]> git.ipfire.org Git - thirdparty/openvpn.git/blob - src/openvpn/options.c
projects / thirdparty / openvpn.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Remove ability to use configurations without TLS by default
[thirdparty/openvpn.git] / src / openvpn / options.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2023 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33 #ifdef HAVE_CONFIG_VERSION_H
34 #include "config-version.h"
35 #endif
36
37 #include "syshead.h"
38
39 #include "buffer.h"
40 #include "error.h"
41 #include "common.h"
42 #include "run_command.h"
43 #include "shaper.h"
44 #include "crypto.h"
45 #include "ssl.h"
46 #include "ssl_ncp.h"
47 #include "options.h"
48 #include "misc.h"
49 #include "socket.h"
50 #include "packet_id.h"
51 #include "pkcs11.h"
52 #include "win32.h"
53 #include "push.h"
54 #include "pool.h"
55 #include "proto.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include "xkey_common.h"
62 #include "dco.h"
63 #include <ctype.h>
64
65 #include "memdbg.h"
66
67 const char title_string[] =
68 PACKAGE_STRING
69 #ifdef CONFIGURE_GIT_REVISION
70 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72 " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74 " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76 " [SSL (OpenSSL)]"
77 #else
78 " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82 " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85 " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88 " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92 " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95 " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98 " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102 " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104 " [MH/RECVDA]"
105 #endif
106 #endif
107 " [AEAD]"
108 #ifdef ENABLE_DCO
109 " [DCO]"
110 #endif
111 #ifdef CONFIGURE_GIT_REVISION
112 " built on " __DATE__
113 #endif
114 ;
115
116 #ifndef ENABLE_SMALL
117
118 static const char usage_message[] =
119 "%s\n"
120 "\n"
121 "General Options:\n"
122 "--config file : Read configuration options from file.\n"
123 "--help : Show options.\n"
124 "--version : Show copyright and version information.\n"
125 "\n"
126 "Tunnel Options:\n"
127 "--local host : Local host name or ip address. Implies --bind.\n"
128 "--remote host [port] : Remote host name or ip address.\n"
129 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
130 "--remote-random-hostname : Add a random string to remote DNS name.\n"
131 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
132 "--proto p : Use protocol p for communicating with peer.\n"
133 " p = udp (default), tcp-server, tcp-client\n"
134 " udp4, tcp4-server, tcp4-client\n"
135 " udp6, tcp6-server, tcp6-client\n"
136 "--proto-force p : only consider protocol p in list of connection profiles.\n"
137 " p = udp or tcp\n"
138 "--connect-retry n [m] : For client, number of seconds to wait between\n"
139 " connection retries (default=%d). On repeated retries\n"
140 " the wait time is exponentially increased to a maximum of m\n"
141 " (default=%d).\n"
142 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
143 "--http-proxy s p [up] [auth] : Connect to remote host\n"
144 " through an HTTP proxy at address s and port p.\n"
145 " If proxy authentication is required,\n"
146 " up is a file containing username/password on 2 lines, or\n"
147 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
148 " the proxy requires NTLM authentication.\n"
149 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
150 " determine auth method and query for username/password\n"
151 " if needed. auto-nct disables weak proxy auth methods.\n"
152 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
153 " Repeat to set multiple options.\n"
154 " VERSION version (default=1.0)\n"
155 " AGENT user-agent\n"
156 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
157 " address s and port p (default port = 1080).\n"
158 " If proxy authentication is required,\n"
159 " up is a file containing username/password on 2 lines, or\n"
160 " 'stdin' to prompt for console.\n"
161 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
162 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163 " resolve for n seconds before failing (disabled by default).\n"
164 " Set n=\"infinite\" to retry indefinitely.\n"
165 "--float : Allow remote to change its IP address/port, such as through\n"
166 " DHCP (this is the default if --remote is not used).\n"
167 "--ipchange cmd : Run command cmd on remote ip address initial\n"
168 " setting or change -- execute as: cmd ip-address port#\n"
169 "--port port : TCP/UDP port # for both local and remote.\n"
170 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
171 "--rport port : TCP/UDP port # for remote (default=%s).\n"
172 "--bind : Bind to local address and port. (This is the default unless\n"
173 " --proto tcp-client"
174 " or --http-proxy"
175 " or --socks-proxy"
176 " is used).\n"
177 "--nobind : Do not bind to local address and port.\n"
178 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
179 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
180 " this option only if the tun/tap device used with --dev\n"
181 " does not begin with \"tun\" or \"tap\".\n"
182 "--dev-node node : Explicitly set the device node rather than using\n"
183 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
184 #if defined(ENABLE_DCO)
185 "--disable-dco : Do not attempt using Data Channel Offload.\n"
186 #endif
187 "--lladdr hw : Set the link layer address of the tap device.\n"
188 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
189 #ifdef ENABLE_IPROUTE
190 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
191 #endif
192 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
193 " endpoint and rn as a remote endpoint. l & rn should be\n"
194 " swapped on the other peer. l & rn must be private\n"
195 " addresses outside of the subnets used by either peer.\n"
196 " TAP: configure device to use IP address l as a local\n"
197 " endpoint and rn as a subnet mask.\n"
198 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
199 " endpoint (as a /64) and r as remote endpoint\n"
200 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
201 " pass --ifconfig parms by environment to scripts.\n"
202 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
203 " connection doesn't match the remote side.\n"
204 "--route network [netmask] [gateway] [metric] :\n"
205 " Add route to routing table after connection\n"
206 " is established. Multiple routes can be specified.\n"
207 " netmask default: 255.255.255.255\n"
208 " gateway default: taken from --route-gateway or --ifconfig\n"
209 " Specify default by leaving blank or setting to \"default\".\n"
210 "--route-ipv6 network/bits [gateway] [metric] :\n"
211 " Add IPv6 route to routing table after connection\n"
212 " is established. Multiple routes can be specified.\n"
213 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
214 " in --ifconfig-ipv6\n"
215 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
216 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
217 "--route-metric m : Specify a default metric for use with --route.\n"
218 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
219 " adding routes (may be 0). If not specified, routes will\n"
220 " be added immediately after tun/tap open. On Windows, wait\n"
221 " up to w seconds for TUN/TAP adapter to come up.\n"
222 "--route-up cmd : Run command cmd after routes are added.\n"
223 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
224 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
225 " --route-up script using environmental variables.\n"
226 "--route-nopull : When used with --client or --pull, accept options pushed\n"
227 " by server EXCEPT for routes, dns, and dhcp options.\n"
228 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
229 " --ifconfig, --route, and --route-gateway.\n"
230 "--redirect-gateway [flags]: Automatically execute routing\n"
231 " commands to redirect all outgoing IP traffic through the\n"
232 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
233 " connected via a common subnet, such as with WiFi.\n"
234 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
235 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
236 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
237 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
238 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
239 " the default gateway. Useful when pushing private subnets.\n"
240 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
241 " ICMPv6 host unreachable messages on the client.\n"
242 " (Server) Instead of forwarding IPv6 packets send\n"
243 " ICMPv6 host unreachable packets to the client.\n"
244 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
245 "--push-peer-info : (client only) push client info to server.\n"
246 "--setenv name value : Set a custom environmental variable to pass to script.\n"
247 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
248 " directives for future OpenVPN versions to be ignored.\n"
249 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
250 " these options to be ignored when unknown\n"
251 "--script-security level: Where level can be:\n"
252 " 0 -- strictly no calling of external programs\n"
253 " 1 -- (default) only call built-ins such as ifconfig\n"
254 " 2 -- allow calling of built-ins and scripts\n"
255 " 3 -- allow password to be passed to scripts via env\n"
256 "--shaper n : Restrict output to peer to n bytes per second.\n"
257 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258 " ping once every n seconds, restart if ping not received\n"
259 " for m seconds.\n"
260 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261 " produces a combined in/out byte count < bytes.\n"
262 "--session-timeout n: Limit connection time to n seconds.\n"
263 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
264 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
265 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
266 " remote address.\n"
267 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
268 #if ENABLE_IP_PKTINFO
269 "--multihome : Configure a multi-homed UDP server.\n"
270 #endif
271 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
272 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
273 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
274 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
275 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
276 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
277 #if PASSTOS_CAPABILITY
278 "--passtos : TOS passthrough (applies to IPv4 only).\n"
279 #endif
280 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
281 " TCP/UDP MTU from it (default=%d).\n"
282 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
283 " as n bytes more than the tun-mtu size on read\n"
284 " (default TUN=0 TAP=%d).\n"
285 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
286 " from it.\n"
287 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
288 " 'no' -- Never send DF (Don't Fragment) frames\n"
289 " 'maybe' -- Use per-route hints\n"
290 " 'yes' -- Always DF (Don't Fragment)\n"
291 "--mtu-test : Empirically measure and report MTU.\n"
292 #ifdef ENABLE_FRAGMENT
293 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
294 " datagrams are sent which are larger than max bytes.\n"
295 " Adds 4 bytes of overhead per datagram.\n"
296 #endif
297 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
298 " or --fragment max value, whichever is lower.\n"
299 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
300 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
301 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
302 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
303 " can be matched in policy routing and packetfilter rules.\n"
304 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
305 " listening for connections. This allows sending encrypted packets\n"
306 " via a VRF present on the system.\n"
307 #endif
308 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
309 #ifdef ENABLE_MEMSTATS
310 "--memstats file : Write live usage stats to memory mapped binary file.\n"
311 #endif
312 "--mlock : Disable Paging -- ensures key material and tunnel\n"
313 " data will never be written to disk.\n"
314 "--up cmd : Run command cmd after successful tun device open.\n"
315 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
316 " ifconfig-local-ip ifconfig-remote-ip\n"
317 " (pre --user or --group UID/GID change)\n"
318 "--up-delay : Delay tun/tap open and possible --up script execution\n"
319 " until after TCP/UDP connection establishment with peer.\n"
320 "--down cmd : Run command cmd after tun device close.\n"
321 " (post --user/--group UID/GID change and/or --chroot)\n"
322 " (command parameters are same as --up option)\n"
323 "--down-pre : Run --down command before TUN/TAP close.\n"
324 "--up-restart : Run up/down commands for all restarts including those\n"
325 " caused by --ping-restart or SIGUSR1\n"
326 "--user user : Set UID to user after initialization.\n"
327 "--group group : Set GID to group after initialization.\n"
328 "--chroot dir : Chroot to this directory after initialization.\n"
329 #ifdef ENABLE_SELINUX
330 "--setcon context: Apply this SELinux context after initialization.\n"
331 #endif
332 "--cd dir : Change to this directory before initialization.\n"
333 "--daemon [name] : Become a daemon after initialization.\n"
334 " The optional 'name' parameter will be passed\n"
335 " as the program name to the system logger.\n"
336 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
337 " See --daemon above for a description of the 'name' parm.\n"
338 "--log file : Output log to file which is created/truncated on open.\n"
339 "--log-append file : Append log to file, or create file if nonexistent.\n"
340 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
341 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
342 "--writepid file : Write main process ID to file.\n"
343 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
344 "--echo [parms ...] : Echo parameters to log output.\n"
345 "--verb n : Set output verbosity to n (default=%d):\n"
346 " (Level 3 is recommended if you want a good summary\n"
347 " of what's happening without being swamped by output).\n"
348 " : 0 -- no output except fatal errors\n"
349 " : 1 -- startup info + connection initiated messages +\n"
350 " non-fatal encryption & net errors\n"
351 " : 2,3 -- show TLS negotiations & route info\n"
352 " : 4 -- show parameters\n"
353 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
354 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
355 " : 6 to 11 -- debug messages of increasing verbosity\n"
356 "--mute n : Log at most n consecutive messages in the same category.\n"
357 "--status file [n] : Write operational status to file every n seconds.\n"
358 "--status-version [n] : Choose the status file format version number.\n"
359 " Currently, n can be 1, 2, or 3 (default=1).\n"
360 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
361 #ifdef ENABLE_DEBUG
362 "--gremlin mask : Special stress testing mode (for debugging only).\n"
363 #endif
364 #if defined(USE_COMP)
365 "--compress alg : Use compression algorithm alg\n"
366 "--allow-compression: Specify whether compression should be allowed\n"
367 #if defined(ENABLE_LZO)
368 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
369 " packet for incompressible data.\n"
370 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
371 " is specified.\n"
372 #endif
373 #endif
374 #ifdef ENABLE_MANAGEMENT
375 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
376 " management functions. pass is a password file\n"
377 " or 'stdin' to prompt from console.\n"
378 #if UNIX_SOCK_SUPPORT
379 " To listen on a unix domain socket, specific the pathname\n"
380 " in place of ip and use 'unix' as the port number.\n"
381 #endif
382 "--management-client : Management interface will connect as a TCP client to\n"
383 " ip/port rather than listen as a TCP server.\n"
384 "--management-query-passwords : Query management channel for private key\n"
385 " and auth-user-pass passwords.\n"
386 "--management-query-proxy : Query management channel for proxy information.\n"
387 "--management-query-remote : Query management channel for --remote directive.\n"
388 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
389 " of the management interface explicitly starts it.\n"
390 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
391 "--management-forget-disconnect : Forget passwords when management disconnect\n"
392 " event occurs.\n"
393 "--management-up-down : Report tunnel up/down events to management interface.\n"
394 "--management-log-cache n : Cache n lines of log file history for usage\n"
395 " by the management channel.\n"
396 #if UNIX_SOCK_SUPPORT
397 "--management-client-user u : When management interface is a unix socket, only\n"
398 " allow connections from user u.\n"
399 "--management-client-group g : When management interface is a unix socket, only\n"
400 " allow connections from group g.\n"
401 #endif
402 "--management-client-auth : gives management interface client the responsibility\n"
403 " to authenticate clients after their client certificate\n"
404 " has been verified.\n"
405 #endif /* ifdef ENABLE_MANAGEMENT */
406 #ifdef ENABLE_PLUGIN
407 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
408 " to its initialization function.\n"
409 #endif
410 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
411 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
412 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
413 "\n"
414 "Multi-Client Server options (when --mode server is used):\n"
415 "--server network netmask : Helper option to easily configure server mode.\n"
416 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
417 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
418 " easily configure ethernet bridging server mode.\n"
419 "--push \"option\" : Push a config file option back to the peer for remote\n"
420 " execution. Peer must specify --pull in its config file.\n"
421 "--push-reset : Don't inherit global push list for specific\n"
422 " client instance.\n"
423 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
424 " a specific client instance.\n"
425 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
426 " to be dynamically allocated to connecting clients.\n"
427 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
428 " data to file, at seconds intervals (default=600).\n"
429 " If seconds=0, file will be treated as read-only.\n"
430 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
431 " to be dynamically allocated to connecting clients.\n"
432 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
433 " overrides --ifconfig-pool dynamic allocation.\n"
434 " Only valid in a client-specific config file.\n"
435 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
436 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
437 " Only valid in a client-specific config file.\n"
438 "--iroute network [netmask] : Route subnet to client.\n"
439 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
440 " Sets up internal routes only.\n"
441 " Only valid in a client-specific config file.\n"
442 "--disable : Client is disabled.\n"
443 " Only valid in a client-specific config file.\n"
444 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
445 " mandatory client certificate verification.\n"
446 " Default is to require the client to supply a certificate.\n"
447 "--username-as-common-name : For auth-user-pass authentication, use\n"
448 " the authenticated username as the common name,\n"
449 " rather than the common name from the client cert.\n"
450 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
451 " run command cmd to verify. If method='via-env', pass\n"
452 " user/pass via environment, if method='via-file', pass\n"
453 " user/pass via temporary file.\n"
454 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
455 " to each client, replacing the password. Useful when\n"
456 " OTP based two-factor auth mechanisms are in use and\n"
457 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
458 " for generated tokens can be set.\n"
459 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
460 " with those of the server will be disconnected.\n"
461 "--auth-user-pass-optional : Allow connections by clients that don't\n"
462 " specify a username/password.\n"
463 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
464 " any printable character.\n"
465 "--client-to-client : Internally route client-to-client traffic.\n"
466 "--duplicate-cn : Allow multiple clients with the same common name to\n"
467 " concurrently connect.\n"
468 "--client-connect cmd : Run command cmd on client connection.\n"
469 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
470 "--client-config-dir dir : Directory for custom client config files.\n"
471 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
472 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
473 "--hash-size r v : Set the size of the real address hash table to r and the\n"
474 " virtual address table to v.\n"
475 "--bcast-buffers n : Allocate n broadcast buffers.\n"
476 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
477 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
478 " as well as pushes it to connecting clients.\n"
479 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
480 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
481 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
482 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
483 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
484 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
485 " older than n seconds. Run this check every t\n"
486 " seconds (defaults to n).\n"
487 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
488 " clients. n = 1 - reconnect to same server,\n"
489 " 2 - advance to next server, default=1.\n"
490 #if PORT_SHARE
491 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
492 " sessions to a web server at host:port. dir specifies an\n"
493 " optional directory to write origin IP:port data.\n"
494 #endif
495 "\n"
496 "Client options (when connecting to a multi-client server):\n"
497 "--client : Helper option to easily configure client mode.\n"
498 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
499 " up is a file containing the username on the first line,\n"
500 " and a password on the second. If either the password or both\n"
501 " the username and the password are omitted OpenVPN will prompt\n"
502 " for them from console.\n"
503 "--pull : Accept certain config file options from the peer as if they\n"
504 " were part of the local config file. Must be specified\n"
505 " when connecting to a '--mode server' remote host.\n"
506 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
507 " server if it starts with the text t. The action flag accept,\n"
508 " ignore or reject causes the option to be allowed, removed or\n"
509 " rejected with error. May be specified multiple times, and\n"
510 " each filter is applied in the order of appearance.\n"
511 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
512 " Valid options are :\n"
513 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
514 " resolve-domains <domain> [domain ...] : split domains\n"
515 " dnssec <yes|no|optional> : option to use DNSSEC\n"
516 " type <DoH|DoT> : query server over HTTPS / TLS\n"
517 " sni <domain> : DNS server name indication\n"
518 "--dns search-domains <domain> [domain ...]:\n"
519 " Add domains to DNS domain search list\n"
520 "--auth-retry t : How to handle auth failures. Set t to\n"
521 " none (default), interact, or nointeract.\n"
522 "--static-challenge t e : Enable static challenge/response protocol using\n"
523 " challenge text t, with e indicating echo flag (0|1)\n"
524 "--connect-timeout n : when polling possible remote servers to connect to\n"
525 " in a round-robin fashion, spend no more than n seconds\n"
526 " waiting for a response before trying the next server.\n"
527 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
528 " incoming tun packets with same destination as host.\n"
529 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
530 " server/remote. n = # of retries, default=1.\n"
531 "\n"
532 "Data Channel Encryption Options (must be compatible between peers):\n"
533 "(These options are meaningful for both Static Key & TLS-mode)\n"
534 "--auth alg : Authenticate packets with HMAC using message\n"
535 " digest algorithm alg (default=%s).\n"
536 " (usually adds 16 or 20 bytes per packet)\n"
537 " Set alg=none to disable authentication.\n"
538 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
539 " You should usually use --data-ciphers instead.\n"
540 " Set alg=none to disable encryption.\n"
541 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
542 #ifndef ENABLE_CRYPTO_MBEDTLS
543 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
544 #endif
545 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
546 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
547 " and a time window of t seconds.\n"
548 " Default n=%d t=%d\n"
549 "--replay-persist file : Persist replay-protection state across sessions\n"
550 " using file.\n"
551 "--test-crypto : Run a self-test of crypto features enabled.\n"
552 " For debugging only.\n"
553 #ifdef ENABLE_PREDICTION_RESISTANCE
554 "--use-prediction-resistance: Enable prediction resistance on the random\n"
555 " number generator.\n"
556 #endif
557 "\n"
558 "TLS Key Negotiation Options:\n"
559 "(These options are meaningful only for TLS-mode)\n"
560 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
561 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
562 "--ca file : Certificate authority file in .pem format containing\n"
563 " root certificate.\n"
564 #ifndef ENABLE_CRYPTO_MBEDTLS
565 "--capath dir : A directory of trusted certificates (CAs"
566 " and CRLs).\n"
567 #endif /* ENABLE_CRYPTO_MBEDTLS */
568 "--dh file : File containing Diffie Hellman parameters\n"
569 " in .pem format (for --tls-server only).\n"
570 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
571 "--cert file : Local certificate in .pem format -- must be signed\n"
572 " by a Certificate Authority in --ca file.\n"
573 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
574 "--key file : Local private key in .pem format.\n"
575 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
576 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
577 " is specified, require max TLS version supported by SSL implementation.\n"
578 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
579 #ifndef ENABLE_CRYPTO_MBEDTLS
580 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
581 " and optionally the root CA certificate.\n"
582 #endif
583 #ifdef ENABLE_X509ALTUSERNAME
584 "--x509-username-field : Field in x509 certificate containing the username.\n"
585 " Default is CN in the Subject field.\n"
586 #endif
587 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
588 " Valid algo flags are SHA1 and SHA256. \n"
589 #ifdef _WIN32
590 "--cryptoapicert select-string : Load the certificate and private key from the\n"
591 " Windows Certificate System Store.\n"
592 #endif
593 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
594 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
595 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
596 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
597 " (default=legacy).\n"
598 "--providers l : A list l of OpenSSL providers to load.\n"
599 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
600 " if no ACK from remote within n seconds (default=%d).\n"
601 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
602 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
603 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
604 " and at least min (defaults to 90%% of max on servers and equal\n"
605 " to max on clients).\n"
606 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
607 " of handshake initiation by any peer (default=%d).\n"
608 "--tran-window n : Transition window -- old key can live this many seconds\n"
609 " after new key renegotiation begins (default=%d).\n"
610 "--single-session: Allow only one session (reset state on restart).\n"
611 "--tls-exit : Exit on TLS negotiation failure.\n"
612 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
613 " control channel to protect against attacks on the TLS stack\n"
614 " and DoS attacks.\n"
615 " f (required) is a shared-secret key file.\n"
616 " The optional d parameter controls key directionality.\n"
617 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
618 " of the TLS control channel to hide the TLS certificate,\n"
619 " provide basic post-quantum security and protect against\n"
620 " attacks on the TLS stack and DoS attacks.\n"
621 " key (required) provides the pre-shared key file.\n"
622 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
623 " For servers: use key to decrypt client-specific keys. For\n"
624 " key generation (--genkey tls-crypt-v2-client): use key to\n"
625 " encrypt generated client-specific key. (See --tls-crypt.)\n"
626 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
627 " fresh tls-crypt-v2 client key, and store to\n"
628 " keyfile. If supplied, include metadata in wrapped key.\n"
629 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
630 " fresh tls-crypt-v2 server key, and store to keyfile\n"
631 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
632 " client-supplied tls-crypt-v2 client key\n"
633 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
634 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
635 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
636 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
637 " pending TLS connection that has otherwise passed all other\n"
638 " tests of certification. cmd should return 0 to allow\n"
639 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
640 " executed as 'cmd certificate_depth subject')\n"
641 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
642 " in an openvpn temporary file in [directory]. Peer cert is \n"
643 " stored before tls-verify script execution and deleted after.\n"
644 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
645 " DN name. The remote host must also pass all other tests\n"
646 " of verification.\n"
647 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
648 " an explicit nsCertType designation t = 'client' | 'server'.\n"
649 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
650 " plugins and management interface.\n"
651 #ifdef HAVE_EXPORT_KEYING_MATERIAL
652 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
653 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
654 #endif
655 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
656 " explicit key usage, you can specify more than one value.\n"
657 " value should be given in hex format.\n"
658 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
659 " explicit extended key usage. Extended key usage can be encoded\n"
660 " as an object identifier or OpenSSL string representation.\n"
661 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
662 " key usage and extended key usage based on RFC3280 TLS rules.\n"
663 " t = 'client' | 'server'.\n"
664 #ifdef ENABLE_PKCS11
665 "\n"
666 "PKCS#11 Options:\n"
667 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
668 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
669 " path. Set for each provider.\n"
670 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
671 " 0 : Try to determine automatically (default).\n"
672 " 1 : Use Sign.\n"
673 " 2 : Use SignRecover.\n"
674 " 4 : Use Decrypt.\n"
675 " 8 : Use Unwrap.\n"
676 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
677 " certificate can be accessed. Set for each provider.\n"
678 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
679 " cache until token is removed.\n"
680 "--pkcs11-id-management : Acquire identity from management interface.\n"
681 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
682 #endif /* ENABLE_PKCS11 */
683 "\n"
684 "SSL Library information:\n"
685 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
686 "--show-digests : Show message digest algorithms to use with --auth option.\n"
687 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
688 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
689 #ifdef _WIN32
690 "\n"
691 "Windows Specific:\n"
692 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
693 " from SystemRoot environment variable.\n"
694 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
695 " IP address using method = manual, netsh, ipapi,\n"
696 " dynamic, or adaptive (default = adaptive).\n"
697 " Dynamic method allows two optional parameters:\n"
698 " offset: DHCP server address offset (> -256 and < 256).\n"
699 " If 0, use network address, if >0, take nth\n"
700 " address forward from network address, if <0,\n"
701 " take nth address backward from broadcast\n"
702 " address.\n"
703 " Default is 0.\n"
704 " lease-time: Lease time in seconds.\n"
705 " Default is one year.\n"
706 "--route-method : Which method to use for adding routes on Windows?\n"
707 " adaptive (default) -- Try ipapi then fall back to exe.\n"
708 " ipapi -- Use IP helper API.\n"
709 " exe -- Call the route.exe shell command.\n"
710 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
711 " be used with --ip-win32 dynamic. For options\n"
712 " which allow multiple addresses,\n"
713 " --dhcp-option must be repeated.\n"
714 " DOMAIN name : Set DNS suffix\n"
715 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
716 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
717 " NTP : Set NTP server address(es)\n"
718 " NBDD : Set NBDD server address(es)\n"
719 " WINS addr : Set WINS server address(es)\n"
720 " NBT type : Set NetBIOS over TCP/IP Node type\n"
721 " 1: B, 2: P, 4: M, 8: H\n"
722 " NBS id : Set NetBIOS scope ID\n"
723 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
724 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
725 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
726 " startup.\n"
727 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
728 " on connection initiation.\n"
729 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
730 " attempting to set adapter properties.\n"
731 "--pause-exit : When run from a console window, pause before exiting.\n"
732 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
733 " service, and should not be used directly by end-users.\n"
734 " ex is the name of an event object which, when\n"
735 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
736 " optional parameter controls the initial state of ex.\n"
737 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
738 " after TAP adapter is up and routes have been added.\n"
739 "--windows-driver : Which tun driver to use?\n"
740 " ovpn-dco (default)\n"
741 " tap-windows6\n"
742 " wintun\n"
743 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
744 "Windows Standalone Options:\n"
745 "\n"
746 "--show-adapters : Show all TAP-Windows adapters.\n"
747 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
748 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
749 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
750 " to access TAP adapter.\n"
751 #endif /* ifdef _WIN32 */
752 "\n"
753 "Generate a new key :\n"
754 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
755 " (for use with --tls-auth or --tls-crypt)."
756 #ifdef ENABLE_FEATURE_TUN_PERSIST
757 "\n"
758 "Tun/tap config mode (available with linux 2.4+):\n"
759 "--mktun : Create a persistent tunnel.\n"
760 "--rmtun : Remove a persistent tunnel.\n"
761 "--dev tunX|tapX : tun/tap device\n"
762 "--dev-type dt : Device type. See tunnel options above for details.\n"
763 "--user user : User to set privilege to.\n"
764 "--group group : Group to set privilege to.\n"
765 #endif
766 #ifdef ENABLE_PKCS11
767 "\n"
768 "PKCS#11 standalone options:\n"
769 #ifdef DEFAULT_PKCS11_MODULE
770 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
771 #else
772 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
773 #endif
774 " --verb option can be added *BEFORE* this.\n"
775 #endif /* ENABLE_PKCS11 */
776 "\n"
777 "General Standalone Options:\n"
778 #ifdef ENABLE_DEBUG
779 "--show-gateway : Show info about default gateway.\n"
780 #endif
781 ;
782
783 #endif /* !ENABLE_SMALL */
784
785 /*
786 * This is where the options defaults go.
787 * Any option not explicitly set here
788 * will be set to 0.
789 */
790 void
791 init_options(struct options *o, const bool init_gc)
792 {
793 CLEAR(*o);
794 if (init_gc)
795 {
796 gc_init(&o->gc);
797 gc_init(&o->dns_options.gc);
798 o->gc_owned = true;
799 }
800 o->mode = MODE_POINT_TO_POINT;
801 o->topology = TOP_NET30;
802 o->ce.proto = PROTO_UDP;
803 o->ce.af = AF_UNSPEC;
804 o->ce.bind_ipv6_only = false;
805 o->ce.connect_retry_seconds = 1;
806 o->ce.connect_retry_seconds_max = 300;
807 o->ce.connect_timeout = 120;
808 o->connect_retry_max = 0;
809 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
810 o->verbosity = 1;
811 o->status_file_update_freq = 60;
812 o->status_file_version = 1;
813 o->ce.bind_local = true;
814 o->ce.tun_mtu = TUN_MTU_DEFAULT;
815 o->ce.occ_mtu = 0;
816 o->ce.link_mtu = LINK_MTU_DEFAULT;
817 o->ce.tls_mtu = TLS_MTU_DEFAULT;
818 o->ce.mtu_discover_type = -1;
819 o->ce.mssfix = 0;
820 o->ce.mssfix_default = true;
821 o->ce.mssfix_encap = true;
822 o->route_delay_window = 30;
823 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
824 o->resolve_in_advance = false;
825 o->proto_force = -1;
826 o->occ = true;
827 #ifdef ENABLE_MANAGEMENT
828 o->management_log_history_cache = 250;
829 o->management_echo_buffer_size = 100;
830 o->management_state_buffer_size = 100;
831 #endif
832 #ifdef ENABLE_FEATURE_TUN_PERSIST
833 o->persist_mode = 1;
834 #endif
835 #ifdef _WIN32
836 #if 0
837 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
838 #else
839 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
840 #endif
841 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
842 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
843 o->route_method = ROUTE_METHOD_ADAPTIVE;
844 o->block_outside_dns = false;
845 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
846 #endif
847 o->vlan_accept = VLAN_ALL;
848 o->vlan_pvid = 1;
849 o->real_hash_size = 256;
850 o->virtual_hash_size = 256;
851 o->n_bcast_buf = 256;
852 o->tcp_queue_limit = 64;
853 o->max_clients = 1024;
854 o->cf_initial_per = 10;
855 o->cf_initial_max = 100;
856 o->max_routes_per_client = 256;
857 o->stale_routes_check_interval = 0;
858 o->ifconfig_pool_persist_refresh_freq = 600;
859 o->scheduled_exit_interval = 5;
860 o->authname = "SHA1";
861 o->replay_window = DEFAULT_SEQ_BACKTRACK;
862 o->replay_time = DEFAULT_TIME_BACKTRACK;
863 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
864 #ifdef ENABLE_PREDICTION_RESISTANCE
865 o->use_prediction_resistance = false;
866 #endif
867 o->tls_timeout = 2;
868 o->renegotiate_bytes = -1;
869 o->renegotiate_seconds = 3600;
870 o->renegotiate_seconds_min = -1;
871 o->handshake_window = 60;
872 o->transition_window = 3600;
873 o->tls_cert_profile = NULL;
874 o->ecdh_curve = NULL;
875 #ifdef ENABLE_X509ALTUSERNAME
876 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
877 #endif
878 #ifdef ENABLE_PKCS11
879 o->pkcs11_pin_cache_period = -1;
880 #endif /* ENABLE_PKCS11 */
881
882 /* P2MP server context features */
883 o->auth_token_generate = false;
884
885 /* Set default --tmp-dir */
886 #ifdef _WIN32
887 /* On Windows, find temp dir via environment variables */
888 o->tmp_dir = win_get_tempdir();
889 #else
890 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
891 o->tmp_dir = getenv("TMPDIR");
892 if (!o->tmp_dir)
893 {
894 o->tmp_dir = "/tmp";
895 }
896 #endif /* _WIN32 */
897 o->allow_recursive_routing = false;
898
899 #ifndef ENABLE_DCO
900 o->tuntap_options.disable_dco = true;
901 #endif /* ENABLE_DCO */
902 }
903
904 void
905 uninit_options(struct options *o)
906 {
907 if (o->connection_list)
908 {
909 CLEAR(*o->connection_list);
910 }
911 if (o->remote_list)
912 {
913 CLEAR(*o->remote_list);
914 }
915 if (o->gc_owned)
916 {
917 gc_free(&o->gc);
918 gc_free(&o->dns_options.gc);
919 }
920 }
921
922 struct pull_filter
923 {
924 #define PUF_TYPE_UNDEF 0 /** undefined filter type */
925 #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
926 #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
927 #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
928 int type;
929 int size;
930 char *pattern;
931 struct pull_filter *next;
932 };
933
934 struct pull_filter_list
935 {
936 struct pull_filter *head;
937 struct pull_filter *tail;
938 };
939
940 #ifndef ENABLE_SMALL
941
942 static const char *
943 pull_filter_type_name(int type)
944 {
945 if (type == PUF_TYPE_ACCEPT)
946 {
947 return "accept";
948 }
949 if (type == PUF_TYPE_IGNORE)
950 {
951 return "ignore";
952 }
953 if (type == PUF_TYPE_REJECT)
954 {
955 return "reject";
956 }
957 else
958 {
959 return "???";
960 }
961 }
962
963 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
964 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
965 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
966 o->var ## _inline ? "[INLINE]" : \
967 (o->var ? o->var : "[UNDEF]"), \
968 "'%s'")
969 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
970 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
971 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
972 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
973 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
974
975 #endif /* ifndef ENABLE_SMALL */
976
977 static void
978 setenv_connection_entry(struct env_set *es,
979 const struct connection_entry *e,
980 const int i)
981 {
982 setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
983 setenv_str_i(es, "local", e->local, i);
984 setenv_str_i(es, "local_port", e->local_port, i);
985 setenv_str_i(es, "remote", e->remote, i);
986 setenv_str_i(es, "remote_port", e->remote_port, i);
987
988 if (e->http_proxy_options)
989 {
990 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
991 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
992 }
993 if (e->socks_proxy_server)
994 {
995 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
996 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
997 }
998 }
999
1000 void
1001 setenv_settings(struct env_set *es, const struct options *o)
1002 {
1003 setenv_str(es, "config", o->config);
1004 setenv_int(es, "verb", o->verbosity);
1005 setenv_int(es, "daemon", o->daemon);
1006 setenv_int(es, "daemon_log_redirect", o->log);
1007 setenv_long_long(es, "daemon_start_time", time(NULL));
1008 setenv_int(es, "daemon_pid", platform_getpid());
1009
1010 if (o->connection_list)
1011 {
1012 int i;
1013 for (i = 0; i < o->connection_list->len; ++i)
1014 {
1015 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1016 }
1017 }
1018 else
1019 {
1020 setenv_connection_entry(es, &o->ce, 1);
1021 }
1022
1023 if (!o->pull)
1024 {
1025 setenv_dns_options(&o->dns_options, es);
1026 }
1027 }
1028
1029 #ifndef _WIN32
1030 static void
1031 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1032 {
1033 if (len > 0)
1034 {
1035 struct gc_arena gc = gc_new();
1036 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1037 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1038 int i;
1039 bool first = true;
1040 bool good = true;
1041
1042 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1043 ++o->foreign_option_index;
1044 for (i = 0; i < len; ++i)
1045 {
1046 if (argv[i])
1047 {
1048 if (!first)
1049 {
1050 good &= buf_printf(&value, " ");
1051 }
1052 good &= buf_printf(&value, "%s", argv[i]);
1053 first = false;
1054 }
1055 }
1056 if (good)
1057 {
1058 setenv_str(es, BSTR(&name), BSTR(&value));
1059 }
1060 else
1061 {
1062 msg(M_WARN, "foreign_option: name/value overflow");
1063 }
1064 gc_free(&gc);
1065 }
1066 }
1067 #endif /* ifndef _WIN32 */
1068
1069 static in_addr_t
1070 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1071 {
1072 unsigned int flags = GETADDR_HOST_ORDER;
1073 bool succeeded = false;
1074 in_addr_t ret;
1075
1076 if (msglevel & M_FATAL)
1077 {
1078 flags |= GETADDR_FATAL;
1079 }
1080
1081 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1082 if (!succeeded && error)
1083 {
1084 *error = true;
1085 }
1086 return ret;
1087 }
1088
1089 /**
1090 * Returns newly allocated string containing address part without "/nn".
1091 *
1092 * If gc != NULL, the allocated memory is registered in the supplied gc.
1093 */
1094 static char *
1095 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1096 {
1097 const char *end = strchr(addr, '/');
1098 char *ret = NULL;
1099 if (NULL == end)
1100 {
1101 ret = string_alloc(addr, gc);
1102 }
1103 else
1104 {
1105 size_t len = end - addr;
1106 ret = gc_malloc(len + 1, true, gc);
1107 memcpy(ret, addr, len);
1108 }
1109 return ret;
1110 }
1111
1112 static bool
1113 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1114 {
1115 struct in6_addr t_addr;
1116 unsigned int t_bits;
1117
1118 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1119 }
1120
1121 static char *
1122 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1123 {
1124 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1125 char *dest = ret;
1126 char c;
1127
1128 do
1129 {
1130 c = *src++;
1131 if (c == from)
1132 {
1133 c = to;
1134 }
1135 *dest++ = c;
1136 }
1137 while (c);
1138 return ret;
1139 }
1140
1141 /**
1142 * Parses a hexstring and checks if the string has the correct length. Return
1143 * a verify_hash_list containing the parsed hash string.
1144 *
1145 * @param str String to check/parse
1146 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
1147 * @param msglevel message level to use when printing warnings/errors
1148 * @param gc The returned object will be allocated in this gc
1149 */
1150 static struct verify_hash_list *
1151 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1152 {
1153 int i = 0;
1154 const char *cp = str;
1155
1156 struct verify_hash_list *ret;
1157 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1158
1159 char term = 0;
1160 unsigned int byte;
1161
1162 while (*cp && i < nbytes)
1163 {
1164 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1165 if (!isxdigit(cp[0])
1166 || !isxdigit(cp[1])
1167 || (cp[2] != ':' && cp[2] != '\0')
1168 || sscanf(cp, "%x", &byte) != 1)
1169 {
1170 msg(msglevel, "format error in hash fingerprint: %s", str);
1171 break;
1172 }
1173
1174 ret->hash[i++] = (uint8_t)byte;
1175
1176 term = cp[2];
1177 if (term == '\0')
1178 {
1179 break;
1180 }
1181 cp += 3;
1182 }
1183 if (i < nbytes)
1184 {
1185 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1186 }
1187 else if (term != '\0')
1188 {
1189 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1190 }
1191 return ret;
1192 }
1193
1194 /**
1195 * Parses a string consisting of multiple lines of hexstrings and checks if each
1196 * string has the correct length. Empty lines are ignored. Returns
1197 * a linked list of (possibly) multiple verify_hash_list objects.
1198 *
1199 * @param str String to check/parse
1200 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
1201 * @param msglevel message level to use when printing warnings/errors
1202 * @param gc The returned list items will be allocated in this gc
1203 */
1204 static struct verify_hash_list *
1205 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1206 struct gc_arena *gc)
1207 {
1208 struct gc_arena gc_temp = gc_new();
1209 char *lines = string_alloc(str, &gc_temp);
1210
1211 struct verify_hash_list *ret = NULL;
1212
1213 const char *line;
1214 while ((line = strsep(&lines, "\n")))
1215 {
1216 /* ignore leading whitespace */
1217 while (isspace(*line))
1218 {
1219 line++;
1220 }
1221 /* skip empty lines and comment lines */
1222 if (strlen(line) == 0 || *line == '#' || *line == ';')
1223 {
1224 continue;
1225 }
1226
1227 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1228 msglevel, gc);
1229
1230 if (!hash)
1231 {
1232 gc_free(&gc_temp);
1233 return NULL;
1234 }
1235
1236 hash->next = ret;
1237 ret = hash;
1238 }
1239 gc_free(&gc_temp);
1240
1241 return ret;
1242 }
1243 #ifdef _WIN32
1244
1245 #ifndef ENABLE_SMALL
1246
1247 static void
1248 show_dhcp_option_list(const char *name, const char *const *array, int len)
1249 {
1250 int i;
1251 for (i = 0; i < len; ++i)
1252 {
1253 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1254 }
1255 }
1256
1257 static void
1258 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1259 {
1260 struct gc_arena gc = gc_new();
1261 int i;
1262 for (i = 0; i < len; ++i)
1263 {
1264 msg(D_SHOW_PARMS, " %s[%d] = %s",
1265 name,
1266 i,
1267 print_in_addr_t(array[i], 0, &gc));
1268 }
1269 gc_free(&gc);
1270 }
1271
1272 static void
1273 show_tuntap_options(const struct tuntap_options *o)
1274 {
1275 SHOW_BOOL(ip_win32_defined);
1276 SHOW_INT(ip_win32_type);
1277 SHOW_INT(dhcp_masq_offset);
1278 SHOW_INT(dhcp_lease_time);
1279 SHOW_INT(tap_sleep);
1280 SHOW_UNSIGNED(dhcp_options);
1281 SHOW_BOOL(dhcp_renew);
1282 SHOW_BOOL(dhcp_pre_release);
1283 SHOW_STR(domain);
1284 SHOW_STR(netbios_scope);
1285 SHOW_INT(netbios_node_type);
1286 SHOW_BOOL(disable_nbt);
1287
1288 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1289 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1290 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1291 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1292 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1293 }
1294
1295 #endif /* ifndef ENABLE_SMALL */
1296 #endif /* ifdef _WIN32 */
1297
1298 #if defined(_WIN32) || defined(TARGET_ANDROID)
1299 static void
1300 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1301 {
1302 struct in6_addr addr;
1303 if (*len >= N_DHCP_ADDR)
1304 {
1305 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1306 N_DHCP_ADDR);
1307 }
1308 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1309 {
1310 dns6_list[(*len)++] = addr;
1311 }
1312 }
1313 static void
1314 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1315 {
1316 if (*len >= N_DHCP_ADDR)
1317 {
1318 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1319 name,
1320 N_DHCP_ADDR,
1321 name);
1322 }
1323 else
1324 {
1325 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1326 {
1327 bool error = false;
1328 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1329 if (!error)
1330 {
1331 array[(*len)++] = addr;
1332 }
1333 }
1334 else
1335 {
1336 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1337 }
1338 }
1339 }
1340
1341 /*
1342 * If DNS options are set use these for TUN/TAP options as well.
1343 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1344 * Existing options will be discarded.
1345 */
1346 static void
1347 tuntap_options_copy_dns(struct options *o)
1348 {
1349 struct tuntap_options *tt = &o->tuntap_options;
1350 struct dns_options *dns = &o->dns_options;
1351
1352 if (dns->search_domains)
1353 {
1354 tt->domain_search_list_len = 0;
1355 const struct dns_domain *domain = dns->search_domains;
1356 while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1357 {
1358 tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1359 domain = domain->next;
1360 }
1361 if (domain)
1362 {
1363 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1364 }
1365 }
1366
1367 if (dns->servers)
1368 {
1369 tt->dns_len = 0;
1370 tt->dns6_len = 0;
1371 bool overflow = false;
1372 const struct dns_server *server = dns->servers;
1373 while (server)
1374 {
1375 for (int i = 0; i < server->addr_count; ++i)
1376 {
1377 if (server->addr[i].family == AF_INET)
1378 {
1379 if (tt->dns_len >= N_DHCP_ADDR)
1380 {
1381 overflow = true;
1382 continue;
1383 }
1384 tt->dns[tt->dns_len++] = server->addr[i].in.a4.s_addr;
1385 }
1386 else
1387 {
1388 if (tt->dns6_len >= N_DHCP_ADDR)
1389 {
1390 overflow = true;
1391 continue;
1392 }
1393 tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
1394 }
1395 }
1396 server = server->next;
1397 }
1398 if (overflow)
1399 {
1400 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1401 }
1402 }
1403 }
1404 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1405 static void
1406 foreign_options_copy_dns(struct options *o, struct env_set *es)
1407 {
1408 const struct dns_domain *domain = o->dns_options.search_domains;
1409 const struct dns_server *server = o->dns_options.servers;
1410 if (!domain && !server)
1411 {
1412 return;
1413 }
1414
1415 /* reset the index since we're starting all over again */
1416 int opt_max = o->foreign_option_index;
1417 o->foreign_option_index = 0;
1418
1419 for (int i = 1; i <= opt_max; ++i)
1420 {
1421 char name[32];
1422 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
1423
1424 const char *env_str = env_set_get(es, name);
1425 const char *value = strchr(env_str, '=') + 1;
1426 if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1427 || (server && strstr(value, "dhcp-option DNS") == value))
1428 {
1429 setenv_del(es, name);
1430 }
1431 else
1432 {
1433 setenv_foreign_option(o, &value, 1, es);
1434 }
1435 }
1436
1437 struct gc_arena gc = gc_new();
1438
1439 while (server)
1440 {
1441 for (int i = 0; i < server->addr_count; ++i)
1442 {
1443 if (server->addr[i].family == AF_INET)
1444 {
1445 const char *argv[] = {
1446 "dhcp-option",
1447 "DNS",
1448 print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
1449 };
1450 setenv_foreign_option(o, argv, 3, es);
1451 }
1452 else
1453 {
1454 const char *argv[] = {
1455 "dhcp-option",
1456 "DNS6",
1457 print_in6_addr(server->addr[i].in.a6, 0, &gc)
1458 };
1459 setenv_foreign_option(o, argv, 3, es);
1460 }
1461 }
1462 server = server->next;
1463 }
1464 while (domain)
1465 {
1466 const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1467 setenv_foreign_option(o, argv, 3, es);
1468 domain = domain->next;
1469 }
1470
1471 gc_free(&gc);
1472
1473 /* remove old leftover entries */
1474 while (o->foreign_option_index < opt_max)
1475 {
1476 char name[32];
1477 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1478 setenv_del(es, name);
1479 }
1480 }
1481 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1482
1483 #ifndef ENABLE_SMALL
1484 static const char *
1485 print_vlan_accept(enum vlan_acceptable_frames mode)
1486 {
1487 switch (mode)
1488 {
1489 case VLAN_ONLY_TAGGED:
1490 return "tagged";
1491
1492 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1493 return "untagged";
1494
1495 case VLAN_ALL:
1496 return "all";
1497 }
1498 return NULL;
1499 }
1500
1501 static void
1502 show_p2mp_parms(const struct options *o)
1503 {
1504 struct gc_arena gc = gc_new();
1505
1506 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1507 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1508 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1509 SHOW_INT(server_netbits_ipv6);
1510 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1511 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1512 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1513 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1514 if (o->push_list.head)
1515 {
1516 const struct push_entry *e = o->push_list.head;
1517 while (e)
1518 {
1519 if (e->enable)
1520 {
1521 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1522 }
1523 e = e->next;
1524 }
1525 }
1526 SHOW_BOOL(ifconfig_pool_defined);
1527 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1528 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1529 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1530 SHOW_STR(ifconfig_pool_persist_filename);
1531 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1532 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1533 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1534 SHOW_INT(ifconfig_ipv6_pool_netbits);
1535 SHOW_INT(n_bcast_buf);
1536 SHOW_INT(tcp_queue_limit);
1537 SHOW_INT(real_hash_size);
1538 SHOW_INT(virtual_hash_size);
1539 SHOW_STR(client_connect_script);
1540 SHOW_STR(learn_address_script);
1541 SHOW_STR(client_disconnect_script);
1542 SHOW_STR(client_crresponse_script);
1543 SHOW_STR(client_config_dir);
1544 SHOW_BOOL(ccd_exclusive);
1545 SHOW_STR(tmp_dir);
1546 SHOW_BOOL(push_ifconfig_defined);
1547 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1548 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1549 SHOW_BOOL(push_ifconfig_ipv6_defined);
1550 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1551 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1552 SHOW_BOOL(enable_c2c);
1553 SHOW_BOOL(duplicate_cn);
1554 SHOW_INT(cf_max);
1555 SHOW_INT(cf_per);
1556 SHOW_INT(cf_initial_max);
1557 SHOW_INT(cf_initial_per);
1558 SHOW_INT(max_clients);
1559 SHOW_INT(max_routes_per_client);
1560 SHOW_STR(auth_user_pass_verify_script);
1561 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1562 SHOW_BOOL(auth_token_generate);
1563 SHOW_INT(auth_token_lifetime);
1564 SHOW_STR_INLINE(auth_token_secret_file);
1565 #if PORT_SHARE
1566 SHOW_STR(port_share_host);
1567 SHOW_STR(port_share_port);
1568 #endif
1569 SHOW_BOOL(vlan_tagging);
1570 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1571 SHOW_INT(vlan_pvid);
1572
1573 SHOW_BOOL(client);
1574 SHOW_BOOL(pull);
1575 SHOW_STR_INLINE(auth_user_pass_file);
1576
1577 gc_free(&gc);
1578 }
1579
1580 #endif /* ! ENABLE_SMALL */
1581
1582 static void
1583 option_iroute(struct options *o,
1584 const char *network_str,
1585 const char *netmask_str,
1586 int msglevel)
1587 {
1588 struct iroute *ir;
1589
1590 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1591 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1592 ir->netbits = 32; /* host route if no netmask given */
1593
1594 if (netmask_str)
1595 {
1596 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1597 ir->netbits = netmask_to_netbits2(netmask);
1598
1599 if (ir->netbits < 0)
1600 {
1601 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1602 network_str,
1603 netmask_str);
1604 return;
1605 }
1606 }
1607
1608 ir->next = o->iroutes;
1609 o->iroutes = ir;
1610 }
1611
1612 static void
1613 option_iroute_ipv6(struct options *o,
1614 const char *prefix_str,
1615 int msglevel)
1616 {
1617 struct iroute_ipv6 *ir;
1618
1619 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1620
1621 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1622 {
1623 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1624 prefix_str);
1625 return;
1626 }
1627
1628 ir->next = o->iroutes_ipv6;
1629 o->iroutes_ipv6 = ir;
1630 }
1631
1632 #ifndef ENABLE_SMALL
1633 static void
1634 show_http_proxy_options(const struct http_proxy_options *o)
1635 {
1636 int i;
1637 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1638 SHOW_STR(server);
1639 SHOW_STR(port);
1640 SHOW_STR(auth_method_string);
1641 SHOW_STR(auth_file);
1642 SHOW_STR(http_version);
1643 SHOW_STR(user_agent);
1644 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1645 {
1646 if (o->custom_headers[i].content)
1647 {
1648 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1649 o->custom_headers[i].name, o->custom_headers[i].content);
1650 }
1651 else
1652 {
1653 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1654 o->custom_headers[i].name);
1655 }
1656 }
1657 msg(D_SHOW_PARMS, "END http_proxy");
1658 }
1659 #endif /* ifndef ENABLE_SMALL */
1660
1661 void
1662 options_detach(struct options *o)
1663 {
1664 gc_detach(&o->gc);
1665 o->routes = NULL;
1666 o->client_nat = NULL;
1667 clone_push_list(o);
1668 }
1669
1670 void
1671 rol_check_alloc(struct options *options)
1672 {
1673 if (!options->routes)
1674 {
1675 options->routes = new_route_option_list(&options->gc);
1676 }
1677 }
1678
1679 static void
1680 rol6_check_alloc(struct options *options)
1681 {
1682 if (!options->routes_ipv6)
1683 {
1684 options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1685 }
1686 }
1687
1688 static void
1689 cnol_check_alloc(struct options *options)
1690 {
1691 if (!options->client_nat)
1692 {
1693 options->client_nat = new_client_nat_list(&options->gc);
1694 }
1695 }
1696
1697 #ifndef ENABLE_SMALL
1698 static void
1699 show_connection_entry(const struct connection_entry *o)
1700 {
1701 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1702 SHOW_STR(local);
1703 SHOW_STR(local_port);
1704 SHOW_STR(remote);
1705 SHOW_STR(remote_port);
1706 SHOW_BOOL(remote_float);
1707 SHOW_BOOL(bind_defined);
1708 SHOW_BOOL(bind_local);
1709 SHOW_BOOL(bind_ipv6_only);
1710 SHOW_INT(connect_retry_seconds);
1711 SHOW_INT(connect_timeout);
1712
1713 if (o->http_proxy_options)
1714 {
1715 show_http_proxy_options(o->http_proxy_options);
1716 }
1717 SHOW_STR(socks_proxy_server);
1718 SHOW_STR(socks_proxy_port);
1719 SHOW_INT(tun_mtu);
1720 SHOW_BOOL(tun_mtu_defined);
1721 SHOW_INT(link_mtu);
1722 SHOW_BOOL(link_mtu_defined);
1723 SHOW_INT(tun_mtu_extra);
1724 SHOW_BOOL(tun_mtu_extra_defined);
1725 SHOW_INT(tls_mtu);
1726
1727 SHOW_INT(mtu_discover_type);
1728
1729 #ifdef ENABLE_FRAGMENT
1730 SHOW_INT(fragment);
1731 #endif
1732 SHOW_INT(mssfix);
1733 SHOW_BOOL(mssfix_encap);
1734 SHOW_BOOL(mssfix_fixed);
1735
1736 SHOW_INT(explicit_exit_notification);
1737
1738 SHOW_STR_INLINE(tls_auth_file);
1739 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1740 "%s");
1741 SHOW_STR_INLINE(tls_crypt_file);
1742 SHOW_STR_INLINE(tls_crypt_v2_file);
1743 }
1744
1745
1746 static void
1747 show_connection_entries(const struct options *o)
1748 {
1749 if (o->connection_list)
1750 {
1751 const struct connection_list *l = o->connection_list;
1752 int i;
1753 for (i = 0; i < l->len; ++i)
1754 {
1755 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1756 show_connection_entry(l->array[i]);
1757 }
1758 }
1759 else
1760 {
1761 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1762 show_connection_entry(&o->ce);
1763 }
1764 msg(D_SHOW_PARMS, "Connection profiles END");
1765 }
1766
1767 static void
1768 show_pull_filter_list(const struct pull_filter_list *l)
1769 {
1770 struct pull_filter *f;
1771 if (!l)
1772 {
1773 return;
1774 }
1775
1776 msg(D_SHOW_PARMS, " Pull filters:");
1777 for (f = l->head; f; f = f->next)
1778 {
1779 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1780 }
1781 }
1782
1783 #endif /* ifndef ENABLE_SMALL */
1784
1785 void
1786 show_settings(const struct options *o)
1787 {
1788 #ifndef ENABLE_SMALL
1789 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1790
1791 SHOW_STR(config);
1792
1793 SHOW_INT(mode);
1794
1795 #ifdef ENABLE_FEATURE_TUN_PERSIST
1796 SHOW_BOOL(persist_config);
1797 SHOW_INT(persist_mode);
1798 #endif
1799
1800 SHOW_BOOL(show_ciphers);
1801 SHOW_BOOL(show_digests);
1802 SHOW_BOOL(show_engines);
1803 SHOW_BOOL(genkey);
1804 SHOW_STR(genkey_filename);
1805 SHOW_STR(key_pass_file);
1806 SHOW_BOOL(show_tls_ciphers);
1807
1808 SHOW_INT(connect_retry_max);
1809 show_connection_entries(o);
1810
1811 SHOW_BOOL(remote_random);
1812
1813 SHOW_STR(ipchange);
1814 SHOW_STR(dev);
1815 SHOW_STR(dev_type);
1816 SHOW_STR(dev_node);
1817 #if defined(ENABLE_DCO)
1818 SHOW_BOOL(tuntap_options.disable_dco);
1819 #endif
1820 SHOW_STR(lladdr);
1821 SHOW_INT(topology);
1822 SHOW_STR(ifconfig_local);
1823 SHOW_STR(ifconfig_remote_netmask);
1824 SHOW_BOOL(ifconfig_noexec);
1825 SHOW_BOOL(ifconfig_nowarn);
1826 SHOW_STR(ifconfig_ipv6_local);
1827 SHOW_INT(ifconfig_ipv6_netbits);
1828 SHOW_STR(ifconfig_ipv6_remote);
1829
1830 SHOW_INT(shaper);
1831 SHOW_INT(mtu_test);
1832
1833 SHOW_BOOL(mlock);
1834
1835 SHOW_INT(keepalive_ping);
1836 SHOW_INT(keepalive_timeout);
1837 SHOW_INT(inactivity_timeout);
1838 SHOW_INT(session_timeout);
1839 SHOW_INT64(inactivity_minimum_bytes);
1840 SHOW_INT(ping_send_timeout);
1841 SHOW_INT(ping_rec_timeout);
1842 SHOW_INT(ping_rec_timeout_action);
1843 SHOW_BOOL(ping_timer_remote);
1844 SHOW_INT(remap_sigusr1);
1845 SHOW_BOOL(persist_tun);
1846 SHOW_BOOL(persist_local_ip);
1847 SHOW_BOOL(persist_remote_ip);
1848 SHOW_BOOL(persist_key);
1849
1850 #if PASSTOS_CAPABILITY
1851 SHOW_BOOL(passtos);
1852 #endif
1853
1854 SHOW_INT(resolve_retry_seconds);
1855 SHOW_BOOL(resolve_in_advance);
1856
1857 SHOW_STR(username);
1858 SHOW_STR(groupname);
1859 SHOW_STR(chroot_dir);
1860 SHOW_STR(cd_dir);
1861 #ifdef ENABLE_SELINUX
1862 SHOW_STR(selinux_context);
1863 #endif
1864 SHOW_STR(writepid);
1865 SHOW_STR(up_script);
1866 SHOW_STR(down_script);
1867 SHOW_BOOL(down_pre);
1868 SHOW_BOOL(up_restart);
1869 SHOW_BOOL(up_delay);
1870 SHOW_BOOL(daemon);
1871 SHOW_BOOL(log);
1872 SHOW_BOOL(suppress_timestamps);
1873 SHOW_BOOL(machine_readable_output);
1874 SHOW_INT(nice);
1875 SHOW_INT(verbosity);
1876 SHOW_INT(mute);
1877 #ifdef ENABLE_DEBUG
1878 SHOW_INT(gremlin);
1879 #endif
1880 SHOW_STR(status_file);
1881 SHOW_INT(status_file_version);
1882 SHOW_INT(status_file_update_freq);
1883
1884 SHOW_BOOL(occ);
1885 SHOW_INT(rcvbuf);
1886 SHOW_INT(sndbuf);
1887 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1888 SHOW_INT(mark);
1889 #endif
1890 SHOW_INT(sockflags);
1891
1892 SHOW_BOOL(fast_io);
1893
1894 SHOW_INT(comp.alg);
1895 SHOW_INT(comp.flags);
1896
1897 SHOW_STR(route_script);
1898 SHOW_STR(route_default_gateway);
1899 SHOW_INT(route_default_metric);
1900 SHOW_BOOL(route_noexec);
1901 SHOW_INT(route_delay);
1902 SHOW_INT(route_delay_window);
1903 SHOW_BOOL(route_delay_defined);
1904 SHOW_BOOL(route_nopull);
1905 SHOW_BOOL(route_gateway_via_dhcp);
1906 SHOW_BOOL(allow_pull_fqdn);
1907 show_pull_filter_list(o->pull_filter_list);
1908
1909 if (o->routes)
1910 {
1911 print_route_options(o->routes, D_SHOW_PARMS);
1912 }
1913
1914 if (o->client_nat)
1915 {
1916 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1917 }
1918
1919 show_dns_options(&o->dns_options);
1920
1921 #ifdef ENABLE_MANAGEMENT
1922 SHOW_STR(management_addr);
1923 SHOW_STR(management_port);
1924 SHOW_STR(management_user_pass);
1925 SHOW_INT(management_log_history_cache);
1926 SHOW_INT(management_echo_buffer_size);
1927 SHOW_STR(management_client_user);
1928 SHOW_STR(management_client_group);
1929 SHOW_INT(management_flags);
1930 #endif
1931 #ifdef ENABLE_PLUGIN
1932 if (o->plugin_list)
1933 {
1934 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1935 }
1936 #endif
1937
1938 SHOW_STR_INLINE(shared_secret_file);
1939 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1940 SHOW_STR(ciphername);
1941 SHOW_STR(ncp_ciphers);
1942 SHOW_STR(authname);
1943 #ifndef ENABLE_CRYPTO_MBEDTLS
1944 SHOW_BOOL(engine);
1945 #endif /* ENABLE_CRYPTO_MBEDTLS */
1946 SHOW_BOOL(mute_replay_warnings);
1947 SHOW_INT(replay_window);
1948 SHOW_INT(replay_time);
1949 SHOW_STR(packet_id_file);
1950 SHOW_BOOL(test_crypto);
1951 #ifdef ENABLE_PREDICTION_RESISTANCE
1952 SHOW_BOOL(use_prediction_resistance);
1953 #endif
1954
1955 SHOW_BOOL(tls_server);
1956 SHOW_BOOL(tls_client);
1957 SHOW_STR_INLINE(ca_file);
1958 SHOW_STR(ca_path);
1959 SHOW_STR_INLINE(dh_file);
1960 if ((o->management_flags & MF_EXTERNAL_CERT))
1961 {
1962 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1963 }
1964 else
1965 {
1966 SHOW_STR_INLINE(cert_file);
1967 }
1968 SHOW_STR_INLINE(extra_certs_file);
1969
1970 if ((o->management_flags & MF_EXTERNAL_KEY))
1971 {
1972 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1973 }
1974 else
1975 {
1976 SHOW_STR_INLINE(priv_key_file);
1977 }
1978 #ifndef ENABLE_CRYPTO_MBEDTLS
1979 SHOW_STR_INLINE(pkcs12_file);
1980 #endif
1981 #ifdef ENABLE_CRYPTOAPI
1982 SHOW_STR(cryptoapi_cert);
1983 #endif
1984 SHOW_STR(cipher_list);
1985 SHOW_STR(cipher_list_tls13);
1986 SHOW_STR(tls_cert_profile);
1987 SHOW_STR(tls_verify);
1988 SHOW_STR(tls_export_cert);
1989 SHOW_INT(verify_x509_type);
1990 SHOW_STR(verify_x509_name);
1991 SHOW_STR_INLINE(crl_file);
1992 SHOW_INT(ns_cert_type);
1993 {
1994 int i;
1995 for (i = 0; i<MAX_PARMS; i++)
1996 {
1997 SHOW_INT(remote_cert_ku[i]);
1998 }
1999 }
2000 SHOW_STR(remote_cert_eku);
2001 if (o->verify_hash)
2002 {
2003 SHOW_INT(verify_hash_algo);
2004 SHOW_INT(verify_hash_depth);
2005 struct gc_arena gc = gc_new();
2006 struct verify_hash_list *hl = o->verify_hash;
2007 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2008 SHA256_DIGEST_LENGTH;
2009 while (hl)
2010 {
2011 char *s = format_hex_ex(hl->hash, digest_len, 0,
2012 1, ":", &gc);
2013 SHOW_PARM(verify_hash, s, "%s");
2014 hl = hl->next;
2015 }
2016 gc_free(&gc);
2017 }
2018 SHOW_INT(ssl_flags);
2019
2020 SHOW_INT(tls_timeout);
2021
2022 SHOW_INT(renegotiate_bytes);
2023 SHOW_INT(renegotiate_packets);
2024 SHOW_INT(renegotiate_seconds);
2025
2026 SHOW_INT(handshake_window);
2027 SHOW_INT(transition_window);
2028
2029 SHOW_BOOL(single_session);
2030 SHOW_BOOL(push_peer_info);
2031 SHOW_BOOL(tls_exit);
2032
2033 SHOW_STR(tls_crypt_v2_metadata);
2034
2035 #ifdef ENABLE_PKCS11
2036 {
2037 int i;
2038 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2039 {
2040 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2041 }
2042 }
2043 {
2044 int i;
2045 for (i = 0; i<MAX_PARMS; i++)
2046 {
2047 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2048 }
2049 }
2050 {
2051 int i;
2052 for (i = 0; i<MAX_PARMS; i++)
2053 {
2054 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2055 }
2056 }
2057 {
2058 int i;
2059 for (i = 0; i<MAX_PARMS; i++)
2060 {
2061 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2062 }
2063 }
2064 SHOW_INT(pkcs11_pin_cache_period);
2065 SHOW_STR(pkcs11_id);
2066 SHOW_BOOL(pkcs11_id_management);
2067 #endif /* ENABLE_PKCS11 */
2068
2069 show_p2mp_parms(o);
2070
2071 #ifdef _WIN32
2072 SHOW_BOOL(show_net_up);
2073 SHOW_INT(route_method);
2074 SHOW_BOOL(block_outside_dns);
2075 show_tuntap_options(&o->tuntap_options);
2076 #endif
2077 #endif /* ifndef ENABLE_SMALL */
2078 }
2079
2080 #undef SHOW_PARM
2081 #undef SHOW_STR
2082 #undef SHOW_INT
2083 #undef SHOW_BOOL
2084
2085 #ifdef ENABLE_MANAGEMENT
2086
2087 static struct http_proxy_options *
2088 parse_http_proxy_override(const char *server,
2089 const char *port,
2090 const char *flags,
2091 const int msglevel,
2092 struct gc_arena *gc)
2093 {
2094 if (server && port)
2095 {
2096 struct http_proxy_options *ho;
2097 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2098 ho->server = string_alloc(server, gc);
2099 ho->port = port;
2100 if (flags && !strcmp(flags, "nct"))
2101 {
2102 ho->auth_retry = PAR_NCT;
2103 }
2104 else
2105 {
2106 ho->auth_retry = PAR_ALL;
2107 }
2108 ho->http_version = "1.0";
2109 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2110 return ho;
2111 }
2112 else
2113 {
2114 return NULL;
2115 }
2116 }
2117
2118 static void
2119 options_postprocess_http_proxy_override(struct options *o)
2120 {
2121 const struct connection_list *l = o->connection_list;
2122 int i;
2123 bool succeed = false;
2124 for (i = 0; i < l->len; ++i)
2125 {
2126 struct connection_entry *ce = l->array[i];
2127 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2128 {
2129 ce->http_proxy_options = o->http_proxy_override;
2130 succeed = true;
2131 }
2132 }
2133 if (succeed)
2134 {
2135 for (i = 0; i < l->len; ++i)
2136 {
2137 struct connection_entry *ce = l->array[i];
2138 if (ce->proto == PROTO_UDP)
2139 {
2140 ce->flags |= CE_DISABLED;
2141 }
2142 }
2143 }
2144 else
2145 {
2146 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2147 }
2148 }
2149
2150 #endif /* ifdef ENABLE_MANAGEMENT */
2151
2152 static struct connection_list *
2153 alloc_connection_list_if_undef(struct options *options)
2154 {
2155 if (!options->connection_list)
2156 {
2157 ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2158 }
2159 return options->connection_list;
2160 }
2161
2162 static struct connection_entry *
2163 alloc_connection_entry(struct options *options, const int msglevel)
2164 {
2165 struct connection_list *l = alloc_connection_list_if_undef(options);
2166 struct connection_entry *e;
2167
2168 if (l->len == l->capacity)
2169 {
2170 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2171 struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2172 if (ce == NULL)
2173 {
2174 msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2175 return NULL;
2176 }
2177 l->array = ce;
2178 l->capacity = capacity;
2179 }
2180 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2181 l->array[l->len++] = e;
2182 return e;
2183 }
2184
2185 static struct remote_list *
2186 alloc_remote_list_if_undef(struct options *options)
2187 {
2188 if (!options->remote_list)
2189 {
2190 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2191 }
2192 return options->remote_list;
2193 }
2194
2195 static struct remote_entry *
2196 alloc_remote_entry(struct options *options, const int msglevel)
2197 {
2198 struct remote_list *l = alloc_remote_list_if_undef(options);
2199 struct remote_entry *e;
2200
2201 if (l->len == l->capacity)
2202 {
2203 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2204 struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2205 if (re == NULL)
2206 {
2207 msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2208 return NULL;
2209 }
2210 l->array = re;
2211 l->capacity = capacity;
2212 }
2213 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2214 l->array[l->len++] = e;
2215 return e;
2216 }
2217
2218 static struct pull_filter_list *
2219 alloc_pull_filter_list(struct options *o)
2220 {
2221 if (!o->pull_filter_list)
2222 {
2223 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2224 }
2225 return o->pull_filter_list;
2226 }
2227
2228 static struct pull_filter *
2229 alloc_pull_filter(struct options *o, const int msglevel)
2230 {
2231 struct pull_filter_list *l = alloc_pull_filter_list(o);
2232 struct pull_filter *f;
2233
2234 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2235 if (l->head)
2236 {
2237 ASSERT(l->tail);
2238 l->tail->next = f;
2239 }
2240 else
2241 {
2242 ASSERT(!l->tail);
2243 l->head = f;
2244 }
2245 l->tail = f;
2246 return f;
2247 }
2248
2249 static void
2250 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2251 {
2252 if (re->remote)
2253 {
2254 ce->remote = re->remote;
2255 }
2256 if (re->remote_port)
2257 {
2258 ce->remote_port = re->remote_port;
2259 }
2260 if (re->proto >= 0)
2261 {
2262 ce->proto = re->proto;
2263 }
2264 if (re->af > 0)
2265 {
2266 ce->af = re->af;
2267 }
2268 }
2269
2270 static void
2271 connection_entry_preload_key(const char **key_file, bool *key_inline,
2272 struct gc_arena *gc)
2273 {
2274 if (key_file && *key_file && !(*key_inline))
2275 {
2276 struct buffer in = buffer_read_from_file(*key_file, gc);
2277 if (!buf_valid(&in))
2278 {
2279 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2280 }
2281
2282 *key_file = (const char *) in.data;
2283 *key_inline = true;
2284 }
2285 }
2286
2287 static void
2288 check_ca_required(const struct options *options)
2289 {
2290 if (options->verify_hash_no_ca
2291 || options->pkcs12_file
2292 || options->ca_file
2293 #ifndef ENABLE_CRYPTO_MBEDTLS
2294 || options->ca_path
2295 #endif
2296 )
2297 {
2298 return;
2299 }
2300
2301 const char *const str = "You must define CA file (--ca)"
2302 #ifndef ENABLE_CRYPTO_MBEDTLS
2303 " or CA path (--capath)"
2304 #endif
2305 " and/or peer fingerprint verification (--peer-fingerprint)";
2306 msg(M_USAGE, "%s", str);
2307 }
2308
2309 static void
2310 options_postprocess_verify_ce(const struct options *options,
2311 const struct connection_entry *ce)
2312 {
2313 struct options defaults;
2314 int dev = DEV_TYPE_UNDEF;
2315 bool pull = false;
2316
2317 init_options(&defaults, true);
2318
2319 if (options->test_crypto)
2320 {
2321 notnull(options->shared_secret_file, "key file (--secret)");
2322 }
2323 else
2324 {
2325 notnull(options->dev, "TUN/TAP device (--dev)");
2326 }
2327
2328 /*
2329 * Get tun/tap/null device type
2330 */
2331 dev = dev_type_enum(options->dev, options->dev_type);
2332
2333 /*
2334 * If "proto tcp" is specified, make sure we know whether it is
2335 * tcp-client or tcp-server.
2336 */
2337 if (ce->proto == PROTO_TCP)
2338 {
2339 msg(M_USAGE,
2340 "--proto tcp is ambiguous in this context. Please specify "
2341 "--proto tcp-server or --proto tcp-client");
2342 }
2343
2344 if (options->lladdr && dev != DEV_TYPE_TAP)
2345 {
2346 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2347 }
2348
2349 /*
2350 * Sanity check on MTU parameters
2351 */
2352 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2353 {
2354 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2355 }
2356
2357 if (!proto_is_udp(ce->proto) && options->mtu_test)
2358 {
2359 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2360 }
2361
2362 /* will we be pulling options from server? */
2363 pull = options->pull;
2364
2365 /*
2366 * Sanity check on --local, --remote, and --ifconfig
2367 */
2368
2369 if (proto_is_net(ce->proto)
2370 && string_defined_equal(ce->local, ce->remote)
2371 && string_defined_equal(ce->local_port, ce->remote_port))
2372 {
2373 msg(M_USAGE, "--remote and --local addresses are the same");
2374 }
2375
2376 if (string_defined_equal(ce->remote, options->ifconfig_local)
2377 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2378 {
2379 msg(M_USAGE,
2380 "--local and --remote addresses must be distinct from --ifconfig "
2381 "addresses");
2382 }
2383
2384 if (string_defined_equal(ce->local, options->ifconfig_local)
2385 || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2386 {
2387 msg(M_USAGE,
2388 "--local addresses must be distinct from --ifconfig addresses");
2389 }
2390
2391 if (string_defined_equal(options->ifconfig_local,
2392 options->ifconfig_remote_netmask))
2393 {
2394 msg(M_USAGE,
2395 "local and remote/netmask --ifconfig addresses must be different");
2396 }
2397
2398 if (ce->bind_defined && !ce->bind_local)
2399 {
2400 msg(M_USAGE, "--bind and --nobind can't be used together");
2401 }
2402
2403 if (ce->local && !ce->bind_local)
2404 {
2405 msg(M_USAGE,
2406 "--local and --nobind don't make sense when used together");
2407 }
2408
2409 if (ce->local_port_defined && !ce->bind_local)
2410 {
2411 msg(M_USAGE,
2412 "--lport and --nobind don't make sense when used together");
2413 }
2414
2415 if (!ce->remote && !ce->bind_local)
2416 {
2417 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2418 }
2419
2420 /*
2421 * Check for consistency of management options
2422 */
2423 #ifdef ENABLE_MANAGEMENT
2424 if (!options->management_addr
2425 && (options->management_flags
2426 || options->management_log_history_cache != defaults.management_log_history_cache))
2427 {
2428 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2429 }
2430
2431 if ((options->management_client_user || options->management_client_group)
2432 && !(options->management_flags & MF_UNIX_SOCK))
2433 {
2434 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2435 }
2436
2437 if (options->management_addr
2438 && !(options->management_flags & MF_UNIX_SOCK)
2439 && (!options->management_user_pass))
2440 {
2441 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2442 "passwords is STRONGLY discouraged and considered insecure");
2443 }
2444
2445 #endif /* ifdef ENABLE_MANAGEMENT */
2446
2447 #if !defined(HAVE_XKEY_PROVIDER)
2448 if ((tls_version_max() >= TLS_VER_1_3)
2449 && (options->management_flags & MF_EXTERNAL_KEY)
2450 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2451 )
2452 {
2453 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2454 "nopadding argument/support");
2455 }
2456 #endif
2457 /*
2458 * Windows-specific options.
2459 */
2460
2461 #ifdef _WIN32
2462 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2463 {
2464 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2465 }
2466
2467 if ((options->tuntap_options.ip_win32_defined)
2468 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2469 {
2470 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2471 }
2472
2473 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2474 {
2475 const char *prefix = "Some dhcp-options require DHCP server";
2476 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2477 {
2478 msg(M_USAGE, "%s, which is not supported by selected %s driver",
2479 prefix, print_windows_driver(options->windows_driver));
2480 }
2481 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2482 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2483 {
2484 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2485 prefix);
2486 }
2487 }
2488
2489 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2490 {
2491 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2492 }
2493 #endif /* ifdef _WIN32 */
2494
2495 /*
2496 * Check that protocol options make sense.
2497 */
2498
2499 #ifdef ENABLE_FRAGMENT
2500 if (!proto_is_udp(ce->proto) && ce->fragment)
2501 {
2502 msg(M_USAGE, "--fragment can only be used with --proto udp");
2503 }
2504 #endif
2505
2506 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2507 {
2508 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2509 }
2510
2511 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2512 {
2513 msg(M_USAGE,
2514 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2515 "tcp-client)");
2516 }
2517
2518 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2519 {
2520 msg(M_USAGE,
2521 "--http-proxy not specified but other http proxy options present");
2522 }
2523
2524 if (ce->http_proxy_options && ce->socks_proxy_server)
2525 {
2526 msg(M_USAGE,
2527 "--http-proxy can not be used together with --socks-proxy");
2528 }
2529
2530 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2531 {
2532 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2533 }
2534
2535 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2536 {
2537 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2538 }
2539
2540 /*
2541 * Check consistency of --mode server options.
2542 */
2543 if (options->mode == MODE_SERVER)
2544 {
2545 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2546 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2547 #ifdef TARGET_ANDROID
2548 msg(M_FATAL, "--mode server not supported on Android");
2549 #endif
2550 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2551 {
2552 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2553 }
2554 if (options->pull)
2555 {
2556 msg(M_USAGE, "--pull cannot be used with --mode server");
2557 }
2558 if (options->pull_filter_list)
2559 {
2560 msg(M_WARN, "--pull-filter ignored for --mode server");
2561 }
2562 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2563 {
2564 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2565 }
2566 #if PORT_SHARE
2567 if ((options->port_share_host || options->port_share_port)
2568 && (ce->proto != PROTO_TCP_SERVER))
2569 {
2570 msg(M_USAGE, "--port-share only works in TCP server mode "
2571 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2572 }
2573 #endif
2574 if (!options->tls_server)
2575 {
2576 msg(M_USAGE, "--mode server requires --tls-server");
2577 }
2578 if (ce->remote)
2579 {
2580 msg(M_USAGE, "--remote cannot be used with --mode server");
2581 }
2582 if (!ce->bind_local)
2583 {
2584 msg(M_USAGE, "--nobind cannot be used with --mode server");
2585 }
2586 if (ce->http_proxy_options)
2587 {
2588 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2589 }
2590 if (ce->socks_proxy_server)
2591 {
2592 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2593 }
2594 /* <connection> blocks force to have a remote embedded, so we check
2595 * for the --remote and bail out if it is present
2596 */
2597 if (options->connection_list->len >1
2598 || options->connection_list->array[0]->remote)
2599 {
2600 msg(M_USAGE, "<connection> cannot be used with --mode server");
2601 }
2602
2603 if (options->shaper)
2604 {
2605 msg(M_USAGE, "--shaper cannot be used with --mode server");
2606 }
2607 if (options->ipchange)
2608 {
2609 msg(M_USAGE,
2610 "--ipchange cannot be used with --mode server (use "
2611 "--client-connect instead)");
2612 }
2613 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2614 {
2615 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2616 }
2617 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2618 {
2619 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2620 }
2621 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2622 {
2623 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2624 }
2625 if (options->routes && (options->routes->flags & RG_ENABLE))
2626 {
2627 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2628 }
2629 if (options->route_delay_defined)
2630 {
2631 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2632 }
2633 if (options->up_delay)
2634 {
2635 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2636 }
2637 if (!options->ifconfig_pool_defined
2638 && !options->ifconfig_ipv6_pool_defined
2639 && options->ifconfig_pool_persist_filename)
2640 {
2641 msg(M_USAGE,
2642 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2643 }
2644 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2645 {
2646 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2647 }
2648 if (options->allow_recursive_routing)
2649 {
2650 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2651 }
2652 if (options->auth_user_pass_file)
2653 {
2654 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2655 }
2656 if (options->ccd_exclusive && !options->client_config_dir)
2657 {
2658 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2659 }
2660 if (options->auth_token_generate && !options->renegotiate_seconds)
2661 {
2662 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2663 "--renegotiate_seconds setting");
2664 }
2665 if (options->auth_token_generate && options->auth_token_renewal
2666 && options->auth_token_renewal < 2 * options->handshake_window)
2667 {
2668 msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2669 " two times --hand-window (%d).",
2670 options->handshake_window);
2671
2672 }
2673 {
2674 const bool ccnr = (options->auth_user_pass_verify_script
2675 || PLUGIN_OPTION_LIST(options)
2676 || MAN_CLIENT_AUTH_ENABLED(options));
2677 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2678 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2679 {
2680 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2681 }
2682 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2683 {
2684 msg(M_USAGE, "--username-as-common-name %s", postfix);
2685 }
2686 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2687 {
2688 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2689 }
2690 }
2691
2692 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2693 {
2694 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2695 }
2696 if (!options->vlan_tagging)
2697 {
2698 if (options->vlan_accept != defaults.vlan_accept)
2699 {
2700 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2701 }
2702 if (options->vlan_pvid != defaults.vlan_pvid)
2703 {
2704 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2705 }
2706 }
2707 }
2708 else
2709 {
2710 /*
2711 * When not in server mode, err if parameters are
2712 * specified which require --mode server.
2713 */
2714 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2715 {
2716 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2717 }
2718 if (options->ifconfig_ipv6_pool_defined)
2719 {
2720 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2721 }
2722 if (options->real_hash_size != defaults.real_hash_size
2723 || options->virtual_hash_size != defaults.virtual_hash_size)
2724 {
2725 msg(M_USAGE, "--hash-size requires --mode server");
2726 }
2727 if (options->learn_address_script)
2728 {
2729 msg(M_USAGE, "--learn-address requires --mode server");
2730 }
2731 if (options->client_connect_script)
2732 {
2733 msg(M_USAGE, "--client-connect requires --mode server");
2734 }
2735 if (options->client_crresponse_script)
2736 {
2737 msg(M_USAGE, "--client-crresponse requires --mode server");
2738 }
2739 if (options->client_disconnect_script)
2740 {
2741 msg(M_USAGE, "--client-disconnect requires --mode server");
2742 }
2743 if (options->client_config_dir || options->ccd_exclusive)
2744 {
2745 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2746 }
2747 if (options->enable_c2c)
2748 {
2749 msg(M_USAGE, "--client-to-client requires --mode server");
2750 }
2751 if (options->duplicate_cn)
2752 {
2753 msg(M_USAGE, "--duplicate-cn requires --mode server");
2754 }
2755 if (options->cf_max || options->cf_per)
2756 {
2757 msg(M_USAGE, "--connect-freq requires --mode server");
2758 }
2759 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2760 {
2761 msg(M_USAGE, "--verify-client-cert requires --mode server");
2762 }
2763 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2764 {
2765 msg(M_USAGE, "--username-as-common-name requires --mode server");
2766 }
2767 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2768 {
2769 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2770 }
2771 if (options->ssl_flags & SSLF_OPT_VERIFY)
2772 {
2773 msg(M_USAGE, "--opt-verify requires --mode server");
2774 }
2775 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2776 {
2777 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2778 "affect the server. To have TCP_NODELAY in both direction use "
2779 "tcp-nodelay in the server configuration instead.");
2780 }
2781 if (options->auth_user_pass_verify_script)
2782 {
2783 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2784 }
2785 if (options->auth_token_generate)
2786 {
2787 msg(M_USAGE, "--auth-gen-token requires --mode server");
2788 }
2789 #if PORT_SHARE
2790 if (options->port_share_host || options->port_share_port)
2791 {
2792 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2793 }
2794 #endif
2795
2796 if (options->stale_routes_check_interval)
2797 {
2798 msg(M_USAGE, "--stale-routes-check requires --mode server");
2799 }
2800
2801 if (options->vlan_tagging)
2802 {
2803 msg(M_USAGE, "--vlan-tagging requires --mode server");
2804 }
2805 }
2806
2807 /*
2808 * SSL/TLS mode sanity checks.
2809 */
2810 if (options->tls_server + options->tls_client
2811 +(options->shared_secret_file != NULL) > 1)
2812 {
2813 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2814 }
2815
2816 if (!options->tls_server && !options->tls_client)
2817 {
2818 int msglevel = M_USAGE;
2819 if (options->allow_deprecated_insecure_static_crypto)
2820 {
2821 msglevel = M_INFO;
2822 }
2823
2824 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2825 "configuration detected. OpenVPN 2.8 will remove the "
2826 "functionality to run a VPN without TLS. "
2827 "See the examples section in the manual page for "
2828 "examples of a similar quick setup with peer-fingerprint."
2829 "OpenVPN 2.7 allows using this configuration when using "
2830 "--allow-deprecated-insecure-static-crypto but you should move"
2831 "to a proper configuration using TLS as soon as possible."
2832 );
2833 }
2834
2835 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2836 {
2837 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2838 "--verify-client-cert none|optional "
2839 "may accept clients which do not present a certificate");
2840 }
2841
2842 const int tls_version_max =
2843 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2844 & SSLF_TLS_VERSION_MAX_MASK;
2845 const int tls_version_min =
2846 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2847 & SSLF_TLS_VERSION_MIN_MASK;
2848
2849 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2850 {
2851 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2852 }
2853
2854 if (options->tls_server || options->tls_client)
2855 {
2856 check_ca_required(options);
2857 #ifdef ENABLE_PKCS11
2858 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2859 {
2860 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2861 }
2862 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2863 {
2864 msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2865 }
2866
2867 if (options->pkcs11_providers[0])
2868 {
2869 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2870 {
2871 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2872 }
2873 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2874 {
2875 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2876 }
2877 if (options->cert_file)
2878 {
2879 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2880 }
2881 if (options->priv_key_file)
2882 {
2883 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2884 }
2885 if (options->management_flags & MF_EXTERNAL_KEY)
2886 {
2887 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2888 }
2889 if (options->management_flags & MF_EXTERNAL_CERT)
2890 {
2891 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2892 }
2893 if (options->pkcs12_file)
2894 {
2895 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2896 }
2897 #ifdef ENABLE_CRYPTOAPI
2898 if (options->cryptoapi_cert)
2899 {
2900 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2901 }
2902 #endif
2903 }
2904 else
2905 #endif /* ifdef ENABLE_PKCS11 */
2906 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2907 {
2908 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2909 }
2910 else if ((options->management_flags & MF_EXTERNAL_CERT))
2911 {
2912 if (options->cert_file)
2913 {
2914 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2915 }
2916 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2917 {
2918 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2919 }
2920 }
2921 else
2922 #ifdef ENABLE_CRYPTOAPI
2923 if (options->cryptoapi_cert)
2924 {
2925 if (options->cert_file)
2926 {
2927 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2928 }
2929 if (options->priv_key_file)
2930 {
2931 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2932 }
2933 if (options->pkcs12_file)
2934 {
2935 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2936 }
2937 if (options->management_flags & MF_EXTERNAL_KEY)
2938 {
2939 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2940 }
2941 if (options->management_flags & MF_EXTERNAL_CERT)
2942 {
2943 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2944 }
2945 }
2946 else
2947 #endif /* ifdef ENABLE_CRYPTOAPI */
2948 if (options->pkcs12_file)
2949 {
2950 #ifdef ENABLE_CRYPTO_MBEDTLS
2951 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2952 #else
2953 if (options->ca_path)
2954 {
2955 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2956 }
2957 if (options->cert_file)
2958 {
2959 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2960 }
2961 if (options->priv_key_file)
2962 {
2963 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2964 }
2965 if (options->management_flags & MF_EXTERNAL_KEY)
2966 {
2967 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2968 }
2969 if (options->management_flags & MF_EXTERNAL_CERT)
2970 {
2971 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2972 }
2973 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2974 }
2975 else
2976 {
2977 #ifdef ENABLE_CRYPTO_MBEDTLS
2978 if (options->ca_path)
2979 {
2980 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2981 }
2982 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2983 if (pull)
2984 {
2985
2986 const int sum =
2987 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2988 + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2989
2990 if (sum == 0)
2991 {
2992 if (!options->auth_user_pass_file)
2993 {
2994 msg(M_USAGE, "No client-side authentication method is "
2995 "specified. You must use either "
2996 "--cert/--key, --pkcs12, or "
2997 "--auth-user-pass");
2998 }
2999 }
3000 else if (sum != 2)
3001 {
3002 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
3003 }
3004 }
3005 else
3006 {
3007 if (!(options->management_flags & MF_EXTERNAL_CERT))
3008 {
3009 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3010 }
3011 if (!(options->management_flags & MF_EXTERNAL_KEY))
3012 {
3013 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
3014 }
3015 }
3016 }
3017 if (ce->tls_auth_file && ce->tls_crypt_file)
3018 {
3019 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
3020 }
3021 if (options->tls_client && ce->tls_crypt_v2_file
3022 && (ce->tls_auth_file || ce->tls_crypt_file))
3023 {
3024 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3025 }
3026 }
3027 else
3028 {
3029 /*
3030 * Make sure user doesn't specify any TLS options
3031 * when in non-TLS mode.
3032 */
3033
3034 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3035 }
3036
3037 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3038
3039 MUST_BE_UNDEF(ca_file);
3040 MUST_BE_UNDEF(ca_path);
3041 MUST_BE_UNDEF(dh_file);
3042 MUST_BE_UNDEF(cert_file);
3043 MUST_BE_UNDEF(priv_key_file);
3044 #ifndef ENABLE_CRYPTO_MBEDTLS
3045 MUST_BE_UNDEF(pkcs12_file);
3046 #endif
3047 MUST_BE_UNDEF(cipher_list);
3048 MUST_BE_UNDEF(cipher_list_tls13);
3049 MUST_BE_UNDEF(tls_cert_profile);
3050 MUST_BE_UNDEF(tls_verify);
3051 MUST_BE_UNDEF(tls_export_cert);
3052 MUST_BE_UNDEF(verify_x509_name);
3053 MUST_BE_UNDEF(tls_timeout);
3054 MUST_BE_UNDEF(renegotiate_bytes);
3055 MUST_BE_UNDEF(renegotiate_packets);
3056 MUST_BE_UNDEF(renegotiate_seconds);
3057 MUST_BE_UNDEF(handshake_window);
3058 MUST_BE_UNDEF(transition_window);
3059 MUST_BE_UNDEF(tls_auth_file);
3060 MUST_BE_UNDEF(tls_crypt_file);
3061 MUST_BE_UNDEF(tls_crypt_v2_file);
3062 MUST_BE_UNDEF(single_session);
3063 MUST_BE_UNDEF(push_peer_info);
3064 MUST_BE_UNDEF(tls_exit);
3065 MUST_BE_UNDEF(crl_file);
3066 MUST_BE_UNDEF(ns_cert_type);
3067 MUST_BE_UNDEF(remote_cert_ku[0]);
3068 MUST_BE_UNDEF(remote_cert_eku);
3069 #ifdef ENABLE_PKCS11
3070 MUST_BE_UNDEF(pkcs11_providers[0]);
3071 MUST_BE_UNDEF(pkcs11_private_mode[0]);
3072 MUST_BE_UNDEF(pkcs11_id);
3073 MUST_BE_UNDEF(pkcs11_id_management);
3074 #endif
3075
3076 if (pull)
3077 {
3078 msg(M_USAGE, err, "--pull");
3079 }
3080 }
3081 #undef MUST_BE_UNDEF
3082
3083 if (options->auth_user_pass_file && !options->pull)
3084 {
3085 msg(M_USAGE, "--auth-user-pass requires --pull");
3086 }
3087
3088 uninit_options(&defaults);
3089 }
3090
3091 static void
3092 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3093 {
3094 const int dev = dev_type_enum(o->dev, o->dev_type);
3095
3096 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3097 {
3098 if (ce->proto == PROTO_TCP)
3099 {
3100 ce->proto = PROTO_TCP_SERVER;
3101 }
3102 }
3103
3104 if (o->client)
3105 {
3106 if (ce->proto == PROTO_TCP)
3107 {
3108 ce->proto = PROTO_TCP_CLIENT;
3109 }
3110 }
3111
3112 /* an option is present that requires local bind to enabled */
3113 bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3114
3115 /* socks proxy is enabled */
3116 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3117
3118 /* If binding is not forced by an explicit option and we have (at least)
3119 * one of --tcp-client, --pull (or --client), or socks we do not bind
3120 * locally to have "normal" IP client behaviour of a random source port */
3121 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3122 {
3123 ce->bind_local = false;
3124 }
3125
3126 if (!ce->bind_local)
3127 {
3128 ce->local_port = NULL;
3129 }
3130
3131 /* if protocol forcing is enabled, disable all protocols
3132 * except for the forced one
3133 */
3134 if (o->proto_force >= 0 && o->proto_force != ce->proto)
3135 {
3136 ce->flags |= CE_DISABLED;
3137 }
3138
3139 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3140 * so fall back to IPv4-only (trac #1221)
3141 */
3142 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3143 {
3144 if (ce->af == AF_INET6)
3145 {
3146 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3147 "'--socks-proxy' today. Forcing IPv4 mode." );
3148 }
3149 else
3150 {
3151 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3152 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3153 }
3154 ce->af = AF_INET;
3155 }
3156
3157 /*
3158 * Set MTU defaults
3159 */
3160 {
3161 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3162 {
3163 ce->tun_mtu_defined = true;
3164 }
3165 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3166 {
3167 ce->tun_mtu_extra_defined = true;
3168 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3169 }
3170 }
3171
3172 /*
3173 * If --mssfix is supplied without a parameter or not specified at all,
3174 * default it to --fragment value, if --fragment is specified and otherwise
3175 * to the default if tun-mtu is 1500
3176 */
3177 if (o->ce.mssfix_default)
3178 {
3179 #ifdef ENABLE_FRAGMENT
3180 if (ce->fragment)
3181 {
3182 ce->mssfix = ce->fragment;
3183 }
3184 else
3185 #endif
3186 if (ce->tun_mtu_defined)
3187 {
3188 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3189 {
3190 /* We want to only set mssfix default value if we use a default
3191 * MTU Size, otherwise the different size of tun should either
3192 * already solve the problem or mssfix might artifically make the
3193 * payload packets smaller without mssfix 0 */
3194 ce->mssfix = MSSFIX_DEFAULT;
3195 ce->mssfix_encap = true;
3196 }
3197 else
3198 {
3199 /* We still apply the mssfix value but only adjust it to the
3200 * size of the tun interface. */
3201 ce->mssfix = ce->tun_mtu;
3202 ce->mssfix_fixed = true;
3203 }
3204 }
3205 }
3206
3207 /*
3208 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3209 *
3210 * At the end only one of these will be really set because the parser
3211 * logic prevents configurations where more are set.
3212 */
3213 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3214 {
3215 ce->tls_auth_file = o->tls_auth_file;
3216 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3217 ce->key_direction = o->key_direction;
3218
3219 ce->tls_crypt_file = o->tls_crypt_file;
3220 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3221
3222 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3223 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3224 }
3225
3226 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3227 * keys were not already embedded in the config file.
3228 */
3229 if (o->persist_key)
3230 {
3231 connection_entry_preload_key(&ce->tls_auth_file,
3232 &ce->tls_auth_file_inline, &o->gc);
3233 connection_entry_preload_key(&ce->tls_crypt_file,
3234 &ce->tls_crypt_file_inline, &o->gc);
3235 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3236 &ce->tls_crypt_v2_file_inline, &o->gc);
3237 }
3238
3239 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3240 {
3241 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3242 ce->explicit_exit_notification = 0;
3243 }
3244 }
3245
3246 #ifdef _WIN32
3247 /* If iservice is in use, we need def1 method for redirect-gateway */
3248 static void
3249 remap_redirect_gateway_flags(struct options *opt)
3250 {
3251 if (opt->routes
3252 && opt->route_method == ROUTE_METHOD_SERVICE
3253 && opt->routes->flags & RG_REROUTE_GW
3254 && !(opt->routes->flags & RG_DEF1))
3255 {
3256 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3257 opt->routes->flags |= RG_DEF1;
3258 }
3259 }
3260 #endif
3261
3262 /*
3263 * Save/Restore certain option defaults before --pull is applied.
3264 */
3265
3266 static void
3267 pre_connect_save(struct options *o)
3268 {
3269 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3270 o->pre_connect->tuntap_options = o->tuntap_options;
3271 o->pre_connect->tuntap_options_defined = true;
3272 o->pre_connect->foreign_option_index = o->foreign_option_index;
3273
3274 if (o->routes)
3275 {
3276 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3277 o->pre_connect->routes_defined = true;
3278 }
3279 if (o->routes_ipv6)
3280 {
3281 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3282 o->pre_connect->routes_ipv6_defined = true;
3283 }
3284 if (o->client_nat)
3285 {
3286 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3287 o->pre_connect->client_nat_defined = true;
3288 }
3289
3290 o->pre_connect->route_default_gateway = o->route_default_gateway;
3291 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3292
3293 o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3294
3295 /* NCP related options that can be overwritten by a push */
3296 o->pre_connect->ciphername = o->ciphername;
3297 o->pre_connect->authname = o->authname;
3298
3299 /* Ping related options should be reset to the config values on reconnect */
3300 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3301 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3302 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3303
3304 /* Miscellaneous Options */
3305 o->pre_connect->comp = o->comp;
3306 }
3307
3308 void
3309 pre_connect_restore(struct options *o, struct gc_arena *gc)
3310 {
3311 const struct options_pre_connect *pp = o->pre_connect;
3312 if (pp)
3313 {
3314 CLEAR(o->tuntap_options);
3315 if (pp->tuntap_options_defined)
3316 {
3317 o->tuntap_options = pp->tuntap_options;
3318 }
3319
3320 if (pp->routes_defined)
3321 {
3322 rol_check_alloc(o);
3323 copy_route_option_list(o->routes, pp->routes, gc);
3324 }
3325 else
3326 {
3327 o->routes = NULL;
3328 }
3329
3330 if (pp->routes_ipv6_defined)
3331 {
3332 rol6_check_alloc(o);
3333 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3334 }
3335 else
3336 {
3337 o->routes_ipv6 = NULL;
3338 }
3339
3340 o->route_default_gateway = pp->route_default_gateway;
3341 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3342
3343 /* Free DNS options and reset them to pre-pull state */
3344 gc_free(&o->dns_options.gc);
3345 struct gc_arena dns_gc = gc_new();
3346 o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3347 o->dns_options.gc = dns_gc;
3348
3349 if (pp->client_nat_defined)
3350 {
3351 cnol_check_alloc(o);
3352 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3353 }
3354 else
3355 {
3356 o->client_nat = NULL;
3357 }
3358
3359 o->foreign_option_index = pp->foreign_option_index;
3360
3361 o->ciphername = pp->ciphername;
3362 o->authname = pp->authname;
3363
3364 o->ping_rec_timeout = pp->ping_rec_timeout;
3365 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3366 o->ping_send_timeout = pp->ping_send_timeout;
3367
3368 /* Miscellaneous Options */
3369 o->comp = pp->comp;
3370 }
3371
3372 o->push_continuation = 0;
3373 o->push_option_types_found = 0;
3374 o->imported_protocol_flags = 0;
3375 }
3376
3377 static void
3378 options_postprocess_mutate_invariant(struct options *options)
3379 {
3380 #ifdef _WIN32
3381 const int dev = dev_type_enum(options->dev, options->dev_type);
3382
3383 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3384 if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3385 || options->windows_driver == WINDOWS_DRIVER_DCO)
3386 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3387 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3388 {
3389 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3390 }
3391
3392 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3393 {
3394 /* delay may only be necessary when we perform DHCP handshake */
3395 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3396 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3397 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3398 {
3399 options->route_delay_defined = true;
3400 options->route_delay = 5; /* Vista sometimes has a race without this */
3401 }
3402 }
3403
3404 if (options->ifconfig_noexec)
3405 {
3406 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3407 options->ifconfig_noexec = false;
3408 }
3409
3410 remap_redirect_gateway_flags(options);
3411
3412 /*
3413 * Check consistency of --mode server options.
3414 */
3415 if (options->mode == MODE_SERVER)
3416 {
3417 /*
3418 * We need to explicitly set --tap-sleep because
3419 * we do not schedule event timers in the top-level context.
3420 */
3421 options->tuntap_options.tap_sleep = 10;
3422 if (options->route_delay_defined && options->route_delay)
3423 {
3424 options->tuntap_options.tap_sleep = options->route_delay;
3425 }
3426 options->route_delay_defined = false;
3427 }
3428 #endif /* ifdef _WIN32 */
3429
3430 #ifdef DEFAULT_PKCS11_MODULE
3431 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3432 * by default if the user asks for PKCS#11 without otherwise specifying
3433 * the module to use. */
3434 if (!options->pkcs11_providers[0]
3435 && (options->pkcs11_id || options->pkcs11_id_management))
3436 {
3437 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3438 }
3439 #endif
3440 }
3441
3442 static void
3443 options_postprocess_verify(const struct options *o)
3444 {
3445 if (o->connection_list)
3446 {
3447 int i;
3448 for (i = 0; i < o->connection_list->len; ++i)
3449 {
3450 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3451 }
3452 }
3453 else
3454 {
3455 options_postprocess_verify_ce(o, &o->ce);
3456 }
3457
3458 dns_options_verify(M_FATAL, &o->dns_options);
3459
3460 if (dco_enabled(o) && o->enable_c2c)
3461 {
3462 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3463 "channel offload: packets are always sent to the VPN "
3464 "interface and then routed based on the system routing table");
3465 }
3466 }
3467
3468 /**
3469 * Checks for availibility of Chacha20-Poly1305 and sets
3470 * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
3471 * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
3472 */
3473 static void
3474 options_postprocess_setdefault_ncpciphers(struct options *o)
3475 {
3476 if (o->ncp_ciphers)
3477 {
3478 /* custom --data-ciphers set, keep list */
3479 return;
3480 }
3481
3482 /* check if crypto library supports chacha */
3483 bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3484
3485 if (can_do_chacha && dco_enabled(o))
3486 {
3487 /* also make sure that dco supports chacha */
3488 can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3489 }
3490
3491 if (can_do_chacha)
3492 {
3493 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3494 }
3495 else
3496 {
3497 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3498 }
3499 }
3500
3501 static void
3502 options_postprocess_cipher(struct options *o)
3503 {
3504 if (!o->pull && !(o->mode == MODE_SERVER))
3505 {
3506 /* If the cipher is not set, use the old default of BF-CBC. We will
3507 * warn that this is deprecated on cipher initialisation, no need
3508 * to warn here as well */
3509 if (!o->ciphername)
3510 {
3511 o->ciphername = "BF-CBC";
3512 }
3513 else
3514 {
3515 o->enable_ncp_fallback = true;
3516 }
3517 return;
3518 }
3519
3520 /* pull or P2MP mode */
3521 if (!o->ciphername)
3522 {
3523 /* We still need to set the ciphername to BF-CBC since various other
3524 * parts of OpenVPN assert that the ciphername is set */
3525 o->ciphername = "BF-CBC";
3526
3527 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3528 "defaulted to BF-CBC as fallback when cipher negotiation "
3529 "failed in this case. If you need this fallback please add "
3530 "'--data-ciphers-fallback BF-CBC' to your configuration "
3531 "and/or add BF-CBC to --data-ciphers.");
3532 }
3533 else if (!o->enable_ncp_fallback
3534 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3535 {
3536 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3537 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3538 "negotiations. ",
3539 o->ciphername, o->ncp_ciphers);
3540 }
3541 }
3542
3543 /**
3544 * The option --compat-mode is used to set up default settings to values
3545 * used on the specified openvpn version and earlier.
3546 *
3547 * This function is used in various "default option" paths to test if the
3548 * user requested compatibility with a version before the one specified
3549 * as argument. This way some default settings can be automatically
3550 * altered to guarantee compatibility with the version specified by the
3551 * user via --compat-mode.
3552 *
3553 * @param version need compatibility with openvpn versions before the
3554 * one specified (20401 = before 2.4.1)
3555 * @return whether compatibility should be enabled
3556 */
3557 static bool
3558 need_compatibility_before(const struct options *o, unsigned int version)
3559 {
3560 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3561 }
3562
3563 /**
3564 * Changes default values so that OpenVPN can be compatible with the user
3565 * specified version
3566 */
3567 static void
3568 options_set_backwards_compatible_options(struct options *o)
3569 {
3570 /* TLS min version is not set */
3571 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3572 & SSLF_TLS_VERSION_MIN_MASK;
3573 if (tls_ver_min == 0)
3574 {
3575 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3576 & SSLF_TLS_VERSION_MAX_MASK;
3577 if (need_compatibility_before(o, 20307))
3578 {
3579 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3580 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3581 }
3582 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3583 {
3584 /* Use TLS 1.2 as proper default */
3585 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3586 }
3587 else
3588 {
3589 /* Maximize the minimum version */
3590 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3591 }
3592 }
3593
3594 if (need_compatibility_before(o, 20400))
3595 {
3596 if (!o->ciphername)
3597 {
3598 /* If ciphername is not set default to BF-CBC when targeting these
3599 * old versions that do not have NCP */
3600 o->ciphername = "BF-CBC";
3601 }
3602 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3603 * not have OCC strings required for "poor man's NCP" */
3604 o->enable_ncp_fallback = true;
3605 }
3606
3607 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3608 * Version 2.4 probably does not need it but NCP was not so
3609 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3610 * Only do this iff --cipher is set (explicitly or by compat mode
3611 * < 2.4.0, see above). This is not 100% correct backwards compatible
3612 * behaviour but 2.5 already behaved like this */
3613 if (o->ciphername && need_compatibility_before(o, 20500)
3614 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3615 {
3616 append_cipher_to_ncp_list(o, o->ciphername);
3617 }
3618
3619 #ifdef USE_COMP
3620 /* Compression is deprecated and we do not want to announce support for it
3621 * by default anymore, additionally DCO breaks with compression.
3622 *
3623 * Disable compression by default starting with 2.6.0 if no other
3624 * compression related option has been explicitly set */
3625 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3626 {
3627 if (!comp_non_stub_enabled(&o->comp))
3628 {
3629 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3630 }
3631 }
3632 #else /* ifdef USE_COMP */
3633 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3634 #endif
3635 }
3636
3637 static void
3638 options_postprocess_mutate(struct options *o, struct env_set *es)
3639 {
3640 int i;
3641 /*
3642 * Process helper-type options which map to other, more complex
3643 * sequences of options.
3644 */
3645 helper_client_server(o);
3646 helper_keepalive(o);
3647 helper_tcp_nodelay(o);
3648
3649 options_postprocess_setdefault_ncpciphers(o);
3650 options_set_backwards_compatible_options(o);
3651
3652 options_postprocess_cipher(o);
3653 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3654 if (o->ncp_ciphers == NULL)
3655 {
3656 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3657 }
3658
3659 if (o->remote_list && !o->connection_list)
3660 {
3661 /*
3662 * Convert remotes into connection list
3663 */
3664 const struct remote_list *rl = o->remote_list;
3665 for (i = 0; i < rl->len; ++i)
3666 {
3667 const struct remote_entry *re = rl->array[i];
3668 struct connection_entry ce = o->ce;
3669 struct connection_entry *ace;
3670
3671 ASSERT(re->remote);
3672 connection_entry_load_re(&ce, re);
3673 ace = alloc_connection_entry(o, M_USAGE);
3674 ASSERT(ace);
3675 *ace = ce;
3676 }
3677 }
3678 else if (!o->remote_list && !o->connection_list)
3679 {
3680 struct connection_entry *ace;
3681 ace = alloc_connection_entry(o, M_USAGE);
3682 ASSERT(ace);
3683 *ace = o->ce;
3684 }
3685
3686 ASSERT(o->connection_list);
3687 for (i = 0; i < o->connection_list->len; ++i)
3688 {
3689 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3690 }
3691
3692 if (o->tls_server)
3693 {
3694 /* Check that DH file is specified, or explicitly disabled */
3695 notnull(o->dh_file, "DH file (--dh)");
3696 if (streq(o->dh_file, "none"))
3697 {
3698 o->dh_file = NULL;
3699 }
3700 }
3701 else if (o->dh_file)
3702 {
3703 /* DH file is only meaningful in a tls-server context. */
3704 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3705 "include this in your server configuration");
3706 o->dh_file = NULL;
3707 }
3708 #if ENABLE_MANAGEMENT
3709 if (o->http_proxy_override)
3710 {
3711 options_postprocess_http_proxy_override(o);
3712 }
3713 #endif
3714 if (!o->ca_file && !o->ca_path && o->verify_hash
3715 && o->verify_hash_depth == 0)
3716 {
3717 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3718 "option set). ");
3719 o->verify_hash_no_ca = true;
3720 }
3721
3722 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3723 {
3724 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3725 "incompatible with each other.");
3726 }
3727
3728 if (dco_enabled(o))
3729 {
3730 /* check if any option should force disabling DCO */
3731 o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
3732 || !dco_check_startup_option(D_DCO, o);
3733 }
3734 #ifdef USE_COMP
3735 if (dco_enabled(o))
3736 {
3737 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3738 }
3739 #endif
3740
3741 #ifdef _WIN32
3742 if (dco_enabled(o))
3743 {
3744 o->windows_driver = WINDOWS_DRIVER_DCO;
3745 }
3746 else
3747 {
3748 if (o->windows_driver == WINDOWS_DRIVER_DCO)
3749 {
3750 msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3751 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3752 }
3753 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3754 {
3755 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3756 }
3757 }
3758 #else /* _WIN32 */
3759 if (dco_enabled(o) && o->dev_node)
3760 {
3761 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3762 "data channel offload");
3763 o->dev_node = NULL;
3764 }
3765 #endif /* _WIN32 */
3766
3767 /* this depends on o->windows_driver, which is set above */
3768 options_postprocess_mutate_invariant(o);
3769
3770 /* check that compression settings in the options are okay */
3771 check_compression_settings_valid(&o->comp, M_USAGE);
3772
3773 /*
3774 * Save certain parms before modifying options during connect, especially
3775 * when using --pull
3776 */
3777 if (o->pull)
3778 {
3779 dns_options_preprocess_pull(&o->dns_options);
3780 }
3781 else
3782 {
3783 #if defined(_WIN32) || defined(TARGET_ANDROID)
3784 tuntap_options_copy_dns(o);
3785 #else
3786 foreign_options_copy_dns(o, es);
3787 #endif
3788 }
3789 if (o->auth_token_generate && !o->auth_token_renewal)
3790 {
3791 o->auth_token_renewal = o->renegotiate_seconds;
3792 }
3793 pre_connect_save(o);
3794 }
3795
3796 /*
3797 * Check file/directory sanity
3798 *
3799 */
3800 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
3801
3802 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3803 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3804 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3805 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3806 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
3807
3808 static bool
3809 check_file_access(const int type, const char *file, const int mode, const char *opt)
3810 {
3811 int errcode = 0;
3812
3813 /* If no file configured, no errors to look for */
3814 if (!file)
3815 {
3816 return false;
3817 }
3818
3819 /* If stdin is allowed and the file name is 'stdin', then do no
3820 * further checks as stdin is always available
3821 */
3822 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3823 {
3824 return false;
3825 }
3826
3827 /* Is the directory path leading to the given file accessible? */
3828 if (type & CHKACC_DIRPATH)
3829 {
3830 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3831 char *dirpath = dirname(fullpath);
3832
3833 if (platform_access(dirpath, mode|X_OK) != 0)
3834 {
3835 errcode = errno;
3836 }
3837 free(fullpath);
3838 }
3839
3840 /* Is the file itself accessible? */
3841 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3842 {
3843 errcode = errno;
3844 }
3845
3846 /* If the file exists and is accessible, is it writable? */
3847 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3848 {
3849 if (platform_access(file, W_OK) != 0)
3850 {
3851 errcode = errno;
3852 }
3853 }
3854
3855 /* Warn if a given private file is group/others accessible. */
3856 if (type & CHKACC_PRIVATE)
3857 {
3858 platform_stat_t st;
3859 if (platform_stat(file, &st))
3860 {
3861 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3862 }
3863 #ifndef _WIN32
3864 else
3865 {
3866 if (st.st_mode & (S_IRWXG|S_IRWXO))
3867 {
3868 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3869 }
3870 }
3871 #endif
3872 }
3873
3874 /* Scream if an error is found */
3875 if (errcode > 0)
3876 {
3877 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3878 }
3879
3880 /* Return true if an error occurred */
3881 return (errcode != 0 ? true : false);
3882 }
3883
3884 /* A wrapper for check_file_access() which also takes a chroot directory.
3885 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3886 * otherwise it will look for the file inside the given chroot directory instead.
3887 */
3888 static bool
3889 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3890 {
3891 bool ret = false;
3892
3893 /* If no file configured, no errors to look for */
3894 if (!file)
3895 {
3896 return false;
3897 }
3898
3899 /* If chroot is set, look for the file/directory inside the chroot */
3900 if (chroot)
3901 {
3902 struct gc_arena gc = gc_new();
3903 struct buffer chroot_file;
3904
3905 chroot_file = prepend_dir(chroot, file, &gc);
3906 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3907 gc_free(&gc);
3908 }
3909 else
3910 {
3911 /* No chroot in play, just call core file check function */
3912 ret = check_file_access(type, file, mode, opt);
3913 }
3914 return ret;
3915 }
3916
3917 /**
3918 * A wrapper for check_file_access_chroot() that returns false immediately if
3919 * the file is inline (and therefore there is no access to check)
3920 */
3921 static bool
3922 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3923 const int type, const char *file,
3924 const int mode, const char *opt)
3925 {
3926 if (is_inline)
3927 {
3928 return false;
3929 }
3930
3931 return check_file_access_chroot(chroot, type, file, mode, opt);
3932 }
3933
3934 /**
3935 * A wrapper for check_file_access() that returns false immediately if the file
3936 * is inline (and therefore there is no access to check)
3937 */
3938 static bool
3939 check_file_access_inline(bool is_inline, const int type, const char *file,
3940 const int mode, const char *opt)
3941 {
3942 if (is_inline)
3943 {
3944 return false;
3945 }
3946
3947 return check_file_access(type, file, mode, opt);
3948 }
3949
3950 /*
3951 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3952 * valid file with appropriate permissions.
3953 *
3954 * "command" consists of a path, optionally followed by a space, which may be
3955 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3956 * performed.
3957 *
3958 * The path and arguments in "command" may be single- or double-quoted or escaped.
3959 *
3960 * The path is extracted from "command", then check_file_access() is called to check it. The
3961 * arguments, if any, are ignored.
3962 *
3963 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3964 * check_file_access() arguments.
3965 */
3966 static bool
3967 check_cmd_access(const char *command, const char *opt, const char *chroot)
3968 {
3969 struct argv argv;
3970 bool return_code;
3971
3972 /* If no command was set, there are no errors to look for */
3973 if (!command)
3974 {
3975 return false;
3976 }
3977
3978 /* Extract executable path and arguments */
3979 argv = argv_new();
3980 argv_parse_cmd(&argv, command);
3981
3982 /* if an executable is specified then check it; otherwise, complain */
3983 if (argv.argv[0])
3984 {
3985 /* Scripts requires R_OK as well, but that might fail on binaries which
3986 * only requires X_OK to function on Unix - a scenario not unlikely to
3987 * be seen on suid binaries.
3988 */
3989 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3990 }
3991 else
3992 {
3993 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3994 opt, command);
3995 return_code = true;
3996 }
3997
3998 argv_free(&argv);
3999
4000 return return_code;
4001 }
4002
4003 /*
4004 * Sanity check of all file/dir options. Checks that file/dir
4005 * is accessible by OpenVPN
4006 */
4007 static void
4008 options_postprocess_filechecks(struct options *options)
4009 {
4010 bool errs = false;
4011
4012 /* ** SSL/TLS/crypto related files ** */
4013 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4014 options->dh_file, R_OK, "--dh");
4015
4016 if (!options->verify_hash_no_ca)
4017 {
4018 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4019 options->ca_file, R_OK, "--ca");
4020 }
4021
4022 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4023 options->ca_path, R_OK, "--capath");
4024
4025 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
4026 options->cert_file, R_OK, "--cert");
4027
4028 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4029 options->extra_certs_file, R_OK,
4030 "--extra-certs");
4031
4032 if (!(options->management_flags & MF_EXTERNAL_KEY))
4033 {
4034 errs |= check_file_access_inline(options->priv_key_file_inline,
4035 CHKACC_FILE|CHKACC_PRIVATE,
4036 options->priv_key_file, R_OK, "--key");
4037 }
4038
4039 errs |= check_file_access_inline(options->pkcs12_file_inline,
4040 CHKACC_FILE|CHKACC_PRIVATE,
4041 options->pkcs12_file, R_OK, "--pkcs12");
4042
4043 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4044 {
4045 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4046 options->crl_file, R_OK|X_OK,
4047 "--crl-verify directory");
4048 }
4049 else
4050 {
4051 errs |= check_file_access_chroot_inline(options->crl_file_inline,
4052 options->chroot_dir,
4053 CHKACC_FILE, options->crl_file,
4054 R_OK, "--crl-verify");
4055 }
4056
4057 ASSERT(options->connection_list);
4058 for (int i = 0; i < options->connection_list->len; ++i)
4059 {
4060 struct connection_entry *ce = options->connection_list->array[i];
4061
4062 errs |= check_file_access_inline(ce->tls_auth_file_inline,
4063 CHKACC_FILE|CHKACC_PRIVATE,
4064 ce->tls_auth_file, R_OK,
4065 "--tls-auth");
4066 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4067 CHKACC_FILE|CHKACC_PRIVATE,
4068 ce->tls_crypt_file, R_OK,
4069 "--tls-crypt");
4070 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4071 CHKACC_FILE|CHKACC_PRIVATE,
4072 ce->tls_crypt_v2_file, R_OK,
4073 "--tls-crypt-v2");
4074 }
4075
4076 errs |= check_file_access_inline(options->shared_secret_file_inline,
4077 CHKACC_FILE|CHKACC_PRIVATE,
4078 options->shared_secret_file, R_OK,
4079 "--secret");
4080
4081 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4082 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4083
4084 /* ** Password files ** */
4085 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4086 options->key_pass_file, R_OK, "--askpass");
4087 #ifdef ENABLE_MANAGEMENT
4088 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4089 options->management_user_pass, R_OK,
4090 "--management user/password file");
4091 #endif /* ENABLE_MANAGEMENT */
4092 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4093 CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4094 options->auth_user_pass_file, R_OK,
4095 "--auth-user-pass");
4096 /* ** System related ** */
4097 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4098 R_OK|X_OK, "--chroot directory");
4099 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4100 R_OK|W_OK, "--writepid");
4101
4102 /* ** Log related ** */
4103 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4104 R_OK|W_OK, "--status");
4105
4106 /* ** Config related ** */
4107 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
4108 R_OK|W_OK|X_OK, "--tls-export-cert");
4109 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4110 R_OK|X_OK, "--client-config-dir");
4111 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4112 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4113
4114 if (errs)
4115 {
4116 msg(M_USAGE, "Please correct these errors.");
4117 }
4118 }
4119 #endif /* !ENABLE_SMALL */
4120
4121 /*
4122 * Sanity check on options.
4123 * Also set some options based on other
4124 * options.
4125 */
4126 void
4127 options_postprocess(struct options *options, struct env_set *es)
4128 {
4129 options_postprocess_mutate(options, es);
4130 options_postprocess_verify(options);
4131 #ifndef ENABLE_SMALL
4132 options_postprocess_filechecks(options);
4133 #endif /* !ENABLE_SMALL */
4134 }
4135
4136 /*
4137 * Sanity check on options after more options were pulled from server.
4138 * Also time to modify some options based on other options.
4139 */
4140 bool
4141 options_postprocess_pull(struct options *o, struct env_set *es)
4142 {
4143 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4144 if (success)
4145 {
4146 dns_options_postprocess_pull(&o->dns_options);
4147 setenv_dns_options(&o->dns_options, es);
4148 #if defined(_WIN32) || defined(TARGET_ANDROID)
4149 tuntap_options_copy_dns(o);
4150 #else
4151 foreign_options_copy_dns(o, es);
4152 #endif
4153 }
4154 return success;
4155 }
4156
4157 /*
4158 * Build an options string to represent data channel encryption options.
4159 * This string must match exactly between peers. The keysize is checked
4160 * separately by read_key().
4161 *
4162 * The following options must match on both peers:
4163 *
4164 * Tunnel options:
4165 *
4166 * --dev tun|tap [unit number need not match]
4167 * --dev-type tun|tap
4168 * --link-mtu
4169 * --udp-mtu
4170 * --tun-mtu
4171 * --proto udp
4172 * --proto tcp-client [matched with --proto tcp-server
4173 * on the other end of the connection]
4174 * --proto tcp-server [matched with --proto tcp-client on
4175 * the other end of the connection]
4176 * --tun-ipv6
4177 * --ifconfig x y [matched with --ifconfig y x on
4178 * the other end of the connection]
4179 *
4180 * --comp-lzo
4181 * --compress alg
4182 * --fragment
4183 *
4184 * Crypto Options:
4185 *
4186 * --cipher
4187 * --auth
4188 * --secret
4189 *
4190 * SSL Options:
4191 *
4192 * --tls-auth
4193 * --tls-client [matched with --tls-server on
4194 * the other end of the connection]
4195 * --tls-server [matched with --tls-client on
4196 * the other end of the connection]
4197 */
4198 char *
4199 options_string(const struct options *o,
4200 const struct frame *frame,
4201 struct tuntap *tt,
4202 openvpn_net_ctx_t *ctx,
4203 bool remote,
4204 struct gc_arena *gc)
4205 {
4206 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4207 bool tt_local = false;
4208
4209 buf_printf(&out, "V4");
4210
4211 /*
4212 * Tunnel Options
4213 */
4214
4215 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4216 /* the link-mtu that we send has only a meaning if have a fixed
4217 * cipher (p2p) or have a fallback cipher configured for older non
4218 * ncp clients. But not sending it will make even 2.4 complain
4219 * about it being missing. So still send it. */
4220 buf_printf(&out, ",link-mtu %u",
4221 (unsigned int) calc_options_string_link_mtu(o, frame));
4222
4223 if (o->ce.occ_mtu != 0)
4224 {
4225 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4226 }
4227 else
4228 {
4229 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4230 }
4231
4232 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4233
4234 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4235 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4236 * is usually pushed by the server, triggering a non-helpful warning
4237 */
4238 if (o->ifconfig_ipv6_local && p2p_nopull)
4239 {
4240 buf_printf(&out, ",tun-ipv6");
4241 }
4242
4243 /*
4244 * Try to get ifconfig parameters into the options string.
4245 * If tt is undefined, make a temporary instantiation.
4246 */
4247 if (!tt)
4248 {
4249 tt = init_tun(o->dev,
4250 o->dev_type,
4251 o->topology,
4252 o->ifconfig_local,
4253 o->ifconfig_remote_netmask,
4254 o->ifconfig_ipv6_local,
4255 o->ifconfig_ipv6_netbits,
4256 o->ifconfig_ipv6_remote,
4257 NULL,
4258 NULL,
4259 false,
4260 NULL,
4261 ctx,
4262 NULL);
4263 if (tt)
4264 {
4265 tt_local = true;
4266 }
4267 }
4268
4269 if (tt && p2p_nopull)
4270 {
4271 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4272 if (ios && strlen(ios))
4273 {
4274 buf_printf(&out, ",ifconfig %s", ios);
4275 }
4276 }
4277 if (tt_local)
4278 {
4279 free(tt);
4280 tt = NULL;
4281 }
4282
4283 #ifdef USE_COMP
4284 if (o->comp.alg != COMP_ALG_UNDEF)
4285 {
4286 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4287 }
4288 #endif
4289
4290 #ifdef ENABLE_FRAGMENT
4291 if (o->ce.fragment)
4292 {
4293 buf_printf(&out, ",mtu-dynamic");
4294 }
4295 #endif
4296
4297 #define TLS_CLIENT (o->tls_client)
4298 #define TLS_SERVER (o->tls_server)
4299
4300 /*
4301 * Key direction
4302 */
4303 {
4304 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4305 if (kd)
4306 {
4307 buf_printf(&out, ",keydir %s", kd);
4308 }
4309 }
4310
4311 /*
4312 * Crypto Options
4313 */
4314 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4315 {
4316 struct key_type kt;
4317
4318 ASSERT((o->shared_secret_file != NULL)
4319 + (TLS_CLIENT == true)
4320 + (TLS_SERVER == true)
4321 <= 1);
4322
4323 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4324 * to work here in the default configuration */
4325 const char *ciphername = o->ciphername;
4326 int keysize = 0;
4327
4328 if (strcmp(o->ciphername, "BF-CBC") == 0)
4329 {
4330 init_key_type(&kt, "none", o->authname, true, false);
4331 keysize = 128;
4332 }
4333 else
4334 {
4335 init_key_type(&kt, o->ciphername, o->authname, true, false);
4336 ciphername = cipher_kt_name(kt.cipher);
4337 if (cipher_defined(o->ciphername))
4338 {
4339 keysize = cipher_kt_key_size(kt.cipher) * 8;
4340 }
4341 }
4342 /* Only announce the cipher to our peer if we are willing to
4343 * support it */
4344 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4345 {
4346 buf_printf(&out, ",cipher %s", ciphername);
4347 }
4348 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4349 buf_printf(&out, ",keysize %d", keysize);
4350 if (o->shared_secret_file)
4351 {
4352 buf_printf(&out, ",secret");
4353 }
4354
4355 #ifdef ENABLE_PREDICTION_RESISTANCE
4356 if (o->use_prediction_resistance)
4357 {
4358 buf_printf(&out, ",use-prediction-resistance");
4359 }
4360 #endif
4361 }
4362
4363 /*
4364 * SSL Options
4365 */
4366 {
4367 if (TLS_CLIENT || TLS_SERVER)
4368 {
4369 if (o->ce.tls_auth_file)
4370 {
4371 buf_printf(&out, ",tls-auth");
4372 }
4373 /* Not adding tls-crypt here, because we won't reach this code if
4374 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4375 * break stuff, so leaving that in place. */
4376
4377 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4378 }
4379
4380 if (remote)
4381 {
4382 if (TLS_CLIENT)
4383 {
4384 buf_printf(&out, ",tls-server");
4385 }
4386 else if (TLS_SERVER)
4387 {
4388 buf_printf(&out, ",tls-client");
4389 }
4390 }
4391 else
4392 {
4393 if (TLS_CLIENT)
4394 {
4395 buf_printf(&out, ",tls-client");
4396 }
4397 else if (TLS_SERVER)
4398 {
4399 buf_printf(&out, ",tls-server");
4400 }
4401 }
4402 }
4403
4404 #undef TLS_CLIENT
4405 #undef TLS_SERVER
4406
4407 return BSTR(&out);
4408 }
4409
4410 /*
4411 * Compare option strings for equality.
4412 * If the first two chars of the strings differ, it means that
4413 * we are looking at different versions of the options string,
4414 * therefore don't compare them and return true.
4415 */
4416
4417 bool
4418 options_cmp_equal(char *actual, const char *expected)
4419 {
4420 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4421 }
4422
4423 void
4424 options_warning(char *actual, const char *expected)
4425 {
4426 options_warning_safe(actual, expected, strlen(actual) + 1);
4427 }
4428
4429 static const char *
4430 options_warning_extract_parm1(const char *option_string,
4431 struct gc_arena *gc_ret)
4432 {
4433 struct gc_arena gc = gc_new();
4434 struct buffer b = string_alloc_buf(option_string, &gc);
4435 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4436 const char *ret;
4437
4438 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4439 ret = string_alloc(p, gc_ret);
4440 gc_free(&gc);
4441 return ret;
4442 }
4443
4444 static void
4445 options_warning_safe_scan2(const int msglevel,
4446 const int delim,
4447 const bool report_inconsistent,
4448 const char *p1,
4449 const struct buffer *b2_src,
4450 const char *b1_name,
4451 const char *b2_name)
4452 {
4453 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4454 * OCC in a future version (because it's not useful). To reduce questions
4455 * when interoperating, we no longer printing a warning about it.
4456 */
4457 if (strprefix(p1, "key-method ")
4458 || strprefix(p1, "keydir ")
4459 || strprefix(p1, "proto ")
4460 || streq(p1, "tls-auth")
4461 || strprefix(p1, "tun-ipv6")
4462 || strprefix(p1, "cipher "))
4463 {
4464 return;
4465 }
4466
4467 if (strlen(p1) > 0)
4468 {
4469 struct gc_arena gc = gc_new();
4470 struct buffer b2 = *b2_src;
4471 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4472 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4473
4474 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4475 {
4476 if (strlen(p2))
4477 {
4478 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4479
4480 if (!strcmp(p1, p2))
4481 {
4482 goto done;
4483 }
4484 if (!strcmp(p1_prefix, p2_prefix))
4485 {
4486 if (report_inconsistent)
4487 {
4488 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4489 safe_print(p1_prefix, &gc),
4490 b1_name,
4491 safe_print(p1, &gc),
4492 b2_name,
4493 safe_print(p2, &gc));
4494 }
4495 goto done;
4496 }
4497 }
4498 }
4499
4500 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4501 safe_print(p1_prefix, &gc),
4502 b1_name,
4503 b2_name,
4504 b1_name,
4505 safe_print(p1, &gc));
4506
4507 done:
4508 gc_free(&gc);
4509 }
4510 }
4511
4512 static void
4513 options_warning_safe_scan1(const int msglevel,
4514 const int delim,
4515 const bool report_inconsistent,
4516 const struct buffer *b1_src,
4517 const struct buffer *b2_src,
4518 const char *b1_name,
4519 const char *b2_name)
4520 {
4521 struct gc_arena gc = gc_new();
4522 struct buffer b = *b1_src;
4523 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4524
4525 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4526 {
4527 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4528 }
4529
4530 gc_free(&gc);
4531 }
4532
4533 static void
4534 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4535 {
4536 struct gc_arena gc = gc_new();
4537
4538 if (actual_n > 0)
4539 {
4540 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4541 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4542 actual[actual_n - 1] = 0;
4543
4544 buf_printf(&local, "version %s", expected);
4545 buf_printf(&remote, "version %s", actual);
4546
4547 options_warning_safe_scan1(msglevel, ',', true,
4548 &local, &remote,
4549 "local", "remote");
4550
4551 options_warning_safe_scan1(msglevel, ',', false,
4552 &remote, &local,
4553 "remote", "local");
4554 }
4555
4556 gc_free(&gc);
4557 }
4558
4559 bool
4560 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4561 {
4562 struct gc_arena gc = gc_new();
4563 bool ret = true;
4564
4565 if (actual_n > 0)
4566 {
4567 actual[actual_n - 1] = 0;
4568 if (strncmp(actual, expected, 2))
4569 {
4570 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4571 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4572 }
4573 else
4574 {
4575 ret = !strcmp(actual, expected);
4576 }
4577 }
4578 gc_free(&gc);
4579 return ret;
4580 }
4581
4582 void
4583 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4584 {
4585 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4586 }
4587
4588 const char *
4589 options_string_version(const char *s, struct gc_arena *gc)
4590 {
4591 struct buffer out = alloc_buf_gc(4, gc);
4592 strncpynt((char *) BPTR(&out), s, 3);
4593 return BSTR(&out);
4594 }
4595
4596 char *
4597 options_string_extract_option(const char *options_string, const char *opt_name,
4598 struct gc_arena *gc)
4599 {
4600 char *ret = NULL;
4601 const size_t opt_name_len = strlen(opt_name);
4602
4603 const char *p = options_string;
4604 while (p)
4605 {
4606 if (0 == strncmp(p, opt_name, opt_name_len)
4607 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4608 {
4609 /* option found, extract value */
4610 const char *start = &p[opt_name_len+1];
4611 const char *end = strchr(p, ',');
4612 size_t val_len = end ? end - start : strlen(start);
4613 ret = gc_malloc(val_len+1, true, gc);
4614 memcpy(ret, start, val_len);
4615 break;
4616 }
4617 p = strchr(p, ',');
4618 if (p)
4619 {
4620 p++; /* skip delimiter */
4621 }
4622 }
4623 return ret;
4624 }
4625
4626 #ifdef _WIN32
4627 /**
4628 * Parses --windows-driver config option
4629 *
4630 * @param str value of --windows-driver option
4631 * @param msglevel msglevel to report parsing error
4632 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
4633 */
4634 static enum windows_driver_type
4635 parse_windows_driver(const char *str, const int msglevel)
4636 {
4637 if (streq(str, "tap-windows6"))
4638 {
4639 return WINDOWS_DRIVER_TAP_WINDOWS6;
4640 }
4641 else if (streq(str, "wintun"))
4642 {
4643 return WINDOWS_DRIVER_WINTUN;
4644 }
4645
4646 else if (streq(str, "ovpn-dco"))
4647 {
4648 return WINDOWS_DRIVER_DCO;
4649 }
4650 else
4651 {
4652 msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4653 "or ovpn-dco");
4654 return WINDOWS_DRIVER_UNSPECIFIED;
4655 }
4656 }
4657 #endif /* ifdef _WIN32 */
4658
4659 /*
4660 * parse/print topology coding
4661 */
4662
4663 int
4664 parse_topology(const char *str, const int msglevel)
4665 {
4666 if (streq(str, "net30"))
4667 {
4668 return TOP_NET30;
4669 }
4670 else if (streq(str, "p2p"))
4671 {
4672 return TOP_P2P;
4673 }
4674 else if (streq(str, "subnet"))
4675 {
4676 return TOP_SUBNET;
4677 }
4678 else
4679 {
4680 msg(msglevel, "--topology must be net30, p2p, or subnet");
4681 return TOP_UNDEF;
4682 }
4683 }
4684
4685 const char *
4686 print_topology(const int topology)
4687 {
4688 switch (topology)
4689 {
4690 case TOP_UNDEF:
4691 return "undef";
4692
4693 case TOP_NET30:
4694 return "net30";
4695
4696 case TOP_P2P:
4697 return "p2p";
4698
4699 case TOP_SUBNET:
4700 return "subnet";
4701
4702 default:
4703 return "unknown";
4704 }
4705 }
4706
4707 /*
4708 * Manage auth-retry variable
4709 */
4710
4711 static int global_auth_retry; /* GLOBAL */
4712
4713 int
4714 auth_retry_get(void)
4715 {
4716 return global_auth_retry;
4717 }
4718
4719 bool
4720 auth_retry_set(const int msglevel, const char *option)
4721 {
4722 if (streq(option, "interact"))
4723 {
4724 global_auth_retry = AR_INTERACT;
4725 }
4726 else if (streq(option, "nointeract"))
4727 {
4728 global_auth_retry = AR_NOINTERACT;
4729 }
4730 else if (streq(option, "none"))
4731 {
4732 global_auth_retry = AR_NONE;
4733 }
4734 else
4735 {
4736 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4737 return false;
4738 }
4739 return true;
4740 }
4741
4742 const char *
4743 auth_retry_print(void)
4744 {
4745 switch (global_auth_retry)
4746 {
4747 case AR_NONE:
4748 return "none";
4749
4750 case AR_NOINTERACT:
4751 return "nointeract";
4752
4753 case AR_INTERACT:
4754 return "interact";
4755
4756 default:
4757 return "???";
4758 }
4759 }
4760
4761 /*
4762 * Print the help message.
4763 */
4764 static void
4765 usage(void)
4766 {
4767 FILE *fp = msg_fp(0);
4768
4769 #ifdef ENABLE_SMALL
4770
4771 fprintf(fp, "Usage message not available\n");
4772
4773 #else
4774
4775 struct options o;
4776 init_options(&o, true);
4777
4778 fprintf(fp, usage_message,
4779 title_string,
4780 o.ce.connect_retry_seconds,
4781 o.ce.connect_retry_seconds_max,
4782 o.ce.local_port, o.ce.remote_port,
4783 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4784 o.verbosity,
4785 o.authname,
4786 o.replay_window, o.replay_time,
4787 o.tls_timeout, o.renegotiate_seconds,
4788 o.handshake_window, o.transition_window);
4789 fflush(fp);
4790
4791 #endif /* ENABLE_SMALL */
4792
4793 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4794 }
4795
4796 void
4797 usage_small(void)
4798 {
4799 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4800 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4801 }
4802
4803 #ifdef _WIN32
4804 void
4805 show_windows_version(const unsigned int flags)
4806 {
4807 struct gc_arena gc = gc_new();
4808 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4809 gc_free(&gc);
4810 }
4811 #endif
4812
4813 void
4814 show_dco_version(const unsigned int flags)
4815 {
4816 #ifdef ENABLE_DCO
4817 struct gc_arena gc = gc_new();
4818 msg(flags, "DCO version: %s", dco_version_string(&gc));
4819 gc_free(&gc);
4820 #endif
4821 }
4822
4823 void
4824 show_library_versions(const unsigned int flags)
4825 {
4826 #ifdef ENABLE_LZO
4827 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4828 #else
4829 #define LZO_LIB_VER_STR "", ""
4830 #endif
4831
4832 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4833 LZO_LIB_VER_STR);
4834
4835 #undef LZO_LIB_VER_STR
4836 }
4837
4838 static void
4839 usage_version(void)
4840 {
4841 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4842 show_library_versions( M_INFO|M_NOPREFIX );
4843 #ifdef _WIN32
4844 show_windows_version( M_INFO|M_NOPREFIX );
4845 #endif
4846 show_dco_version(M_INFO | M_NOPREFIX);
4847 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4848 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>");
4849 #ifndef ENABLE_SMALL
4850 #ifdef CONFIGURE_DEFINES
4851 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4852 #endif
4853 #ifdef CONFIGURE_SPECIAL_BUILD
4854 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4855 #endif
4856 #endif
4857 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4858 }
4859
4860 void
4861 notnull(const char *arg, const char *description)
4862 {
4863 if (!arg)
4864 {
4865 msg(M_USAGE, "You must define %s", description);
4866 }
4867 }
4868
4869 bool
4870 string_defined_equal(const char *s1, const char *s2)
4871 {
4872 if (s1 && s2)
4873 {
4874 return !strcmp(s1, s2);
4875 }
4876 else
4877 {
4878 return false;
4879 }
4880 }
4881
4882 #if 0
4883 static void
4884 ping_rec_err(int msglevel)
4885 {
4886 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4887 }
4888 #endif
4889
4890 static int
4891 positive_atoi(const char *str)
4892 {
4893 const int i = atoi(str);
4894 return i < 0 ? 0 : i;
4895 }
4896
4897 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4898 static unsigned int
4899 atou(const char *str)
4900 {
4901 unsigned int val = 0;
4902 sscanf(str, "%u", &val);
4903 return val;
4904 }
4905 #endif
4906
4907 static inline bool
4908 space(unsigned char c)
4909 {
4910 return c == '\0' || isspace(c);
4911 }
4912
4913 int
4914 parse_line(const char *line,
4915 char *p[],
4916 const int n,
4917 const char *file,
4918 const int line_num,
4919 int msglevel,
4920 struct gc_arena *gc)
4921 {
4922 const int STATE_INITIAL = 0;
4923 const int STATE_READING_QUOTED_PARM = 1;
4924 const int STATE_READING_UNQUOTED_PARM = 2;
4925 const int STATE_DONE = 3;
4926 const int STATE_READING_SQUOTED_PARM = 4;
4927
4928 const char *error_prefix = "";
4929
4930 int ret = 0;
4931 const char *c = line;
4932 int state = STATE_INITIAL;
4933 bool backslash = false;
4934 char in, out;
4935
4936 char parm[OPTION_PARM_SIZE];
4937 unsigned int parm_len = 0;
4938
4939 msglevel &= ~M_OPTERR;
4940
4941 if (msglevel & M_MSG_VIRT_OUT)
4942 {
4943 error_prefix = "ERROR: ";
4944 }
4945
4946 do
4947 {
4948 in = *c;
4949 out = 0;
4950
4951 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4952 {
4953 backslash = true;
4954 }
4955 else
4956 {
4957 if (state == STATE_INITIAL)
4958 {
4959 if (!space(in))
4960 {
4961 if (in == ';' || in == '#') /* comment */
4962 {
4963 break;
4964 }
4965 if (!backslash && in == '\"')
4966 {
4967 state = STATE_READING_QUOTED_PARM;
4968 }
4969 else if (!backslash && in == '\'')
4970 {
4971 state = STATE_READING_SQUOTED_PARM;
4972 }
4973 else
4974 {
4975 out = in;
4976 state = STATE_READING_UNQUOTED_PARM;
4977 }
4978 }
4979 }
4980 else if (state == STATE_READING_UNQUOTED_PARM)
4981 {
4982 if (!backslash && space(in))
4983 {
4984 state = STATE_DONE;
4985 }
4986 else
4987 {
4988 out = in;
4989 }
4990 }
4991 else if (state == STATE_READING_QUOTED_PARM)
4992 {
4993 if (!backslash && in == '\"')
4994 {
4995 state = STATE_DONE;
4996 }
4997 else
4998 {
4999 out = in;
5000 }
5001 }
5002 else if (state == STATE_READING_SQUOTED_PARM)
5003 {
5004 if (in == '\'')
5005 {
5006 state = STATE_DONE;
5007 }
5008 else
5009 {
5010 out = in;
5011 }
5012 }
5013 if (state == STATE_DONE)
5014 {
5015 /* ASSERT (parm_len > 0); */
5016 p[ret] = gc_malloc(parm_len + 1, true, gc);
5017 memcpy(p[ret], parm, parm_len);
5018 p[ret][parm_len] = '\0';
5019 state = STATE_INITIAL;
5020 parm_len = 0;
5021 ++ret;
5022 }
5023
5024 if (backslash && out)
5025 {
5026 if (!(out == '\\' || out == '\"' || space(out)))
5027 {
5028 #ifdef ENABLE_SMALL
5029 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5030 #else
5031 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5032 #endif
5033 return 0;
5034 }
5035 }
5036 backslash = false;
5037 }
5038
5039 /* store parameter character */
5040 if (out)
5041 {
5042 if (parm_len >= SIZE(parm))
5043 {
5044 parm[SIZE(parm) - 1] = 0;
5045 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5046 error_prefix, file, line_num, (int) SIZE(parm), parm);
5047 return 0;
5048 }
5049 parm[parm_len++] = out;
5050 }
5051
5052 /* avoid overflow if too many parms in one config file line */
5053 if (ret >= n)
5054 {
5055 break;
5056 }
5057
5058 } while (*c++ != '\0');
5059
5060 if (state == STATE_READING_QUOTED_PARM)
5061 {
5062 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5063 return 0;
5064 }
5065 if (state == STATE_READING_SQUOTED_PARM)
5066 {
5067 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5068 return 0;
5069 }
5070 if (state != STATE_INITIAL)
5071 {
5072 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5073 return 0;
5074 }
5075 #if 0
5076 {
5077 int i;
5078 for (i = 0; i < ret; ++i)
5079 {
5080 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5081 }
5082 }
5083 #endif
5084 return ret;
5085 }
5086
5087 static void
5088 bypass_doubledash(char **p)
5089 {
5090 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5091 {
5092 *p += 2;
5093 }
5094 }
5095
5096 struct in_src {
5097 #define IS_TYPE_FP 1
5098 #define IS_TYPE_BUF 2
5099 int type;
5100 union {
5101 FILE *fp;
5102 struct buffer *multiline;
5103 } u;
5104 };
5105
5106 static bool
5107 in_src_get(const struct in_src *is, char *line, const int size)
5108 {
5109 if (is->type == IS_TYPE_FP)
5110 {
5111 return BOOL_CAST(fgets(line, size, is->u.fp));
5112 }
5113 else if (is->type == IS_TYPE_BUF)
5114 {
5115 bool status = buf_parse(is->u.multiline, '\n', line, size);
5116 if ((int) strlen(line) + 1 < size)
5117 {
5118 strcat(line, "\n");
5119 }
5120 return status;
5121 }
5122 else
5123 {
5124 ASSERT(0);
5125 return false;
5126 }
5127 }
5128
5129 static char *
5130 read_inline_file(struct in_src *is, const char *close_tag,
5131 int *num_lines, struct gc_arena *gc)
5132 {
5133 char line[OPTION_LINE_SIZE];
5134 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5135 char *ret;
5136 bool endtagfound = false;
5137
5138 while (in_src_get(is, line, sizeof(line)))
5139 {
5140 (*num_lines)++;
5141 char *line_ptr = line;
5142 /* Remove leading spaces */
5143 while (isspace(*line_ptr))
5144 {
5145 line_ptr++;
5146 }
5147 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5148 {
5149 endtagfound = true;
5150 break;
5151 }
5152 if (!buf_safe(&buf, strlen(line)+1))
5153 {
5154 /* Increase buffer size */
5155 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5156 ASSERT(buf_copy(&buf2, &buf));
5157 buf_clear(&buf);
5158 free_buf(&buf);
5159 buf = buf2;
5160 }
5161 buf_printf(&buf, "%s", line);
5162 }
5163 if (!endtagfound)
5164 {
5165 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5166 }
5167 ret = string_alloc(BSTR(&buf), gc);
5168 buf_clear(&buf);
5169 free_buf(&buf);
5170 secure_memzero(line, sizeof(line));
5171 return ret;
5172 }
5173
5174 static int
5175 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5176 {
5177 int num_inline_lines = 0;
5178
5179 if (p[0] && !p[1])
5180 {
5181 char *arg = p[0];
5182 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5183 {
5184 struct buffer close_tag;
5185
5186 arg[strlen(arg) - 1] = '\0';
5187 p[0] = string_alloc(arg + 1, gc);
5188 close_tag = alloc_buf(strlen(p[0]) + 4);
5189 buf_printf(&close_tag, "</%s>", p[0]);
5190 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5191 p[2] = NULL;
5192 free_buf(&close_tag);
5193 }
5194 }
5195 return num_inline_lines;
5196 }
5197
5198 static int
5199 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5200 {
5201 struct in_src is;
5202 is.type = IS_TYPE_FP;
5203 is.u.fp = fp;
5204 return check_inline_file(&is, p, gc);
5205 }
5206
5207 static int
5208 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5209 struct gc_arena *gc)
5210 {
5211 struct in_src is;
5212 is.type = IS_TYPE_BUF;
5213 is.u.multiline = multiline;
5214 return check_inline_file(&is, p, gc);
5215 }
5216
5217 static void
5218 add_option(struct options *options,
5219 char *p[],
5220 bool is_inline,
5221 const char *file,
5222 int line,
5223 const int level,
5224 const int msglevel,
5225 const unsigned int permission_mask,
5226 unsigned int *option_types_found,
5227 struct env_set *es);
5228
5229 static void
5230 read_config_file(struct options *options,
5231 const char *file,
5232 int level,
5233 const char *top_file,
5234 const int top_line,
5235 const int msglevel,
5236 const unsigned int permission_mask,
5237 unsigned int *option_types_found,
5238 struct env_set *es)
5239 {
5240 const int max_recursive_levels = 10;
5241 FILE *fp;
5242 int line_num;
5243 char line[OPTION_LINE_SIZE+1];
5244 char *p[MAX_PARMS+1];
5245
5246 ++level;
5247 if (level <= max_recursive_levels)
5248 {
5249 if (streq(file, "stdin"))
5250 {
5251 fp = stdin;
5252 }
5253 else
5254 {
5255 fp = platform_fopen(file, "r");
5256 }
5257 if (fp)
5258 {
5259 line_num = 0;
5260 while (fgets(line, sizeof(line), fp))
5261 {
5262 int offset = 0;
5263 CLEAR(p);
5264 ++line_num;
5265 if (strlen(line) == OPTION_LINE_SIZE)
5266 {
5267 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5268 file, line_num, OPTION_LINE_SIZE, line);
5269 }
5270
5271 /* Ignore UTF-8 BOM at start of stream */
5272 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5273 {
5274 offset = 3;
5275 }
5276 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5277 {
5278 bypass_doubledash(&p[0]);
5279 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5280 add_option(options, p, lines_inline, file, line_num, level,
5281 msglevel, permission_mask, option_types_found,
5282 es);
5283 line_num += lines_inline;
5284 }
5285 }
5286 if (fp != stdin)
5287 {
5288 fclose(fp);
5289 }
5290 }
5291 else
5292 {
5293 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5294 }
5295 }
5296 else
5297 {
5298 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5299 }
5300 secure_memzero(line, sizeof(line));
5301 CLEAR(p);
5302 }
5303
5304 static void
5305 read_config_string(const char *prefix,
5306 struct options *options,
5307 const char *config,
5308 const int msglevel,
5309 const unsigned int permission_mask,
5310 unsigned int *option_types_found,
5311 struct env_set *es)
5312 {
5313 char line[OPTION_LINE_SIZE];
5314 struct buffer multiline;
5315 int line_num = 0;
5316
5317 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5318
5319 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5320 {
5321 char *p[MAX_PARMS+1];
5322 CLEAR(p);
5323 ++line_num;
5324 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5325 {
5326 bypass_doubledash(&p[0]);
5327 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5328 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5329 permission_mask, option_types_found, es);
5330 line_num += lines_inline;
5331 }
5332 CLEAR(p);
5333 }
5334 secure_memzero(line, sizeof(line));
5335 }
5336
5337 void
5338 parse_argv(struct options *options,
5339 const int argc,
5340 char *argv[],
5341 const int msglevel,
5342 const unsigned int permission_mask,
5343 unsigned int *option_types_found,
5344 struct env_set *es)
5345 {
5346 /* usage message */
5347 if (argc <= 1)
5348 {
5349 usage();
5350 }
5351
5352 /* config filename specified only? */
5353 if (argc == 2 && strncmp(argv[1], "--", 2))
5354 {
5355 char *p[MAX_PARMS+1];
5356 CLEAR(p);
5357 p[0] = "config";
5358 p[1] = argv[1];
5359 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5360 option_types_found, es);
5361 }
5362 else
5363 {
5364 /* parse command line */
5365 for (int i = 1; i < argc; ++i)
5366 {
5367 char *p[MAX_PARMS+1];
5368 CLEAR(p);
5369 p[0] = argv[i];
5370 if (strncmp(p[0], "--", 2))
5371 {
5372 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5373 }
5374 else
5375 {
5376 p[0] += 2;
5377 }
5378
5379 int j;
5380 for (j = 1; j < MAX_PARMS; ++j)
5381 {
5382 if (i + j < argc)
5383 {
5384 char *arg = argv[i + j];
5385 if (strncmp(arg, "--", 2))
5386 {
5387 p[j] = arg;
5388 }
5389 else
5390 {
5391 break;
5392 }
5393 }
5394 }
5395 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5396 option_types_found, es);
5397 i += j - 1;
5398 }
5399 }
5400 }
5401
5402 /**
5403 * Filter an option line by all pull filters.
5404 *
5405 * If a match is found, the line is modified depending on
5406 * the filter type, and returns true. If the filter type is
5407 * reject, SIGUSR1 is triggered and the return value is false.
5408 * In that case the caller must end the push processing.
5409 */
5410 static bool
5411 apply_pull_filter(const struct options *o, char *line)
5412 {
5413 struct pull_filter *f;
5414
5415 if (!o->pull_filter_list)
5416 {
5417 return true;
5418 }
5419
5420 /* skip leading spaces matching the behaviour of parse_line */
5421 while (isspace(*line))
5422 {
5423 line++;
5424 }
5425
5426 for (f = o->pull_filter_list->head; f; f = f->next)
5427 {
5428 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5429 {
5430 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5431 return true;
5432 }
5433 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5434 {
5435 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5436 *line = '\0';
5437 return true;
5438 }
5439 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5440 {
5441 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5442 *line = '\0';
5443 throw_signal_soft(SIGUSR1, "Offending option received from server");
5444 return false;
5445 }
5446 }
5447 return true;
5448 }
5449
5450 bool
5451 apply_push_options(struct options *options,
5452 struct buffer *buf,
5453 unsigned int permission_mask,
5454 unsigned int *option_types_found,
5455 struct env_set *es)
5456 {
5457 char line[OPTION_PARM_SIZE];
5458 int line_num = 0;
5459 const char *file = "[PUSH-OPTIONS]";
5460 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5461
5462 while (buf_parse(buf, ',', line, sizeof(line)))
5463 {
5464 char *p[MAX_PARMS+1];
5465 CLEAR(p);
5466 ++line_num;
5467 if (!apply_pull_filter(options, line))
5468 {
5469 return false; /* Cause push/pull error and stop push processing */
5470 }
5471 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5472 {
5473 add_option(options, p, false, file, line_num, 0, msglevel,
5474 permission_mask, option_types_found, es);
5475 }
5476 }
5477 return true;
5478 }
5479
5480 void
5481 options_server_import(struct options *o,
5482 const char *filename,
5483 int msglevel,
5484 unsigned int permission_mask,
5485 unsigned int *option_types_found,
5486 struct env_set *es)
5487 {
5488 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5489 read_config_file(o,
5490 filename,
5491 0,
5492 filename,
5493 0,
5494 msglevel,
5495 permission_mask,
5496 option_types_found,
5497 es);
5498 }
5499
5500 void
5501 options_string_import(struct options *options,
5502 const char *config,
5503 const int msglevel,
5504 const unsigned int permission_mask,
5505 unsigned int *option_types_found,
5506 struct env_set *es)
5507 {
5508 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5509 }
5510
5511 #define VERIFY_PERMISSION(mask) { \
5512 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5513 option_types_found, msglevel, options, is_inline)) \
5514 { \
5515 goto err; \
5516 } \
5517 }
5518
5519 static bool
5520 verify_permission(const char *name,
5521 const char *file,
5522 int line,
5523 const unsigned int type,
5524 const unsigned int allowed,
5525 unsigned int *found,
5526 const int msglevel,
5527 struct options *options,
5528 bool is_inline)
5529 {
5530 if (!(type & allowed))
5531 {
5532 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5533 return false;
5534 }
5535
5536 if (is_inline && !(type & OPT_P_INLINE))
5537 {
5538 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5539 file, line);
5540 return false;
5541 }
5542
5543 if (found)
5544 {
5545 *found |= type;
5546 }
5547
5548 #ifndef ENABLE_SMALL
5549 /* Check if this options is allowed in connection block,
5550 * but we are currently not in a connection block
5551 * unless this is a pushed option.
5552 * Parsing a connection block uses a temporary options struct without
5553 * connection_list
5554 */
5555
5556 if ((type & OPT_P_CONNECTION) && options->connection_list
5557 && !(allowed & OPT_P_PULL_MODE))
5558 {
5559 if (file)
5560 {
5561 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5562 }
5563 else
5564 {
5565 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5566 }
5567 }
5568 #endif
5569 return true;
5570 }
5571
5572 /*
5573 * Check that an option doesn't have too
5574 * many parameters.
5575 */
5576
5577 #define NM_QUOTE_HINT (1<<0)
5578
5579 static bool
5580 no_more_than_n_args(const int msglevel,
5581 char *p[],
5582 const int max,
5583 const unsigned int flags)
5584 {
5585 const int len = string_array_len((const char **)p);
5586
5587 if (!len)
5588 {
5589 return false;
5590 }
5591
5592 if (len > max)
5593 {
5594 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5595 p[0],
5596 max - 1,
5597 max >= 3 ? "s" : "",
5598 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5599 return false;
5600 }
5601 else
5602 {
5603 return true;
5604 }
5605 }
5606
5607 static inline int
5608 msglevel_forward_compatible(struct options *options, const int msglevel)
5609 {
5610 return options->forward_compatible ? M_WARN : msglevel;
5611 }
5612
5613 static void
5614 set_user_script(struct options *options,
5615 const char **script,
5616 const char *new_script,
5617 const char *type,
5618 bool in_chroot)
5619 {
5620 if (*script)
5621 {
5622 msg(M_WARN, "Multiple --%s scripts defined. "
5623 "The previously configured script is overridden.", type);
5624 }
5625 *script = new_script;
5626 options->user_script_used = true;
5627
5628 #ifndef ENABLE_SMALL
5629 {
5630 char script_name[100];
5631 openvpn_snprintf(script_name, sizeof(script_name),
5632 "--%s script", type);
5633
5634 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5635 {
5636 msg(M_USAGE, "Please correct this error.");
5637 }
5638
5639 }
5640 #endif
5641 }
5642
5643 static void
5644 show_compression_warning(struct compress_options *info)
5645 {
5646 if (comp_non_stub_enabled(info))
5647 {
5648 /*
5649 * Check if already displayed the strong warning and enabled full
5650 * compression
5651 */
5652 if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5653 {
5654 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5655 "Compression has been used in the past to break encryption. "
5656 "Sent packets are not compressed unless \"allow-compression yes\" "
5657 "is also set.");
5658 }
5659 }
5660 }
5661
5662 bool
5663 key_is_external(const struct options *options)
5664 {
5665 bool ret = false;
5666 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5667 #ifdef ENABLE_PKCS11
5668 ret = ret || (options->pkcs11_providers[0] != NULL);
5669 #endif
5670 #ifdef ENABLE_CRYPTOAPI
5671 ret = ret || options->cryptoapi_cert;
5672 #endif
5673
5674 return ret;
5675 }
5676
5677 static void
5678 add_option(struct options *options,
5679 char *p[],
5680 bool is_inline,
5681 const char *file,
5682 int line,
5683 const int level,
5684 const int msglevel,
5685 const unsigned int permission_mask,
5686 unsigned int *option_types_found,
5687 struct env_set *es)
5688 {
5689 struct gc_arena gc = gc_new();
5690 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5691 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5692
5693 ASSERT(MAX_PARMS >= 7);
5694
5695 /*
5696 * If directive begins with "setenv opt" prefix, don't raise an error if
5697 * directive is unrecognized.
5698 */
5699 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5700 {
5701 if (!p[2])
5702 {
5703 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5704 }
5705 p += 2;
5706 msglevel_fc = M_WARN;
5707 }
5708
5709 if (!file)
5710 {
5711 file = "[CMD-LINE]";
5712 line = 1;
5713 }
5714 if (streq(p[0], "help"))
5715 {
5716 VERIFY_PERMISSION(OPT_P_GENERAL);
5717 usage();
5718 if (p[1])
5719 {
5720 msg(msglevel, "--help does not accept any parameters");
5721 goto err;
5722 }
5723 }
5724 if (streq(p[0], "version") && !p[1])
5725 {
5726 VERIFY_PERMISSION(OPT_P_GENERAL);
5727 usage_version();
5728 }
5729 else if (streq(p[0], "config") && p[1] && !p[2])
5730 {
5731 VERIFY_PERMISSION(OPT_P_CONFIG);
5732
5733 /* save first config file only in options */
5734 if (!options->config)
5735 {
5736 options->config = p[1];
5737 }
5738
5739 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5740 }
5741 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5742 else if (streq(p[0], "show-gateway") && !p[2])
5743 {
5744 struct route_gateway_info rgi;
5745 struct route_ipv6_gateway_info rgi6;
5746 struct in6_addr remote = IN6ADDR_ANY_INIT;
5747 openvpn_net_ctx_t net_ctx;
5748 VERIFY_PERMISSION(OPT_P_GENERAL);
5749 if (p[1])
5750 {
5751 get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5752 }
5753 net_ctx_init(NULL, &net_ctx);
5754 get_default_gateway(&rgi, &net_ctx);
5755 get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5756 print_default_gateway(M_INFO, &rgi, &rgi6);
5757 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5758 }
5759 #endif
5760 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5761 {
5762 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5763 int j;
5764 bool good = true;
5765
5766 VERIFY_PERMISSION(OPT_P_ECHO);
5767
5768 for (j = 1; j < MAX_PARMS; ++j)
5769 {
5770 if (!p[j])
5771 {
5772 break;
5773 }
5774 if (j > 1)
5775 {
5776 good &= buf_printf(&string, " ");
5777 }
5778 good &= buf_printf(&string, "%s", p[j]);
5779 }
5780 if (good)
5781 {
5782 /* only message-related ECHO are logged, since other ECHOs
5783 * can potentially include security-sensitive strings */
5784 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5785 {
5786 msg(M_INFO, "%s:%s",
5787 pull_mode ? "ECHO-PULL" : "ECHO",
5788 BSTR(&string));
5789 }
5790 #ifdef ENABLE_MANAGEMENT
5791 if (management)
5792 {
5793 management_echo(management, BSTR(&string), pull_mode);
5794 }
5795 #endif
5796 }
5797 else
5798 {
5799 msg(M_WARN, "echo/parameter option overflow");
5800 }
5801 }
5802 #ifdef ENABLE_MANAGEMENT
5803 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5804 {
5805 VERIFY_PERMISSION(OPT_P_GENERAL);
5806 if (streq(p[2], "unix"))
5807 {
5808 #if UNIX_SOCK_SUPPORT
5809 options->management_flags |= MF_UNIX_SOCK;
5810 #else
5811 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5812 goto err;
5813 #endif
5814 }
5815
5816 options->management_addr = p[1];
5817 options->management_port = p[2];
5818 if (p[3])
5819 {
5820 options->management_user_pass = p[3];
5821 }
5822 }
5823 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5824 {
5825 VERIFY_PERMISSION(OPT_P_GENERAL);
5826 options->management_client_user = p[1];
5827 }
5828 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5829 {
5830 VERIFY_PERMISSION(OPT_P_GENERAL);
5831 options->management_client_group = p[1];
5832 }
5833 else if (streq(p[0], "management-query-passwords") && !p[1])
5834 {
5835 VERIFY_PERMISSION(OPT_P_GENERAL);
5836 options->management_flags |= MF_QUERY_PASSWORDS;
5837 }
5838 else if (streq(p[0], "management-query-remote") && !p[1])
5839 {
5840 VERIFY_PERMISSION(OPT_P_GENERAL);
5841 options->management_flags |= MF_QUERY_REMOTE;
5842 }
5843 else if (streq(p[0], "management-query-proxy") && !p[1])
5844 {
5845 VERIFY_PERMISSION(OPT_P_GENERAL);
5846 options->management_flags |= MF_QUERY_PROXY;
5847 }
5848 else if (streq(p[0], "management-hold") && !p[1])
5849 {
5850 VERIFY_PERMISSION(OPT_P_GENERAL);
5851 options->management_flags |= MF_HOLD;
5852 }
5853 else if (streq(p[0], "management-signal") && !p[1])
5854 {
5855 VERIFY_PERMISSION(OPT_P_GENERAL);
5856 options->management_flags |= MF_SIGNAL;
5857 }
5858 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5859 {
5860 VERIFY_PERMISSION(OPT_P_GENERAL);
5861 options->management_flags |= MF_FORGET_DISCONNECT;
5862 }
5863 else if (streq(p[0], "management-up-down") && !p[1])
5864 {
5865 VERIFY_PERMISSION(OPT_P_GENERAL);
5866 options->management_flags |= MF_UP_DOWN;
5867 }
5868 else if (streq(p[0], "management-client") && !p[1])
5869 {
5870 VERIFY_PERMISSION(OPT_P_GENERAL);
5871 options->management_flags |= MF_CONNECT_AS_CLIENT;
5872 }
5873 else if (streq(p[0], "management-external-key"))
5874 {
5875 VERIFY_PERMISSION(OPT_P_GENERAL);
5876 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5877 {
5878 if (streq(p[j], "nopadding"))
5879 {
5880 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5881 }
5882 else if (streq(p[j], "pkcs1"))
5883 {
5884 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5885 }
5886 else if (streq(p[j], "pss"))
5887 {
5888 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5889 }
5890 else if (streq(p[j], "digest"))
5891 {
5892 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5893 }
5894 else
5895 {
5896 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5897 }
5898 }
5899 /*
5900 * When no option is present, assume that only PKCS1
5901 * padding is supported
5902 */
5903 if (!(options->management_flags
5904 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5905 {
5906 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5907 }
5908 options->management_flags |= MF_EXTERNAL_KEY;
5909 }
5910 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5911 {
5912 VERIFY_PERMISSION(OPT_P_GENERAL);
5913 options->management_flags |= MF_EXTERNAL_CERT;
5914 options->management_certificate = p[1];
5915 }
5916 else if (streq(p[0], "management-client-auth") && !p[1])
5917 {
5918 VERIFY_PERMISSION(OPT_P_GENERAL);
5919 options->management_flags |= MF_CLIENT_AUTH;
5920 }
5921 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5922 {
5923 int cache;
5924
5925 VERIFY_PERMISSION(OPT_P_GENERAL);
5926 cache = atoi(p[1]);
5927 if (cache < 1)
5928 {
5929 msg(msglevel, "--management-log-cache parameter is out of range");
5930 goto err;
5931 }
5932 options->management_log_history_cache = cache;
5933 }
5934 #endif /* ifdef ENABLE_MANAGEMENT */
5935 #ifdef ENABLE_PLUGIN
5936 else if (streq(p[0], "plugin") && p[1])
5937 {
5938 VERIFY_PERMISSION(OPT_P_PLUGIN);
5939 if (!options->plugin_list)
5940 {
5941 options->plugin_list = plugin_option_list_new(&options->gc);
5942 }
5943 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5944 {
5945 msg(msglevel, "plugin add failed: %s", p[1]);
5946 goto err;
5947 }
5948 }
5949 #endif
5950 else if (streq(p[0], "mode") && p[1] && !p[2])
5951 {
5952 VERIFY_PERMISSION(OPT_P_GENERAL);
5953 if (streq(p[1], "p2p"))
5954 {
5955 options->mode = MODE_POINT_TO_POINT;
5956 }
5957 else if (streq(p[1], "server"))
5958 {
5959 options->mode = MODE_SERVER;
5960 }
5961 else
5962 {
5963 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5964 goto err;
5965 }
5966 }
5967 else if (streq(p[0], "dev") && p[1] && !p[2])
5968 {
5969 VERIFY_PERMISSION(OPT_P_GENERAL);
5970 options->dev = p[1];
5971 }
5972 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5973 {
5974 VERIFY_PERMISSION(OPT_P_GENERAL);
5975 options->dev_type = p[1];
5976 }
5977 #ifdef _WIN32
5978 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5979 {
5980 VERIFY_PERMISSION(OPT_P_GENERAL);
5981 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5982 }
5983 #endif
5984 else if (streq(p[0], "disable-dco"))
5985 {
5986 options->tuntap_options.disable_dco = true;
5987 }
5988 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5989 {
5990 VERIFY_PERMISSION(OPT_P_GENERAL);
5991 options->dev_node = p[1];
5992 }
5993 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5994 {
5995 VERIFY_PERMISSION(OPT_P_UP);
5996 if (mac_addr_safe(p[1])) /* MAC address only */
5997 {
5998 options->lladdr = p[1];
5999 }
6000 else
6001 {
6002 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6003 goto err;
6004 }
6005 }
6006 else if (streq(p[0], "topology") && p[1] && !p[2])
6007 {
6008 VERIFY_PERMISSION(OPT_P_UP);
6009 options->topology = parse_topology(p[1], msglevel);
6010 }
6011 else if (streq(p[0], "tun-ipv6") && !p[1])
6012 {
6013 if (!pull_mode)
6014 {
6015 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6016 }
6017 }
6018 #ifdef ENABLE_IPROUTE
6019 else if (streq(p[0], "iproute") && p[1] && !p[2])
6020 {
6021 VERIFY_PERMISSION(OPT_P_GENERAL);
6022 iproute_path = p[1];
6023 }
6024 #endif
6025 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6026 {
6027 VERIFY_PERMISSION(OPT_P_UP);
6028 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6029 {
6030 options->ifconfig_local = p[1];
6031 options->ifconfig_remote_netmask = p[2];
6032 }
6033 else
6034 {
6035 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6036 goto err;
6037 }
6038 }
6039 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6040 {
6041 unsigned int netbits;
6042
6043 VERIFY_PERMISSION(OPT_P_UP);
6044 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6045 && ipv6_addr_safe( p[2] ) )
6046 {
6047 if (netbits < 64 || netbits > 124)
6048 {
6049 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6050 goto err;
6051 }
6052
6053 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6054 options->ifconfig_ipv6_netbits = netbits;
6055 options->ifconfig_ipv6_remote = p[2];
6056 }
6057 else
6058 {
6059 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6060 goto err;
6061 }
6062 }
6063 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6064 {
6065 VERIFY_PERMISSION(OPT_P_UP);
6066 options->ifconfig_noexec = true;
6067 }
6068 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6069 {
6070 VERIFY_PERMISSION(OPT_P_UP);
6071 options->ifconfig_nowarn = true;
6072 }
6073 else if (streq(p[0], "local") && p[1] && !p[2])
6074 {
6075 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6076 options->ce.local = p[1];
6077 }
6078 else if (streq(p[0], "remote-random") && !p[1])
6079 {
6080 VERIFY_PERMISSION(OPT_P_GENERAL);
6081 options->remote_random = true;
6082 }
6083 else if (streq(p[0], "connection") && p[1] && !p[3])
6084 {
6085 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6086 if (is_inline)
6087 {
6088 struct options sub;
6089 struct connection_entry *e;
6090
6091 init_options(&sub, true);
6092 sub.ce = options->ce;
6093 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6094 OPT_P_CONNECTION, option_types_found, es);
6095 if (!sub.ce.remote)
6096 {
6097 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6098 uninit_options(&sub);
6099 goto err;
6100 }
6101
6102 e = alloc_connection_entry(options, msglevel);
6103 if (!e)
6104 {
6105 uninit_options(&sub);
6106 goto err;
6107 }
6108 *e = sub.ce;
6109 gc_transfer(&options->gc, &sub.gc);
6110 uninit_options(&sub);
6111 }
6112 }
6113 else if (streq(p[0], "ignore-unknown-option") && p[1])
6114 {
6115 int i;
6116 int j;
6117 int numignored = 0;
6118 const char **ignore;
6119
6120 VERIFY_PERMISSION(OPT_P_GENERAL);
6121 /* Find out how many options to be ignored */
6122 for (i = 1; p[i]; i++)
6123 {
6124 numignored++;
6125 }
6126
6127 /* add number of options already ignored */
6128 for (i = 0; options->ignore_unknown_option
6129 && options->ignore_unknown_option[i]; i++)
6130 {
6131 numignored++;
6132 }
6133
6134 /* Allocate array */
6135 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6136 for (i = 0; options->ignore_unknown_option
6137 && options->ignore_unknown_option[i]; i++)
6138 {
6139 ignore[i] = options->ignore_unknown_option[i];
6140 }
6141
6142 options->ignore_unknown_option = ignore;
6143
6144 for (j = 1; p[j]; j++)
6145 {
6146 /* Allow the user to specify ignore-unknown-option --opt too */
6147 if (p[j][0]=='-' && p[j][1]=='-')
6148 {
6149 options->ignore_unknown_option[i] = (p[j]+2);
6150 }
6151 else
6152 {
6153 options->ignore_unknown_option[i] = p[j];
6154 }
6155 i++;
6156 }
6157
6158 options->ignore_unknown_option[i] = NULL;
6159 }
6160 #if ENABLE_MANAGEMENT
6161 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6162 {
6163 VERIFY_PERMISSION(OPT_P_GENERAL);
6164 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6165 if (!options->http_proxy_override)
6166 {
6167 goto err;
6168 }
6169 }
6170 #endif
6171 else if (streq(p[0], "remote") && p[1] && !p[4])
6172 {
6173 struct remote_entry re;
6174 re.remote = re.remote_port = NULL;
6175 re.proto = -1;
6176 re.af = 0;
6177
6178 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6179 re.remote = p[1];
6180 if (p[2])
6181 {
6182 re.remote_port = p[2];
6183 if (p[3])
6184 {
6185 const int proto = ascii2proto(p[3]);
6186 const sa_family_t af = ascii2af(p[3]);
6187 if (proto < 0)
6188 {
6189 msg(msglevel,
6190 "remote: bad protocol associated with host %s: '%s'",
6191 p[1], p[3]);
6192 goto err;
6193 }
6194 re.proto = proto;
6195 re.af = af;
6196 }
6197 }
6198 if (permission_mask & OPT_P_GENERAL)
6199 {
6200 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6201 if (!e)
6202 {
6203 goto err;
6204 }
6205 *e = re;
6206 }
6207 else if (permission_mask & OPT_P_CONNECTION)
6208 {
6209 connection_entry_load_re(&options->ce, &re);
6210 }
6211 }
6212 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6213 {
6214 VERIFY_PERMISSION(OPT_P_GENERAL);
6215 if (streq(p[1], "infinite"))
6216 {
6217 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6218 }
6219 else
6220 {
6221 options->resolve_retry_seconds = positive_atoi(p[1]);
6222 }
6223 }
6224 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6225 {
6226 VERIFY_PERMISSION(OPT_P_GENERAL);
6227 options->resolve_in_advance = true;
6228 /* Note the ip-remote-hint and the argument p[1] are for
6229 * backward compatibility */
6230 if (p[1])
6231 {
6232 options->ip_remote_hint = p[1];
6233 }
6234 }
6235 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6236 {
6237 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6238 options->ce.connect_retry_seconds = positive_atoi(p[1]);
6239 /*
6240 * Limit the base value of retry wait interval to 16 bits to avoid
6241 * overflow when scaled up for exponential backoff
6242 */
6243 if (options->ce.connect_retry_seconds > 0xFFFF)
6244 {
6245 options->ce.connect_retry_seconds = 0xFFFF;
6246 msg(M_WARN, "connect retry wait interval truncated to %d",
6247 options->ce.connect_retry_seconds);
6248 }
6249
6250 if (p[2])
6251 {
6252 options->ce.connect_retry_seconds_max =
6253 max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6254 }
6255 }
6256 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6257 && p[1] && !p[2])
6258 {
6259 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6260 options->ce.connect_timeout = positive_atoi(p[1]);
6261 }
6262 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6263 {
6264 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6265 options->connect_retry_max = positive_atoi(p[1]);
6266 }
6267 else if (streq(p[0], "ipchange") && p[1])
6268 {
6269 VERIFY_PERMISSION(OPT_P_SCRIPT);
6270 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6271 {
6272 goto err;
6273 }
6274 set_user_script(options,
6275 &options->ipchange,
6276 string_substitute(p[1], ',', ' ', &options->gc),
6277 "ipchange", true);
6278 }
6279 else if (streq(p[0], "float") && !p[1])
6280 {
6281 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6282 options->ce.remote_float = true;
6283 }
6284 #ifdef ENABLE_DEBUG
6285 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6286 {
6287 VERIFY_PERMISSION(OPT_P_GENERAL);
6288 options->gremlin = positive_atoi(p[1]);
6289 }
6290 #endif
6291 else if (streq(p[0], "chroot") && p[1] && !p[2])
6292 {
6293 VERIFY_PERMISSION(OPT_P_GENERAL);
6294 options->chroot_dir = p[1];
6295 }
6296 else if (streq(p[0], "cd") && p[1] && !p[2])
6297 {
6298 VERIFY_PERMISSION(OPT_P_GENERAL);
6299 if (platform_chdir(p[1]))
6300 {
6301 msg(M_ERR, "cd to '%s' failed", p[1]);
6302 goto err;
6303 }
6304 options->cd_dir = p[1];
6305 }
6306 #ifdef ENABLE_SELINUX
6307 else if (streq(p[0], "setcon") && p[1] && !p[2])
6308 {
6309 VERIFY_PERMISSION(OPT_P_GENERAL);
6310 options->selinux_context = p[1];
6311 }
6312 #endif
6313 else if (streq(p[0], "writepid") && p[1] && !p[2])
6314 {
6315 VERIFY_PERMISSION(OPT_P_GENERAL);
6316 options->writepid = p[1];
6317 }
6318 else if (streq(p[0], "up") && p[1])
6319 {
6320 VERIFY_PERMISSION(OPT_P_SCRIPT);
6321 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6322 {
6323 goto err;
6324 }
6325 set_user_script(options, &options->up_script, p[1], "up", false);
6326 }
6327 else if (streq(p[0], "down") && p[1])
6328 {
6329 VERIFY_PERMISSION(OPT_P_SCRIPT);
6330 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6331 {
6332 goto err;
6333 }
6334 set_user_script(options, &options->down_script, p[1], "down", true);
6335 }
6336 else if (streq(p[0], "down-pre") && !p[1])
6337 {
6338 VERIFY_PERMISSION(OPT_P_GENERAL);
6339 options->down_pre = true;
6340 }
6341 else if (streq(p[0], "up-delay") && !p[1])
6342 {
6343 VERIFY_PERMISSION(OPT_P_GENERAL);
6344 options->up_delay = true;
6345 }
6346 else if (streq(p[0], "up-restart") && !p[1])
6347 {
6348 VERIFY_PERMISSION(OPT_P_GENERAL);
6349 options->up_restart = true;
6350 }
6351 else if (streq(p[0], "syslog") && !p[2])
6352 {
6353 VERIFY_PERMISSION(OPT_P_GENERAL);
6354 open_syslog(p[1], false);
6355 }
6356 else if (streq(p[0], "daemon") && !p[2])
6357 {
6358 bool didit = false;
6359 VERIFY_PERMISSION(OPT_P_GENERAL);
6360 if (!options->daemon)
6361 {
6362 options->daemon = didit = true;
6363 open_syslog(p[1], false);
6364 }
6365 if (p[1])
6366 {
6367 if (!didit)
6368 {
6369 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6370 goto err;
6371 }
6372 }
6373 }
6374 else if (streq(p[0], "log") && p[1] && !p[2])
6375 {
6376 VERIFY_PERMISSION(OPT_P_GENERAL);
6377 options->log = true;
6378 redirect_stdout_stderr(p[1], false);
6379 }
6380 else if (streq(p[0], "suppress-timestamps") && !p[1])
6381 {
6382 VERIFY_PERMISSION(OPT_P_GENERAL);
6383 options->suppress_timestamps = true;
6384 set_suppress_timestamps(true);
6385 }
6386 else if (streq(p[0], "machine-readable-output") && !p[1])
6387 {
6388 VERIFY_PERMISSION(OPT_P_GENERAL);
6389 options->machine_readable_output = true;
6390 set_machine_readable_output(true);
6391 }
6392 else if (streq(p[0], "log-append") && p[1] && !p[2])
6393 {
6394 VERIFY_PERMISSION(OPT_P_GENERAL);
6395 options->log = true;
6396 redirect_stdout_stderr(p[1], true);
6397 }
6398 #ifdef ENABLE_MEMSTATS
6399 else if (streq(p[0], "memstats") && p[1] && !p[2])
6400 {
6401 VERIFY_PERMISSION(OPT_P_GENERAL);
6402 options->memstats_fn = p[1];
6403 }
6404 #endif
6405 else if (streq(p[0], "mlock") && !p[1])
6406 {
6407 VERIFY_PERMISSION(OPT_P_GENERAL);
6408 options->mlock = true;
6409 }
6410 #if ENABLE_IP_PKTINFO
6411 else if (streq(p[0], "multihome") && !p[1])
6412 {
6413 VERIFY_PERMISSION(OPT_P_GENERAL);
6414 options->sockflags |= SF_USE_IP_PKTINFO;
6415 }
6416 #endif
6417 else if (streq(p[0], "verb") && p[1] && !p[2])
6418 {
6419 VERIFY_PERMISSION(OPT_P_MESSAGES);
6420 options->verbosity = positive_atoi(p[1]);
6421 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6422 {
6423 /* We pass this flag to the SSL library to avoid
6424 * mbed TLS always generating debug level logging */
6425 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6426 }
6427 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6428 /* Warn when a debug verbosity is supplied when built without debug support */
6429 if (options->verbosity >= 7)
6430 {
6431 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6432 options->verbosity);
6433 }
6434 #endif
6435 }
6436 else if (streq(p[0], "mute") && p[1] && !p[2])
6437 {
6438 VERIFY_PERMISSION(OPT_P_MESSAGES);
6439 options->mute = positive_atoi(p[1]);
6440 }
6441 else if (streq(p[0], "errors-to-stderr") && !p[1])
6442 {
6443 VERIFY_PERMISSION(OPT_P_MESSAGES);
6444 errors_to_stderr();
6445 }
6446 else if (streq(p[0], "status") && p[1] && !p[3])
6447 {
6448 VERIFY_PERMISSION(OPT_P_GENERAL);
6449 options->status_file = p[1];
6450 if (p[2])
6451 {
6452 options->status_file_update_freq = positive_atoi(p[2]);
6453 }
6454 }
6455 else if (streq(p[0], "status-version") && p[1] && !p[2])
6456 {
6457 int version;
6458
6459 VERIFY_PERMISSION(OPT_P_GENERAL);
6460 version = atoi(p[1]);
6461 if (version < 1 || version > 3)
6462 {
6463 msg(msglevel, "--status-version must be 1 to 3");
6464 goto err;
6465 }
6466 options->status_file_version = version;
6467 }
6468 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6469 {
6470 VERIFY_PERMISSION(OPT_P_GENERAL);
6471 if (streq(p[1], "SIGHUP"))
6472 {
6473 options->remap_sigusr1 = SIGHUP;
6474 }
6475 else if (streq(p[1], "SIGTERM"))
6476 {
6477 options->remap_sigusr1 = SIGTERM;
6478 }
6479 else
6480 {
6481 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6482 goto err;
6483 }
6484 }
6485 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6486 {
6487 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6488 options->ce.link_mtu = positive_atoi(p[1]);
6489 options->ce.link_mtu_defined = true;
6490 }
6491 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6492 {
6493 VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6494 options->ce.tun_mtu = positive_atoi(p[1]);
6495 options->ce.tun_mtu_defined = true;
6496 if (p[2])
6497 {
6498 options->ce.occ_mtu = positive_atoi(p[2]);
6499 }
6500 else
6501 {
6502 options->ce.occ_mtu = 0;
6503 }
6504 }
6505 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6506 {
6507 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6508 int max_mtu = positive_atoi(p[1]);
6509 if (max_mtu < 68 || max_mtu > 65536)
6510 {
6511 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6512 }
6513 else
6514 {
6515 options->ce.tun_mtu_max = max_mtu;
6516 }
6517 }
6518 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6519 {
6520 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6521 options->ce.tun_mtu_extra = positive_atoi(p[1]);
6522 options->ce.tun_mtu_extra_defined = true;
6523 }
6524 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6525 {
6526 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6527 int maxmtu = positive_atoi(p[1]);
6528 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6529
6530 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6531 {
6532 msg(M_WARN, "Note: max-packet-size value outside of allowed "
6533 "control channel packet size (%d to %d), will use %d "
6534 "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6535 options->ce.tls_mtu);
6536 }
6537
6538 /* also set mssfix maxmtu mtu */
6539 options->ce.mssfix = maxmtu;
6540 options->ce.mssfix_default = false;
6541 options->ce.mssfix_encap = true;
6542 }
6543 #ifdef ENABLE_FRAGMENT
6544 else if (streq(p[0], "mtu-dynamic"))
6545 {
6546 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6547 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6548 goto err;
6549 }
6550 else if (streq(p[0], "fragment") && p[1] && !p[3])
6551 {
6552 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6553 options->ce.fragment = positive_atoi(p[1]);
6554
6555 if (options->ce.fragment < 68)
6556 {
6557 msg(msglevel, "--fragment needs to be at least 68");
6558 goto err;
6559 }
6560
6561 if (p[2] && streq(p[2], "mtu"))
6562 {
6563 options->ce.fragment_encap = true;
6564 }
6565 else if (p[2])
6566 {
6567 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6568 }
6569 }
6570 #endif /* ifdef ENABLE_FRAGMENT */
6571 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6572 {
6573 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6574 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6575 }
6576 else if (streq(p[0], "mtu-test") && !p[1])
6577 {
6578 VERIFY_PERMISSION(OPT_P_GENERAL);
6579 options->mtu_test = true;
6580 }
6581 else if (streq(p[0], "nice") && p[1] && !p[2])
6582 {
6583 VERIFY_PERMISSION(OPT_P_NICE);
6584 options->nice = atoi(p[1]);
6585 }
6586 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6587 {
6588 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6589 options->rcvbuf = positive_atoi(p[1]);
6590 }
6591 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6592 {
6593 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6594 options->sndbuf = positive_atoi(p[1]);
6595 }
6596 else if (streq(p[0], "mark") && p[1] && !p[2])
6597 {
6598 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6599 VERIFY_PERMISSION(OPT_P_GENERAL);
6600 options->mark = atoi(p[1]);
6601 #endif
6602 }
6603 else if (streq(p[0], "socket-flags"))
6604 {
6605 int j;
6606 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6607 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6608 {
6609 if (streq(p[j], "TCP_NODELAY"))
6610 {
6611 options->sockflags |= SF_TCP_NODELAY;
6612 }
6613 else
6614 {
6615 msg(msglevel, "unknown socket flag: %s", p[j]);
6616 }
6617 }
6618 }
6619 #ifdef TARGET_LINUX
6620 else if (streq(p[0], "bind-dev") && p[1])
6621 {
6622 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6623 options->bind_dev = p[1];
6624 }
6625 #endif
6626 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6627 {
6628 VERIFY_PERMISSION(OPT_P_GENERAL);
6629 #ifdef TARGET_LINUX
6630 options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6631 #else
6632 msg(msglevel, "--txqueuelen not supported on this OS");
6633 goto err;
6634 #endif
6635 }
6636 else if (streq(p[0], "shaper") && p[1] && !p[2])
6637 {
6638 int shaper;
6639
6640 VERIFY_PERMISSION(OPT_P_SHAPER);
6641 shaper = atoi(p[1]);
6642 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6643 {
6644 msg(msglevel, "Bad shaper value, must be between %d and %d",
6645 SHAPER_MIN, SHAPER_MAX);
6646 goto err;
6647 }
6648 options->shaper = shaper;
6649 }
6650 else if (streq(p[0], "port") && p[1] && !p[2])
6651 {
6652 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6653 options->ce.local_port = options->ce.remote_port = p[1];
6654 }
6655 else if (streq(p[0], "lport") && p[1] && !p[2])
6656 {
6657 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6658 options->ce.local_port_defined = true;
6659 options->ce.local_port = p[1];
6660 }
6661 else if (streq(p[0], "rport") && p[1] && !p[2])
6662 {
6663 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6664 options->ce.remote_port = p[1];
6665 }
6666 else if (streq(p[0], "bind") && !p[2])
6667 {
6668 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6669 options->ce.bind_defined = true;
6670 if (p[1] && streq(p[1], "ipv6only"))
6671 {
6672 options->ce.bind_ipv6_only = true;
6673 }
6674
6675 }
6676 else if (streq(p[0], "nobind") && !p[1])
6677 {
6678 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6679 options->ce.bind_local = false;
6680 }
6681 else if (streq(p[0], "fast-io") && !p[1])
6682 {
6683 VERIFY_PERMISSION(OPT_P_GENERAL);
6684 options->fast_io = true;
6685 }
6686 else if (streq(p[0], "inactive") && p[1] && !p[3])
6687 {
6688 VERIFY_PERMISSION(OPT_P_TIMER);
6689 options->inactivity_timeout = positive_atoi(p[1]);
6690 if (p[2])
6691 {
6692 int64_t val = atoll(p[2]);
6693 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6694 if (options->inactivity_minimum_bytes > INT_MAX)
6695 {
6696 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6697 " >2 Gbyte was silently ignored in older versions. If "
6698 " your VPN exits unexpectedly with 'Inactivity timeout'"
6699 " in %d seconds, revisit this value.",
6700 options->inactivity_timeout );
6701 }
6702 }
6703 }
6704 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6705 {
6706 VERIFY_PERMISSION(OPT_P_TIMER);
6707 options->session_timeout = positive_atoi(p[1]);
6708 }
6709 else if (streq(p[0], "proto") && p[1] && !p[2])
6710 {
6711 int proto;
6712 sa_family_t af;
6713 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6714 proto = ascii2proto(p[1]);
6715 af = ascii2af(p[1]);
6716 if (proto < 0)
6717 {
6718 msg(msglevel,
6719 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6720 p[1],
6721 proto2ascii_all(&gc));
6722 goto err;
6723 }
6724 options->ce.proto = proto;
6725 options->ce.af = af;
6726 }
6727 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6728 {
6729 int proto_force;
6730 VERIFY_PERMISSION(OPT_P_GENERAL);
6731 proto_force = ascii2proto(p[1]);
6732 if (proto_force < 0)
6733 {
6734 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6735 goto err;
6736 }
6737 options->proto_force = proto_force;
6738 }
6739 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6740 {
6741 struct http_proxy_options *ho;
6742
6743 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6744
6745 {
6746 if (!p[2])
6747 {
6748 msg(msglevel, "http-proxy port number not defined");
6749 goto err;
6750 }
6751
6752 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6753
6754 ho->server = p[1];
6755 ho->port = p[2];
6756 }
6757
6758 if (p[3])
6759 {
6760 /* auto -- try to figure out proxy addr, port, and type automatically */
6761 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6762 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6763 if (streq(p[3], "auto"))
6764 {
6765 ho->auth_retry = PAR_ALL;
6766 }
6767 else if (streq(p[3], "auto-nct"))
6768 {
6769 ho->auth_retry = PAR_NCT;
6770 }
6771 else
6772 {
6773 ho->auth_method_string = "basic";
6774 ho->auth_file = p[3];
6775
6776 if (p[4])
6777 {
6778 ho->auth_method_string = p[4];
6779 }
6780 }
6781 }
6782 else
6783 {
6784 ho->auth_method_string = "none";
6785 }
6786 }
6787 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6788 {
6789 struct http_proxy_options *ho;
6790 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6791 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6792 ho->auth_file = p[1];
6793 ho->inline_creds = is_inline;
6794 }
6795 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6796 {
6797 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6798 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6799 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6800 "Use connect-retry-max 1 to get a similar behavior as before.");
6801 }
6802 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6803 {
6804 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6805 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6806 "server is established is managed with a single timeout set by connect-timeout");
6807 }
6808 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6809 {
6810 struct http_proxy_options *ho;
6811
6812 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6813 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6814
6815 if (streq(p[1], "VERSION") && p[2] && !p[3])
6816 {
6817 ho->http_version = p[2];
6818 }
6819 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6820 {
6821 ho->user_agent = p[2];
6822 }
6823 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6824 && p[2])
6825 {
6826 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6827 * with either two argument or one */
6828
6829 struct http_custom_header *custom_header = NULL;
6830 int i;
6831 /* Find the first free header */
6832 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6833 {
6834 if (!ho->custom_headers[i].name)
6835 {
6836 custom_header = &ho->custom_headers[i];
6837 break;
6838 }
6839 }
6840 if (!custom_header)
6841 {
6842 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6843 }
6844 else
6845 {
6846 /* We will save p[2] and p[3], the proxy code will detect if
6847 * p[3] is NULL */
6848 custom_header->name = p[2];
6849 custom_header->content = p[3];
6850 }
6851 }
6852 else
6853 {
6854 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6855 }
6856 }
6857 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6858 {
6859 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6860
6861 if (p[2])
6862 {
6863 options->ce.socks_proxy_port = p[2];
6864 }
6865 else
6866 {
6867 options->ce.socks_proxy_port = "1080";
6868 }
6869 options->ce.socks_proxy_server = p[1];
6870 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6871 }
6872 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6873 {
6874 VERIFY_PERMISSION(OPT_P_GENERAL);
6875 options->keepalive_ping = atoi(p[1]);
6876 options->keepalive_timeout = atoi(p[2]);
6877 }
6878 else if (streq(p[0], "ping") && p[1] && !p[2])
6879 {
6880 VERIFY_PERMISSION(OPT_P_TIMER);
6881 options->ping_send_timeout = positive_atoi(p[1]);
6882 }
6883 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6884 {
6885 VERIFY_PERMISSION(OPT_P_TIMER);
6886 options->ping_rec_timeout = positive_atoi(p[1]);
6887 options->ping_rec_timeout_action = PING_EXIT;
6888 }
6889 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6890 {
6891 VERIFY_PERMISSION(OPT_P_TIMER);
6892 options->ping_rec_timeout = positive_atoi(p[1]);
6893 options->ping_rec_timeout_action = PING_RESTART;
6894 }
6895 else if (streq(p[0], "ping-timer-rem") && !p[1])
6896 {
6897 VERIFY_PERMISSION(OPT_P_TIMER);
6898 options->ping_timer_remote = true;
6899 }
6900 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6901 {
6902 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6903 if (p[1])
6904 {
6905 options->ce.explicit_exit_notification = positive_atoi(p[1]);
6906 }
6907 else
6908 {
6909 options->ce.explicit_exit_notification = 1;
6910 }
6911 }
6912 else if (streq(p[0], "persist-tun") && !p[1])
6913 {
6914 VERIFY_PERMISSION(OPT_P_PERSIST);
6915 options->persist_tun = true;
6916 }
6917 else if (streq(p[0], "persist-key") && !p[1])
6918 {
6919 VERIFY_PERMISSION(OPT_P_PERSIST);
6920 options->persist_key = true;
6921 }
6922 else if (streq(p[0], "persist-local-ip") && !p[1])
6923 {
6924 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6925 options->persist_local_ip = true;
6926 }
6927 else if (streq(p[0], "persist-remote-ip") && !p[1])
6928 {
6929 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6930 options->persist_remote_ip = true;
6931 }
6932 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6933 {
6934 VERIFY_PERMISSION(OPT_P_ROUTE);
6935 cnol_check_alloc(options);
6936 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6937 }
6938 else if (streq(p[0], "route") && p[1] && !p[5])
6939 {
6940 VERIFY_PERMISSION(OPT_P_ROUTE);
6941 rol_check_alloc(options);
6942 if (pull_mode)
6943 {
6944 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6945 {
6946 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6947 goto err;
6948 }
6949 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6950 {
6951 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6952 goto err;
6953 }
6954 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
6955 {
6956 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
6957 goto err;
6958 }
6959 }
6960 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
6961 }
6962 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6963 {
6964 VERIFY_PERMISSION(OPT_P_ROUTE);
6965 rol6_check_alloc(options);
6966 if (pull_mode)
6967 {
6968 if (!ipv6_addr_safe_hexplusbits(p[1]))
6969 {
6970 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
6971 goto err;
6972 }
6973 if (p[2] && !ipv6_addr_safe(p[2]))
6974 {
6975 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
6976 goto err;
6977 }
6978 /* p[3] is metric, if present */
6979 }
6980 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
6981 }
6982 else if (streq(p[0], "max-routes") && !p[2])
6983 {
6984 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
6985 "The number of routes is unlimited as of OpenVPN 2.4. "
6986 "This option will be removed in a future version, "
6987 "please remove it from your configuration.");
6988 }
6989 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6990 {
6991 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6992 if (streq(p[1], "dhcp"))
6993 {
6994 options->route_gateway_via_dhcp = true;
6995 }
6996 else
6997 {
6998 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6999 {
7000 options->route_default_gateway = p[1];
7001 }
7002 else
7003 {
7004 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7005 goto err;
7006 }
7007 }
7008 }
7009 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7010 {
7011 if (ipv6_addr_safe(p[1]))
7012 {
7013 options->route_ipv6_default_gateway = p[1];
7014 }
7015 else
7016 {
7017 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7018 goto err;
7019 }
7020 }
7021 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7022 {
7023 VERIFY_PERMISSION(OPT_P_ROUTE);
7024 options->route_default_metric = positive_atoi(p[1]);
7025 }
7026 else if (streq(p[0], "route-delay") && !p[3])
7027 {
7028 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7029 options->route_delay_defined = true;
7030 if (p[1])
7031 {
7032 options->route_delay = positive_atoi(p[1]);
7033 if (p[2])
7034 {
7035 options->route_delay_window = positive_atoi(p[2]);
7036 }
7037 }
7038 else
7039 {
7040 options->route_delay = 0;
7041 }
7042 }
7043 else if (streq(p[0], "route-up") && p[1])
7044 {
7045 VERIFY_PERMISSION(OPT_P_SCRIPT);
7046 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7047 {
7048 goto err;
7049 }
7050 set_user_script(options, &options->route_script, p[1], "route-up", false);
7051 }
7052 else if (streq(p[0], "route-pre-down") && p[1])
7053 {
7054 VERIFY_PERMISSION(OPT_P_SCRIPT);
7055 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7056 {
7057 goto err;
7058 }
7059 set_user_script(options,
7060 &options->route_predown_script,
7061 p[1],
7062 "route-pre-down", true);
7063 }
7064 else if (streq(p[0], "route-noexec") && !p[1])
7065 {
7066 VERIFY_PERMISSION(OPT_P_SCRIPT);
7067 options->route_noexec = true;
7068 }
7069 else if (streq(p[0], "route-nopull") && !p[1])
7070 {
7071 VERIFY_PERMISSION(OPT_P_GENERAL);
7072 options->route_nopull = true;
7073 }
7074 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7075 {
7076 struct pull_filter *f;
7077 VERIFY_PERMISSION(OPT_P_GENERAL)
7078 f = alloc_pull_filter(options, msglevel);
7079
7080 if (strcmp("accept", p[1]) == 0)
7081 {
7082 f->type = PUF_TYPE_ACCEPT;
7083 }
7084 else if (strcmp("ignore", p[1]) == 0)
7085 {
7086 f->type = PUF_TYPE_IGNORE;
7087 }
7088 else if (strcmp("reject", p[1]) == 0)
7089 {
7090 f->type = PUF_TYPE_REJECT;
7091 }
7092 else
7093 {
7094 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7095 goto err;
7096 }
7097 f->pattern = p[2];
7098 f->size = strlen(p[2]);
7099 }
7100 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7101 {
7102 VERIFY_PERMISSION(OPT_P_GENERAL);
7103 options->allow_pull_fqdn = true;
7104 }
7105 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7106 {
7107 int j;
7108 VERIFY_PERMISSION(OPT_P_ROUTE);
7109 rol_check_alloc(options);
7110
7111 if (options->routes->flags & RG_ENABLE)
7112 {
7113 msg(M_WARN,
7114 "WARNING: You have specified redirect-gateway and "
7115 "redirect-private at the same time (or the same option "
7116 "multiple times). This is not well supported and may lead to "
7117 "unexpected results");
7118 }
7119
7120 options->routes->flags |= RG_ENABLE;
7121
7122 if (streq(p[0], "redirect-gateway"))
7123 {
7124 options->routes->flags |= RG_REROUTE_GW;
7125 }
7126 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7127 {
7128 if (streq(p[j], "local"))
7129 {
7130 options->routes->flags |= RG_LOCAL;
7131 }
7132 else if (streq(p[j], "autolocal"))
7133 {
7134 options->routes->flags |= RG_AUTO_LOCAL;
7135 }
7136 else if (streq(p[j], "def1"))
7137 {
7138 options->routes->flags |= RG_DEF1;
7139 }
7140 else if (streq(p[j], "bypass-dhcp"))
7141 {
7142 options->routes->flags |= RG_BYPASS_DHCP;
7143 }
7144 else if (streq(p[j], "bypass-dns"))
7145 {
7146 options->routes->flags |= RG_BYPASS_DNS;
7147 }
7148 else if (streq(p[j], "block-local"))
7149 {
7150 options->routes->flags |= RG_BLOCK_LOCAL;
7151 }
7152 else if (streq(p[j], "ipv6"))
7153 {
7154 rol6_check_alloc(options);
7155 options->routes_ipv6->flags |= RG_REROUTE_GW;
7156 }
7157 else if (streq(p[j], "!ipv4"))
7158 {
7159 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7160 }
7161 else
7162 {
7163 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7164 goto err;
7165 }
7166 }
7167 #ifdef _WIN32
7168 /* we need this here to handle pushed --redirect-gateway */
7169 remap_redirect_gateway_flags(options);
7170 #endif
7171 }
7172 else if (streq(p[0], "block-ipv6") && !p[1])
7173 {
7174 VERIFY_PERMISSION(OPT_P_ROUTE);
7175 options->block_ipv6 = true;
7176 }
7177 else if (streq(p[0], "remote-random-hostname") && !p[1])
7178 {
7179 VERIFY_PERMISSION(OPT_P_GENERAL);
7180 options->sockflags |= SF_HOST_RANDOMIZE;
7181 }
7182 else if (streq(p[0], "setenv") && p[1] && !p[3])
7183 {
7184 VERIFY_PERMISSION(OPT_P_GENERAL);
7185 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7186 {
7187 options->sockflags |= SF_HOST_RANDOMIZE;
7188 }
7189 else if (streq(p[1], "GENERIC_CONFIG"))
7190 {
7191 msg(msglevel, "this is a generic configuration and cannot directly be used");
7192 goto err;
7193 }
7194 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7195 {
7196 options->push_peer_info = true;
7197 }
7198 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7199 {
7200 options->ce.connect_timeout = positive_atoi(p[2]);
7201 }
7202 else
7203 {
7204 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7205 {
7206 options->forward_compatible = true;
7207 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7208 }
7209 setenv_str(es, p[1], p[2] ? p[2] : "");
7210 }
7211 }
7212 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7213 {
7214 unsigned int major, minor, patch;
7215 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7216 {
7217 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7218 p[1]);
7219 goto err;
7220 }
7221
7222 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7223 }
7224 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7225 {
7226 VERIFY_PERMISSION(OPT_P_SETENV);
7227 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7228 }
7229 else if (streq(p[0], "script-security") && p[1] && !p[2])
7230 {
7231 VERIFY_PERMISSION(OPT_P_GENERAL);
7232 script_security_set(atoi(p[1]));
7233 }
7234 else if (streq(p[0], "mssfix") && !p[3])
7235 {
7236 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7237 if (p[1])
7238 {
7239 /* value specified, assume encapsulation is not
7240 * included unless "mtu" follows later */
7241 options->ce.mssfix = positive_atoi(p[1]);
7242 options->ce.mssfix_encap = false;
7243 options->ce.mssfix_default = false;
7244 }
7245 else
7246 {
7247 /* Set MTU to default values */
7248 options->ce.mssfix_default = true;
7249 options->ce.mssfix_encap = true;
7250 options->ce.mssfix_fixed = false;
7251 }
7252
7253 if (p[2] && streq(p[2], "mtu"))
7254 {
7255 options->ce.mssfix_encap = true;
7256 }
7257 else if (p[2] && streq(p[2], "fixed"))
7258 {
7259 options->ce.mssfix_fixed = true;
7260 }
7261 else if (p[2])
7262 {
7263 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7264 }
7265 }
7266 else if (streq(p[0], "disable-occ") && !p[1])
7267 {
7268 VERIFY_PERMISSION(OPT_P_GENERAL);
7269 options->occ = false;
7270 }
7271 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7272 {
7273 const int lev = M_WARN;
7274 bool error = false;
7275 in_addr_t network, netmask;
7276
7277 VERIFY_PERMISSION(OPT_P_GENERAL);
7278 network = get_ip_addr(p[1], lev, &error);
7279 netmask = get_ip_addr(p[2], lev, &error);
7280 if (error || !network || !netmask)
7281 {
7282 msg(msglevel, "error parsing --server parameters");
7283 goto err;
7284 }
7285 options->server_defined = true;
7286 options->server_network = network;
7287 options->server_netmask = netmask;
7288
7289 if (p[3])
7290 {
7291 if (streq(p[3], "nopool"))
7292 {
7293 options->server_flags |= SF_NOPOOL;
7294 }
7295 else
7296 {
7297 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7298 goto err;
7299 }
7300 }
7301 }
7302 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7303 {
7304 const int lev = M_WARN;
7305 struct in6_addr network;
7306 unsigned int netbits = 0;
7307
7308 VERIFY_PERMISSION(OPT_P_GENERAL);
7309 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7310 {
7311 msg(msglevel, "error parsing --server-ipv6 parameter");
7312 goto err;
7313 }
7314 if (netbits < 64 || netbits > 124)
7315 {
7316 msg(msglevel,
7317 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7318 netbits);
7319
7320 goto err;
7321 }
7322 options->server_ipv6_defined = true;
7323 options->server_network_ipv6 = network;
7324 options->server_netbits_ipv6 = netbits;
7325 }
7326 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7327 {
7328 const int lev = M_WARN;
7329 bool error = false;
7330 in_addr_t ip, netmask, pool_start, pool_end;
7331
7332 VERIFY_PERMISSION(OPT_P_GENERAL);
7333 ip = get_ip_addr(p[1], lev, &error);
7334 netmask = get_ip_addr(p[2], lev, &error);
7335 pool_start = get_ip_addr(p[3], lev, &error);
7336 pool_end = get_ip_addr(p[4], lev, &error);
7337 if (error || !ip || !netmask || !pool_start || !pool_end)
7338 {
7339 msg(msglevel, "error parsing --server-bridge parameters");
7340 goto err;
7341 }
7342 options->server_bridge_defined = true;
7343 options->server_bridge_ip = ip;
7344 options->server_bridge_netmask = netmask;
7345 options->server_bridge_pool_start = pool_start;
7346 options->server_bridge_pool_end = pool_end;
7347 }
7348 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7349 {
7350 VERIFY_PERMISSION(OPT_P_GENERAL);
7351 options->server_bridge_proxy_dhcp = true;
7352 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7353 }
7354 else if (streq(p[0], "server-bridge") && !p[1])
7355 {
7356 VERIFY_PERMISSION(OPT_P_GENERAL);
7357 options->server_bridge_proxy_dhcp = true;
7358 }
7359 else if (streq(p[0], "push") && p[1] && !p[2])
7360 {
7361 VERIFY_PERMISSION(OPT_P_PUSH);
7362 push_options(options, &p[1], msglevel, &options->gc);
7363 }
7364 else if (streq(p[0], "push-reset") && !p[1])
7365 {
7366 VERIFY_PERMISSION(OPT_P_INSTANCE);
7367 push_reset(options);
7368 }
7369 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7370 {
7371 VERIFY_PERMISSION(OPT_P_INSTANCE);
7372 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7373 push_remove_option(options, p[1]);
7374 }
7375 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7376 {
7377 const int lev = M_WARN;
7378 bool error = false;
7379 in_addr_t start, end, netmask = 0;
7380
7381 VERIFY_PERMISSION(OPT_P_GENERAL);
7382 start = get_ip_addr(p[1], lev, &error);
7383 end = get_ip_addr(p[2], lev, &error);
7384 if (p[3])
7385 {
7386 netmask = get_ip_addr(p[3], lev, &error);
7387 }
7388 if (error)
7389 {
7390 msg(msglevel, "error parsing --ifconfig-pool parameters");
7391 goto err;
7392 }
7393 if (!ifconfig_pool_verify_range(msglevel, start, end))
7394 {
7395 goto err;
7396 }
7397
7398 options->ifconfig_pool_defined = true;
7399 options->ifconfig_pool_start = start;
7400 options->ifconfig_pool_end = end;
7401 if (netmask)
7402 {
7403 options->ifconfig_pool_netmask = netmask;
7404 }
7405 }
7406 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7407 {
7408 VERIFY_PERMISSION(OPT_P_GENERAL);
7409 options->ifconfig_pool_persist_filename = p[1];
7410 if (p[2])
7411 {
7412 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7413 }
7414 }
7415 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7416 {
7417 const int lev = M_WARN;
7418 struct in6_addr network;
7419 unsigned int netbits = 0;
7420
7421 VERIFY_PERMISSION(OPT_P_GENERAL);
7422 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7423 {
7424 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7425 goto err;
7426 }
7427 if (netbits < 64 || netbits > 124)
7428 {
7429 msg(msglevel,
7430 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7431 netbits);
7432 goto err;
7433 }
7434
7435 options->ifconfig_ipv6_pool_defined = true;
7436 options->ifconfig_ipv6_pool_base = network;
7437 options->ifconfig_ipv6_pool_netbits = netbits;
7438 }
7439 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7440 {
7441 int real, virtual;
7442
7443 VERIFY_PERMISSION(OPT_P_GENERAL);
7444 real = atoi(p[1]);
7445 virtual = atoi(p[2]);
7446 if (real < 1 || virtual < 1)
7447 {
7448 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7449 goto err;
7450 }
7451 options->real_hash_size = real;
7452 options->virtual_hash_size = real;
7453 }
7454 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7455 {
7456 int cf_max, cf_per;
7457
7458 VERIFY_PERMISSION(OPT_P_GENERAL);
7459 cf_max = atoi(p[1]);
7460 cf_per = atoi(p[2]);
7461 if (cf_max < 0 || cf_per < 0)
7462 {
7463 msg(msglevel, "--connect-freq parms must be > 0");
7464 goto err;
7465 }
7466 options->cf_max = cf_max;
7467 options->cf_per = cf_per;
7468 }
7469 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7470 {
7471 long cf_max, cf_per;
7472
7473 VERIFY_PERMISSION(OPT_P_GENERAL);
7474 char *e1, *e2;
7475 cf_max = strtol(p[1], &e1, 10);
7476 cf_per = strtol(p[2], &e2, 10);
7477 if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7478 {
7479 msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7480 goto err;
7481 }
7482 options->cf_initial_max = cf_max;
7483 options->cf_initial_per = cf_per;
7484 }
7485 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7486 {
7487 int max_clients;
7488
7489 VERIFY_PERMISSION(OPT_P_GENERAL);
7490 max_clients = atoi(p[1]);
7491 if (max_clients < 0)
7492 {
7493 msg(msglevel, "--max-clients must be at least 1");
7494 goto err;
7495 }
7496 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7497 {
7498 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7499 goto err;
7500 }
7501 options->max_clients = max_clients;
7502 }
7503 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7504 {
7505 VERIFY_PERMISSION(OPT_P_INHERIT);
7506 options->max_routes_per_client = max_int(atoi(p[1]), 1);
7507 }
7508 else if (streq(p[0], "client-cert-not-required") && !p[1])
7509 {
7510 VERIFY_PERMISSION(OPT_P_GENERAL);
7511 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7512 }
7513 else if (streq(p[0], "verify-client-cert") && !p[2])
7514 {
7515 VERIFY_PERMISSION(OPT_P_GENERAL);
7516
7517 /* Reset any existing flags */
7518 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7519 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7520 if (p[1])
7521 {
7522 if (streq(p[1], "none"))
7523 {
7524 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7525 }
7526 else if (streq(p[1], "optional"))
7527 {
7528 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7529 }
7530 else if (!streq(p[1], "require"))
7531 {
7532 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7533 goto err;
7534 }
7535 }
7536 }
7537 else if (streq(p[0], "username-as-common-name") && !p[1])
7538 {
7539 VERIFY_PERMISSION(OPT_P_GENERAL);
7540 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7541 }
7542 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7543 {
7544 VERIFY_PERMISSION(OPT_P_GENERAL);
7545 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7546 }
7547 else if (streq(p[0], "opt-verify") && !p[1])
7548 {
7549 VERIFY_PERMISSION(OPT_P_GENERAL);
7550 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7551 "in OpenVPN 2.7");
7552 options->ssl_flags |= SSLF_OPT_VERIFY;
7553 }
7554 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7555 {
7556 VERIFY_PERMISSION(OPT_P_SCRIPT);
7557 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7558 {
7559 goto err;
7560 }
7561 if (p[2])
7562 {
7563 if (streq(p[2], "via-env"))
7564 {
7565 options->auth_user_pass_verify_script_via_file = false;
7566 }
7567 else if (streq(p[2], "via-file"))
7568 {
7569 options->auth_user_pass_verify_script_via_file = true;
7570 }
7571 else
7572 {
7573 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7574 goto err;
7575 }
7576 }
7577 else
7578 {
7579 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7580 goto err;
7581 }
7582 set_user_script(options,
7583 &options->auth_user_pass_verify_script,
7584 p[1], "auth-user-pass-verify", true);
7585 }
7586 else if (streq(p[0], "auth-gen-token"))
7587 {
7588 VERIFY_PERMISSION(OPT_P_GENERAL);
7589 options->auth_token_generate = true;
7590 options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7591
7592 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7593 {
7594 /* the second parameter can be the renewal time */
7595 if (i == 2 && positive_atoi(p[i]))
7596 {
7597 options->auth_token_renewal = positive_atoi(p[i]);
7598 }
7599 else if (streq(p[i], "external-auth"))
7600 {
7601 options->auth_token_call_auth = true;
7602 }
7603 else
7604 {
7605 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7606 }
7607 }
7608
7609 }
7610 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7611 {
7612 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7613 options->auth_token_secret_file = p[1];
7614 options->auth_token_secret_file_inline = is_inline;
7615
7616 }
7617 else if (streq(p[0], "client-connect") && p[1])
7618 {
7619 VERIFY_PERMISSION(OPT_P_SCRIPT);
7620 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7621 {
7622 goto err;
7623 }
7624 set_user_script(options, &options->client_connect_script,
7625 p[1], "client-connect", true);
7626 }
7627 else if (streq(p[0], "client-crresponse") && p[1])
7628 {
7629 VERIFY_PERMISSION(OPT_P_SCRIPT);
7630 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7631 {
7632 goto err;
7633 }
7634 set_user_script(options, &options->client_crresponse_script,
7635 p[1], "client-crresponse", true);
7636 }
7637 else if (streq(p[0], "client-disconnect") && p[1])
7638 {
7639 VERIFY_PERMISSION(OPT_P_SCRIPT);
7640 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7641 {
7642 goto err;
7643 }
7644 set_user_script(options, &options->client_disconnect_script,
7645 p[1], "client-disconnect", true);
7646 }
7647 else if (streq(p[0], "learn-address") && p[1])
7648 {
7649 VERIFY_PERMISSION(OPT_P_SCRIPT);
7650 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7651 {
7652 goto err;
7653 }
7654 set_user_script(options, &options->learn_address_script,
7655 p[1], "learn-address", true);
7656 }
7657 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7658 {
7659 VERIFY_PERMISSION(OPT_P_GENERAL);
7660 options->tmp_dir = p[1];
7661 }
7662 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7663 {
7664 VERIFY_PERMISSION(OPT_P_GENERAL);
7665 options->client_config_dir = p[1];
7666 }
7667 else if (streq(p[0], "ccd-exclusive") && !p[1])
7668 {
7669 VERIFY_PERMISSION(OPT_P_GENERAL);
7670 options->ccd_exclusive = true;
7671 }
7672 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7673 {
7674 int n_bcast_buf;
7675
7676 VERIFY_PERMISSION(OPT_P_GENERAL);
7677 n_bcast_buf = atoi(p[1]);
7678 if (n_bcast_buf < 1)
7679 {
7680 msg(msglevel, "--bcast-buffers parameter must be > 0");
7681 }
7682 options->n_bcast_buf = n_bcast_buf;
7683 }
7684 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7685 {
7686 int tcp_queue_limit;
7687
7688 VERIFY_PERMISSION(OPT_P_GENERAL);
7689 tcp_queue_limit = atoi(p[1]);
7690 if (tcp_queue_limit < 1)
7691 {
7692 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7693 }
7694 options->tcp_queue_limit = tcp_queue_limit;
7695 }
7696 #if PORT_SHARE
7697 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7698 {
7699 VERIFY_PERMISSION(OPT_P_GENERAL);
7700 options->port_share_host = p[1];
7701 options->port_share_port = p[2];
7702 options->port_share_journal_dir = p[3];
7703 }
7704 #endif
7705 else if (streq(p[0], "client-to-client") && !p[1])
7706 {
7707 VERIFY_PERMISSION(OPT_P_GENERAL);
7708 options->enable_c2c = true;
7709 }
7710 else if (streq(p[0], "duplicate-cn") && !p[1])
7711 {
7712 VERIFY_PERMISSION(OPT_P_GENERAL);
7713 options->duplicate_cn = true;
7714 }
7715 else if (streq(p[0], "iroute") && p[1] && !p[3])
7716 {
7717 VERIFY_PERMISSION(OPT_P_INSTANCE);
7718 option_iroute(options, p[1], p[2], msglevel);
7719 }
7720 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7721 {
7722 VERIFY_PERMISSION(OPT_P_INSTANCE);
7723 option_iroute_ipv6(options, p[1], msglevel);
7724 }
7725 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7726 {
7727 in_addr_t local, remote_netmask;
7728
7729 VERIFY_PERMISSION(OPT_P_INSTANCE);
7730 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7731 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7732 if (local && remote_netmask)
7733 {
7734 options->push_ifconfig_defined = true;
7735 options->push_ifconfig_local = local;
7736 options->push_ifconfig_remote_netmask = remote_netmask;
7737 if (p[3])
7738 {
7739 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7740 }
7741 }
7742 else
7743 {
7744 msg(msglevel, "cannot parse --ifconfig-push addresses");
7745 goto err;
7746 }
7747 }
7748 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7749 {
7750 in_addr_t network, netmask;
7751
7752 VERIFY_PERMISSION(OPT_P_GENERAL);
7753 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7754 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7755 if (network && netmask)
7756 {
7757 options->push_ifconfig_constraint_defined = true;
7758 options->push_ifconfig_constraint_network = network;
7759 options->push_ifconfig_constraint_netmask = netmask;
7760 }
7761 else
7762 {
7763 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7764 goto err;
7765 }
7766 }
7767 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7768 {
7769 struct in6_addr local, remote;
7770 unsigned int netbits;
7771
7772 VERIFY_PERMISSION(OPT_P_INSTANCE);
7773
7774 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7775 {
7776 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7777 goto err;
7778 }
7779
7780 if (p[2])
7781 {
7782 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7783 {
7784 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7785 goto err;
7786 }
7787 }
7788 else
7789 {
7790 if (!options->ifconfig_ipv6_local
7791 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7792 NULL, msglevel ) )
7793 {
7794 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7795 goto err;
7796 }
7797 }
7798
7799 options->push_ifconfig_ipv6_defined = true;
7800 options->push_ifconfig_ipv6_local = local;
7801 options->push_ifconfig_ipv6_netbits = netbits;
7802 options->push_ifconfig_ipv6_remote = remote;
7803 options->push_ifconfig_ipv6_blocked = false;
7804 }
7805 else if (streq(p[0], "disable") && !p[1])
7806 {
7807 VERIFY_PERMISSION(OPT_P_INSTANCE);
7808 options->disable = true;
7809 }
7810 else if (streq(p[0], "tcp-nodelay") && !p[1])
7811 {
7812 VERIFY_PERMISSION(OPT_P_GENERAL);
7813 options->server_flags |= SF_TCP_NODELAY_HELPER;
7814 }
7815 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7816 {
7817 int ageing_time, check_interval;
7818
7819 VERIFY_PERMISSION(OPT_P_GENERAL);
7820 ageing_time = atoi(p[1]);
7821 if (p[2])
7822 {
7823 check_interval = atoi(p[2]);
7824 }
7825 else
7826 {
7827 check_interval = ageing_time;
7828 }
7829
7830 if (ageing_time < 1 || check_interval < 1)
7831 {
7832 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7833 goto err;
7834 }
7835 options->stale_routes_ageing_time = ageing_time;
7836 options->stale_routes_check_interval = check_interval;
7837 }
7838
7839 else if (streq(p[0], "client") && !p[1])
7840 {
7841 VERIFY_PERMISSION(OPT_P_GENERAL);
7842 options->client = true;
7843 }
7844 else if (streq(p[0], "pull") && !p[1])
7845 {
7846 VERIFY_PERMISSION(OPT_P_GENERAL);
7847 options->pull = true;
7848 }
7849 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7850 {
7851 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7852 options->push_continuation = atoi(p[1]);
7853 }
7854 else if (streq(p[0], "auth-user-pass") && !p[2])
7855 {
7856 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7857 if (p[1])
7858 {
7859 options->auth_user_pass_file = p[1];
7860 options->auth_user_pass_file_inline = is_inline;
7861 }
7862 else
7863 {
7864 options->auth_user_pass_file = "stdin";
7865 }
7866 }
7867 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7868 {
7869 VERIFY_PERMISSION(OPT_P_GENERAL);
7870 auth_retry_set(msglevel, p[1]);
7871 }
7872 #ifdef ENABLE_MANAGEMENT
7873 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7874 {
7875 VERIFY_PERMISSION(OPT_P_GENERAL);
7876 options->sc_info.challenge_text = p[1];
7877 if (atoi(p[2]))
7878 {
7879 options->sc_info.flags |= SC_ECHO;
7880 }
7881 }
7882 #endif
7883 else if (streq(p[0], "msg-channel") && p[1])
7884 {
7885 #ifdef _WIN32
7886 VERIFY_PERMISSION(OPT_P_GENERAL);
7887 HANDLE process = GetCurrentProcess();
7888 HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
7889 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7890 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7891 {
7892 msg(msglevel, "could not duplicate service pipe handle");
7893 goto err;
7894 }
7895 options->route_method = ROUTE_METHOD_SERVICE;
7896 #else /* ifdef _WIN32 */
7897 msg(msglevel, "--msg-channel is only supported on Windows");
7898 goto err;
7899 #endif
7900 }
7901 #ifdef _WIN32
7902 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7903 {
7904 VERIFY_PERMISSION(OPT_P_GENERAL);
7905 if (streq(p[1], "env"))
7906 {
7907 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7908 "This entry will now be ignored. "
7909 "Please remove this entry from your configuration file.");
7910 }
7911 else
7912 {
7913 set_win_sys_path(p[1], es);
7914 }
7915 }
7916 else if (streq(p[0], "route-method") && p[1] && !p[2])
7917 {
7918 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7919 if (streq(p[1], "adaptive"))
7920 {
7921 options->route_method = ROUTE_METHOD_ADAPTIVE;
7922 }
7923 else if (streq(p[1], "ipapi"))
7924 {
7925 options->route_method = ROUTE_METHOD_IPAPI;
7926 }
7927 else if (streq(p[1], "exe"))
7928 {
7929 options->route_method = ROUTE_METHOD_EXE;
7930 }
7931 else
7932 {
7933 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7934 goto err;
7935 }
7936 }
7937 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7938 {
7939 const int index = ascii2ipset(p[1]);
7940 struct tuntap_options *to = &options->tuntap_options;
7941
7942 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7943
7944 if (index < 0)
7945 {
7946 msg(msglevel,
7947 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7948 p[1],
7949 ipset2ascii_all(&gc));
7950 goto err;
7951 }
7952
7953 if (index == IPW32_SET_ADAPTIVE)
7954 {
7955 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7956 }
7957
7958 if (index == IPW32_SET_DHCP_MASQ)
7959 {
7960 if (p[2])
7961 {
7962 if (!streq(p[2], "default"))
7963 {
7964 int offset = atoi(p[2]);
7965
7966 if (!(offset > -256 && offset < 256))
7967 {
7968 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
7969 goto err;
7970 }
7971
7972 to->dhcp_masq_custom_offset = true;
7973 to->dhcp_masq_offset = offset;
7974 }
7975
7976 if (p[3])
7977 {
7978 const int min_lease = 30;
7979 int lease_time;
7980 lease_time = atoi(p[3]);
7981 if (lease_time < min_lease)
7982 {
7983 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
7984 goto err;
7985 }
7986 to->dhcp_lease_time = lease_time;
7987 }
7988 }
7989 }
7990 to->ip_win32_type = index;
7991 to->ip_win32_defined = true;
7992 }
7993 #endif /* ifdef _WIN32 */
7994 else if (streq(p[0], "dns") && p[1])
7995 {
7996 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7997
7998 if (streq(p[1], "search-domains") && p[2])
7999 {
8000 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8001 }
8002 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8003 {
8004 long priority;
8005 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8006 {
8007 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8008 goto err;
8009 }
8010
8011 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8012
8013 if (streq(p[3], "address") && p[4])
8014 {
8015 for (int i = 4; p[i]; ++i)
8016 {
8017 if (!dns_server_addr_parse(server, p[i]))
8018 {
8019 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8020 goto err;
8021 }
8022 }
8023 }
8024 else if (streq(p[3], "resolve-domains"))
8025 {
8026 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8027 }
8028 else if (streq(p[3], "dnssec") && !p[5])
8029 {
8030 if (streq(p[4], "yes"))
8031 {
8032 server->dnssec = DNS_SECURITY_YES;
8033 }
8034 else if (streq(p[4], "no"))
8035 {
8036 server->dnssec = DNS_SECURITY_NO;
8037 }
8038 else if (streq(p[4], "optional"))
8039 {
8040 server->dnssec = DNS_SECURITY_OPTIONAL;
8041 }
8042 else
8043 {
8044 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8045 goto err;
8046 }
8047 }
8048 else if (streq(p[3], "transport") && !p[5])
8049 {
8050 if (streq(p[4], "plain"))
8051 {
8052 server->transport = DNS_TRANSPORT_PLAIN;
8053 }
8054 else if (streq(p[4], "DoH"))
8055 {
8056 server->transport = DNS_TRANSPORT_HTTPS;
8057 }
8058 else if (streq(p[4], "DoT"))
8059 {
8060 server->transport = DNS_TRANSPORT_TLS;
8061 }
8062 else
8063 {
8064 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8065 goto err;
8066 }
8067 }
8068 else if (streq(p[3], "sni") && !p[5])
8069 {
8070 server->sni = p[4];
8071 }
8072 else
8073 {
8074 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8075 goto err;
8076 }
8077 }
8078 else
8079 {
8080 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8081 goto err;
8082 }
8083 }
8084 #if defined(_WIN32) || defined(TARGET_ANDROID)
8085 else if (streq(p[0], "dhcp-option") && p[1])
8086 {
8087 struct tuntap_options *o = &options->tuntap_options;
8088 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8089
8090 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8091 && p[2] && !p[3])
8092 {
8093 o->domain = p[2];
8094 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8095 }
8096 else if (streq(p[1], "NBS") && p[2] && !p[3])
8097 {
8098 o->netbios_scope = p[2];
8099 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8100 }
8101 else if (streq(p[1], "NBT") && p[2] && !p[3])
8102 {
8103 int t;
8104 t = atoi(p[2]);
8105 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8106 {
8107 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8108 goto err;
8109 }
8110 o->netbios_node_type = t;
8111 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8112 }
8113 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8114 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8115 {
8116 if (strstr(p[2], ":"))
8117 {
8118 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8119 }
8120 else
8121 {
8122 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8123 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8124 }
8125 }
8126 else if (streq(p[1], "WINS") && p[2] && !p[3])
8127 {
8128 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8129 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8130 }
8131 else if (streq(p[1], "NTP") && p[2] && !p[3])
8132 {
8133 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8134 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8135 }
8136 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8137 {
8138 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8139 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8140 }
8141 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8142 {
8143 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8144 {
8145 o->domain_search_list[o->domain_search_list_len++] = p[2];
8146 }
8147 else
8148 {
8149 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8150 p[1], N_SEARCH_LIST_LEN);
8151 }
8152 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8153 }
8154 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8155 {
8156 o->disable_nbt = 1;
8157 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8158 }
8159 #if defined(TARGET_ANDROID)
8160 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8161 {
8162 o->http_proxy_port = atoi(p[3]);
8163 o->http_proxy = p[2];
8164 }
8165 #endif
8166 else
8167 {
8168 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8169 goto err;
8170 }
8171 }
8172 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8173 #ifdef _WIN32
8174 else if (streq(p[0], "show-adapters") && !p[1])
8175 {
8176 VERIFY_PERMISSION(OPT_P_GENERAL);
8177 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8178 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8179 }
8180 else if (streq(p[0], "show-net") && !p[1])
8181 {
8182 VERIFY_PERMISSION(OPT_P_GENERAL);
8183 show_routes(M_INFO|M_NOPREFIX);
8184 show_adapters(M_INFO|M_NOPREFIX);
8185 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8186 }
8187 else if (streq(p[0], "show-net-up") && !p[1])
8188 {
8189 VERIFY_PERMISSION(OPT_P_UP);
8190 options->show_net_up = true;
8191 }
8192 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8193 {
8194 int s;
8195 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8196 s = atoi(p[1]);
8197 if (s < 0 || s >= 256)
8198 {
8199 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8200 goto err;
8201 }
8202 options->tuntap_options.tap_sleep = s;
8203 }
8204 else if (streq(p[0], "dhcp-renew") && !p[1])
8205 {
8206 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8207 options->tuntap_options.dhcp_renew = true;
8208 }
8209 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8210 {
8211 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8212 options->tuntap_options.dhcp_pre_release = true;
8213 options->tuntap_options.dhcp_renew = true;
8214 }
8215 else if (streq(p[0], "dhcp-release") && !p[1])
8216 {
8217 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8218 }
8219 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8220 {
8221 unsigned int adapter_index;
8222 VERIFY_PERMISSION(OPT_P_GENERAL);
8223 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8224 adapter_index = atou(p[1]);
8225 sleep(options->tuntap_options.tap_sleep);
8226 if (options->tuntap_options.dhcp_pre_release)
8227 {
8228 dhcp_release_by_adapter_index(adapter_index);
8229 }
8230 if (options->tuntap_options.dhcp_renew)
8231 {
8232 dhcp_renew_by_adapter_index(adapter_index);
8233 }
8234 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8235 }
8236 else if (streq(p[0], "register-dns") && !p[1])
8237 {
8238 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8239 options->tuntap_options.register_dns = true;
8240 }
8241 else if (streq(p[0], "block-outside-dns") && !p[1])
8242 {
8243 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8244 options->block_outside_dns = true;
8245 }
8246 else if (streq(p[0], "rdns-internal") && !p[1])
8247 /* standalone method for internal use
8248 *
8249 * (if --register-dns is set, openvpn needs to call itself in a
8250 * sub-process to execute the required functions in a non-blocking
8251 * way, and uses --rdns-internal to signal that to itself)
8252 */
8253 {
8254 VERIFY_PERMISSION(OPT_P_GENERAL);
8255 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8256 if (options->tuntap_options.register_dns)
8257 {
8258 ipconfig_register_dns(NULL);
8259 }
8260 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8261 }
8262 else if (streq(p[0], "show-valid-subnets") && !p[1])
8263 {
8264 VERIFY_PERMISSION(OPT_P_GENERAL);
8265 show_valid_win32_tun_subnets();
8266 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8267 }
8268 else if (streq(p[0], "pause-exit") && !p[1])
8269 {
8270 VERIFY_PERMISSION(OPT_P_GENERAL);
8271 set_pause_exit_win32();
8272 }
8273 else if (streq(p[0], "service") && p[1] && !p[3])
8274 {
8275 VERIFY_PERMISSION(OPT_P_GENERAL);
8276 options->exit_event_name = p[1];
8277 if (p[2])
8278 {
8279 options->exit_event_initial_state = (atoi(p[2]) != 0);
8280 }
8281 }
8282 else if (streq(p[0], "allow-nonadmin") && !p[2])
8283 {
8284 VERIFY_PERMISSION(OPT_P_GENERAL);
8285 tap_allow_nonadmin_access(p[1]);
8286 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8287 }
8288 else if (streq(p[0], "user") && p[1] && !p[2])
8289 {
8290 VERIFY_PERMISSION(OPT_P_GENERAL);
8291 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8292 }
8293 else if (streq(p[0], "group") && p[1] && !p[2])
8294 {
8295 VERIFY_PERMISSION(OPT_P_GENERAL);
8296 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8297 }
8298 #else /* ifdef _WIN32 */
8299 else if (streq(p[0], "user") && p[1] && !p[2])
8300 {
8301 VERIFY_PERMISSION(OPT_P_GENERAL);
8302 options->username = p[1];
8303 }
8304 else if (streq(p[0], "group") && p[1] && !p[2])
8305 {
8306 VERIFY_PERMISSION(OPT_P_GENERAL);
8307 options->groupname = p[1];
8308 }
8309 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8310 {
8311 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8312 setenv_foreign_option(options, (const char **)p, 3, es);
8313 }
8314 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8315 {
8316 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8317 }
8318 #endif /* ifdef _WIN32 */
8319 #if PASSTOS_CAPABILITY
8320 else if (streq(p[0], "passtos") && !p[1])
8321 {
8322 VERIFY_PERMISSION(OPT_P_GENERAL);
8323 options->passtos = true;
8324 }
8325 #endif
8326 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8327 {
8328 VERIFY_PERMISSION(OPT_P_GENERAL);
8329
8330 if (streq(p[1], "no"))
8331 {
8332 options->comp.flags =
8333 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8334 if (comp_non_stub_enabled(&options->comp))
8335 {
8336 msg(msglevel, "'--allow-compression no' conflicts with "
8337 " enabling compression");
8338 }
8339 }
8340 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8341 {
8342 /* Also printed on a push to hint at configuration problems */
8343 msg(msglevel, "Cannot set allow-compression to '%s' "
8344 "after set to 'no'", p[1]);
8345 goto err;
8346 }
8347 else if (streq(p[1], "asym"))
8348 {
8349 options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8350 options->comp.flags |= COMP_F_ALLOW_ASYM;
8351 }
8352 else if (streq(p[1], "yes"))
8353 {
8354 msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8355 "been used in the past to break encryption. Allowing compression allows "
8356 "attacks that break encryption. Using \"--allow-compression yes\" is "
8357 "strongly discouraged for common usage. See --compress in the manual "
8358 "page for more information ");
8359
8360 options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8361 }
8362 else
8363 {
8364 msg(msglevel, "bad allow-compression option: %s -- "
8365 "must be 'yes', 'no', or 'asym'", p[1]);
8366 goto err;
8367 }
8368 }
8369 else if (streq(p[0], "comp-lzo") && !p[2])
8370 {
8371 VERIFY_PERMISSION(OPT_P_COMP);
8372
8373 /* All lzo variants do not use swap */
8374 options->comp.flags &= ~COMP_F_SWAP;
8375
8376 if (p[1] && streq(p[1], "no"))
8377 {
8378 options->comp.alg = COMP_ALG_STUB;
8379 options->comp.flags &= ~COMP_F_ADAPTIVE;
8380 }
8381 else if (p[1])
8382 {
8383 if (streq(p[1], "yes"))
8384 {
8385 options->comp.alg = COMP_ALG_LZO;
8386 options->comp.flags &= ~COMP_F_ADAPTIVE;
8387 }
8388 else if (streq(p[1], "adaptive"))
8389 {
8390 options->comp.alg = COMP_ALG_LZO;
8391 options->comp.flags |= COMP_F_ADAPTIVE;
8392 }
8393 else
8394 {
8395 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8396 goto err;
8397 }
8398 }
8399 else
8400 {
8401 options->comp.alg = COMP_ALG_LZO;
8402 options->comp.flags |= COMP_F_ADAPTIVE;
8403 }
8404 show_compression_warning(&options->comp);
8405 }
8406 else if (streq(p[0], "comp-noadapt") && !p[1])
8407 {
8408 /*
8409 * We do not need to check here if we allow compression since
8410 * it only modifies a flag if compression is enabled
8411 */
8412 VERIFY_PERMISSION(OPT_P_COMP);
8413 options->comp.flags &= ~COMP_F_ADAPTIVE;
8414 }
8415 else if (streq(p[0], "compress") && !p[2])
8416 {
8417 VERIFY_PERMISSION(OPT_P_COMP);
8418 const char *alg = "stub";
8419 if (p[1])
8420 {
8421 alg = p[1];
8422 }
8423
8424 if (streq(alg, "stub"))
8425 {
8426 options->comp.alg = COMP_ALG_STUB;
8427 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8428 }
8429 else if (streq(alg, "stub-v2"))
8430 {
8431 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8432 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8433 }
8434 else if (streq(alg, "migrate"))
8435 {
8436 options->comp.alg = COMP_ALG_UNDEF;
8437 options->comp.flags = COMP_F_MIGRATE;
8438 }
8439 else if (streq(alg, "lzo"))
8440 {
8441 options->comp.alg = COMP_ALG_LZO;
8442 options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8443 }
8444 else if (streq(alg, "lz4"))
8445 {
8446 options->comp.alg = COMP_ALG_LZ4;
8447 options->comp.flags |= COMP_F_SWAP;
8448 }
8449 else if (streq(alg, "lz4-v2"))
8450 {
8451 options->comp.alg = COMP_ALGV2_LZ4;
8452 }
8453 else
8454 {
8455 msg(msglevel, "bad comp option: %s", alg);
8456 goto err;
8457 }
8458
8459 show_compression_warning(&options->comp);
8460 }
8461 else if (streq(p[0], "show-ciphers") && !p[1])
8462 {
8463 VERIFY_PERMISSION(OPT_P_GENERAL);
8464 options->show_ciphers = true;
8465 }
8466 else if (streq(p[0], "show-digests") && !p[1])
8467 {
8468 VERIFY_PERMISSION(OPT_P_GENERAL);
8469 options->show_digests = true;
8470 }
8471 else if (streq(p[0], "show-engines") && !p[1])
8472 {
8473 VERIFY_PERMISSION(OPT_P_GENERAL);
8474 options->show_engines = true;
8475 }
8476 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8477 {
8478 int key_direction;
8479
8480 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8481
8482 key_direction = ascii2keydirection(msglevel, p[1]);
8483 if (key_direction >= 0)
8484 {
8485 if (permission_mask & OPT_P_GENERAL)
8486 {
8487 options->key_direction = key_direction;
8488 }
8489 else if (permission_mask & OPT_P_CONNECTION)
8490 {
8491 options->ce.key_direction = key_direction;
8492 }
8493 }
8494 else
8495 {
8496 goto err;
8497 }
8498 }
8499 else if (streq(p[0], "secret") && p[1] && !p[3])
8500 {
8501 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8502 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8503 options->shared_secret_file = p[1];
8504 options->shared_secret_file_inline = is_inline;
8505 if (!is_inline && p[2])
8506 {
8507 int key_direction;
8508
8509 key_direction = ascii2keydirection(msglevel, p[2]);
8510 if (key_direction >= 0)
8511 {
8512 options->key_direction = key_direction;
8513 }
8514 else
8515 {
8516 goto err;
8517 }
8518 }
8519 }
8520 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8521 {
8522 VERIFY_PERMISSION(OPT_P_GENERAL);
8523 options->allow_deprecated_insecure_static_crypto = true;
8524
8525 }
8526 else if (streq(p[0], "genkey") && !p[4])
8527 {
8528 VERIFY_PERMISSION(OPT_P_GENERAL);
8529 options->genkey = true;
8530 if (!p[1])
8531 {
8532 options->genkey_type = GENKEY_SECRET;
8533 }
8534 else
8535 {
8536 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8537 || streq(p[1], "tls-crypt"))
8538 {
8539 options->genkey_type = GENKEY_SECRET;
8540 }
8541 else if (streq(p[1], "tls-crypt-v2-server"))
8542 {
8543 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8544 }
8545 else if (streq(p[1], "tls-crypt-v2-client"))
8546 {
8547 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8548 if (p[3])
8549 {
8550 options->genkey_extra_data = p[3];
8551 }
8552 }
8553 else if (streq(p[1], "auth-token"))
8554 {
8555 options->genkey_type = GENKEY_AUTH_TOKEN;
8556 }
8557 else
8558 {
8559 msg(msglevel, "unknown --genkey type: %s", p[1]);
8560 }
8561
8562 }
8563 if (p[2])
8564 {
8565 options->genkey_filename = p[2];
8566 }
8567 }
8568 else if (streq(p[0], "auth") && p[1] && !p[2])
8569 {
8570 VERIFY_PERMISSION(OPT_P_GENERAL);
8571 options->authname = p[1];
8572 }
8573 else if (streq(p[0], "cipher") && p[1] && !p[2])
8574 {
8575 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8576 options->ciphername = p[1];
8577 }
8578 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8579 {
8580 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8581 options->ciphername = p[1];
8582 options->enable_ncp_fallback = true;
8583 }
8584 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8585 && p[1] && !p[2])
8586 {
8587 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8588 if (streq(p[0], "ncp-ciphers"))
8589 {
8590 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8591 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8592 }
8593 options->ncp_ciphers = p[1];
8594 }
8595 else if (streq(p[0], "key-derivation") && p[1])
8596 {
8597 /* NCP only option that is pushed by the server to enable EKM,
8598 * should not be used by normal users in config files*/
8599 VERIFY_PERMISSION(OPT_P_NCP)
8600 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8601 if (streq(p[1], "tls-ekm"))
8602 {
8603 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8604 }
8605 else
8606 #endif
8607 {
8608 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8609 }
8610 }
8611 else if (streq(p[0], "protocol-flags") && p[1])
8612 {
8613 /* NCP only option that is pushed by the server to enable protocol
8614 * features that are negotiated, should not be used by normal users
8615 * in config files */
8616 VERIFY_PERMISSION(OPT_P_NCP)
8617 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8618 {
8619 if (streq(p[j], "cc-exit"))
8620 {
8621 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8622 }
8623 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8624 else if (streq(p[j], "tls-ekm"))
8625 {
8626 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8627 }
8628 else if (streq(p[j], "dyn-tls-crypt"))
8629 {
8630 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8631 }
8632 #endif
8633 else
8634 {
8635 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8636 }
8637 }
8638 }
8639 else if (streq(p[0], "prng") && p[1] && !p[3])
8640 {
8641 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8642 }
8643 else if (streq(p[0], "no-replay") && !p[1])
8644 {
8645 VERIFY_PERMISSION(OPT_P_GENERAL);
8646 /* always error out, this breaks the connection */
8647 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8648 "Update your configuration.");
8649 }
8650 else if (streq(p[0], "replay-window") && !p[3])
8651 {
8652 VERIFY_PERMISSION(OPT_P_GENERAL);
8653 if (p[1])
8654 {
8655 int replay_window;
8656
8657 replay_window = atoi(p[1]);
8658 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8659 {
8660 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8661 replay_window,
8662 MIN_SEQ_BACKTRACK,
8663 MAX_SEQ_BACKTRACK);
8664 goto err;
8665 }
8666 options->replay_window = replay_window;
8667
8668 if (p[2])
8669 {
8670 int replay_time;
8671
8672 replay_time = atoi(p[2]);
8673 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8674 {
8675 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8676 replay_time,
8677 MIN_TIME_BACKTRACK,
8678 MAX_TIME_BACKTRACK);
8679 goto err;
8680 }
8681 options->replay_time = replay_time;
8682 }
8683 }
8684 else
8685 {
8686 msg(msglevel, "replay-window option is missing window size parameter");
8687 goto err;
8688 }
8689 }
8690 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8691 {
8692 VERIFY_PERMISSION(OPT_P_GENERAL);
8693 options->mute_replay_warnings = true;
8694 }
8695 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8696 {
8697 VERIFY_PERMISSION(OPT_P_GENERAL);
8698 options->packet_id_file = p[1];
8699 }
8700 else if (streq(p[0], "test-crypto") && !p[1])
8701 {
8702 VERIFY_PERMISSION(OPT_P_GENERAL);
8703 options->test_crypto = true;
8704 }
8705 #ifndef ENABLE_CRYPTO_MBEDTLS
8706 else if (streq(p[0], "engine") && !p[2])
8707 {
8708 VERIFY_PERMISSION(OPT_P_GENERAL);
8709 if (p[1])
8710 {
8711 options->engine = p[1];
8712 }
8713 else
8714 {
8715 options->engine = "auto";
8716 }
8717 }
8718 #endif /* ENABLE_CRYPTO_MBEDTLS */
8719 else if (streq(p[0], "providers") && p[1])
8720 {
8721 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8722 {
8723 options->providers.names[j] = p[j];
8724 }
8725 }
8726 #ifdef ENABLE_PREDICTION_RESISTANCE
8727 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8728 {
8729 VERIFY_PERMISSION(OPT_P_GENERAL);
8730 options->use_prediction_resistance = true;
8731 }
8732 #endif
8733 else if (streq(p[0], "show-tls") && !p[1])
8734 {
8735 VERIFY_PERMISSION(OPT_P_GENERAL);
8736 options->show_tls_ciphers = true;
8737 }
8738 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8739 {
8740 VERIFY_PERMISSION(OPT_P_GENERAL);
8741 options->show_curves = true;
8742 }
8743 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8744 {
8745 VERIFY_PERMISSION(OPT_P_GENERAL);
8746 msg(M_WARN, "Consider setting groups/curves preference with "
8747 "tls-groups instead of forcing a specific curve with "
8748 "ecdh-curve.");
8749 options->ecdh_curve = p[1];
8750 }
8751 else if (streq(p[0], "tls-server") && !p[1])
8752 {
8753 VERIFY_PERMISSION(OPT_P_GENERAL);
8754 options->tls_server = true;
8755 }
8756 else if (streq(p[0], "tls-client") && !p[1])
8757 {
8758 VERIFY_PERMISSION(OPT_P_GENERAL);
8759 options->tls_client = true;
8760 }
8761 else if (streq(p[0], "ca") && p[1] && !p[2])
8762 {
8763 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8764 options->ca_file = p[1];
8765 options->ca_file_inline = is_inline;
8766 }
8767 #ifndef ENABLE_CRYPTO_MBEDTLS
8768 else if (streq(p[0], "capath") && p[1] && !p[2])
8769 {
8770 VERIFY_PERMISSION(OPT_P_GENERAL);
8771 options->ca_path = p[1];
8772 }
8773 #endif /* ENABLE_CRYPTO_MBEDTLS */
8774 else if (streq(p[0], "dh") && p[1] && !p[2])
8775 {
8776 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8777 options->dh_file = p[1];
8778 options->dh_file_inline = is_inline;
8779 }
8780 else if (streq(p[0], "cert") && p[1] && !p[2])
8781 {
8782 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8783 options->cert_file = p[1];
8784 options->cert_file_inline = is_inline;
8785 }
8786 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8787 {
8788 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8789 options->extra_certs_file = p[1];
8790 options->extra_certs_file_inline = is_inline;
8791 }
8792 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8793 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8794 {
8795 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8796
8797 int verify_hash_depth = 0;
8798 if (streq(p[0], "verify-hash"))
8799 {
8800 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8801 "You should switch to the either use the level 1 certificate as "
8802 "--ca option, use --tls-verify or use --peer-fingerprint");
8803 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8804 verify_hash_depth = 1;
8805 }
8806
8807 options->verify_hash_algo = MD_SHA256;
8808
8809 int digest_len = SHA256_DIGEST_LENGTH;
8810
8811 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8812 {
8813 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8814 " --peer-fingerprint are mutually exclusive", p[0]);
8815 goto err;
8816 }
8817
8818 if (streq(p[0], "verify-hash"))
8819 {
8820 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8821 {
8822 options->verify_hash_algo = MD_SHA1;
8823 digest_len = SHA_DIGEST_LENGTH;
8824 }
8825 else if (p[2] && !streq(p[2], "SHA256"))
8826 {
8827 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8828 "(only SHA1 and SHA256 are supported)", p[2]);
8829 goto err;
8830 }
8831 }
8832
8833 struct verify_hash_list *newlist;
8834 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8835 msglevel, &options->gc);
8836
8837 /* Append the new list to the end of our current list */
8838 if (!options->verify_hash)
8839 {
8840 options->verify_hash = newlist;
8841 options->verify_hash_depth = verify_hash_depth;
8842 }
8843 else
8844 {
8845 /* since both the old and new list can have multiple entries
8846 * we need to go to the end of one of them to concatenate them */
8847 struct verify_hash_list *listend = options->verify_hash;
8848 while (listend->next)
8849 {
8850 listend = listend->next;
8851 }
8852 listend->next = newlist;
8853 }
8854 }
8855 #if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8856 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8857 {
8858 VERIFY_PERMISSION(OPT_P_GENERAL);
8859 options->cryptoapi_cert = p[1];
8860 }
8861 #endif
8862 else if (streq(p[0], "key") && p[1] && !p[2])
8863 {
8864 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8865 options->priv_key_file = p[1];
8866 options->priv_key_file_inline = is_inline;
8867 }
8868 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8869 {
8870 int ver;
8871 VERIFY_PERMISSION(OPT_P_GENERAL);
8872 ver = tls_version_parse(p[1], p[2]);
8873 if (ver == TLS_VER_BAD)
8874 {
8875 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8876 goto err;
8877 }
8878 options->ssl_flags &=
8879 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8880 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8881 }
8882 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8883 {
8884 int ver;
8885 VERIFY_PERMISSION(OPT_P_GENERAL);
8886 ver = tls_version_parse(p[1], NULL);
8887 if (ver == TLS_VER_BAD)
8888 {
8889 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8890 goto err;
8891 }
8892 options->ssl_flags &=
8893 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8894 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8895 }
8896 #ifndef ENABLE_CRYPTO_MBEDTLS
8897 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8898 {
8899 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8900 options->pkcs12_file = p[1];
8901 options->pkcs12_file_inline = is_inline;
8902 }
8903 #endif /* ENABLE_CRYPTO_MBEDTLS */
8904 else if (streq(p[0], "askpass") && !p[2])
8905 {
8906 VERIFY_PERMISSION(OPT_P_GENERAL);
8907 if (p[1])
8908 {
8909 options->key_pass_file = p[1];
8910 }
8911 else
8912 {
8913 options->key_pass_file = "stdin";
8914 }
8915 }
8916 else if (streq(p[0], "auth-nocache") && !p[1])
8917 {
8918 VERIFY_PERMISSION(OPT_P_GENERAL);
8919 ssl_set_auth_nocache();
8920 }
8921 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8922 {
8923 VERIFY_PERMISSION(OPT_P_ECHO);
8924 ssl_set_auth_token(p[1]);
8925 #ifdef ENABLE_MANAGEMENT
8926 if (management)
8927 {
8928 management_auth_token(management, p[1]);
8929 }
8930 #endif
8931 }
8932 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8933 {
8934 VERIFY_PERMISSION(OPT_P_ECHO);
8935 ssl_set_auth_token_user(p[1]);
8936 }
8937 else if (streq(p[0], "single-session") && !p[1])
8938 {
8939 VERIFY_PERMISSION(OPT_P_GENERAL);
8940 options->single_session = true;
8941 }
8942 else if (streq(p[0], "push-peer-info") && !p[1])
8943 {
8944 VERIFY_PERMISSION(OPT_P_GENERAL);
8945 options->push_peer_info = true;
8946 }
8947 else if (streq(p[0], "tls-exit") && !p[1])
8948 {
8949 VERIFY_PERMISSION(OPT_P_GENERAL);
8950 options->tls_exit = true;
8951 }
8952 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8953 {
8954 VERIFY_PERMISSION(OPT_P_GENERAL);
8955 options->cipher_list = p[1];
8956 }
8957 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8958 {
8959 VERIFY_PERMISSION(OPT_P_GENERAL);
8960 options->tls_cert_profile = p[1];
8961 }
8962 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8963 {
8964 VERIFY_PERMISSION(OPT_P_GENERAL);
8965 options->cipher_list_tls13 = p[1];
8966 }
8967 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8968 {
8969 VERIFY_PERMISSION(OPT_P_GENERAL);
8970 options->tls_groups = p[1];
8971 }
8972 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
8973 || !p[2]))
8974 {
8975 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8976 if (p[2] && streq(p[2], "dir"))
8977 {
8978 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8979 }
8980 options->crl_file = p[1];
8981 options->crl_file_inline = is_inline;
8982 }
8983 else if (streq(p[0], "tls-verify") && p[1])
8984 {
8985 VERIFY_PERMISSION(OPT_P_SCRIPT);
8986 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8987 {
8988 goto err;
8989 }
8990 set_user_script(options, &options->tls_verify,
8991 string_substitute(p[1], ',', ' ', &options->gc),
8992 "tls-verify", true);
8993 }
8994 #ifndef ENABLE_CRYPTO_MBEDTLS
8995 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8996 {
8997 VERIFY_PERMISSION(OPT_P_GENERAL);
8998 options->tls_export_cert = p[1];
8999 }
9000 #endif
9001 else if (streq(p[0], "compat-names"))
9002 {
9003 VERIFY_PERMISSION(OPT_P_GENERAL);
9004 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9005 "Update your configuration.");
9006 goto err;
9007 }
9008 else if (streq(p[0], "no-name-remapping") && !p[1])
9009 {
9010 VERIFY_PERMISSION(OPT_P_GENERAL);
9011 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9012 "Update your configuration.");
9013 goto err;
9014 }
9015 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9016 {
9017 int type = VERIFY_X509_SUBJECT_DN;
9018 VERIFY_PERMISSION(OPT_P_GENERAL);
9019 if (p[2])
9020 {
9021 if (streq(p[2], "subject"))
9022 {
9023 type = VERIFY_X509_SUBJECT_DN;
9024 }
9025 else if (streq(p[2], "name"))
9026 {
9027 type = VERIFY_X509_SUBJECT_RDN;
9028 }
9029 else if (streq(p[2], "name-prefix"))
9030 {
9031 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9032 }
9033 else
9034 {
9035 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9036 goto err;
9037 }
9038 }
9039 options->verify_x509_type = type;
9040 options->verify_x509_name = p[1];
9041 }
9042 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9043 {
9044 VERIFY_PERMISSION(OPT_P_GENERAL);
9045 if (streq(p[1], "server"))
9046 {
9047 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9048 }
9049 else if (streq(p[1], "client"))
9050 {
9051 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9052 }
9053 else
9054 {
9055 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9056 goto err;
9057 }
9058 }
9059 else if (streq(p[0], "remote-cert-ku"))
9060 {
9061 VERIFY_PERMISSION(OPT_P_GENERAL);
9062
9063 size_t j;
9064 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9065 {
9066 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9067 }
9068 if (j == 1)
9069 {
9070 /* No specific KU required, but require KU to be present */
9071 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9072 }
9073 }
9074 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9075 {
9076 VERIFY_PERMISSION(OPT_P_GENERAL);
9077 options->remote_cert_eku = p[1];
9078 }
9079 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9080 {
9081 VERIFY_PERMISSION(OPT_P_GENERAL);
9082
9083 if (streq(p[1], "server"))
9084 {
9085 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9086 options->remote_cert_eku = "TLS Web Server Authentication";
9087 }
9088 else if (streq(p[1], "client"))
9089 {
9090 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9091 options->remote_cert_eku = "TLS Web Client Authentication";
9092 }
9093 else
9094 {
9095 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9096 goto err;
9097 }
9098 }
9099 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9100 {
9101 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9102 options->tls_timeout = positive_atoi(p[1]);
9103 }
9104 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9105 {
9106 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9107 options->renegotiate_bytes = positive_atoi(p[1]);
9108 }
9109 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9110 {
9111 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9112 options->renegotiate_packets = positive_atoi(p[1]);
9113 }
9114 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9115 {
9116 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9117 options->renegotiate_seconds = positive_atoi(p[1]);
9118 if (p[2])
9119 {
9120 options->renegotiate_seconds_min = positive_atoi(p[2]);
9121 }
9122 }
9123 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9124 {
9125 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9126 options->handshake_window = positive_atoi(p[1]);
9127 }
9128 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9129 {
9130 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9131 options->transition_window = positive_atoi(p[1]);
9132 }
9133 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9134 {
9135 int key_direction = -1;
9136
9137 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9138
9139 if (permission_mask & OPT_P_GENERAL)
9140 {
9141 options->tls_auth_file = p[1];
9142 options->tls_auth_file_inline = is_inline;
9143
9144 if (!is_inline && p[2])
9145 {
9146 key_direction = ascii2keydirection(msglevel, p[2]);
9147 if (key_direction < 0)
9148 {
9149 goto err;
9150 }
9151 options->key_direction = key_direction;
9152 }
9153
9154 }
9155 else if (permission_mask & OPT_P_CONNECTION)
9156 {
9157 options->ce.tls_auth_file = p[1];
9158 options->ce.tls_auth_file_inline = is_inline;
9159 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9160
9161 if (!is_inline && p[2])
9162 {
9163 key_direction = ascii2keydirection(msglevel, p[2]);
9164 if (key_direction < 0)
9165 {
9166 goto err;
9167 }
9168 options->ce.key_direction = key_direction;
9169 }
9170 }
9171 }
9172 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9173 {
9174 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9175 if (permission_mask & OPT_P_GENERAL)
9176 {
9177 options->tls_crypt_file = p[1];
9178 options->tls_crypt_file_inline = is_inline;
9179 }
9180 else if (permission_mask & OPT_P_CONNECTION)
9181 {
9182 options->ce.tls_crypt_file = p[1];
9183 options->ce.tls_crypt_file_inline = is_inline;
9184 }
9185 }
9186 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9187 {
9188 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9189 if (permission_mask & OPT_P_GENERAL)
9190 {
9191 options->tls_crypt_v2_file = p[1];
9192 options->tls_crypt_v2_file_inline = is_inline;
9193 }
9194 else if (permission_mask & OPT_P_CONNECTION)
9195 {
9196 options->ce.tls_crypt_v2_file = p[1];
9197 options->ce.tls_crypt_v2_file_inline = is_inline;
9198 }
9199
9200 if (p[2] && streq(p[2], "force-cookie"))
9201 {
9202 options->ce.tls_crypt_v2_force_cookie = true;
9203 }
9204 else if (p[2] && streq(p[2], "allow-noncookie"))
9205 {
9206 options->ce.tls_crypt_v2_force_cookie = false;
9207 }
9208 else if (p[2])
9209 {
9210 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9211 }
9212 }
9213 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9214 {
9215 VERIFY_PERMISSION(OPT_P_GENERAL);
9216 options->tls_crypt_v2_verify_script = p[1];
9217 }
9218 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9219 {
9220 VERIFY_PERMISSION(OPT_P_GENERAL);
9221 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9222 }
9223 #ifdef ENABLE_X509ALTUSERNAME
9224 else if (streq(p[0], "x509-username-field") && p[1])
9225 {
9226 /* This option used to automatically upcase the fieldnames passed as the
9227 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9228 * fine-tuned by only upcasing Subject field attribute names which consist
9229 * of all lower-case characters. Mixed-case attributes such as
9230 * "emailAddress" are left as-is. An option parameter having the "ext:"
9231 * prefix for matching X.509v3 extended fields will also remain unchanged.
9232 */
9233 VERIFY_PERMISSION(OPT_P_GENERAL);
9234 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9235 {
9236 char *s = p[j];
9237
9238 if (strncmp("ext:", s, 4) != 0)
9239 {
9240 size_t i = 0;
9241 while (s[i] && !isupper(s[i]))
9242 {
9243 i++;
9244 }
9245 if (strlen(s) == i)
9246 {
9247 while ((*s = toupper(*s)) != '\0')
9248 {
9249 s++;
9250 }
9251 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9252 "--x509-username-field parameter to '%s'; please update your"
9253 "configuration", p[j]);
9254 }
9255 }
9256 else if (!x509_username_field_ext_supported(s+4))
9257 {
9258 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9259 }
9260 options->x509_username_field[j-1] = p[j];
9261 }
9262 }
9263 #endif /* ENABLE_X509ALTUSERNAME */
9264 #ifdef ENABLE_PKCS11
9265 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9266 {
9267 char *provider = p[1];
9268 bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9269
9270 #ifdef DEFAULT_PKCS11_MODULE
9271 if (!provider)
9272 {
9273 provider = DEFAULT_PKCS11_MODULE;
9274 }
9275 else if (!p[2])
9276 {
9277 char *endp = NULL;
9278 int i = strtol(provider, &endp, 10);
9279
9280 if (*endp == 0)
9281 {
9282 /* There was one argument, and it was purely numeric.
9283 * Interpret it as the cert_private argument */
9284 provider = DEFAULT_PKCS11_MODULE;
9285 cert_private = i;
9286 }
9287 }
9288 #else /* ifdef DEFAULT_PKCS11_MODULE */
9289 if (!provider)
9290 {
9291 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9292 goto err;
9293 }
9294 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9295 VERIFY_PERMISSION(OPT_P_GENERAL);
9296
9297 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9298 show_pkcs11_ids(provider, cert_private);
9299 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9300 }
9301 else if (streq(p[0], "pkcs11-providers") && p[1])
9302 {
9303 int j;
9304
9305 VERIFY_PERMISSION(OPT_P_GENERAL);
9306
9307 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9308 {
9309 options->pkcs11_providers[j-1] = p[j];
9310 }
9311 }
9312 else if (streq(p[0], "pkcs11-protected-authentication"))
9313 {
9314 int j;
9315
9316 VERIFY_PERMISSION(OPT_P_GENERAL);
9317
9318 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9319 {
9320 options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9321 }
9322 }
9323 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9324 {
9325 int j;
9326
9327 VERIFY_PERMISSION(OPT_P_GENERAL);
9328
9329 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9330 {
9331 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9332 }
9333 }
9334 else if (streq(p[0], "pkcs11-cert-private"))
9335 {
9336 int j;
9337
9338 VERIFY_PERMISSION(OPT_P_GENERAL);
9339
9340 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9341 {
9342 options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9343 }
9344 }
9345 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9346 {
9347 VERIFY_PERMISSION(OPT_P_GENERAL);
9348 options->pkcs11_pin_cache_period = atoi(p[1]);
9349 }
9350 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9351 {
9352 VERIFY_PERMISSION(OPT_P_GENERAL);
9353 options->pkcs11_id = p[1];
9354 }
9355 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9356 {
9357 VERIFY_PERMISSION(OPT_P_GENERAL);
9358 options->pkcs11_id_management = true;
9359 }
9360 #endif /* ifdef ENABLE_PKCS11 */
9361 else if (streq(p[0], "rmtun") && !p[1])
9362 {
9363 VERIFY_PERMISSION(OPT_P_GENERAL);
9364 options->persist_config = true;
9365 options->persist_mode = 0;
9366 }
9367 else if (streq(p[0], "mktun") && !p[1])
9368 {
9369 VERIFY_PERMISSION(OPT_P_GENERAL);
9370 options->persist_config = true;
9371 options->persist_mode = 1;
9372 }
9373 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9374 {
9375 VERIFY_PERMISSION(OPT_P_PEER_ID);
9376 options->use_peer_id = true;
9377 options->peer_id = atoi(p[1]);
9378 }
9379 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9380 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9381 {
9382 int ekm_length = positive_atoi(p[2]);
9383
9384 VERIFY_PERMISSION(OPT_P_GENERAL);
9385
9386 if (strncmp(p[1], "EXPORTER", 8))
9387 {
9388 msg(msglevel, "Keying material exporter label must begin with "
9389 "\"EXPORTER\"");
9390 goto err;
9391 }
9392 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9393 {
9394 msg(msglevel, "Keying material exporter label must not be '"
9395 EXPORT_KEY_DATA_LABEL "'.");
9396 }
9397 if (ekm_length < 16 || ekm_length > 4095)
9398 {
9399 msg(msglevel, "Invalid keying material exporter length");
9400 goto err;
9401 }
9402
9403 options->keying_material_exporter_label = p[1];
9404 options->keying_material_exporter_length = ekm_length;
9405 }
9406 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9407 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9408 {
9409 VERIFY_PERMISSION(OPT_P_GENERAL);
9410 options->allow_recursive_routing = true;
9411 }
9412 else if (streq(p[0], "vlan-tagging") && !p[1])
9413 {
9414 VERIFY_PERMISSION(OPT_P_GENERAL);
9415 options->vlan_tagging = true;
9416 }
9417 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9418 {
9419 VERIFY_PERMISSION(OPT_P_GENERAL);
9420 if (streq(p[1], "tagged"))
9421 {
9422 options->vlan_accept = VLAN_ONLY_TAGGED;
9423 }
9424 else if (streq(p[1], "untagged"))
9425 {
9426 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9427 }
9428 else if (streq(p[1], "all"))
9429 {
9430 options->vlan_accept = VLAN_ALL;
9431 }
9432 else
9433 {
9434 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9435 goto err;
9436 }
9437 }
9438 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9439 {
9440 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9441 options->vlan_pvid = positive_atoi(p[1]);
9442 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9443 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9444 {
9445 msg(msglevel,
9446 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9447 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9448 goto err;
9449 }
9450 }
9451 else
9452 {
9453 int i;
9454 int msglevel_unknown = msglevel_fc;
9455 /* Check if an option is in --ignore-unknown-option and
9456 * set warning level to non fatal */
9457 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9458 {
9459 if (streq(p[0], options->ignore_unknown_option[i]))
9460 {
9461 msglevel_unknown = M_WARN;
9462 break;
9463 }
9464 }
9465 if (file)
9466 {
9467 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9468 }
9469 else
9470 {
9471 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9472 }
9473 }
9474 err:
9475 gc_free(&gc);
9476 }
Mirror of https://github.com/OpenVPN/openvpn.git