717 custom_header->content = p[3];
6718 }
6719 }
6720 else
6721 {
6722 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6723 }
6724 }
6725 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6726 {
6727 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6728
6729 if (p[2])
6730 {
6731 options->ce.socks_proxy_port = p[2];
6732 }
6733 else
6734 {
6735 options->ce.socks_proxy_port = "1080";
6736 }
6737 options->ce.socks_proxy_server = p[1];
6738 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6739 }
6740 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6741 {
6742 VERIFY_PERMISSION(OPT_P_GENERAL);
6743 options->keepalive_ping = atoi(p[1]);
6744 options->keepalive_timeout = atoi(p[2]);
6745 }
6746 else if (streq(p[0], "ping") && p[1] && !p[2])
6747 {
6748 VERIFY_PERMISSION(OPT_P_TIMER);
6749 options->ping_send_timeout = positive_atoi(p[1]);
6750 }
6751 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6752 {
6753 VERIFY_PERMISSION(OPT_P_TIMER);
6754 options->ping_rec_timeout = positive_atoi(p[1]);
6755 options->ping_rec_timeout_action = PING_EXIT;
6756 }
6757 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6758 {
6759 VERIFY_PERMISSION(OPT_P_TIMER);
6760 options->ping_rec_timeout = positive_atoi(p[1]);
6761 options->ping_rec_timeout_action = PING_RESTART;
6762 }
6763 else if (streq(p[0], "ping-timer-rem") && !p[1])
6764 {
6765 VERIFY_PERMISSION(OPT_P_TIMER);
6766 options->ping_timer_remote = true;
6767 }
6768 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6769 {
6770 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6771 if (p[1])
6772 {
6773 options->ce.explicit_exit_notification = positive_atoi(p[1]);
6774 }
6775 else
6776 {
6777 options->ce.explicit_exit_notification = 1;
6778 }
6779 }
6780 else if (streq(p[0], "persist-tun") && !p[1])
6781 {
6782 VERIFY_PERMISSION(OPT_P_PERSIST);
6783 options->persist_tun = true;
6784 }
6785 else if (streq(p[0], "persist-key") && !p[1])
6786 {
6787 VERIFY_PERMISSION(OPT_P_PERSIST);
6788 options->persist_key = true;
6789 }
6790 else if (streq(p[0], "persist-local-ip") && !p[1])
6791 {
6792 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6793 options->persist_local_ip = true;
6794 }
6795 else if (streq(p[0], "persist-remote-ip") && !p[1])
6796 {
6797 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6798 options->persist_remote_ip = true;
6799 }
6800 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6801 {
6802 VERIFY_PERMISSION(OPT_P_ROUTE);
6803 cnol_check_alloc(options);
6804 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6805 }
6806 else if (streq(p[0], "route") && p[1] && !p[5])
6807 {
6808 VERIFY_PERMISSION(OPT_P_ROUTE);
6809 rol_check_alloc(options);
6810 if (pull_mode)
6811 {
6812 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6813 {
6814 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6815 goto err;
6816 }
6817 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6818 {
6819 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6820 goto err;
6821 }
6822 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
6823 {
6824 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
6825 goto err;
6826 }
6827 }
6828 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
6829 }
6830 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6831 {
6832 VERIFY_PERMISSION(OPT_P_ROUTE);
6833 rol6_check_alloc(options);
6834 if (pull_mode)
6835 {
6836 if (!ipv6_addr_safe_hexplusbits(p[1]))
6837 {
6838 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
6839 goto err;
6840 }
6841 if (p[2] && !ipv6_addr_safe(p[2]))
6842 {
6843 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
6844 goto err;
6845 }
6846 /* p[3] is metric, if present */
6847 }
6848 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
6849 }
6850 else if (streq(p[0], "max-routes") && !p[2])
6851 {
6852 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
6853 "The number of routes is unlimited as of OpenVPN 2.4. "
6854 "This option will be removed in a future version, "
6855 "please remove it from your configuration.");
6856 }
6857 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6858 {
6859 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6860 if (streq(p[1], "dhcp"))
6861 {
6862 options->route_gateway_via_dhcp = true;
6863 }
6864 else
6865 {
6866 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6867 {
6868 options->route_default_gateway = p[1];
6869 }
6870 else
6871 {
6872 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6873 goto err;
6874 }
6875 }
6876 }
6877 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6878 {
6879 if (ipv6_addr_safe(p[1]))
6880 {
6881 options->route_ipv6_default_gateway = p[1];
6882 }
6883 else
6884 {
6885 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6886 goto err;
6887 }
6888 }
6889 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6890 {
6891 VERIFY_PERMISSION(OPT_P_ROUTE);
6892 options->route_default_metric = positive_atoi(p[1]);
6893 }
6894 else if (streq(p[0], "route-delay") && !p[3])
6895 {
6896 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6897 options->route_delay_defined = true;
6898 if (p[1])
6899 {
6900 options->route_delay = positive_atoi(p[1]);
6901 if (p[2])
6902 {
6903 options->route_delay_window = positive_atoi(p[2]);
6904 }
6905 }
6906 else
6907 {
6908 options->route_delay = 0;
6909 }
6910 }
6911 else if (streq(p[0], "route-up") && p[1])
6912 {
6913 VERIFY_PERMISSION(OPT_P_SCRIPT);
6914 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6915 {
6916 goto err;
6917 }
6918 set_user_script(options, &options->route_script, p[1], "route-up", false);
6919 }
6920 else if (streq(p[0], "route-pre-down") && p[1])
6921 {
6922 VERIFY_PERMISSION(OPT_P_SCRIPT);
6923 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6924 {
6925 goto err;
6926 }
6927 set_user_script(options,
6928 &options->route_predown_script,
6929 p[1],
6930 "route-pre-down", true);
6931 }
6932 else if (streq(p[0], "route-noexec") && !p[1])
6933 {
6934 VERIFY_PERMISSION(OPT_P_SCRIPT);
6935 options->route_noexec = true;
6936 }
6937 else if (streq(p[0], "route-nopull") && !p[1])
6938 {
6939 VERIFY_PERMISSION(OPT_P_GENERAL);
6940 options->route_nopull = true;
6941 }
6942 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
6943 {
6944 struct pull_filter *f;
6945 VERIFY_PERMISSION(OPT_P_GENERAL)
6946 f = alloc_pull_filter(options, msglevel);
6947
6948 if (strcmp("accept", p[1]) == 0)
6949 {
6950 f->type = PUF_TYPE_ACCEPT;
6951 }
6952 else if (strcmp("ignore", p[1]) == 0)
6953 {
6954 f->type = PUF_TYPE_IGNORE;
6955 }
6956 else if (strcmp("reject", p[1]) == 0)
6957 {
6958 f->type = PUF_TYPE_REJECT;
6959 }
6960 else
6961 {
6962 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
6963 goto err;
6964 }
6965 f->pattern = p[2];
6966 f->size = strlen(p[2]);
6967 }
6968 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
6969 {
6970 VERIFY_PERMISSION(OPT_P_GENERAL);
6971 options->allow_pull_fqdn = true;
6972 }
6973 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
6974 {
6975 int j;
6976 VERIFY_PERMISSION(OPT_P_ROUTE);
6977 rol_check_alloc(options);
6978
6979 if (options->routes->flags & RG_ENABLE)
6980 {
6981 msg(M_WARN,
6982 "WARNING: You have specified redirect-gateway and "
6983 "redirect-private at the same time (or the same option "
6984 "multiple times). This is not well supported and may lead to "
6985 "unexpected results");
6986 }
6987
6988 options->routes->flags |= RG_ENABLE;
6989
6990 if (streq(p[0], "redirect-gateway"))
6991 {
6992 options->routes->flags |= RG_REROUTE_GW;
6993 }
6994 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6995 {
6996 if (streq(p[j], "local"))
6997 {
6998 options->routes->flags |= RG_LOCAL;
6999 }
7000 else if (streq(p[j], "autolocal"))
7001 {
7002 options->routes->flags |= RG_AUTO_LOCAL;
7003 }
7004 else if (streq(p[j], "def1"))
7005 {
7006 options->routes->flags |= RG_DEF1;
7007 }
7008 else if (streq(p[j], "bypass-dhcp"))
7009 {
7010 options->routes->flags |= RG_BYPASS_DHCP;
7011 }
7012 else if (streq(p[j], "bypass-dns"))
7013 {
7014 options->routes->flags |= RG_BYPASS_DNS;
7015 }
7016 else if (streq(p[j], "block-local"))
7017 {
7018 options->routes->flags |= RG_BLOCK_LOCAL;
7019 }
7020 else if (streq(p[j], "ipv6"))
7021 {
7022 rol6_check_alloc(options);
7023 options->routes_ipv6->flags |= RG_REROUTE_GW;
7024 }
7025 else if (streq(p[j], "!ipv4"))
7026 {
7027 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7028 }
7029 else
7030 {
7031 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7032 goto err;
7033 }
7034 }
7035 #ifdef _WIN32
7036 /* we need this here to handle pushed --redirect-gateway */
7037 remap_redirect_gateway_flags(options);
7038 #endif
7039 }
7040 else if (streq(p[0], "block-ipv6") && !p[1])
7041 {
7042 VERIFY_PERMISSION(OPT_P_ROUTE);
7043 options->block_ipv6 = true;
7044 }
7045 else if (streq(p[0], "remote-random-hostname") && !p[1])
7046 {
7047 VERIFY_PERMISSION(OPT_P_GENERAL);
7048 options->sockflags |= SF_HOST_RANDOMIZE;
7049 }
7050 else if (streq(p[0], "setenv") && p[1] && !p[3])
7051 {
7052 VERIFY_PERMISSION(OPT_P_GENERAL);
7053 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7054 {
7055 options->sockflags |= SF_HOST_RANDOMIZE;
7056 }
7057 else if (streq(p[1], "GENERIC_CONFIG"))
7058 {
7059 msg(msglevel, "this is a generic configuration and cannot directly be used");
7060 goto err;
7061 }
7062 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7063 {
7064 options->push_peer_info = true;
7065 }
7066 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7067 {
7068 options->ce.connect_timeout = positive_atoi(p[2]);
7069 }
7070 else
7071 {
7072 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7073 {
7074 options->forward_compatible = true;
7075 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7076 }
7077 setenv_str(es, p[1], p[2] ? p[2] : "");
7078 }
7079 }
7080 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7081 {
7082 unsigned int major, minor, patch;
7083 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7084 {
7085 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7086 p[1]);
7087 goto err;
7088 }
7089
7090 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7091 }
7092 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7093 {
7094 VERIFY_PERMISSION(OPT_P_SETENV);
7095 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7096 }
7097 else if (streq(p[0], "script-security") && p[1] && !p[2])
7098 {
7099 VERIFY_PERMISSION(OPT_P_GENERAL);
7100 script_security_set(atoi(p[1]));
7101 }
7102 else if (streq(p[0], "mssfix") && !p[3])
7103 {
7104 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7105 if (p[1])
7106 {
7107 /* value specified, assume encapsulation is not
7108 * included unless "mtu" follows later */
7109 options->ce.mssfix = positive_atoi(p[1]);
7110 options->ce.mssfix_encap = false;
7111 options->ce.mssfix_default = false;
7112 }
7113 else
7114 {
7115 /* Set MTU to default values */
7116 options->ce.mssfix_default = true;
7117 options->ce.mssfix_encap = true;
7118 options->ce.mssfix_fixed = false;
7119 }
7120
7121 if (p[2] && streq(p[2], "mtu"))
7122 {
7123 options->ce.mssfix_encap = true;
7124 }
7125 else if (p[2] && streq(p[2], "fixed"))
7126 {
7127 options->ce.mssfix_fixed = true;
7128 }
7129 else if (p[2])
7130 {
7131 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7132 }
7133 }
7134 else if (streq(p[0], "disable-occ") && !p[1])
7135 {
7136 VERIFY_PERMISSION(OPT_P_GENERAL);
7137 options->occ = false;
7138 }
7139 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7140 {
7141 const int lev = M_WARN;
7142 bool error = false;
7143 in_addr_t network, netmask;
7144
7145 VERIFY_PERMISSION(OPT_P_GENERAL);
7146 network = get_ip_addr(p[1], lev, &error);
7147 netmask = get_ip_addr(p[2], lev, &error);
7148 if (error || !network || !netmask)
7149 {
7150 msg(msglevel, "error parsing --server parameters");
7151 goto err;
7152 }
7153 options->server_defined = true;
7154 options->server_network = network;
7155 options->server_netmask = netmask;
7156
7157 if (p[3])
7158 {
7159 if (streq(p[3], "nopool"))
7160 {
7161 options->server_flags |= SF_NOPOOL;
7162 }
7163 else
7164 {
7165 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7166 goto err;
7167 }
7168 }
7169 }
7170 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7171 {
7172 const int lev = M_WARN;
7173 struct in6_addr network;
7174 unsigned int netbits = 0;
7175
7176 VERIFY_PERMISSION(OPT_P_GENERAL);
7177 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7178 {
7179 msg(msglevel, "error parsing --server-ipv6 parameter");
7180 goto err;
7181 }
7182 if (netbits < 64 || netbits > 124)
7183 {
7184 msg(msglevel,
7185 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7186 netbits);
7187
7188 goto err;
7189 }
7190 options->server_ipv6_defined = true;
7191 options->server_network_ipv6 = network;
7192 options->server_netbits_ipv6 = netbits;
7193 }
7194 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7195 {
7196 const int lev = M_WARN;
7197 bool error = false;
7198 in_addr_t ip, netmask, pool_start, pool_end;
7199
7200 VERIFY_PERMISSION(OPT_P_GENERAL);
7201 ip = get_ip_addr(p[1], lev, &error);
7202 netmask = get_ip_addr(p[2], lev, &error);
7203 pool_start = get_ip_addr(p[3], lev, &error);
7204 pool_end = get_ip_addr(p[4], lev, &error);
7205 if (error || !ip || !netmask || !pool_start || !pool_end)
7206 {
7207 msg(msglevel, "error parsing --server-bridge parameters");
7208 goto err;
7209 }
7210 options->server_bridge_defined = true;
7211 options->server_bridge_ip = ip;
7212 options->server_bridge_netmask = netmask;
7213 options->server_bridge_pool_start = pool_start;
7214 options->server_bridge_pool_end = pool_end;
7215 }
7216 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7217 {
7218 VERIFY_PERMISSION(OPT_P_GENERAL);
7219 options->server_bridge_proxy_dhcp = true;
7220 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7221 }
7222 else if (streq(p[0], "server-bridge") && !p[1])
7223 {
7224 VERIFY_PERMISSION(OPT_P_GENERAL);
7225 options->server_bridge_proxy_dhcp = true;
7226 }
7227 else if (streq(p[0], "push") && p[1] && !p[2])
7228 {
7229 VERIFY_PERMISSION(OPT_P_PUSH);
7230 push_options(options, &p[1], msglevel, &options->gc);
7231 }
7232 else if (streq(p[0], "push-reset") && !p[1])
7233 {
7234 VERIFY_PERMISSION(OPT_P_INSTANCE);
7235 push_reset(options);
7236 }
7237 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7238 {
7239 VERIFY_PERMISSION(OPT_P_INSTANCE);
7240 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7241 push_remove_option(options, p[1]);
7242 }
7243 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7244 {
7245 const int lev = M_WARN;
7246 bool error = false;
7247 in_addr_t start, end, netmask = 0;
7248
7249 VERIFY_PERMISSION(OPT_P_GENERAL);
7250 start = get_ip_addr(p[1], lev, &error);
7251 end = get_ip_addr(p[2], lev, &error);
7252 if (p[3])
7253 {
7254 netmask = get_ip_addr(p[3], lev, &error);
7255 }
7256 if (error)
7257 {
7258 msg(msglevel, "error parsing --ifconfig-pool parameters");
7259 goto err;
7260 }
7261 if (!ifconfig_pool_verify_range(msglevel, start, end))
7262 {
7263 goto err;
7264 }
7265
7266 options->ifconfig_pool_defined = true;
7267 options->ifconfig_pool_start = start;
7268 options->ifconfig_pool_end = end;
7269 if (netmask)
7270 {
7271 options->ifconfig_pool_netmask = netmask;
7272 }
7273 }
7274 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7275 {
7276 VERIFY_PERMISSION(OPT_P_GENERAL);
7277 options->ifconfig_pool_persist_filename = p[1];
7278 if (p[2])
7279 {
7280 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7281 }
7282 }
7283 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7284 {
7285 const int lev = M_WARN;
7286 struct in6_addr network;
7287 unsigned int netbits = 0;
7288
7289 VERIFY_PERMISSION(OPT_P_GENERAL);
7290 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7291 {
7292 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7293 goto err;
7294 }
7295 if (netbits < 64 || netbits > 124)
7296 {
7297 msg(msglevel,
7298 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7299 netbits);
7300 goto err;
7301 }
7302
7303 options->ifconfig_ipv6_pool_defined = true;
7304 options->ifconfig_ipv6_pool_base = network;
7305 options->ifconfig_ipv6_pool_netbits = netbits;
7306 }
7307 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7308 {
7309 int real, virtual;
7310
7311 VERIFY_PERMISSION(OPT_P_GENERAL);
7312 real = atoi(p[1]);
7313 virtual = atoi(p[2]);
7314 if (real < 1 || virtual < 1)
7315 {
7316 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7317 goto err;
7318 }
7319 options->real_hash_size = real;
7320 options->virtual_hash_size = real;
7321 }
7322 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7323 {
7324 int cf_max, cf_per;
7325
7326 VERIFY_PERMISSION(OPT_P_GENERAL);
7327 cf_max = atoi(p[1]);
7328 cf_per = atoi(p[2]);
7329 if (cf_max < 0 || cf_per < 0)
7330 {
7331 msg(msglevel, "--connect-freq parms must be > 0");
7332 goto err;
7333 }
7334 options->cf_max = cf_max;
7335 options->cf_per = cf_per;
7336 }
7337 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7338 {
7339 int max_clients;
7340
7341 VERIFY_PERMISSION(OPT_P_GENERAL);
7342 max_clients = atoi(p[1]);
7343 if (max_clients < 0)
7344 {
7345 msg(msglevel, "--max-clients must be at least 1");
7346 goto err;
7347 }
7348 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7349 {
7350 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7351 goto err;
7352 }
7353 options->max_clients = max_clients;
7354 }
7355 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7356 {
7357 VERIFY_PERMISSION(OPT_P_INHERIT);
7358 options->max_routes_per_client = max_int(atoi(p[1]), 1);
7359 }
7360 else if (streq(p[0], "client-cert-not-required") && !p[1])
7361 {
7362 VERIFY_PERMISSION(OPT_P_GENERAL);
7363 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7364 }
7365 else if (streq(p[0], "verify-client-cert") && !p[2])
7366 {
7367 VERIFY_PERMISSION(OPT_P_GENERAL);
7368
7369 /* Reset any existing flags */
7370 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7371 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7372 if (p[1])
7373 {
7374 if (streq(p[1], "none"))
7375 {
7376 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7377 }
7378 else if (streq(p[1], "optional"))
7379 {
7380 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7381 }
7382 else if (!streq(p[1], "require"))
7383 {
7384 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7385 goto err;
7386 }
7387 }
7388 }
7389 else if (streq(p[0], "username-as-common-name") && !p[1])
7390 {
7391 VERIFY_PERMISSION(OPT_P_GENERAL);
7392 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7393 }
7394 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7395 {
7396 VERIFY_PERMISSION(OPT_P_GENERAL);
7397 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7398 }
7399 else if (streq(p[0], "opt-verify") && !p[1])
7400 {
7401 VERIFY_PERMISSION(OPT_P_GENERAL);
7402 options->ssl_flags |= SSLF_OPT_VERIFY;
7403 }
7404 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7405 {
7406 VERIFY_PERMISSION(OPT_P_SCRIPT);
7407 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7408 {
7409 goto err;
7410 }
7411 if (p[2])
7412 {
7413 if (streq(p[2], "via-env"))
7414 {
7415 options->auth_user_pass_verify_script_via_file = false;
7416 }
7417 else if (streq(p[2], "via-file"))
7418 {
7419 options->auth_user_pass_verify_script_via_file = true;
7420 }
7421 else
7422 {
7423 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7424 goto err;
7425 }
7426 }
7427 else
7428 {
7429 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7430 goto err;
7431 }
7432 set_user_script(options,
7433 &options->auth_user_pass_verify_script,
7434 p[1], "auth-user-pass-verify", true);
7435 }
7436 else if (streq(p[0], "auth-gen-token") && !p[3])
7437 {
7438 VERIFY_PERMISSION(OPT_P_GENERAL);
7439 options->auth_token_generate = true;
7440 options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7441 if (p[2])
7442 {
7443 if (streq(p[2], "external-auth"))
7444 {
7445 options->auth_token_call_auth = true;
7446 }
7447 else
7448 {
7449 msg(msglevel, "Invalid argument to auth-gen-token: %s", p[2]);
7450 }
7451 }
7452
7453 }
7454 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7455 {
7456 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7457 options->auth_token_secret_file = p[1];
7458 options->auth_token_secret_file_inline = is_inline;
7459
7460 }
7461 else if (streq(p[0], "client-connect") && p[1])
7462 {
7463 VERIFY_PERMISSION(OPT_P_SCRIPT);
7464 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7465 {
7466 goto err;
7467 }
7468 set_user_script(options, &options->client_connect_script,
7469 p[1], "client-connect", true);
7470 }
7471 else if (streq(p[0], "client-disconnect") && p[1])
7472 {
7473 VERIFY_PERMISSION(OPT_P_SCRIPT);
7474 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7475 {
7476 goto err;
7477 }
7478 set_user_script(options, &options->client_disconnect_script,
7479 p[1], "client-disconnect", true);
7480 }
7481 else if (streq(p[0], "learn-address") && p[1])
7482 {
7483 VERIFY_PERMISSION(OPT_P_SCRIPT);
7484 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7485 {
7486 goto err;
7487 }
7488 set_user_script(options, &options->learn_address_script,
7489 p[1], "learn-address", true);
7490 }
7491 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7492 {
7493 VERIFY_PERMISSION(OPT_P_GENERAL);
7494 options->tmp_dir = p[1];
7495 }
7496 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7497 {
7498 VERIFY_PERMISSION(OPT_P_GENERAL);
7499 options->client_config_dir = p[1];
7500 }
7501 else if (streq(p[0], "ccd-exclusive") && !p[1])
7502 {
7503 VERIFY_PERMISSION(OPT_P_GENERAL);
7504 options->ccd_exclusive = true;
7505 }
7506 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7507 {
7508 int n_bcast_buf;
7509
7510 VERIFY_PERMISSION(OPT_P_GENERAL);
7511 n_bcast_buf = atoi(p[1]);
7512 if (n_bcast_buf < 1)
7513 {
7514 msg(msglevel, "--bcast-buffers parameter must be > 0");
7515 }
7516 options->n_bcast_buf = n_bcast_buf;
7517 }
7518 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7519 {
7520 int tcp_queue_limit;
7521
7522 VERIFY_PERMISSION(OPT_P_GENERAL);
7523 tcp_queue_limit = atoi(p[1]);
7524 if (tcp_queue_limit < 1)
7525 {
7526 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7527 }
7528 options->tcp_queue_limit = tcp_queue_limit;
7529 }
7530 #if PORT_SHARE
7531 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7532 {
7533 VERIFY_PERMISSION(OPT_P_GENERAL);
7534 options->port_share_host = p[1];
7535 options->port_share_port = p[2];
7536 options->port_share_journal_dir = p[3];
7537 }
7538 #endif
7539 else if (streq(p[0], "client-to-client") && !p[1])
7540 {
7541 VERIFY_PERMISSION(OPT_P_GENERAL);
7542 options->enable_c2c = true;
7543 }
7544 else if (streq(p[0], "duplicate-cn") && !p[1])
7545 {
7546 VERIFY_PERMISSION(OPT_P_GENERAL);
7547 options->duplicate_cn = true;
7548 }
7549 else if (streq(p[0], "iroute") && p[1] && !p[3])
7550 {
7551 VERIFY_PERMISSION(OPT_P_INSTANCE);
7552 option_iroute(options, p[1], p[2], msglevel);
7553 }
7554 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7555 {
7556 VERIFY_PERMISSION(OPT_P_INSTANCE);
7557 option_iroute_ipv6(options, p[1], msglevel);
7558 }
7559 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7560 {
7561 in_addr_t local, remote_netmask;
7562
7563 VERIFY_PERMISSION(OPT_P_INSTANCE);
7564 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7565 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7566 if (local && remote_netmask)
7567 {
7568 options->push_ifconfig_defined = true;
7569 options->push_ifconfig_local = local;
7570 options->push_ifconfig_remote_netmask = remote_netmask;
7571 if (p[3])
7572 {
7573 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7574 }
7575 }
7576 else
7577 {
7578 msg(msglevel, "cannot parse --ifconfig-push addresses");
7579 goto err;
7580 }
7581 }
7582 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7583 {
7584 in_addr_t network, netmask;
7585
7586 VERIFY_PERMISSION(OPT_P_GENERAL);
7587 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7588 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7589 if (network && netmask)
7590 {
7591 options->push_ifconfig_constraint_defined = true;
7592 options->push_ifconfig_constraint_network = network;
7593 options->push_ifconfig_constraint_netmask = netmask;
7594 }
7595 else
7596 {
7597 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7598 goto err;
7599 }
7600 }
7601 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7602 {
7603 struct in6_addr local, remote;
7604 unsigned int netbits;
7605
7606 VERIFY_PERMISSION(OPT_P_INSTANCE);
7607
7608 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7609 {
7610 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7611 goto err;
7612 }
7613
7614 if (p[2])
7615 {
7616 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7617 {
7618 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7619 goto err;
7620 }
7621 }
7622 else
7623 {
7624 if (!options->ifconfig_ipv6_local
7625 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7626 NULL, msglevel ) )
7627 {
7628 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7629 goto err;
7630 }
7631 }
7632
7633 options->push_ifconfig_ipv6_defined = true;
7634 options->push_ifconfig_ipv6_local = local;
7635 options->push_ifconfig_ipv6_netbits = netbits;
7636 options->push_ifconfig_ipv6_remote = remote;
7637 options->push_ifconfig_ipv6_blocked = false;
7638 }
7639 else if (streq(p[0], "disable") && !p[1])
7640 {
7641 VERIFY_PERMISSION(OPT_P_INSTANCE);
7642 options->disable = true;
7643 }
7644 else if (streq(p[0], "tcp-nodelay") && !p[1])
7645 {
7646 VERIFY_PERMISSION(OPT_P_GENERAL);
7647 options->server_flags |= SF_TCP_NODELAY_HELPER;
7648 }
7649 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7650 {
7651 int ageing_time, check_interval;
7652
7653 VERIFY_PERMISSION(OPT_P_GENERAL);
7654 ageing_time = atoi(p[1]);
7655 if (p[2])
7656 {
7657 check_interval = atoi(p[2]);
7658 }
7659 else
7660 {
7661 check_interval = ageing_time;
7662 }
7663
7664 if (ageing_time < 1 || check_interval < 1)
7665 {
7666 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7667 goto err;
7668 }
7669 options->stale_routes_ageing_time = ageing_time;
7670 options->stale_routes_check_interval = check_interval;
7671 }
7672
7673 else if (streq(p[0], "client") && !p[1])
7674 {
7675 VERIFY_PERMISSION(OPT_P_GENERAL);
7676 options->client = true;
7677 }
7678 else if (streq(p[0], "pull") && !p[1])
7679 {
7680 VERIFY_PERMISSION(OPT_P_GENERAL);
7681 options->pull = true;
7682 }
7683 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7684 {
7685 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7686 options->push_continuation = atoi(p[1]);
7687 }
7688 else if (streq(p[0], "auth-user-pass") && !p[2])
7689 {
7690 VERIFY_PERMISSION(OPT_P_GENERAL);
7691 if (p[1])
7692 {
7693 options->auth_user_pass_file = p[1];
7694 }
7695 else
7696 {
7697 options->auth_user_pass_file = "stdin";
7698 }
7699 }
7700 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7701 {
7702 VERIFY_PERMISSION(OPT_P_GENERAL);
7703 auth_retry_set(msglevel, p[1]);
7704 }
7705 #ifdef ENABLE_MANAGEMENT
7706 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7707 {
7708 VERIFY_PERMISSION(OPT_P_GENERAL);
7709 options->sc_info.challenge_text = p[1];
7710 if (atoi(p[2]))
7711 {
7712 options->sc_info.flags |= SC_ECHO;
7713 }
7714 }
7715 #endif
7716 else if (streq(p[0], "msg-channel") && p[1])
7717 {
7718 #ifdef _WIN32
7719 VERIFY_PERMISSION(OPT_P_GENERAL);
7720 HANDLE process = GetCurrentProcess();
7721 HANDLE handle = (HANDLE) atoll(p[1]);
7722 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7723 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7724 {
7725 msg(msglevel, "could not duplicate service pipe handle");
7726 goto err;
7727 }
7728 options->route_method = ROUTE_METHOD_SERVICE;
7729 #else /* ifdef _WIN32 */
7730 msg(msglevel, "--msg-channel is only supported on Windows");
7731 goto err;
7732 #endif
7733 }
7734 #ifdef _WIN32
7735 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7736 {
7737 VERIFY_PERMISSION(OPT_P_GENERAL);
7738 if (streq(p[1], "env"))
7739 {
7740 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7741 "This entry will now be ignored. "
7742 "Please remove this entry from your configuration file.");
7743 }
7744 else
7745 {
7746 set_win_sys_path(p[1], es);
7747 }
7748 }
7749 else if (streq(p[0], "route-method") && p[1] && !p[2])
7750 {
7751 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7752 if (streq(p[1], "adaptive"))
7753 {
7754 options->route_method = ROUTE_METHOD_ADAPTIVE;
7755 }
7756 else if (streq(p[1], "ipapi"))
7757 {
7758 options->route_method = ROUTE_METHOD_IPAPI;
7759 }
7760 else if (streq(p[1], "exe"))
7761 {
7762 options->route_method = ROUTE_METHOD_EXE;
7763 }
7764 else
7765 {
7766 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7767 goto err;
7768 }
7769 }
7770 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7771 {
7772 const int index = ascii2ipset(p[1]);
7773 struct tuntap_options *to = &options->tuntap_options;
7774
7775 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7776
7777 if (index < 0)
7778 {
7779 msg(msglevel,
7780 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7781 p[1],
7782 ipset2ascii_all(&gc));
7783 goto err;
7784 }
7785
7786 if (index == IPW32_SET_ADAPTIVE)
7787 {
7788 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7789 }
7790
7791 if (index == IPW32_SET_DHCP_MASQ)
7792 {
7793 if (p[2])
7794 {
7795 if (!streq(p[2], "default"))
7796 {
7797 int offset = atoi(p[2]);
7798
7799 if (!(offset > -256 && offset < 256))
7800 {
7801 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
7802 goto err;
7803 }
7804
7805 to->dhcp_masq_custom_offset = true;
7806 to->dhcp_masq_offset = offset;
7807 }
7808
7809 if (p[3])
7810 {
7811 const int min_lease = 30;
7812 int lease_time;
7813 lease_time = atoi(p[3]);
7814 if (lease_time < min_lease)
7815 {
7816 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
7817 goto err;
7818 }
7819 to->dhcp_lease_time = lease_time;
7820 }
7821 }
7822 }
7823 to->ip_win32_type = index;
7824 to->ip_win32_defined = true;
7825 }
7826 #endif /* ifdef _WIN32 */
7827 else if (streq(p[0], "dns") && p[1])
7828 {
7829 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7830
7831 if (streq(p[1], "search-domains") && p[2])
7832 {
7833 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
7834 }
7835 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
7836 {
7837 long priority;
7838 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
7839 {
7840 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
7841 goto err;
7842 }
7843
7844 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
7845
7846 if (streq(p[3], "address") && !p[6])
7847 {
7848 for (int i = 4; p[i]; i++)
7849 {
7850 if (!dns_server_addr_parse(server, p[i]))
7851 {
7852 msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]);
7853 goto err;
7854 }
7855 }
7856 }
7857 else if (streq(p[3], "resolve-domains"))
7858 {
7859 if (server->domain_type == DNS_EXCLUDE_DOMAINS)
7860 {
7861 msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority);
7862 goto err;
7863 }
7864 server->domain_type = DNS_RESOLVE_DOMAINS;
7865 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
7866 }
7867 else if (streq(p[3], "exclude-domains"))
7868 {
7869 if (server->domain_type == DNS_RESOLVE_DOMAINS)
7870 {
7871 msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority);
7872 goto err;
7873 }
7874 server->domain_type = DNS_EXCLUDE_DOMAINS;
7875 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
7876 }
7877 else if (streq(p[3], "dnssec") && !p[5])
7878 {
7879 if (streq(p[4], "yes"))
7880 {
7881 server->dnssec = DNS_SECURITY_YES;
7882 }
7883 else if (streq(p[4], "no"))
7884 {
7885 server->dnssec = DNS_SECURITY_NO;
7886 }
7887 else if (streq(p[4], "optional"))
7888 {
7889 server->dnssec = DNS_SECURITY_OPTIONAL;
7890 }
7891 else
7892 {
7893 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
7894 goto err;
7895 }
7896 }
7897 else if (streq(p[3], "transport") && !p[5])
7898 {
7899 if (streq(p[4], "plain"))
7900 {
7901 server->transport = DNS_TRANSPORT_PLAIN;
7902 }
7903 else if (streq(p[4], "DoH"))
7904 {
7905 server->transport = DNS_TRANSPORT_HTTPS;
7906 }
7907 else if (streq(p[4], "DoT"))
7908 {
7909 server->transport = DNS_TRANSPORT_TLS;
7910 }
7911 else
7912 {
7913 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
7914 goto err;
7915 }
7916 }
7917 else if (streq(p[3], "sni") && !p[5])
7918 {
7919 server->sni = p[4];
7920 }
7921 else
7922 {
7923 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
7924 goto err;
7925 }
7926 }
7927 else
7928 {
7929 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
7930 goto err;
7931 }
7932 }
7933 #if defined(_WIN32) || defined(TARGET_ANDROID)
7934 else if (streq(p[0], "dhcp-option") && p[1])
7935 {
7936 struct tuntap_options *o = &options->tuntap_options;
7937 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7938 bool ipv6dns = false;
7939
7940 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
7941 && p[2] && !p[3])
7942 {
7943 o->domain = p[2];
7944 }
7945 else if (streq(p[1], "NBS") && p[2] && !p[3])
7946 {
7947 o->netbios_scope = p[2];
7948 }
7949 else if (streq(p[1], "NBT") && p[2] && !p[3])
7950 {
7951 int t;
7952 t = atoi(p[2]);
7953 if (!(t == 1 || t == 2 || t == 4 || t == 8))
7954 {
7955 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
7956 goto err;
7957 }
7958 o->netbios_node_type = t;
7959 }
7960 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
7961 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
7962 {
7963 if (strstr(p[2], ":"))
7964 {
7965 ipv6dns = true;
7966 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
7967 }
7968 else
7969 {
7970 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
7971 }
7972 }
7973 else if (streq(p[1], "WINS") && p[2] && !p[3])
7974 {
7975 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
7976 }
7977 else if (streq(p[1], "NTP") && p[2] && !p[3])
7978 {
7979 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
7980 }
7981 else if (streq(p[1], "NBDD") && p[2] && !p[3])
7982 {
7983 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
7984 }
7985 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
7986 {
7987 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
7988 {
7989 o->domain_search_list[o->domain_search_list_len++] = p[2];
7990 }
7991 else
7992 {
7993 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
7994 p[1], N_SEARCH_LIST_LEN);
7995 }
7996 }
7997 else if (streq(p[1], "DISABLE-NBT") && !p[2])
7998 {
7999 o->disable_nbt = 1;
8000 }
8001 #if defined(TARGET_ANDROID)
8002 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8003 {
8004 o->http_proxy_port = atoi(p[3]);
8005 o->http_proxy = p[2];
8006 }
8007 #endif
8008 else
8009 {
8010 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8011 goto err;
8012 }
8013
8014 /* flag that we have options to give to the TAP driver's DHCPv4 server
8015 * - skipped for "DNS6", as that's not a DHCPv4 option
8016 */
8017 if (!ipv6dns)
8018 {
8019 o->dhcp_options = true;
8020 }
8021 }
8022 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8023 #ifdef _WIN32
8024 else if (streq(p[0], "show-adapters") && !p[1])
8025 {
8026 VERIFY_PERMISSION(OPT_P_GENERAL);
8027 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8028 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8029 }
8030 else if (streq(p[0], "show-net") && !p[1])
8031 {
8032 VERIFY_PERMISSION(OPT_P_GENERAL);
8033 show_routes(M_INFO|M_NOPREFIX);
8034 show_adapters(M_INFO|M_NOPREFIX);
8035 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8036 }
8037 else if (streq(p[0], "show-net-up") && !p[1])
8038 {
8039 VERIFY_PERMISSION(OPT_P_UP);
8040 options->show_net_up = true;
8041 }
8042 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8043 {
8044 int s;
8045 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8046 s = atoi(p[1]);
8047 if (s < 0 || s >= 256)
8048 {
8049 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8050 goto err;
8051 }
8052 options->tuntap_options.tap_sleep = s;
8053 }
8054 else if (streq(p[0], "dhcp-renew") && !p[1])
8055 {
8056 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8057 options->tuntap_options.dhcp_renew = true;
8058 }
8059 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8060 {
8061 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8062 options->tuntap_options.dhcp_pre_release = true;
8063 options->tuntap_options.dhcp_renew = true;
8064 }
8065 else if (streq(p[0], "dhcp-release") && !p[1])
8066 {
8067 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8068 }
8069 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8070 {
8071 unsigned int adapter_index;
8072 VERIFY_PERMISSION(OPT_P_GENERAL);
8073 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8074 adapter_index = atou(p[1]);
8075 sleep(options->tuntap_options.tap_sleep);
8076 if (options->tuntap_options.dhcp_pre_release)
8077 {
8078 dhcp_release_by_adapter_index(adapter_index);
8079 }
8080 if (options->tuntap_options.dhcp_renew)
8081 {
8082 dhcp_renew_by_adapter_index(adapter_index);
8083 }
8084 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8085 }
8086 else if (streq(p[0], "register-dns") && !p[1])
8087 {
8088 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8089 options->tuntap_options.register_dns = true;
8090 }
8091 else if (streq(p[0], "block-outside-dns") && !p[1])
8092 {
8093 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8094 options->block_outside_dns = true;
8095 }
8096 else if (streq(p[0], "rdns-internal") && !p[1])
8097 /* standalone method for internal use
8098 *
8099 * (if --register-dns is set, openvpn needs to call itself in a
8100 * sub-process to execute the required functions in a non-blocking
8101 * way, and uses --rdns-internal to signal that to itself)
8102 */
8103 {
8104 VERIFY_PERMISSION(OPT_P_GENERAL);
8105 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8106 if (options->tuntap_options.register_dns)
8107 {
8108 ipconfig_register_dns(NULL);
8109 }
8110 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8111 }
8112 else if (streq(p[0], "show-valid-subnets") && !p[1])
8113 {
8114 VERIFY_PERMISSION(OPT_P_GENERAL);
8115 show_valid_win32_tun_subnets();
8116 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8117 }
8118 else if (streq(p[0], "pause-exit") && !p[1])
8119 {
8120 VERIFY_PERMISSION(OPT_P_GENERAL);
8121 set_pause_exit_win32();
8122 }
8123 else if (streq(p[0], "service") && p[1] && !p[3])
8124 {
8125 VERIFY_PERMISSION(OPT_P_GENERAL);
8126 options->exit_event_name = p[1];
8127 if (p[2])
8128 {
8129 options->exit_event_initial_state = (atoi(p[2]) != 0);
8130 }
8131 }
8132 else if (streq(p[0], "allow-nonadmin") && !p[2])
8133 {
8134 VERIFY_PERMISSION(OPT_P_GENERAL);
8135 tap_allow_nonadmin_access(p[1]);
8136 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8137 }
8138 else if (streq(p[0], "user") && p[1] && !p[2])
8139 {
8140 VERIFY_PERMISSION(OPT_P_GENERAL);
8141 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8142 }
8143 else if (streq(p[0], "group") && p[1] && !p[2])
8144 {
8145 VERIFY_PERMISSION(OPT_P_GENERAL);
8146 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8147 }
8148 #else /* ifdef _WIN32 */
8149 else if (streq(p[0], "user") && p[1] && !p[2])
8150 {
8151 VERIFY_PERMISSION(OPT_P_GENERAL);
8152 options->username = p[1];
8153 }
8154 else if (streq(p[0], "group") && p[1] && !p[2])
8155 {
8156 VERIFY_PERMISSION(OPT_P_GENERAL);
8157 options->groupname = p[1];
8158 }
8159 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8160 {
8161 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8162 setenv_foreign_option(options, (const char **)p, 3, es);
8163 }
8164 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8165 {
8166 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8167 }
8168 #endif /* ifdef _WIN32 */
8169 #if PASSTOS_CAPABILITY
8170 else if (streq(p[0], "passtos") && !p[1])
8171 {
8172 VERIFY_PERMISSION(OPT_P_GENERAL);
8173 options->passtos = true;
8174 }
8175 #endif
8176 #if defined(USE_COMP)
8177 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8178 {
8179 VERIFY_PERMISSION(OPT_P_GENERAL);
8180
8181 if (streq(p[1], "no"))
8182 {
8183 options->comp.flags =
8184 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8185 if (comp_non_stub_enabled(&options->comp))
8186 {
8187 msg(msglevel, "'--allow-compression no' conflicts with "
8188 " enabling compression");
8189 }
8190 }
8191 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8192 {
8193 /* Also printed on a push to hint at configuration problems */
8194 msg(msglevel, "Cannot set allow-compression to '%s' "
8195 "after set to 'no'", p[1]);
8196 goto err;
8197 }
8198 else if (streq(p[1], "asym"))
8199 {
8200 options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8201 options->comp.flags |= COMP_F_ALLOW_ASYM;
8202 }
8203 else if (streq(p[1], "yes"))
8204 {
8205 msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8206 "been used in the past to break encryption. Allowing compression allows "
8207 "attacks that break encryption. Using \"--allow-compression yes\" is "
8208 "strongly discouraged for common usage. See --compress in the manual "
8209 "page for more information ");
8210
8211 options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8212 }
8213 else
8214 {
8215 msg(msglevel, "bad allow-compression option: %s -- "
8216 "must be 'yes', 'no', or 'asym'", p[1]);
8217 goto err;
8218 }
8219 }
8220 else if (streq(p[0], "comp-lzo") && !p[2])
8221 {
8222 VERIFY_PERMISSION(OPT_P_COMP);
8223
8224 /* All lzo variants do not use swap */
8225 options->comp.flags &= ~COMP_F_SWAP;
8226 #if defined(ENABLE_LZO)
8227 if (p[1] && streq(p[1], "no"))
8228 #endif
8229 {
8230 options->comp.alg = COMP_ALG_STUB;
8231 options->comp.flags &= ~COMP_F_ADAPTIVE;
8232 }
8233 #if defined(ENABLE_LZO)
8234 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8235 {
8236 /* Also printed on a push to hint at configuration problems */
8237 msg(msglevel, "Cannot set comp-lzo to '%s', "
8238 "allow-compression is set to 'no'", p[1]);
8239 goto err;
8240 }
8241 else if (p[1])
8242 {
8243 if (streq(p[1], "yes"))
8244 {
8245 options->comp.alg = COMP_ALG_LZO;
8246 options->comp.flags &= ~COMP_F_ADAPTIVE;
8247 }
8248 else if (streq(p[1], "adaptive"))
8249 {
8250 options->comp.alg = COMP_ALG_LZO;
8251 options->comp.flags |= COMP_F_ADAPTIVE;
8252 }
8253 else
8254 {
8255 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8256 goto err;
8257 }
8258 }
8259 else
8260 {
8261 options->comp.alg = COMP_ALG_LZO;
8262 options->comp.flags |= COMP_F_ADAPTIVE;
8263 }
8264 show_compression_warning(&options->comp);
8265 #endif /* if defined(ENABLE_LZO) */
8266 }
8267 else if (streq(p[0], "comp-noadapt") && !p[1])
8268 {
8269 /*
8270 * We do not need to check here if we allow compression since
8271 * it only modifies a flag if compression is enabled
8272 */
8273 VERIFY_PERMISSION(OPT_P_COMP);
8274 options->comp.flags &= ~COMP_F_ADAPTIVE;
8275 }
8276 else if (streq(p[0], "compress") && !p[2])
8277 {
8278 VERIFY_PERMISSION(OPT_P_COMP);
8279 if (p[1])
8280 {
8281 if (streq(p[1], "stub"))
8282 {
8283 options->comp.alg = COMP_ALG_STUB;
8284 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8285 }
8286 else if (streq(p[1], "stub-v2"))
8287 {
8288 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8289 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8290 }
8291 else if (streq(p[1], "migrate"))
8292 {
8293 options->comp.alg = COMP_ALG_UNDEF;
8294 options->comp.flags = COMP_F_MIGRATE;
8295
8296 }
8297 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8298 {
8299 /* Also printed on a push to hint at configuration problems */
8300 msg(msglevel, "Cannot set compress to '%s', "
8301 "allow-compression is set to 'no'", p[1]);
8302 goto err;
8303 }
8304 #if defined(ENABLE_LZO)
8305 else if (streq(p[1], "lzo"))
8306 {
8307 options->comp.alg = COMP_ALG_LZO;
8308 options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8309 }
8310 #endif
8311 #if defined(ENABLE_LZ4)
8312 else if (streq(p[1], "lz4"))
8313 {
8314 options->comp.alg = COMP_ALG_LZ4;
8315 options->comp.flags |= COMP_F_SWAP;
8316 }
8317 else if (streq(p[1], "lz4-v2"))
8318 {
8319 options->comp.alg = COMP_ALGV2_LZ4;
8320 }
8321 #endif
8322 else
8323 {
8324 msg(msglevel, "bad comp option: %s", p[1]);
8325 goto err;
8326 }
8327 }
8328 else
8329 {
8330 options->comp.alg = COMP_ALG_STUB;
8331 options->comp.flags |= COMP_F_SWAP;
8332 }
8333 show_compression_warning(&options->comp);
8334 }
8335 #endif /* USE_COMP */
8336 else if (streq(p[0], "show-ciphers") && !p[1])
8337 {
8338 VERIFY_PERMISSION(OPT_P_GENERAL);
8339 options->show_ciphers = true;
8340 }
8341 else if (streq(p[0], "show-digests") && !p[1])
8342 {
8343 VERIFY_PERMISSION(OPT_P_GENERAL);
8344 options->show_digests = true;
8345 }
8346 else if (streq(p[0], "show-engines") && !p[1])
8347 {
8348 VERIFY_PERMISSION(OPT_P_GENERAL);
8349 options->show_engines = true;
8350 }
8351 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8352 {
8353 int key_direction;
8354
8355 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8356
8357 key_direction = ascii2keydirection(msglevel, p[1]);
8358 if (key_direction >= 0)
8359 {
8360 if (permission_mask & OPT_P_GENERAL)
8361 {
8362 options->key_direction = key_direction;
8363 }
8364 else if (permission_mask & OPT_P_CONNECTION)
8365 {
8366 options->ce.key_direction = key_direction;
8367 }
8368 }
8369 else
8370 {
8371 goto err;
8372 }
8373 }
8374 else if (streq(p[0], "secret") && p[1] && !p[3])
8375 {
8376 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8377 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8378 options->shared_secret_file = p[1];
8379 options->shared_secret_file_inline = is_inline;
8380 if (!is_inline && p[2])
8381 {
8382 int key_direction;
8383
8384 key_direction = ascii2keydirection(msglevel, p[2]);
8385 if (key_direction >= 0)
8386 {
8387 options->key_direction = key_direction;
8388 }
8389 else
8390 {
8391 goto err;
8392 }
8393 }
8394 }
8395 else if (streq(p[0], "genkey") && !p[4])
8396 {
8397 VERIFY_PERMISSION(OPT_P_GENERAL);
8398 options->genkey = true;
8399 if (!p[1])
8400 {
8401 options->genkey_type = GENKEY_SECRET;
8402 }
8403 else
8404 {
8405 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8406 || streq(p[1], "tls-crypt"))
8407 {
8408 options->genkey_type = GENKEY_SECRET;
8409 }
8410 else if (streq(p[1], "tls-crypt-v2-server"))
8411 {
8412 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8413 }
8414 else if (streq(p[1], "tls-crypt-v2-client"))
8415 {
8416 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8417 if (p[3])
8418 {
8419 options->genkey_extra_data = p[3];
8420 }
8421 }
8422 else if (streq(p[1], "auth-token"))
8423 {
8424 options->genkey_type = GENKEY_AUTH_TOKEN;
8425 }
8426 else
8427 {
8428 msg(msglevel, "unknown --genkey type: %s", p[1]);
8429 }
8430
8431 }
8432 if (p[2])
8433 {
8434 options->genkey_filename = p[2];
8435 }
8436 }
8437 else if (streq(p[0], "auth") && p[1] && !p[2])
8438 {
8439 VERIFY_PERMISSION(OPT_P_GENERAL);
8440 options->authname = p[1];
8441 }
8442 else if (streq(p[0], "cipher") && p[1] && !p[2])
8443 {
8444 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8445 options->ciphername = p[1];
8446 }
8447 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8448 {
8449 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8450 options->ciphername = p[1];
8451 options->enable_ncp_fallback = true;
8452 }
8453 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8454 && p[1] && !p[2])
8455 {
8456 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8457 if (streq(p[0], "ncp-ciphers"))
8458 {
8459 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8460 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8461 }
8462 options->ncp_ciphers = p[1];
8463 }
8464 else if (streq(p[0], "key-derivation") && p[1])
8465 {
8466 VERIFY_PERMISSION(OPT_P_NCP)
8467 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8468 if (streq(p[1], "tls-ekm"))
8469 {
8470 options->data_channel_crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8471 }
8472 else
8473 #endif
8474 {
8475 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8476 }
8477 }
8478 else if (streq(p[0], "prng") && p[1] && !p[3])
8479 {
8480 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8481 }
8482 else if (streq(p[0], "no-replay") && !p[1])
8483 {
8484 VERIFY_PERMISSION(OPT_P_GENERAL);
8485 options->replay = false;
8486 }
8487 else if (streq(p[0], "replay-window") && !p[3])
8488 {
8489 VERIFY_PERMISSION(OPT_P_GENERAL);
8490 if (p[1])
8491 {
8492 int replay_window;
8493
8494 replay_window = atoi(p[1]);
8495 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8496 {
8497 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8498 replay_window,
8499 MIN_SEQ_BACKTRACK,
8500 MAX_SEQ_BACKTRACK);
8501 goto err;
8502 }
8503 options->replay_window = replay_window;
8504
8505 if (p[2])
8506 {
8507 int replay_time;
8508
8509 replay_time = atoi(p[2]);
8510 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8511 {
8512 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8513 replay_time,
8514 MIN_TIME_BACKTRACK,
8515 MAX_TIME_BACKTRACK);
8516 goto err;
8517 }
8518 options->replay_time = replay_time;
8519 }
8520 }
8521 else
8522 {
8523 msg(msglevel, "replay-window option is missing window size parameter");
8524 goto err;
8525 }
8526 }
8527 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8528 {
8529 VERIFY_PERMISSION(OPT_P_GENERAL);
8530 options->mute_replay_warnings = true;
8531 }
8532 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8533 {
8534 VERIFY_PERMISSION(OPT_P_GENERAL);
8535 options->packet_id_file = p[1];
8536 }
8537 else if (streq(p[0], "test-crypto") && !p[1])
8538 {
8539 VERIFY_PERMISSION(OPT_P_GENERAL);
8540 options->test_crypto = true;
8541 }
8542 #ifndef ENABLE_CRYPTO_MBEDTLS
8543 else if (streq(p[0], "engine") && !p[2])
8544 {
8545 VERIFY_PERMISSION(OPT_P_GENERAL);
8546 if (p[1])
8547 {
8548 options->engine = p[1];
8549 }
8550 else
8551 {
8552 options->engine = "auto";
8553 }
8554 }
8555 #endif /* ENABLE_CRYPTO_MBEDTLS */
8556 else if (streq(p[0], "providers") && p[1])
8557 {
8558 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8559 {
8560 options->providers.names[j] = p[j];
8561 }
8562 }
8563 #ifdef ENABLE_PREDICTION_RESISTANCE
8564 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8565 {
8566 VERIFY_PERMISSION(OPT_P_GENERAL);
8567 options->use_prediction_resistance = true;
8568 }
8569 #endif
8570 else if (streq(p[0], "show-tls") && !p[1])
8571 {
8572 VERIFY_PERMISSION(OPT_P_GENERAL);
8573 options->show_tls_ciphers = true;
8574 }
8575 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8576 {
8577 VERIFY_PERMISSION(OPT_P_GENERAL);
8578 options->show_curves = true;
8579 }
8580 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8581 {
8582 VERIFY_PERMISSION(OPT_P_GENERAL);
8583 msg(M_WARN, "Consider setting groups/curves preference with "
8584 "tls-groups instead of forcing a specific curve with "
8585 "ecdh-curve.");
8586 options->ecdh_curve = p[1];
8587 }
8588 else if (streq(p[0], "tls-server") && !p[1])
8589 {
8590 VERIFY_PERMISSION(OPT_P_GENERAL);
8591 options->tls_server = true;
8592 }
8593 else if (streq(p[0], "tls-client") && !p[1])
8594 {
8595 VERIFY_PERMISSION(OPT_P_GENERAL);
8596 options->tls_client = true;
8597 }
8598 else if (streq(p[0], "ca") && p[1] && !p[2])
8599 {
8600 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8601 options->ca_file = p[1];
8602 options->ca_file_inline = is_inline;
8603 }
8604 #ifndef ENABLE_CRYPTO_MBEDTLS
8605 else if (streq(p[0], "capath") && p[1] && !p[2])
8606 {
8607 VERIFY_PERMISSION(OPT_P_GENERAL);
8608 options->ca_path = p[1];
8609 }
8610 #endif /* ENABLE_CRYPTO_MBEDTLS */
8611 else if (streq(p[0], "dh") && p[1] && !p[2])
8612 {
8613 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8614 options->dh_file = p[1];
8615 options->dh_file_inline = is_inline;
8616 }
8617 else if (streq(p[0], "cert") && p[1] && !p[2])
8618 {
8619 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8620 options->cert_file = p[1];
8621 options->cert_file_inline = is_inline;
8622 }
8623 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8624 {
8625 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8626 options->extra_certs_file = p[1];
8627 options->extra_certs_file_inline = is_inline;
8628 }
8629 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8630 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8631 {
8632 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8633
8634 int verify_hash_depth = 0;
8635 if (streq(p[0], "verify-hash"))
8636 {
8637 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8638 "You should switch to the either use the level 1 certificate as "
8639 "--ca option, use --tls-verify or use --peer-fingerprint");
8640 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8641 verify_hash_depth = 1;
8642 }
8643
8644 options->verify_hash_algo = MD_SHA256;
8645
8646 int digest_len = SHA256_DIGEST_LENGTH;
8647
8648 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8649 {
8650 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8651 " --peer-fingerprint are mutually exclusive", p[0]);
8652 goto err;
8653 }
8654
8655 if (streq(p[0], "verify-hash"))
8656 {
8657 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8658 {
8659 options->verify_hash_algo = MD_SHA1;
8660 digest_len = SHA_DIGEST_LENGTH;
8661 }
8662 else if (p[2] && !streq(p[2], "SHA256"))
8663 {
8664 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8665 "(only SHA1 and SHA256 are supported)", p[2]);
8666 goto err;
8667 }
8668 }
8669
8670 struct verify_hash_list *newlist;
8671 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8672 msglevel, &options->gc);
8673
8674 /* Append the new list to the end of our current list */
8675 if (!options->verify_hash)
8676 {
8677 options->verify_hash = newlist;
8678 options->verify_hash_depth = verify_hash_depth;
8679 }
8680 else
8681 {
8682 /* since both the old and new list can have multiple entries
8683 * we need to go to the end of one of them to concatenate them */
8684 struct verify_hash_list *listend = options->verify_hash;
8685 while (listend->next)
8686 {
8687 listend = listend->next;
8688 }
8689 listend->next = newlist;
8690 }
8691 }
8692 #ifdef ENABLE_CRYPTOAPI
8693 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8694 {
8695 VERIFY_PERMISSION(OPT_P_GENERAL);
8696 options->cryptoapi_cert = p[1];
8697 }
8698 #endif
8699 else if (streq(p[0], "key") && p[1] && !p[2])
8700 {
8701 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8702 options->priv_key_file = p[1];
8703 options->priv_key_file_inline = is_inline;
8704 }
8705 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8706 {
8707 int ver;
8708 VERIFY_PERMISSION(OPT_P_GENERAL);
8709 ver = tls_version_parse(p[1], p[2]);
8710 if (ver == TLS_VER_BAD)
8711 {
8712 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8713 goto err;
8714 }
8715 options->ssl_flags &=
8716 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8717 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8718 }
8719 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8720 {
8721 int ver;
8722 VERIFY_PERMISSION(OPT_P_GENERAL);
8723 ver = tls_version_parse(p[1], NULL);
8724 if (ver == TLS_VER_BAD)
8725 {
8726 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8727 goto err;
8728 }
8729 options->ssl_flags &=
8730 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8731 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8732 }
8733 #ifndef ENABLE_CRYPTO_MBEDTLS
8734 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8735 {
8736 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8737 options->pkcs12_file = p[1];
8738 options->pkcs12_file_inline = is_inline;
8739 }
8740 #endif /* ENABLE_CRYPTO_MBEDTLS */
8741 else if (streq(p[0], "askpass") && !p[2])
8742 {
8743 VERIFY_PERMISSION(OPT_P_GENERAL);
8744 if (p[1])
8745 {
8746 options->key_pass_file = p[1];
8747 }
8748 else
8749 {
8750 options->key_pass_file = "stdin";
8751 }
8752 }
8753 else if (streq(p[0], "auth-nocache") && !p[1])
8754 {
8755 VERIFY_PERMISSION(OPT_P_GENERAL);
8756 ssl_set_auth_nocache();
8757 }
8758 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8759 {
8760 VERIFY_PERMISSION(OPT_P_ECHO);
8761 ssl_set_auth_token(p[1]);
8762 #ifdef ENABLE_MANAGEMENT
8763 if (management)
8764 {
8765 management_auth_token(management, p[1]);
8766 }
8767 #endif
8768 }
8769 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8770 {
8771 VERIFY_PERMISSION(OPT_P_ECHO);
8772 ssl_set_auth_token_user(p[1]);
8773 }
8774 else if (streq(p[0], "single-session") && !p[1])
8775 {
8776 VERIFY_PERMISSION(OPT_P_GENERAL);
8777 options->single_session = true;
8778 }
8779 else if (streq(p[0], "push-peer-info") && !p[1])
8780 {
8781 VERIFY_PERMISSION(OPT_P_GENERAL);
8782 options->push_peer_info = true;
8783 }
8784 else if (streq(p[0], "tls-exit") && !p[1])
8785 {
8786 VERIFY_PERMISSION(OPT_P_GENERAL);
8787 options->tls_exit = true;
8788 }
8789 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8790 {
8791 VERIFY_PERMISSION(OPT_P_GENERAL);
8792 options->cipher_list = p[1];
8793 }
8794 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8795 {
8796 VERIFY_PERMISSION(OPT_P_GENERAL);
8797 options->tls_cert_profile = p[1];
8798 }
8799 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8800 {
8801 VERIFY_PERMISSION(OPT_P_GENERAL);
8802 options->cipher_list_tls13 = p[1];
8803 }
8804 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8805 {
8806 VERIFY_PERMISSION(OPT_P_GENERAL);
8807 options->tls_groups = p[1];
8808 }
8809 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
8810 || !p[2]))
8811 {
8812 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8813 if (p[2] && streq(p[2], "dir"))
8814 {
8815 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8816 }
8817 options->crl_file = p[1];
8818 options->crl_file_inline = is_inline;
8819 }
8820 else if (streq(p[0], "tls-verify") && p[1])
8821 {
8822 VERIFY_PERMISSION(OPT_P_SCRIPT);
8823 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8824 {
8825 goto err;
8826 }
8827 set_user_script(options, &options->tls_verify,
8828 string_substitute(p[1], ',', ' ', &options->gc),
8829 "tls-verify", true);
8830 }
8831 #ifndef ENABLE_CRYPTO_MBEDTLS
8832 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8833 {
8834 VERIFY_PERMISSION(OPT_P_GENERAL);
8835 options->tls_export_cert = p[1];
8836 }
8837 #endif
8838 else if (streq(p[0], "compat-names"))
8839 {
8840 VERIFY_PERMISSION(OPT_P_GENERAL);
8841 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8842 "Update your configuration.");
8843 goto err;
8844 }
8845 else if (streq(p[0], "no-name-remapping") && !p[1])
8846 {
8847 VERIFY_PERMISSION(OPT_P_GENERAL);
8848 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8849 "Update your configuration.");
8850 goto err;
8851 }
8852 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8853 {
8854 int type = VERIFY_X509_SUBJECT_DN;
8855 VERIFY_PERMISSION(OPT_P_GENERAL);
8856 if (p[2])
8857 {
8858 if (streq(p[2], "subject"))
8859 {
8860 type = VERIFY_X509_SUBJECT_DN;
8861 }
8862 else if (streq(p[2], "name"))
8863 {
8864 type = VERIFY_X509_SUBJECT_RDN;
8865 }
8866 else if (streq(p[2], "name-prefix"))
8867 {
8868 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
8869 }
8870 else
8871 {
8872 msg(msglevel, "unknown X.509 name type: %s", p[2]);
8873 goto err;
8874 }
8875 }
8876 options->verify_x509_type = type;
8877 options->verify_x509_name = p[1];
8878 }
8879 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
8880 {
8881 VERIFY_PERMISSION(OPT_P_GENERAL);
8882 if (streq(p[1], "server"))
8883 {
8884 options->ns_cert_type = NS_CERT_CHECK_SERVER;
8885 }
8886 else if (streq(p[1], "client"))
8887 {
8888 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
8889 }
8890 else
8891 {
8892 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
8893 goto err;
8894 }
8895 }
8896 else if (streq(p[0], "remote-cert-ku"))
8897 {
8898 VERIFY_PERMISSION(OPT_P_GENERAL);
8899
8900 size_t j;
8901 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8902 {
8903 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
8904 }
8905 if (j == 1)
8906 {
8907 /* No specific KU required, but require KU to be present */
8908 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8909 }
8910 }
8911 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
8912 {
8913 VERIFY_PERMISSION(OPT_P_GENERAL);
8914 options->remote_cert_eku = p[1];
8915 }
8916 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
8917 {
8918 VERIFY_PERMISSION(OPT_P_GENERAL);
8919
8920 if (streq(p[1], "server"))
8921 {
8922 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8923 options->remote_cert_eku = "TLS Web Server Authentication";
8924 }
8925 else if (streq(p[1], "client"))
8926 {
8927 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8928 options->remote_cert_eku = "TLS Web Client Authentication";
8929 }
8930 else
8931 {
8932 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
8933 goto err;
8934 }
8935 }
8936 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
8937 {
8938 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8939 options->tls_timeout = positive_atoi(p[1]);
8940 }
8941 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
8942 {
8943 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8944 options->renegotiate_bytes = positive_atoi(p[1]);
8945 }
8946 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
8947 {
8948 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8949 options->renegotiate_packets = positive_atoi(p[1]);
8950 }
8951 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
8952 {
8953 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8954 options->renegotiate_seconds = positive_atoi(p[1]);
8955 if (p[2])
8956 {
8957 options->renegotiate_seconds_min = positive_atoi(p[2]);
8958 }
8959 }
8960 else if (streq(p[0], "hand-window") && p[1] && !p[2])
8961 {
8962 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8963 options->handshake_window = positive_atoi(p[1]);
8964 }
8965 else if (streq(p[0], "tran-window") && p[1] && !p[2])
8966 {
8967 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8968 options->transition_window = positive_atoi(p[1]);
8969 }
8970 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
8971 {
8972 int key_direction = -1;
8973
8974 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
8975
8976 if (permission_mask & OPT_P_GENERAL)
8977 {
8978 options->tls_auth_file = p[1];
8979 options->tls_auth_file_inline = is_inline;
8980
8981 if (!is_inline && p[2])
8982 {
8983 key_direction = ascii2keydirection(msglevel, p[2]);
8984 if (key_direction < 0)
8985 {
8986 goto err;
8987 }
8988 options->key_direction = key_direction;
8989 }
8990
8991 }
8992 else if (permission_mask & OPT_P_CONNECTION)
8993 {
8994 options->ce.tls_auth_file = p[1];
8995 options->ce.tls_auth_file_inline = is_inline;
8996 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
8997
8998 if (!is_inline && p[2])
8999 {
9000 key_direction = ascii2keydirection(msglevel, p[2]);
9001 if (key_direction < 0)
9002 {
9003 goto err;
9004 }
9005 options->ce.key_direction = key_direction;
9006 }
9007 }
9008 }
9009 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9010 {
9011 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9012 if (permission_mask & OPT_P_GENERAL)
9013 {
9014 options->tls_crypt_file = p[1];
9015 options->tls_crypt_file_inline = is_inline;
9016 }
9017 else if (permission_mask & OPT_P_CONNECTION)
9018 {
9019 options->ce.tls_crypt_file = p[1];
9020 options->ce.tls_crypt_file_inline = is_inline;
9021 }
9022 }
9023 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9024 {
9025 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9026 if (permission_mask & OPT_P_GENERAL)
9027 {
9028 options->tls_crypt_v2_file = p[1];
9029 options->tls_crypt_v2_file_inline = is_inline;
9030 }
9031 else if (permission_mask & OPT_P_CONNECTION)
9032 {
9033 options->ce.tls_crypt_v2_file = p[1];
9034 options->ce.tls_crypt_v2_file_inline = is_inline;
9035 }
9036
9037 if (p[2] && streq(p[2], "force-cookie"))
9038 {
9039 options->ce.tls_crypt_v2_force_cookie = true;
9040 }
9041 else if (p[2] && streq(p[2], "allow-noncookie"))
9042 {
9043 options->ce.tls_crypt_v2_force_cookie = false;
9044 }
9045 else if (p[2])
9046 {
9047 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9048 }
9049 }
9050 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9051 {
9052 VERIFY_PERMISSION(OPT_P_GENERAL);
9053 options->tls_crypt_v2_verify_script = p[1];
9054 }
9055 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9056 {
9057 VERIFY_PERMISSION(OPT_P_GENERAL);
9058 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9059 }
9060 #ifdef ENABLE_X509ALTUSERNAME
9061 else if (streq(p[0], "x509-username-field") && p[1])
9062 {
9063 /* This option used to automatically upcase the fieldnames passed as the
9064 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9065 * fine-tuned by only upcasing Subject field attribute names which consist
9066 * of all lower-case characters. Mixed-case attributes such as
9067 * "emailAddress" are left as-is. An option parameter having the "ext:"
9068 * prefix for matching X.509v3 extended fields will also remain unchanged.
9069 */
9070 VERIFY_PERMISSION(OPT_P_GENERAL);
9071 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9072 {
9073 char *s = p[j];
9074
9075 if (strncmp("ext:", s, 4) != 0)
9076 {
9077 size_t i = 0;
9078 while (s[i] && !isupper(s[i]))
9079 {
9080 i++;
9081 }
9082 if (strlen(s) == i)
9083 {
9084 while ((*s = toupper(*s)) != '\0')
9085 {
9086 s++;
9087 }
9088 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9089 "--x509-username-field parameter to '%s'; please update your"
9090 "configuration", p[j]);
9091 }
9092 }
9093 else if (!x509_username_field_ext_supported(s+4))
9094 {
9095 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9096 }
9097 options->x509_username_field[j-1] = p[j];
9098 }
9099 }
9100 #endif /* ENABLE_X509ALTUSERNAME */
9101 #ifdef ENABLE_PKCS11
9102 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9103 {
9104 char *provider = p[1];
9105 bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9106
9107 #ifdef DEFAULT_PKCS11_MODULE
9108 if (!provider)
9109 {
9110 provider = DEFAULT_PKCS11_MODULE;
9111 }
9112 else if (!p[2])
9113 {
9114 char *endp = NULL;
9115 int i = strtol(provider, &endp, 10);
9116
9117 if (*endp == 0)
9118 {
9119 /* There was one argument, and it was purely numeric.
9120 * Interpret it as the cert_private argument */
9121 provider = DEFAULT_PKCS11_MODULE;
9122 cert_private = i;
9123 }
9124 }
9125 #else /* ifdef DEFAULT_PKCS11_MODULE */
9126 if (!provider)
9127 {
9128 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9129 goto err;
9130 }
9131 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9132 VERIFY_PERMISSION(OPT_P_GENERAL);
9133
9134 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9135 show_pkcs11_ids(provider, cert_private);
9136 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9137 }
9138 else if (streq(p[0], "pkcs11-providers") && p[1])
9139 {
9140 int j;
9141
9142 VERIFY_PERMISSION(OPT_P_GENERAL);
9143
9144 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9145 {
9146 options->pkcs11_providers[j-1] = p[j];
9147 }
9148 }
9149 else if (streq(p[0], "pkcs11-protected-authentication"))
9150 {
9151 int j;
9152
9153 VERIFY_PERMISSION(OPT_P_GENERAL);
9154
9155 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9156 {
9157 options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9158 }
9159 }
9160 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9161 {
9162 int j;
9163
9164 VERIFY_PERMISSION(OPT_P_GENERAL);
9165
9166 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9167 {
9168 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9169 }
9170 }
9171 else if (streq(p[0], "pkcs11-cert-private"))
9172 {
9173 int j;
9174
9175 VERIFY_PERMISSION(OPT_P_GENERAL);
9176
9177 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9178 {
9179 options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9180 }
9181 }
9182 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9183 {
9184 VERIFY_PERMISSION(OPT_P_GENERAL);
9185 options->pkcs11_pin_cache_period = atoi(p[1]);
9186 }
9187 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9188 {
9189 VERIFY_PERMISSION(OPT_P_GENERAL);
9190 options->pkcs11_id = p[1];
9191 }
9192 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9193 {
9194 VERIFY_PERMISSION(OPT_P_GENERAL);
9195 options->pkcs11_id_management = true;
9196 }
9197 #endif /* ifdef ENABLE_PKCS11 */
9198 else if (streq(p[0], "rmtun") && !p[1])
9199 {
9200 VERIFY_PERMISSION(OPT_P_GENERAL);
9201 options->persist_config = true;
9202 options->persist_mode = 0;
9203 }
9204 else if (streq(p[0], "mktun") && !p[1])
9205 {
9206 VERIFY_PERMISSION(OPT_P_GENERAL);
9207 options->persist_config = true;
9208 options->persist_mode = 1;
9209 }
9210 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9211 {
9212 VERIFY_PERMISSION(OPT_P_PEER_ID);
9213 options->use_peer_id = true;
9214 options->peer_id = atoi(p[1]);
9215 }
9216 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9217 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9218 {
9219 int ekm_length = positive_atoi(p[2]);
9220
9221 VERIFY_PERMISSION(OPT_P_GENERAL);
9222
9223 if (strncmp(p[1], "EXPORTER", 8))
9224 {
9225 msg(msglevel, "Keying material exporter label must begin with "
9226 "\"EXPORTER\"");
9227 goto err;
9228 }
9229 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9230 {
9231 msg(msglevel, "Keying material exporter label must not be '"
9232 EXPORT_KEY_DATA_LABEL "'.");
9233 }
9234 if (ekm_length < 16 || ekm_length > 4095)
9235 {
9236 msg(msglevel, "Invalid keying material exporter length");
9237 goto err;
9238 }
9239
9240 options->keying_material_exporter_label = p[1];
9241 options->keying_material_exporter_length = ekm_length;
9242 }
9243 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9244 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9245 {
9246 VERIFY_PERMISSION(OPT_P_GENERAL);
9247 options->allow_recursive_routing = true;
9248 }
9249 else if (streq(p[0], "vlan-tagging") && !p[1])
9250 {
9251 VERIFY_PERMISSION(OPT_P_GENERAL);
9252 options->vlan_tagging = true;
9253 }
9254 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9255 {
9256 VERIFY_PERMISSION(OPT_P_GENERAL);
9257 if (streq(p[1], "tagged"))
9258 {
9259 options->vlan_accept = VLAN_ONLY_TAGGED;
9260 }
9261 else if (streq(p[1], "untagged"))
9262 {
9263 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9264 }
9265 else if (streq(p[1], "all"))
9266 {
9267 options->vlan_accept = VLAN_ALL;
9268 }
9269 else
9270 {
9271 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9272 goto err;
9273 }
9274 }
9275 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9276 {
9277 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9278 options->vlan_pvid = positive_atoi(p[1]);
9279 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9280 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9281 {
9282 msg(msglevel,
9283 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9284 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9285 goto err;
9286 }
9287 }
9288 else
9289 {
9290 int i;
9291 int msglevel = msglevel_fc;
9292 /* Check if an option is in --ignore-unknown-option and
9293 * set warning level to non fatal */
9294 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9295 {
9296 if (streq(p[0], options->ignore_unknown_option[i]))
9297 {
9298 msglevel = M_WARN;
9299 break;
9300 }
9301 }
9302 if (file)
9303 {
9304 msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9305 }
9306 else
9307 {
9308 msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9309 }
9310 }
9311 err:
9312 gc_free(&gc);
9313 }
Mirror of https://github.com/OpenVPN/openvpn.git